    DNS breaks after installing pfBlockerNG?

    20 Posts 7 Posters 4.1k Views
averythomas:

      Hello,

      I followed this guide to install pfBlockerNG: https://www.fredmerc.com/2016/07/pfsense-adblock-using-pfblockerng-guide/
      Everything worked great until pfsense restarted - DNS no longer works locally.
      Here is the error log when pfsense restarted: http://pastebin.com/UR8004Q7

      Thanks!

doktornotor (Banned):

        First of all, upgrade your pfSense. And while there, I'd suggest to stop using nanobsd and use amd64 full install.

stephenw10 (Netgate Administrator):

          Yes, it's because Unbound cannot start with the DNSBL custom options present before pfBlocker has populated them. But also pfBlocker cannot download the lists until Unbound has started.
          In the full install the list contents persist across a reboot so it's not an issue.

          If you disable DNSBL you will be able to start Unbound and then you can re-enable DNSBL.

          Steve

averythomas:
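The failure mode Steve describes is Unbound being handed a config whose DNSBL include files do not exist yet. The following is an added example, not code from the thread, from pfSense or from pfBlockerNG: a small pre-flight check that lists every `include:` directive in an Unbound config fragment whose target file is missing, and refuses to start the resolver if any are. The sample config text, the `/var/unbound/pfb_dnsbl_constructed.conf` path and the `unbound_preflight` function name are constructed for the demo; `unbound-checkconf` is Unbound's own syntax checker and is only run when it is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/pfBlockerNG.
# Find include: directives in an Unbound config whose target file does not
# exist yet (DNSBL custom options present before the lists were written),
# and refuse to start Unbound while that is the case.
# The config text and list path below are constructed for the demo.

SAMPLE_CONF='server:
    verbosity: 1
    include: "/dev/null"
    include: "/var/unbound/pfb_dnsbl_constructed.conf"'

# missing_includes CONFIG_TEXT: print each include: path that is absent.
missing_includes() {
    printf '%s\n' "$1" \
      | awk '$1 == "include:" { print $2 }' \
      | tr -d '"' \
      | while IFS= read -r path; do
            [ -e "$path" ] || printf '%s\n' "$path"
        done
}

# unbound_preflight CONFIG_FILE: return 1 (listing the offenders) if any
# included file is missing; otherwise run unbound-checkconf when available.
unbound_preflight() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    missing=$(missing_includes "$(cat "$conf")")
    if [ -n "$missing" ]; then
        echo "refusing to start Unbound: missing include files:" >&2
        printf '%s\n' "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$conf"
    fi
}

# Stand-alone use: `sh preflight.sh check [config]` (pfSense path assumed).
case "${1:-}" in
    check) unbound_preflight "${2:-/var/unbound/unbound.conf}" ;;
esac
```

Run it from a cron or hook script just before the resolver is started; when it fails, the culprit file is named on stderr, which is the information the boot log in the first post does not give you.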

            @doktornotor:

            First of all, upgrade your pfSense. And while there, I'd suggest to stop using nanobsd and use amd64 full install.

            Can you even do that on a firebox? https://doc.pfsense.org/index.php/PfSense_on_Watchguard_Firebox

doktornotor (Banned):

No idea about 64bit, however at least you could use the full install (and avoid these issues with ramdisk, and tons of others).

              As for the catch-22 DNS issue mentioned above, configuring DNS servers in System should help. I.e., Unbound should NOT be the only DNS server configured for the firewall itself.

stephenw10 (Netgate Administrator):

                Depends which firebox, most are 32bit only. Most covered there anyway. But you can boot from HD or run a full install from CF if required. I would normally recommend moving /var and /tmp to ramdisks but that defeats the purpose here.

                @doktornotor:

                As for the catch-22 DNS issue mentioned above, configuring DNS servers in System should help. I.e., Unbound should NOT be the only DNS server configured for the firewall itself.

Yep, I would have assumed that yet I have DNS servers defined and it fails every time on a Nano install I have here. And not just until the cronjob runs either. I'll have to dig deeper.

                Steve

pfcode:

Ah, I'm wondering if it's the cause (catch-22) that at any time when an IP4/IP6/VPN Client IP got renewed, Unbound failed to restart itself. It is becoming a nightmare for us, we have to manually start unbound until we disabled DNSBL.

So adding extra DNS servers in System/General would solve it?

                  Release: pfSense 2.4.3(amd64)
                  M/B: Supermicro A1SRi-2558F
                  HDD: Intel X25-M 160G
                  RAM: 2x8Gb Kingston ECC ValueRAM
                  AP: Netgear R7000 (XWRT), Unifi AC Pro

stephenw10 (Netgate Administrator):

                    If you are able to simply restart Unbound without disabling DNSBL first then it's probably not that. Sounds more like a timing issue.

                    However it's easy to test adding an alternative DNS server in general setup so you might as well try it.

                    Steve

pfcode:

                      @stephenw10:

                      If you are able to simply restart Unbound without disabling DNSBL first then it's probably not that. Sounds more like a timing issue.

                      However it's easy to test adding an alternative DNS server in general setup so you might as well try it.

                      Steve

You are right. It didn't work by adding an alternative DNS server, I always got the error when IPs got renewed or any changes were made under the System menu (i.e. DNS servers changed and applied…): "/system.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1483291498] unbound[77155:0] error: bind: address already in use [1483291498] unbound[77155:0] fatal error: could not open ports'"

It is currently a nightmare for us. Manually restarting Unbound is not an option. We have to disable DNSBL until this is addressed by the pfSense dev team.

stephenw10 (Netgate Administrator):

                        Ok, that's something else. It implies either Unbound isn't stopping correctly or something else is already listening on port 53.

                        If you can trigger that again try running:

                        sockstat|grep :53

                        If nothing shows it could still be a timing issue in restarting Unbound.

                        Steve

doktornotor (Banned):

                          Also, if you have Services Watchdog package installed, make sure you did NOT add Unbound to it. (That causes race conditions and wreaks complete havoc on DNS when pfBNG updates the DNSBLs.)

RonpfS:

Might just be that unbound takes a long time to start (mine takes up to 3 minutes).
When it boots unbound starts more than once, so while one instance is starting, a restart/reload happens and it cannot bind to the port of the previous unfinished unbound.

                            2.4.5-RELEASE-p1 (amd64)
                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5
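Steve's `sockstat` check and RonpfS's overlapping-start explanation point at the same thing: before a restart succeeds, port 53 has to be free. The following is an added example, not code from the thread, from pfSense or from pfBlockerNG: it parses `sockstat` output for whatever still holds port 53, then waits for the port to clear before issuing the same start command that appears in pfcode's error message. The sample `sockstat` output is constructed (the PID 77155 is taken from the quoted log), `sockstat -l` is the FreeBSD listing of listening sockets, and the `/usr/local/sbin/unbound -c /var/unbound/unbound.conf` path is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/pfBlockerNG.
# Helpers for the "bind: address already in use" case: list what holds
# port 53 in sockstat output, and wait for the port to be free before
# starting Unbound. The sample sockstat output below is constructed.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    77155 3  udp4   127.0.0.1:53          *:*
unbound  unbound    77155 4  tcp4   127.0.0.1:53          *:*
root     sshd       1201  4  tcp4   *:22                  *:*
unbound  unbound    77155 5  udp6   ::1:53                *:*'

# port53_listeners TEXT: print "PID COMMAND" for each process with a socket
# bound to local port 53 (field 6 of sockstat output), skipping the header.
port53_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $6 ~ /:53$/ { print $3, $2 }' | sort -u
}

# wait_for_port53 READER [TRIES] [INTERVAL]: call READER (a command that
# prints sockstat output) until nothing listens on :53; return 1 if the
# port is still busy after TRIES attempts spaced INTERVAL seconds apart.
wait_for_port53() {
    reader=$1; tries=${2:-30}; interval=${3:-1}
    while [ "$tries" -gt 0 ]; do
        [ -z "$(port53_listeners "$("$reader")")" ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep "$interval"
    done
    return 1
}

# Live reader on a FreeBSD/pfSense box (listening sockets only).
live_sockstat() { sockstat -l; }

# safe_start_unbound: the start command from the thread's error message,
# run only once port 53 is confirmed free (pfSense paths assumed).
safe_start_unbound() {
    if wait_for_port53 live_sockstat 30 1; then
        /usr/local/sbin/unbound -c /var/unbound/unbound.conf
    else
        echo "port 53 still held by: $(port53_listeners "$(live_sockstat)")" >&2
        return 1
    fi
}

# Stand-alone use: `sh unbound-start.sh show` lists port-53 holders,
# `sh unbound-start.sh run` waits and then starts Unbound.
case "${1:-}" in
    run)  safe_start_unbound ;;
    show) port53_listeners "$(live_sockstat)" ;;
esac
```

The `show` output tells you immediately whether the blocker is a lingering Unbound (same command, old PID) or a different daemon on port 53; the `run` path gives the previous instance time to exit instead of failing on the first bind attempt.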

pfcode:

                              @doktornotor:

                              Also, if you have Services Watchdog package installed, make sure you did NOT add Unbound to it. (That causes race conditions and wreaks complete havoc on DNS when pfBNG updates the DNSBLs.)

                              No, I don't have Watchdog package installed.

pfcode:

Just wondering, what's the difference between manually restarting Unbound vs. auto restart of Unbound by pfSense? I'm really confused since the start process should be the same, manual restart works but auto restart doesn't work.

chrcoluk:

Note my thread in the pfsense 2.4 forum: my unbound doesn't start on boot if I do not select the default ALL interfaces. When specific interfaces are chosen the bootup script gets all confused and breaks, although I can always start it fine from the gui.

So if you have specific network interfaces selected, change it to ALL to see if it fixes the boot problem.

                                  pfSense CE 2.8.0

BBcan177 (Moderator):

I haven't had a chance to dig through the Unbound/pfSense code to figure out this issue… but there definitely is an issue when utilizing DHCP... Hopefully one of the pfSense devs gets a chance to improve that part of the code. I am unable to replicate in my environment as I am static...

                                    "Experience is something you don't get until just after you need it."

                                    Website: http://pfBlockerNG.com
                                    Twitter: @BBcan177  #pfBlockerNG
                                    Reddit: https://www.reddit.com/r/pfBlockerNG/new/

stephenw10 (Netgate Administrator):

                                      Ah that's interesting. Do you know how that applies if you are using DHCP, as I am?

                                      Like, DHCP WAN?

                                      Steve

chrcoluk:

                                        I have dhcp wan for ipv4 and ipv6.

On my setup there seem to be no ipv4 renewals being logged and as such no effect on unbound, but the dhcp wan ipv6 renews twice an hour and will restart unbound. I fixed it by manually patching the services.inc file to stop the configure_unbound function from restarting unbound.

Pfblockerng doesn't use that function so it can still restart unbound when it does its dnsbl updates.

pfcode:

                                          @chrcoluk:

                                          I have dhcp wan for ipv4 and ipv6.

On my setup there seem to be no ipv4 renewals being logged and as such no effect on unbound, but the dhcp wan ipv6 renews twice an hour and will restart unbound. I fixed it by manually patching the services.inc file to stop the configure_unbound function from restarting unbound.

Pfblockerng doesn't use that function so it can still restart unbound when it does its dnsbl updates.

                                          May I know what/how you fixed in services.inc?

chrcoluk:

Sure.

                                            I used SECOIT GmbH's solution (crediting the original guy).

                                            His post is here.

                                            https://forum.pfsense.org/index.php?topic=89589.msg517047#msg517047

Be aware with this solution, if you do an action that requires an Unbound restart/configure, you will manually need to stop and then start it in the gui. pfblockerng will still be fine though.
