Slow DNS resolution with PfBlocker/DNSBL



  • Hi all!
    With the 2.3.4 version of pfsense I see a strange and a little annoying behaviour with DNS resolution.
    Note that I use PfBlocker/DNSBL with Unbound DNS resolver.
    If I wake my computer from standby mode, I get an IP pretty fast, but DNS resolution takes a long time until it fully works. If I disable PfBlocker/DNSBL, then the wake-up/DNS resolution is far faster.
    Since my 2.3.4 was an update from the previous version, I tried reinstalling from scratch and restoring my config, but I got the same issue until I disabled PfBlocker/DNSBL.
    Note that with 2.3.3 and PfBlocker/DNSBL, the issue was not there.

    Any idea?
    Thanks!



  • Has this been figured out?  I appear to be having the same issues.  I just installed pfsense on a new box and I wasn't sure if it was the box, my install, or if this was an actual issue.



  • I've posted the same thing. I think we're being ignored. Basically DNSBL with feeds is causing the service to restart periodically and causing massive DNS lag.
    I've experienced this on my machine and another machine. Both are C2758 w/16GB of RAM. More than enough horse power to handle DNS feeds.



  • @Visseroth:

    I've posted the same thing. I think we're being ignored.

    I'd rather guess you are ignoring the documentation from pfBlockerNG:

    The 'Unbound Resolver Reloads' can take several seconds or more to complete and may temporarily interrupt DNS Resolution until the Resolver has been fully Reloaded with the updated Domain changes. Consider updating the DNSBL Feeds 'Once per Day', if network issues arise.

    Also if you have:

    Register DHCP leases in the DNS Resolver

    enabled, unbound will restart whenever a device successfully requests a DHCP lease.



  • Overlooked that.

    Well, I guess if someone has large DNSBL feeds and the service takes too long to restart, you will start to notice it on the network. The restarting of the service is a problem when PfBlocker DNSBL feeds and Register DHCP leases in the DNS Resolver are both enabled.

    Kind of sucks that you have to enable DNSBL or DHCP lease registration, but not both.



  • You can still define Static DHCP Mapping ;)



  • Very true, though still sad the service needs to restart with every DHCP renewal. Means more work for those that have multiple devices they'd like to be able to do a reverse lookup with or where DNS is critical and needs to be functioning correctly.



    Hi. I am also seeing the same behaviour with pfsense unbound with pfblocker and dnsbl feeds. I tried all kinds of suggestions, disabled registration of clients in DNS when requesting a DHCP lease, etc. etc. Nothing matters. In the end I experience DNS lag on my network. My solution was to stop using pfblocker on pfsense and move adblocking to an ubuntu server with pihole installed. Problem solved.

    I am looking forward to the next pfblocker release and hope that it will be more stable and perform a lot better than what it is doing now.

    edit: I have pfsense running on dedicated core i3 with 4GB RAM and SSD disk. Tested it on core i5 with 32GB RAM and SSD disk. Unbound with pfblocker and dnsbl still lags.


  • Moderator

    @vjizzle

    When do you see lags? You need to provide more information.

    Do you have vlans? If so, ensure the Dnsbl permit option is enabled with all of the interfaces selected as required.

    You should be able to ping the dnsbl VIP and browse to the dnsbl VIP. If that doesn't occur, your browser may timeout.

    If the lags are occurring when dnsbl is performing an update, there can be some dns resolution issues until it fully reloads. You can set it to update once per day after hours, or use the new live reload option.



  • Hi. Is the live reload option available in the current stable release of pfblocker? Thanks!


  • Moderator

    @vjizzle said in Slow DNS resolution with PfBlocker/DNSBL:

    Hi. Is the live reload option available in the current stable release of pfblocker? Thanks!

    No, only available in devel.



  • Thanks. I will make a backup of my current setup and test with the development version of pfsense and pfblockerng.



  • Hi again :). So I have set up pfblockerNG-devel now and so far it is looking good! I have set all my DNSBL and IP feeds to update Once A Day. Now I want them to update at 05:00. Is it enough to set the cron job to run like the screenshot here?

    [screenshot of the pfBlockerNG cron settings]



  • Depending on your configuration, an Unbound reload can take a few seconds to a few minutes to complete, disrupting DNS service to devices. Running the cron update during off hours is recommended.

    With the Live Reload, pfBlockerNG performs live Unbound conf modifications without interrupting DNS service, so you can run the Cron Update hourly.

    Live reload still has an issue where the Unbound internal DB becomes out of sync with the pfb_dnsbl.conf file. It shows in the pfblockerng.log as:

    Resolver Live Sync... completed [ 09/06/18 05:29:28 ]
    DNSBL update [ 1107297 | PASSED  ]... completed [ 09/06/18 05:29:29 ]

    DNSBL DEBUG..[ Data(s): 1107298	Zone(s): 950371 | 09/06/18 05:29:52 ]

    When this happens, you can run a Force Reload DNSBL to correct the drift. Or you can just perform an Unbound reload with the shell command:

    unbound-control -c /var/unbound/unbound.conf reload

    The widget DNSBL Unbound total queries counter might be cleared when Unbound reloads, giving you bad statistics. Simply clear the DNSBL counters by clicking on the Garbage Can icon in the widget.
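    The drift check described in the post above, as an added example that is not part of the thread or of pfBlockerNG itself: a small POSIX sh script that reads pfblockerng.log, pulls the domain count from the last "DNSBL update [ N | PASSED ]" line and the "Data(s): M" count from the following DNSBL DEBUG line, and reports when the two no longer agree. The assumption that those two numbers should match after a clean live sync is taken from the log excerpt in the post; the log path in the usage note is the usual pfBlockerNG location but is an assumption for your install, and the sample log lines are constructed to reproduce the excerpt.

```shell
#!/bin/sh
# Added example, not from the forum post or from pfBlockerNG.
# Detects the DNSBL "drift" described in the thread by comparing the domain
# count logged by the last "DNSBL update [ N | PASSED ]" line with the
# "Data(s): M" count of the DNSBL DEBUG line that follows it.
# Assumption (hypothetical, not documented by pfBlockerNG): after a clean
# live sync both counts are identical; any difference means Unbound's
# internal DB and pfb_dnsbl.conf are out of step.

# dnsbl_counts FILE -> prints "<updated> <loaded>" from the most recent
# update/debug pair in FILE, or nothing if either line is missing.
dnsbl_counts() {
    awk '
        /DNSBL update \[/ {
            # "DNSBL update [ 1107297 | PASSED  ]..." -> keep the number after "["
            n = $0; sub(/.*DNSBL update \[ */, "", n); sub(/ *\|.*/, "", n); upd = n
        }
        /DNSBL DEBUG\.\.\[ *Data\(s\): / {
            # "DNSBL DEBUG..[ Data(s): 1107298<tab>Zone(s): ..." -> keep the number
            n = $0; sub(/.*Data\(s\): */, "", n); sub(/[^0-9].*/, "", n); dbg = n
        }
        END { if (upd != "" && dbg != "") print upd, dbg }
    ' "$1"
}

# dnsbl_drift FILE -> exit 0 when the counts agree, 1 when they differ,
# 2 when the log does not contain both lines.  Only reports; the actual
# fix (Force Reload DNSBL or an unbound-control reload) is left to the admin.
dnsbl_drift() {
    counts=$(dnsbl_counts "$1")
    if [ -z "$counts" ]; then
        echo "no DNSBL update/debug pair found in $1" >&2
        return 2
    fi
    upd=${counts% *}
    dbg=${counts#* }
    if [ "$upd" = "$dbg" ]; then
        echo "DNSBL in sync: $upd domains"
        return 0
    fi
    echo "DNSBL drift: pfb_dnsbl.conf has $upd domains, Unbound reports $dbg" >&2
    echo "fix: Force Reload DNSBL in the GUI, or run: unbound-control -c /var/unbound/unbound.conf reload" >&2
    return 1
}

# Constructed sample log reproducing the lines quoted in the post (drifted by 1).
SAMPLE_LOG=$(mktemp)
{
    printf '%s\n' 'Resolver Live Sync... completed [ 09/06/18 05:29:28 ]'
    printf '%s\n' 'DNSBL update [ 1107297 | PASSED  ]... completed [ 09/06/18 05:29:29 ]'
    printf 'DNSBL DEBUG..[ Data(s): 1107298\tZone(s): 950371 | 09/06/18 05:29:52 ]\n'
} > "$SAMPLE_LOG"

# Run on the sample; with these lines it reports drift and returns 1.
dnsbl_drift "$SAMPLE_LOG" || true
```

    On a live box, point it at the real log (path assumed): `dnsbl_drift /var/log/pfblockerng/pfblockerng.log`, for instance from a cron entry shortly after the DNSBL update runs, so the drift is noticed before clients start hitting unexpected resolver behaviour rather than after.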