[Solved] Requests Timing Out Unbound DNS Resolver

Joshdw · Jan 4, 2018, 9:50 PM

Hello everyone,

first of all, thank you to everyone who has written guides and posts on here. I've spent the last few days reading a ton of guides and threads which all helped a lot.

Also please excude me if this is in the wrong section, there are too many to choose from.

Today I decided to try out pfBlocker. After following a ton of steps I have it all set up and working correctly. I had some issues with my Plex server being extremely slow, which I solved by adding

server:private-domain: "plex.direct"

under Custom Options under Services > DNS Resolver (In case anyone else future googles this issue: pfsense plex slow after pfblocker).

Anyhow, for some reason, I noticed a huge impact on loading times after setting up pfBlocker. Below you'll find screenshots of some trace routes, where you can see every single one has requests that timed out. I honestly have no idea what to look for to figure out solving this.

The only thing I can think this could be related to, is the DNS server changes I made related to Unbound DNS. Any ideas?

My pfSense machine is behind the router, everything else in the house is connected to the switch that comes from the pfsense machine. So only the pfsense instance is running on the router itself (router 192.168.1.1 -> pfsense 10.0.0.1)

TRACE ROUTE:
https://i.imgur.com/p9ejbHH.png

MORE TRACE:
https://i.imgur.com/QjZqXp3.png

PING:
https://i.imgur.com/LcftCDu.png

System->General Settings:
https://i.imgur.com/l2Z0JZm.png

Services->DHCP:
https://i.imgur.com/3m6q3dh.png

Services->DNS Resolver:
https://i.imgur.com/NFoOGlW.png

Squid:
https://i.imgur.com/Z2zU97C.png

pfBlocker->General Settings:
https://i.imgur.com/Yw7FKQY.png

pfBlocker->IPV4 Blacklist:
https://i.imgur.com/NM9AMxH.png

pfBlocker->DNSBL->Config:
https://i.imgur.com/Uaqfjxt.png

pfBlocker->DNSBL->Easylist:
https://i.imgur.com/ytU3jAV.png

Joshdw · Jan 5, 2018, 12:38 PM

Any ideas please? I am not sure how to troubleshoot this. Thanks in advance!

BBcan177 · Jan 5, 2018, 2:59 PM

In the IPv4 tab try to remove that Youtube block list and see what that does…. I also heard that Level3 was having issues, just can't remember what day that was exactly... Run a Force Reload - ALL after that...

Anything that is blocked via IP/DNSBL will show in the Alerts Tab... So you can review those events...
Also increase the pfSense Resolver "Log Verbosity" to "2", and review the resolver.log for additional clues...

Joshdw · Jan 5, 2018, 4:00 PM

@BBcan177:

In the IPv4 tab try to remove that Youtube block list and see what that does…. I also heard that Level3 was having issues, just can't remember what day that was exactly... Run a Force Reload - ALL after that...

Anything that is blocked via IP/DNSBL will show in the Alerts Tab... So you can review those events...
Also increase the pfSense Resolver "Log Verbosity" to "2", and review the resolver.log for additional clues...

Heya, thank you for the reply! Also thanks for creating pfblocker, seems like it must have been a lot of time to create such a script.

I removed both those lists and forced a reload. I think DNSBL has never worked for me for some reason, the process never shows as started on the dashboard, when I try to start it it just loads and does nothing.
DNSBL.log shows Log file is empty or does not exist.

I did change the log verbosity to 2 and tried following it but didn't really see anything out of place.

Alerts: https://i.imgur.com/0XT4ba2.png
Dashboard: https://i.imgur.com/blLOXYd.png
resolver.log: https://i.imgur.com/E3KvhP8.png

BBcan177 · Jan 5, 2018, 11:03 PM

@Joshdw:

@BBcan177:

In the IPv4 tab try to remove that Youtube block list and see what that does…. I also heard that Level3 was having issues, just can't remember what day that was exactly... Run a Force Reload - ALL after that...

Anything that is blocked via IP/DNSBL will show in the Alerts Tab... So you can review those events...
Also increase the pfSense Resolver "Log Verbosity" to "2", and review the resolver.log for additional clues...

Heya, thank you for the reply! Also thanks for creating pfblocker, seems like it must have been a lot of time to create such a script.

I removed both those lists and forced a reload. I think DNSBL has never worked for me for some reason, the process never shows as started on the dashboard, when I try to start it it just loads and does nothing.
DNSBL.log shows Log file is empty or does not exist.

DNSBL will not function if the service is not running… First need to fix that...

Run this from the shell and see if it shows any errors?

/usr/local/etc/rc.d/dnsbl.sh restart

Joshdw · Jan 6, 2018, 5:39 PM

@BBcan177:

@Joshdw:

@BBcan177:

In the IPv4 tab try to remove that Youtube block list and see what that does…. I also heard that Level3 was having issues, just can't remember what day that was exactly... Run a Force Reload - ALL after that...

Anything that is blocked via IP/DNSBL will show in the Alerts Tab... So you can review those events...
Also increase the pfSense Resolver "Log Verbosity" to "2", and review the resolver.log for additional clues...

Heya, thank you for the reply! Also thanks for creating pfblocker, seems like it must have been a lot of time to create such a script.

I removed both those lists and forced a reload. I think DNSBL has never worked for me for some reason, the process never shows as started on the dashboard, when I try to start it it just loads and does nothing.
DNSBL.log shows Log file is empty or does not exist.

DNSBL will not function if the service is not running… First need to fix that...

Run this from the shell and see if it shows any errors?
/usr/local/etc/rc.d/dnsbl.sh restart

Getting the following messages:

2018-01-06 17:37:33: (configfile.c.59) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives
2018-01-06 17:37:33: (network.c.316) can't bind to socket: 0.0.0.0:8443 Address already in use

BBcan177 · Jan 6, 2018, 5:43 PM

Lighttpd changed its OpenSSL integration in the last update…

Edit this file and add the part in red:
/var/unbound/pfb_dnsbl_lighty.conf

From:
server.modules = ( "mod_access", "mod_accesslog", "mod_fastcgi", "mod_rewrite" )

To:
server.modules = ( "mod_access", "mod_accesslog", "mod_fastcgi", "mod_rewrite", "mod_openssl" )

Joshdw · Jan 6, 2018, 9:16 PM

@BBcan177:

Lighttpd changed its OpenSSL integration in the last update…

Edit this file and add the part in red:
/var/unbound/pfb_dnsbl_lighty.conf

From:
server.modules = ( "mod_access", "mod_accesslog", "mod_fastcgi", "mod_rewrite" )

To:
server.modules = ( "mod_access", "mod_accesslog", "mod_fastcgi", "mod_rewrite", "mod_openssl" )

I made the changes, but still getting the same error:

2018-01-06 21:15:26: (network.c.316) can't bind to socket: 0.0.0.0:8443 Address already in use

BBcan177 · Jan 6, 2018, 9:59 PM

/usr/local/etc/rc.d/dnsbl.sh stop
/usr/local/etc/rc.d/dnsbl.sh start

Failing that just reboot and see if that clears it…

Joshdw · Jan 6, 2018, 11:54 PM

@BBcan177:

/usr/local/etc/rc.d/dnsbl.sh stop
/usr/local/etc/rc.d/dnsbl.sh start
Failing that just reboot and see if that clears it…

Tried those commands, getting the same error. Rebooted, same error.

Reinstalled package, still persisting :( Thanks for helping me so far, I'm clueless.

Joshdw · Jan 7, 2018, 11:37 PM

Adding an update.

BBcan was kind enough to help me via teamviewer.
Solution to my issues were to remove lightsquid package, as well as changing the SSL Listening port under pfBlocker -> DNSBL Configuration.

Thank you very much!

DaReaLDeviL · Apr 3, 2018, 8:48 PM

Thank you for sharing. Had the same problem with a very slow dns and changing the default.

But in the dns custom config I put:

server: include: /var/unbound/pfb_dnsbl.*conf
server: private-domain: "plex.direct"

and I don't get the plex server running out of the network like before without dnsbl… any advice?