DNS Resolver failing to resolve random domains from time to time

leonroy

I have a simple pfSense setup using pfSense for DHCP + DNS Resolver. After updating to 2.4.4 pfSense fails to resolve DNS lookups to certain domains randomly. Directly looking up to 8.8.8.8 always works though. A restart fixes the issue for a while.

Originally I was using Unbound in forwarding mode to Cloudflare's DNS servers but while trying to debug this issue I implemented pfSense best practise with root hints instead as follows:

DNS settings in General Setup are:

And in the Resolver:

Any suggestions or areas I can look to troubleshoot?

thanks!

bepo

Try to uncheck the "DHCP Registration" setting. This setting causes the dns resolver to restart in short intervalls depending on the amount of clients in your network.

leonroy

thanks @bepo you are right though about restarts - looking at resolver.log I see:

[2.4.4-RELEASE][root@gateway.XXXXX]/var/log: grep -i restart resolver.log
Dec 18 21:04:03 gateway unbound: [13769:0] notice: Restart of unbound 1.8.1.
Dec 18 09:34:19 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 09:38:50 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 09:53:00 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 09:57:24 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 09:58:09 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 09:59:34 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 10:04:52 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 10:04:59 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 10:07:31 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 10:13:12 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 10:13:12 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.
Dec 18 10:13:45 gateway unbound: [22689:0] notice: Restart of unbound 1.8.1.

Just checked, I only have 32 registrations in the DHCP table...it was also working fine up until recently. Do you really think the DHCP registration setting could be the problem?

bepo

@leonroy said in DNS Resolver failing to resolve random domains from time to time:

Do you really think the DHCP registration setting could be the problem?

Try and see. I had this problem on multiple pfSense firewalls and unchecking this setting resolves it.
If it works please don't forget to upvote :-)

chrcoluk

I second the suggestion, you dont want your DNS resolver restarting every time a DHCP client connects ot disconnects.

Static DHCP will still be resolved.

leonroy

Thanks @bepo @chrcoluk - is there a way to ensure my DHCP clients are able to resolve each other by name with this unchecked?

Most of my stuff on the network uses FQDN rather than IP to communicate.

I'm happy forgoing Unbound altogether but unsure what's best practise here.

johnpoz

If you have devices that need to resolve their names to IP... Why not just setup reservations for them, so they always get the same IP.. Having unbound register static reservations does not cause the reboot on every dhcp renewal, etc.

Other thing you could do is lengthen the dhcp lease so that you don't have clients renewing all the time.. So unbound will restart less.

chrcoluk

yes use reservation, thats what I meant by static DHCP.

Once this is done, unbound will resolve the hostnames and without the restarts.