PFSense not playing nicely with Android TV
-
We've seen issues with Android devices when Unbound has the "respond to SSL/TLS queries" option on. Turning it off fixes it. Interestingly, the Android devices reporting the problems also have problems with Google's own DNS. I haven't had a chance to get my hands on any of the devices in question, but this behavior's been confirmed in a lot of places on a lot of devices, so it's worth a shot.
My understanding is that some Android versions default to SSL over TLS and fall back to regular DNS eventually. The latest pfSense release seemed to "cut off" a lot of recent Android devices (they'd eventually load sites and things, but large numbers of DNS requests timing out = users thinking the internet was down).
-
You mean this one:
That's an option for a purely paranoid network, where even the DNS LAN traffic has to be encrypted.
Only experts, who control every connected device, and fools would activate this option (imho). I've never played with this option. I don't know, right now, if my own devices even support it.
-
@Gertjan I wonder how one might test such a situation...
-
@2fst4u Turn off DHCP Registration in DNS Resolver until the need for reloading is fixed in some future version.
How much RAM does your pfsense box have and how many pfblocker dns entries do you have? Low RAM with large pfblocker lists leads to long unbound restart times.
-
@Gertjan that's fine. I have seen many installations where it was turned on just to support it for the devices that wanted it - until recently, that never seemed to be a problem. Just thought I'd put the information out there in case you happened to have turned it on.
-
@beatvjiking said in PFSense not playing nicely with Android TV:
We've seen issues with Android devices when Unbound has the "respond to SSL/TLS queries" option on. Turning it off fixes it. Interestingly, the Android devices reporting the problems also have problems with Google's own DNS. I haven't had a chance to get my hands on any of the devices in question, but this behavior's been confirmed in a lot of places on a lot of devices, so it's worth a shot.
My understanding is that some Android versions default to SSL over TLS and fall back to regular DNS eventually. The latest pfSense release seemed to "cut off" a lot of recent Android devices (they'd eventually load sites and things, but large numbers of DNS requests timing out = users thinking the internet was down).
Thank you for the suggestion. I gave this a try and let it run for a few days but the TV has still had this issue just as often as it was previously. It was worth a shot and I'll leave that setting off now anyway.
@sotirone said in PFSense not playing nicely with Android TV:
@2fst4u Turn off DHCP Registration in DNS Resolver until the need for reloading is fixed in some future version.
How much RAM does your pfsense box have and how many pfblocker dns entries do you have? Low RAM with large pfblocker lists leads to long unbound restart times.
It's an SG-3100. I've pared down my pfblocker lists to just four DNS ones. It's not so much that unbound is taking a long time to reload, I think, it's just that when it does reload (maybe - I'm still not sure that's why) the TV gives up trying.
-
@2fst4u 4 lists could still have millions of entries. Do a Force Reload on the pfblocker page and see how many total entries it says it loaded.
The usual culprit for unbound reloading frequently as mentioned before is the DHCP Registration in DNS Resolver. That means every time a DHCP client connects (and maybe disconnects?) unbound reloads to update. This is especially problematic when you have many Wifi clients that might connect and disconnect frequently for whatever reason. I think I read somewhere in here that a fix is being worked on for a future release. The current fix is to disable the DHCP Registration in DNS Resolver.
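Whether unbound is really restarting often enough to matter is something the log can settle before anything else gets changed. The script below is an added example for this thread, not code from pfSense, Unbound or any poster: it reads Unbound's own "start of service" / "service stopped" messages out of a syslog-style resolver log, counts restarts, measures how long the resolver was down each time, and finds the busiest one-hour window. The sample log is constructed here, and the exact syslog prefix pfSense puts in front of Unbound's messages is an assumption; adjust LINE_RE if your log looks different.

```python
"""Count Unbound restarts and outage gaps from a resolver log.

Added example, not from pfSense or Unbound. The line format below (syslog prefix
followed by Unbound's own 'info: start of service' / 'info: service stopped'
messages) is an assumption; the sample log is constructed, not captured."""
import re
from datetime import datetime, timedelta

# Constructed sample: three restarts, one of them 28 s long, plus a noise line.
SAMPLE_LOG = """\
Jun 18 20:00:01 pfSense unbound[4120]: [4120:0] info: start of service (unbound 1.9.6).
Jun 18 20:07:44 pfSense unbound[4120]: [4120:0] info: service stopped (unbound 1.9.6).
Jun 18 20:07:51 pfSense unbound[5291]: [5291:0] info: start of service (unbound 1.9.6).
Jun 18 20:09:02 pfSense unbound[5291]: [5291:0] info: service stopped (unbound 1.9.6).
Jun 18 20:09:30 pfSense unbound[5902]: [5902:0] info: start of service (unbound 1.9.6).
Jun 18 20:09:31 pfSense unbound[5902]: [5902:0] info: modules: 2 [ validator iterator ]
Jun 18 20:40:10 pfSense unbound[5902]: [5902:0] info: service stopped (unbound 1.9.6).
Jun 18 20:40:14 pfSense unbound[6117]: [6117:0] info: start of service (unbound 1.9.6).
"""

# Syslog timestamp, host, "unbound[pid]: [pid:thread] info: <event>".  Assumed format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: \[\d+:\d+\] "
    r"info: (?P<event>start of service|service stopped)"
)


def parse_events(text, year=2019):
    """Return [(datetime, event)] for every start/stop line; syslog has no year, so supply one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ordinary query/info lines are not restart events
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"]))
    return events


def restart_stats(events):
    """Summarise restarts: how many, how long each outage lasted, shortest gap between starts."""
    starts = [ts for ts, ev in events if ev == "start of service"]
    outages = []
    pending_stop = None
    for ts, ev in events:  # pair each stop with the next start to get the outage length
        if ev == "service stopped":
            pending_stop = ts
        elif pending_stop is not None:
            outages.append(int((ts - pending_stop).total_seconds()))
            pending_stop = None
    intervals = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    return {
        "starts": len(starts),
        "stops": len(events) - len(starts),
        "outages_s": outages,
        "longest_outage_s": max(outages, default=0),
        "shortest_interval_s": min(intervals, default=0),
    }


def worst_hour(events, window=timedelta(hours=1)):
    """Maximum number of starts inside any rolling window (default one hour)."""
    starts = sorted(ts for ts, ev in events if ev == "start of service")
    best, lo = 0, 0
    for hi, ts in enumerate(starts):
        while ts - starts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(restart_stats(ev))
    print("most starts in any hour:", worst_hour(ev))
```

Feed it the real log (on pfSense: Status > System Logs > DNS Resolver, or the file behind it) and compare the outage lengths with the client's DNS timeout. A handful of 4 to 30 second gaps per hour is exactly the pattern that would show up as "the TV gave up" while desktop clients barely notice.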
-
@sotirone pfblocker only reloads at midnight though, so surely it isn't forcing unbound to reload, right?
I've disabled the registration of DHCP clients too. Unfortunately the problem persists.
-
I think I might have resolved my particular issue... I was timing the incidences of the lock-ups of my TV & I could only get about 1 hour before having to reboot it, to resolve the problem. I believe that I set my DHCP lease to 3600s during a DNS outage, as it was causing havoc, having to wait for my devices to re-establish their DNS serviceability.
Anyway, I just set the TV’s IP from automatic, to manual & it has since managed to automatically continue-play a second episode of a Netflix TV show I’ve been watching...
I remain hopeful & will update you if it looks like it has been completely resolved.
-
I can confirm that manually configuring my TV’s network settings has resolved the regular freeze-ups.
Good luck @2fst4u
-
Sounds more like your TV was having issues renewing its lease, to be honest, vs. a DNS-related problem.
-
I was having a myriad of issues with an Android P device after upgrading to 2.4.4_3 and also having SSL/TLS DNS turned on; this would cause intermittent DNS lookups to take an excessively long time (2-3 minutes). I don't use forwarding. I captured packets and there was a ton of TLS spam between pfSense and said device, all for DNS, with intermittent communication breakdowns and retries.
Being that I probably gave the settings a once-over when doing the upgrade to 2.4.4_3, I am unsure whether it is something specifically in that version or if it's a coincidence. Regardless, turning it off is a workaround for now. I'm not sure if a proper certificate is needed for this to work properly or if it's just a bug.
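Two questions in this thread (how one would test the "respond to SSL/TLS queries" situation, and whether a proper certificate is needed for it to work) can be answered from any laptop on the LAN. The probe below is an added example, not code from pfSense, Unbound, Android or any poster. It does what a DoT-capable client does: one plain lookup on UDP/53, then a DNS-over-TLS lookup on TCP/853 with certificate checking off (the opportunistic behaviour, where the client only needs the handshake to succeed) and again with checking on (strict mode, where the certificate must chain to a trusted CA and match the name or IP). Each step is timed, so a resolver that answers on 853 but stalls or fails the handshake shows up as the multi-second delays described above. The resolver address 192.168.1.1 and the test name are assumptions; change them for your network.

```python
"""Probe a LAN resolver for plain DNS (UDP/53) and DNS over TLS (TCP/853).

Added example; not code from pfSense, Unbound or Android. RESOLVER and TEST_NAME
are assumptions. Run it from a LAN client against the pfSense DNS Resolver."""
import socket
import ssl
import struct
import time

RESOLVER = "192.168.1.1"       # assumption: pfSense LAN address
TEST_NAME = "www.netflix.com"  # assumption: any name the TV would resolve
TIMEOUT = 5.0


def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_tcp(message):
    """DNS over TCP/TLS framing: two-byte big-endian length prefix (RFC 1035, RFC 7858)."""
    return struct.pack("!H", len(message)) + message


def parse_response(data, expected_txid):
    """Sanity-check the header; return rcode, answer count and TC bit. Raise on junk."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        buf += chunk
    return buf


def probe_udp(resolver, name, timeout=TIMEOUT):
    """Classic Do53 lookup: what a client falls back to once DoT gives up."""
    txid = 0x5301
    query = build_query(name, txid=txid)
    t0 = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        data, _ = s.recvfrom(4096)
    result = parse_response(data, txid)
    result["ms"] = round((time.monotonic() - t0) * 1000, 1)
    return result


def probe_dot(resolver, name, verify, timeout=TIMEOUT):
    """DoT lookup on 853. verify=False: any certificate is accepted (opportunistic).
    verify=True: certificate must chain to a trusted CA and match `resolver` (strict)."""
    txid = 0x8530
    query = build_query(name, txid=txid)
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    t0 = time.monotonic()
    with socket.create_connection((resolver, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(frame_tcp(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            result = parse_response(recv_exact(tls, length), txid)
            result["tls"] = tls.version()
    result["ms"] = round((time.monotonic() - t0) * 1000, 1)
    return result


if __name__ == "__main__":
    print("UDP/53            :", probe_udp(RESOLVER, TEST_NAME))
    for verify in (False, True):
        mode = "strict" if verify else "opportunistic"
        try:
            print(f"DoT {mode:14}:", probe_dot(RESOLVER, TEST_NAME, verify))
        except (OSError, ValueError) as exc:
            print(f"DoT {mode:14}: FAILED ({type(exc).__name__}: {exc})")
```

With the pfSense option off, the opportunistic probe should fail immediately with a connection refused, which is the quick "not available, use port 53" answer a client wants. With it on, watch the opportunistic timing: a handshake that succeeds but takes seconds, or a connection that accepts and then hangs until TIMEOUT, reproduces the symptom without needing the TV. The strict probe failing with a certificate verification error while the opportunistic one succeeds simply means the resolver's certificate is self-signed or does not carry 192.168.1.1 as a SAN; that is harmless for opportunistic clients and only matters if a client is pinned to the resolver's hostname.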