    DNS crashing every ~ 36 hours or so and unbound has to be restarted.

    General pfSense Questions
    • G
      gawainxx last edited by

      I've been having an issue where DNS has been crapping out every other day or so and I'm having to restart the DNS (unbound?) service in order to restore service.

      The only thing I've really done in the time period before this began was configuring log forwarding to a Splunk instance...
      I suppose it could be related and I might try turning it back off although that will hamper my ability to collect troubleshooting information.

      Can someone please provide any insight such as possible causes and processes or other things to focus on when looking through the syslogs?

      1 Reply Last reply Reply Quote 0
      • G
        gawainxx last edited by stephenw10

        Think I may have found something.

        I see the following entries right before a complete absence of any logging data from unbound until the service is restarted.

        12/6/19
        3:13:42.000 AM
        Dec  6 03:13:39 unbound: [92636:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
        host = gateway   source = udp:7001   sourcetype = pfsense:unbound
        12/6/19
        3:13:42.000 AM
        Dec  6 03:13:39 unbound: [92636:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
        host = gateway   source = udp:7001   sourcetype = pfsense:unbound
        12/6/19
        3:13:42.000 AM
        Dec  6 03:13:39 unbound: [92636:0] notice: Restart of unbound 1.9.1.
        
        1 Reply Last reply Reply Quote 0
        • Gertjan
          Gertjan last edited by

          @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

          host = gateway   source = udp:7001   sourcetype = pfsense:unboun

          Hi,
          Can you show the unbound.conf file?
          It's here: /var/unbound/unbound.conf

          (and not here in the root = /unbound.conf)

          No "help me" PM's please. Use the forum.

          G 2 Replies Last reply Reply Quote 0
          • G
            gawainxx @Gertjan last edited by

            This post is deleted!
            1 Reply Last reply Reply Quote 0
            • G
              gawainxx @Gertjan last edited by stephenw10

              @Gertjan
              Sorry, I had a derp moment and was accessing the wrong server.

              
              ##########################
              # Unbound Configuration
              ##########################
              
              ##
              # Server configuration
              ##
              server:
              
              chroot: /var/unbound
              username: "unbound"
              directory: "/var/unbound"
              pidfile: "/var/run/unbound.pid"
              use-syslog: yes
              port: 53
              verbosity: 1
              hide-identity: yes
              hide-version: yes
              harden-glue: yes
              do-ip4: yes
              do-ip6: yes
              do-udp: yes
              do-tcp: yes
              do-daemonize: yes
              module-config: "validator iterator"
              unwanted-reply-threshold: 0
              num-queries-per-thread: 4096
              jostle-timeout: 200
              infra-host-ttl: 900
              infra-cache-numhosts: 10000
              outgoing-num-tcp: 10
              incoming-num-tcp: 10
              edns-buffer-size: 4096
              cache-max-ttl: 86400
              cache-min-ttl: 0
              harden-dnssec-stripped: yes
              msg-cache-size: 4m
              rrset-cache-size: 8m
              
              num-threads: 2
              msg-cache-slabs: 2
              rrset-cache-slabs: 2
              infra-cache-slabs: 2
              key-cache-slabs: 2
              outgoing-range: 4096
              #so-rcvbuf: 4m
              auto-trust-anchor-file: /var/unbound/root.key
              prefetch: no
              prefetch-key: no
              use-caps-for-id: no
              serve-expired: no
              # Statistics
              # Unbound Statistics
              statistics-interval: 0
              extended-statistics: yes
              statistics-cumulative: yes
              
              # TLS Configuration
              tls-cert-bundle: "/etc/ssl/cert.pem"
              
              # Interface IP(s) to bind to
              interface-automatic: yes
              interface: 0.0.0.0
              interface: ::0
              
              # Outgoing interfaces to be used
              
              # DNS Rebinding
              # For DNS Rebinding prevention
              private-address: 10.0.0.0/8
              private-address: ::ffff:a00:0/104
              private-address: 172.16.0.0/12
              private-address: ::ffff:ac10:0/108
              private-address: 169.254.0.0/16
              private-address: ::ffff:a9fe:0/112
              private-address: 192.168.0.0/16
              private-address: ::ffff:c0a8:0/112
              private-address: fd00::/8
              private-address: fe80::/10
              # Set private domains in case authoritative name server returns a Private IP address
              private-domain: "_msdcs.britannia2.local"
              domain-insecure: "_msdcs.britannia2.local"
              private-domain: "britannia2.local"
              domain-insecure: "britannia2.local"
              
              
              # Access lists
              include: /var/unbound/access_lists.conf
              
              # Static host entries
              include: /var/unbound/host_entries.conf
              
              # dhcp lease entries
              include: /var/unbound/dhcpleases_entries.conf
              
              
              
              # Domain overrides
              include: /var/unbound/domainoverrides.conf
              
              
              # Unbound custom options
              server: 
              # Allow plex to work over LAN
              private-domain: "plex.direct"
              # Configuration for Britannia2.local with the PDC of mordred.britannia2.local
              local-data: "_ldap._tcp.your.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.Default-First-Site-Name._sites.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.pdc._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.gc._msdcs.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
              local-data: "_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
              local-data: "_ldap._tcp.30e36ab8-a6ac-4c64-85aa-0fbeb612a33b.domains._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "d4f866aa-a210-4c29-81a2-ebb256bdef7d._msdcs.britannia2.local 600 IN CNAME mordred.britannia2.local"
              local-data: "_kerberos._tcp.dc._msdcs.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
              local-data: "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
              local-data: "_ldap._tcp.dc._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_kerberos._tcp.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
              local-data: "_kerberos._tcp.Default-First-Site-Name._sites.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
              local-data: "_gc._tcp.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
              local-data: "_gc._tcp.Default-First-Site-Name._sites.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
              local-data: "_kerberos._udp.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
              local-data: "_kpasswd._tcp.britannia2.local 600 IN SRV 0 100 464 mordred.britannia2.local"
              local-data: "_kpasswd._udp.britannia2.local 600 IN SRV 0 100 464 mordred.britannia2.local"
              local-data: "_ldap._tcp.ForestDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.DomainDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
              local-data: "britannia2.local 600 IN A 192.168.4.5"
              local-data: "britannia2.local  600 IN A 192.168.4.5"
              local-data: "gc._msdcs.britannia2.local 600 IN A 192.168.4.5"
              local-data: "gc._msdcs.britannia2.local 600 IN A 192.168.4.5"
              local-data: "ForestDnsZones.britannia2.local 600 IN A 192.168.4.5"
              local-data: "ForestDnsZones.britannia2.local 600 IN A 192.168.4.5"
              local-data: "DomainDnsZones.britannia2.local 600 IN A 192.168.4.5"
              local-data: "DomainDnsZones.britannia2.local 600 IN A 192.168.4.5"
              
              
              ###
              # Remote Control Config
              ###
              include: /var/unbound/remotecontrol.conf
              
              
              1 Reply Last reply Reply Quote 0
              • Gertjan
                Gertjan last edited by

                Looks pretty normal to me.

                No "help me" PM's please. Use the forum.

                1 Reply Last reply Reply Quote 0
                • stephenw10
                  stephenw10 Netgate Administrator last edited by

                  Do you have pfBlocker installed with DNS-BL enabled? I don't see it in the conf file but that would update the file, potentially causing a problem.

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • Gertjan
                    Gertjan last edited by

                    @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                    config file

                    https://github.com/NLnetLabs/unbound/blob/e828d678bafb7ef0df32623f6883bc4bdc07dc5b/daemon/unbound.c#L664

                    The config file is actually ok: /unbound.conf - this file name is prefixed with the chrooted dir.
                    The chroot went wrong? => File system errors?

                    No "help me" PM's please. Use the forum.

                    Gertjan 1 Reply Last reply Reply Quote 0
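As an added example (not the thread's own code or a pfSense tool), a small parser for syslog lines in the layout the Splunk export above shows: it flags unbound fatal errors and restarts, reports long silences in unbound's logging (the symptom described above) and maps the chroot-relative path from the error back to the host path as Gertjan explains. The log lines and the config fragment are constructed sample input.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the syslog layout of the Splunk export above; the
# Splunk metadata line does not match the pattern and is skipped.
SAMPLE_LOG = """\
host = gateway   source = udp:7001   sourcetype = pfsense:unbound
Dec  6 01:00:12 unbound: [92636:0] info: start of service (unbound 1.9.1).
Dec  6 02:30:40 unbound: [92636:0] info: service stopped (unbound 1.9.1).
Dec  6 03:13:39 unbound: [92636:0] fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconf
Dec  6 03:13:39 unbound: [92636:0] notice: Restart of unbound 1.9.1.
Dec  6 15:20:01 unbound: [40123:0] info: start of service (unbound 1.9.1).
"""

# Constructed fragment of the posted unbound.conf, enough to locate the chroot
SAMPLE_CONF = """\
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
"""

# "Mon  D HH:MM:SS unbound: [pid:tid] level: message"; level may contain a
# space ("fatal error"), so it is matched lazily up to the first ": ".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"unbound: \[(?P<pid>\d+):(?P<tid>\d+)\] (?P<level>[a-z ]+?): (?P<msg>.*)$"
)


def parse_line(line, year):
    """Return (timestamp, pid, level, message), or None for non-unbound lines.
    syslog carries no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, int(m["pid"]), m["level"], m["msg"]


def analyze(text, year=2019, max_gap=timedelta(hours=2)):
    """Collect fatal errors, restarts and silences longer than max_gap.
    Each gap records whether the first line after it is a (re)start, which
    distinguishes 'unbound was down' from 'unbound was merely quiet'."""
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    findings = {"fatal": [], "restarts": [], "gaps": []}
    prev_ts = None
    for ts, pid, level, msg in events:
        if level == "fatal error":
            findings["fatal"].append((ts, msg))
        if level == "notice" and msg.startswith("Restart of unbound"):
            findings["restarts"].append(ts)
        if prev_ts is not None and ts - prev_ts > max_gap:
            resumed_by_start = msg.startswith(("start of service", "Restart"))
            findings["gaps"].append(
                (prev_ts, ts, int((ts - prev_ts).total_seconds()), resumed_by_start))
        prev_ts = ts
    return findings


def chroot_path(conf_text, logged_path):
    """Map a path unbound reports from inside its chroot to the host path.
    An empty or absent chroot: means the logged path is already the host path."""
    m = re.search(r'^\s*chroot:\s*"?([^"\s]*)"?', conf_text, re.M)
    if not m or m.group(1) == "":
        return logged_path
    return m.group(1).rstrip("/") + "/" + logged_path.lstrip("/")


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, msg in result["fatal"]:
        print(f"FATAL   {ts}  {msg[:60]}")
    for start, end, secs, down in result["gaps"]:
        print(f"SILENCE {start} -> {end} ({secs}s) ended by (re)start: {down}")
    print("logged /unbound.conf is really", chroot_path(SAMPLE_CONF, "/unbound.conf"))
```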
                    • G
                      gawainxx last edited by

                      Died again, help plox!

                      1 Reply Last reply Reply Quote 0
                      • stephenw10
                        stephenw10 Netgate Administrator last edited by

                        Need more info to help further. What's logged in the system log when it fails? Or just before it fails?

                        G 1 Reply Last reply Reply Quote 0
                        • G
                          gawainxx @stephenw10 last edited by

                          @stephenw10 I'll grab those logs for you in a bit once I'm able to access my network again, am currently remote and am locked out due to the issue.

                          My logs are divided by process within Splunk.
                          Is there a specific process that would have the most relevant log data?

                          G 1 Reply Last reply Reply Quote 0
                          • G
                            gawainxx @gawainxx last edited by gawainxx

                            Here are some logs, they are CSVs renamed to .txt
                            Unbound logs from 10:40am - 3 PM
                            1576040675_650.txt
                            System logs from 10:40am - 3 PM
                            1576040737_651.txt

                            I've also purged the DC related entries in my unbound config to see if that perhaps makes a change as I really only use that for labs/training stuff. Also adjusted my firewall rules so that I can access the router webUI from it, would have saved myself a lot of headache if I could have just restarted it via Ovpn.

                            1 Reply Last reply Reply Quote 0
                            • Gertjan
                              Gertjan last edited by

                              unbound is stopped and restarted.

                              More logs are needed to see which process is doing this. It could also be a hardware event like a "LINK UP / LINK UP"

                              Btw: this "plunked" unbound log is close to totally unreadable: possible to see the original one?
                              And while testing, can snort be sent on a holiday? What is snort protecting?

                              No "help me" PM's please. Use the forum.

                              1 Reply Last reply Reply Quote 0
                              • Gertjan
                                Gertjan @Gertjan last edited by

                                @Gertjan said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                File system errors ?

                                ?

                                No "help me" PM's please. Use the forum.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10
                                  stephenw10 Netgate Administrator last edited by

                                  Yeah, very hard to read that. You should export the snort logs separately and not log the main system log, that makes it much easier to see actual system events.
                                  But anyway nothing seems to be logged there, not much to go on.

                                  Running a filesystem check is probably a good idea.

                                  Steve

                                  G 1 Reply Last reply Reply Quote 0
                                  • G
                                    gawainxx @stephenw10 last edited by gawainxx

                                    @stephenw10
                                    Unfortunately the system logs have already looped and only go as far back as this morning.

                                    I've set up service watchdog to monitor the unbound process which will hopefully prevent the issue from causing extended outages while I work on getting it figured out. Snort is protecting my home network as well as a few miscellaneous things, mostly running for added security, I'm using one of the lighter pre-defined snort ruleset bundles.

                                    I've exported the data from splunk in a raw format, perhaps that will be closer to the original?

                                    Here are my logs from yesterday, the outage was around 10:56am, where there is an absolute absence of unbound log data until I had someone at home restart the server via console.

                                    UnboundIssues_SystemLogs.txt
                                    UnboundIssues_UnboundLogs.txt
                                    UnboundIssues_SnortLogs.txt

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10
                                      stephenw10 Netgate Administrator last edited by

                                      Nothing logged but that file error seems like a permissions issue.

                                      I would definitely run the file system check. I would consider just reinstalling and restoring, it's usually pretty quick.

                                      Steve

                                      G 1 Reply Last reply Reply Quote 0
                                      • G
                                        gawainxx last edited by

                                        This post is deleted!
                                        1 Reply Last reply Reply Quote 0
                                        • G
                                          gawainxx @stephenw10 last edited by

                                          @stephenw10

                                          Thanks,
                                          Here are the things I'm currently planning to do in order, moving to the next one if I see the service failure in the logs afterwards.

                                          • Gutting all non-critical code from my unbound.conf (Awaiting results on this currently).
                                          • SSHing to the router and running a filesystem check.
                                          • Toggling snort
                                          • Toggling Avahi
                                          • Toggling NUT
                                          • Reload and restore

                                          Seem fair?

                                          bmeeks 1 Reply Last reply Reply Quote 0
                                          • bmeeks
                                            bmeeks @gawainxx last edited by

                                            @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                            @stephenw10

                                            Thanks,
                                            Here are the things I'm currently planning to do in order, moving to the next one if I see the service failure in the logs afterwards.

                                            • Gutting all non-critical code from my unbound.conf (Awaiting results on this currently).
                                            • SSHing to the router and running a filesystem check.
                                            • Toggling snort
                                            • Toggling Avahi
                                            • Toggling NUT
                                            • Reload and restore

                                            Seem fair?

                                            Just an FYI. Snort and Unbound have absolutely nothing to do with each other in terms of Unbound starting or stopping. However, the DNSBL function of pfBlockerNG does rewrite the unbound.conf file and that can lead to Unbound issues.

                                            While troubleshooting it is certainly prudent to stop Snort to remove that variable, but Snort running or not will have no impact on Unbound stopping and failing to restart.

                                            G 1 Reply Last reply Reply Quote 0
                                            • G
                                              gawainxx last edited by

                                              That was my thought as well although another had suggested it may be related.

                                              Installed packages are as follows
                                              Avahi
                                              ntopng
                                              nut
                                              Openvpn-client-export
                                              service_watchdog (New per this thread)
                                              snort

                                              1 Reply Last reply Reply Quote 0
                                              • G
                                                gawainxx @bmeeks last edited by gawainxx

                                                @bmeeks

                                                So far I've gone a week without any issues after pulling the domain server forwarding code from my unbound.conf file.

                                                I would like to re-implement the code or an alternative setup to obtain the same goal.
                                                I have a domain controller, mordred.britannia2.local, which I use for CBT labs as well as testing some misc group policies before proposing them at work.
                                                I need systems on my server as well as test vlans to be able to do dns lookups for this system if they happen to be a domain member; I, however, only want domain specific DNS lookups going through it.

                                                Could you please advise me on how to best accommodate this so that only domain specific traffic is forwarded to the DC?

                                                I guess I could alternatively move the DC to one of my two test VLANS and add a static DNS record for it, although that'd be less than ideal for me.

                                                Here's the code I'd be looking to reimplement.
                                                There were 3 redundant entries towards the bottom that I have since cleaned up.

                                                server:
                                                # Allow plex to work over LAN
                                                private-domain: "plex.direct"
                                                # Configuration for Britannia2.local with the PDC of mordred.britannia2.local

                                                local-data: "_ldap._tcp.your.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.Default-First-Site-Name._sites.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.pdc._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.gc._msdcs.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.30e36ab8-a6ac-4c64-85aa-0fbeb612a33b.domains._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "d4f866aa-a210-4c29-81a2-ebb256bdef7d._msdcs.britannia2.local 600 IN CNAME mordred.britannia2.local"
                                                local-data: "_kerberos._tcp.dc._msdcs.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
                                                local-data: "_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.dc._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_kerberos._tcp.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
                                                local-data: "_kerberos._tcp.Default-First-Site-Name._sites.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
                                                local-data: "_gc._tcp.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
                                                local-data: "_gc._tcp.Default-First-Site-Name._sites.britannia2.local 600 IN SRV 0 100 3268 mordred.britannia2.local"
                                                local-data: "_kerberos._udp.britannia2.local 600 IN SRV 0 100 88 mordred.britannia2.local"
                                                local-data: "_kpasswd._tcp.britannia2.local 600 IN SRV 0 100 464 mordred.britannia2.local"
                                                local-data: "_kpasswd._udp.britannia2.local 600 IN SRV 0 100 464 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.ForestDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.DomainDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.britannia2.local 600 IN SRV 0 100 389 mordred.britannia2.local"
                                                local-data: "britannia2.local 600 IN A 192.168.4.5"
                                                local-data: "gc._msdcs.britannia2.local 600 IN A 192.168.4.5"
                                                local-data: "ForestDnsZones.britannia2.local 600 IN A 192.168.4.5"
                                                local-data: "DomainDnsZones.britannia2.local 600 IN A 192.168.4.5"

                                                overrides.PNG

                                                1 Reply Last reply Reply Quote 0
                                                • bmeeks
                                                  bmeeks last edited by bmeeks

                                                  So is the AD domain name "Britannia2.local"? If so, you simply need to add two entries to the Domain Override section of the DNS Resolver configuration page in pfSense.

                                                  Here is an example from my system. I have an internal AD domain and it contains two LAN subnets (192.168.10.0/24 and 192.168.20.0/24). In the example below, the 192.168.10.4 IP address is my AD domain controller.

                                                  Domain Override Example.png

                                                  So this tells Unbound that whenever someone attempts to lookup a host within the "themeeks.net" domain, it should forward the request to 192.168.10.4 (my internal AD domain controller) for resolution. Since I also wanted reverse IP lookups to work, I added the reverse pointer entries as well and set those to be forwarded to my AD domain controller, too.

                                                  For this to work, you must have your AD domain controller assigned a static IP address. That is really required anyway, though.

                                                  Don't try to put any of the AD records in Unbound! Just configure the domain override section for Unbound and let the AD DNS server handle all the Active Directory services lookups.

                                                  G 1 Reply Last reply Reply Quote 0
                                                  • johnpoz
                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                    Not a fan of this method - if you're an AD shop, then all your AD clients should be pointing to your AD for dns, and should use that as your dhcp as well..

                                                    If you want pfsense to be able to resolve your AD clients, and or any other clients that are not members of your domain to be able to resolve your ad stuff, then sure you can use a domain override as you have shown.

                                                    Keep in mind that you will have to set this domain as private or you're going to not resolve anything due to rebind protection. Or you would have to disable rebind protection across the board.

                                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                                    If you get confused: Listen to the Music Play
                                                    Please don't Chat/PM me for help, unless mod related
                                                    2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                                                    bmeeks 1 Reply Last reply Reply Quote 0
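The Domain Override bmeeks describes, together with johnpoz's "set this domain as private" caveat, written out as the unbound.conf it corresponds to. This is an added example, not the thread's config or pfSense's generated file; it uses the thread's domain and DC address, and assumes the DC is also authoritative for the reverse zone of 192.168.4.0/24.

```conf
# Added example: unbound.conf equivalent of a pfSense Domain Override for the
# AD domain britannia2.local, whose DC (mordred) is 192.168.4.5 in the posted
# config. Assumed: the DC also serves the reverse zone for 192.168.4.0/24.
server:
    # johnpoz's point: the DC answers with RFC 1918 addresses, which the
    # private-address rebinding protection in the posted config would reject.
    # Marking the zone private allows those answers without disabling
    # rebinding protection for every other domain.
    private-domain: "britannia2.local"
    # The AD zone is not DNSSEC-signed; pfSense pairs this with private-domain
    # (see the posted config) so the validator does not try to validate it.
    domain-insecure: "britannia2.local"
    # unbound ships a built-in AS112 zone for 168.192.in-addr.arpa that answers
    # NXDOMAIN locally; a more specific transparent zone lets the reverse
    # lookups for the DC's subnet reach the forwarder below instead.
    local-zone: "4.168.192.in-addr.arpa." transparent

# Everything under britannia2.local, including the _msdcs/_sites/_tcp SRV
# names that were hand-copied as local-data before, is answered by the DC.
forward-zone:
    name: "britannia2.local"
    forward-addr: 192.168.4.5

# Reverse lookups for the DC's subnet, so hosts in logs and the ARP table
# resolve to their names (the reverse pointer entries bmeeks mentions).
forward-zone:
    name: "4.168.192.in-addr.arpa"
    forward-addr: 192.168.4.5
```

On pfSense these settings come from the Domain Overrides and "Private Domains" fields of the DNS Resolver page rather than from editing unbound.conf, which pfBlockerNG and the GUI rewrite.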
                                                    • G
                                                      gawainxx @bmeeks last edited by

                                                      @bmeeks
                                                      That's how I swore it worked on one of my previous pfsense instances.. I wonder why it's having issues that are requiring me to throw stuff in the unbound.conf.

                                                      Without throwing that crap into the unbound config I was getting errors such as clients being unable to resolve _ldap._tcp.Default-First-Site-Name._sites.britannia2.local

                                                      Does my screenshot look correct?

                                                      bmeeks 1 Reply Last reply Reply Quote 0
                                                      • bmeeks
                                                        bmeeks @johnpoz last edited by

                                                        @johnpoz said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                        Not a fan of this method - if you're an AD shop, then all your AD clients should be pointing to your AD for dns, and should use that as your dhcp as well..

                                                        If you want pfsense to be able to resolve your AD clients, and or any other clients that are not members of your domain to be able to resolve your ad stuff, then sure you can use a domain override as you have shown.

                                                        Keep in mind that you will have to set this domain as private or you're going to not resolve anything due to rebind protection. Or you would have to disable rebind protection across the board.

                                                        @johnpoz:
                                                        This is only for pfSense in my case so that log entries and hosts in the ARP table resolve to their actual names. All my LAN clients do indeed point to the AD controller for DNS and get their addresses via DHCP from there.

                                                        I could have also just disabled the DNS Resolver and simply used the DNS Forwarder and forwarded everything from pfSense back to the AD domain controller. Six of one and half-a-dozen of the other in a manner of speaking.

                                                        1 Reply Last reply Reply Quote 0
                                                        • johnpoz
                                                          johnpoz LAYER 8 Global Moderator last edited by

                                                          Yeah, for pfSense to be able to resolve your AD stuff it's great and sure works as you stated. You just left off the rebind info - if you forward to something in unbound - it will fall under rebind if RFC 1918 is returned.

                                                          Not exactly sure what the OP is after - and setting up a domain override is fine.. Just not a fan of AD members pointing to anything other than their AD and using AD for DHCP... If you're an AD shop - why would you not just use what is part of what you're paying for anyway with your MS tax ;)

                                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                                          If you get confused: Listen to the Music Play
                                                          Please don't Chat/PM me for help, unless mod related
                                                          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                                                          • bmeeks
                                                            bmeeks @gawainxx last edited by bmeeks

                                                            @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                            @bmeeks
                                                            That's how I swore it worked on one of my previous pfSense instances.. I wonder why it's having issues that are requiring me to throw stuff in the unbound.conf.

                                                            Without throwing that crap into the unbound config I was getting errors such as clients being unable to resolve _ldap._tcp.Default-First-Site-Name._sites.britannia2.local

                                                            Does my screenshot look correct?

                                                            No, you don't need to enter that host information. Simply put the AD domain name in the override and then optionally any reverse pointer records if you also want to be able to resolve IP addresses back to hosts.

                                                            Also remove that "_msdcs" entry. You do not need to let pfSense be where your AD clients try to find AD services! Let the AD domain controller handle all of that. You only would put AD overrides in pfSense if you wanted, as I did, certain logging information on pfSense to have resolved host names from your AD domain.

                                                            • bmeeks
                                                              bmeeks @johnpoz last edited by bmeeks

                                                              @johnpoz said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                              • if you forward to something in unbound - it will fall under rebind if rfc1918 is returned.

                                                              True, but in my case there is no forwarding to Unbound. The only thing in my network that uses Unbound is pfSense itself. I do have the "DNS Rebind Check" disabled on the SYSTEM > ADVANCED tab and forgot to mention that.

                                                              • G
                                                                gawainxx @bmeeks last edited by gawainxx

                                                                @bmeeks

                                                                Without the stuff in unbound.conf present and just the domain override I get the following error on clients. If I plug in the IPv4 of the ADDS into the TCP/IP properties on the client it works though (however that's a shitty fix).

                                                                Note: This information is intended for a network administrator. If you are not your network's administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

                                                                The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "britannia2.local":

                                                                The error was: "DNS name does not exist."
                                                                (error code 0x0000232B RCODE_NAME_ERROR)

                                                                The query was for the SRV record for _ldap._tcp.dc._msdcs.britannia2.local

                                                                Common causes of this error include the following:

                                                                • The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

                                                                192.168.50.1

                                                                • One or more of the following zones do not include delegation to its child zone:

                                                                britannia2.local
                                                                local
                                                                . (the root zone)

                                                                [attached screenshot: Overrides2.PNG]

                                                                • bmeeks
                                                                  bmeeks @gawainxx last edited by bmeeks

                                                                  @gawainxx

                                                                  You are not understanding what I am saying. NO CLIENTS AT ALL should be asking pfSense for anything related to AD. The only reason the domain override should be there is for pfSense itself to resolve hostnames for logging purposes. Unbound does not understand how to serve up DNS service records for Active Directory. That's what AD DNS is for.

                                                                  All of your AD clients MUST have the IP address of the AD domain controller for the DNS server. Anything else and it won't work -- as you are seeing.

                                                                  Your clients in AD should all have their addresses (if not static) assigned by the AD DHCP server and that server should give them the AD domain controller for DNS resolutions.

                                                                  Set your AD domain controller's DNS service to forward to Unbound if you want Unbound to resolve external (non-AD) hosts or domains.

                                                                  • johnpoz
                                                                    johnpoz LAYER 8 Global Moderator @bmeeks last edited by

                                                                    @bmeeks said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                                    I do have the "DNS Rebind Check" disabled on the SYSTEM > ADVANCED tab and forgot to mention that.

                                                                    Why??? Just set the domain you're forwarding with your override set as private..


                                                                    • bmeeks
                                                                      bmeeks @johnpoz last edited by bmeeks

                                                                      @johnpoz said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                                      @bmeeks said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                                      I do have the "DNS Rebind Check" disabled on the SYSTEM > ADVANCED tab and forgot to mention that.

                                                                      Why??? Just set the domain you're forwarding with your override set as private..

                                                                      No reason other than it was an old leftover setting that migrated with upgrades over the years. I actually had forgotten about it until I was looking after being reminded by your earlier replies.

                                                                      It's been a long time, but I think that came along with the old DNS Forwarder many moons ago. I switched over to Resolver earlier this year just to stay more current. My old setting hid (or actually overrode) the need to set the particular domain as private. It would be better security practice for me to alter the setting and switch off the rebind override for all domains and instead just mark my AD domain as private.

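The rebind interaction johnpoz describes earlier (a forwarded zone that answers with RFC 1918 addresses falls under rebind protection unless the domain is marked private) and the fix bmeeks settles on in the post above (keep rebind protection on globally, mark only the AD domain private), as an added example that is not part of this thread or of pfSense: a small Python model of Unbound's `private-address` / `private-domain` handling, run over three constructed unbound.conf fragments. The directives are the ones Unbound documents; the parser and the decision logic are a simplification written for this example. 192.168.50.1 is the pfSense address quoted in the thread; the AD domain controller address 192.168.50.10, the host `dc1.britannia2.local`, the external name `evil.example.com` and the public address 203.0.113.10 are assumed.

```python
import ipaddress
import re

# Three constructed unbound.conf fragments (added example; not pfSense's generated
# unbound.conf). 192.168.50.1 is the pfSense address from the thread; the AD domain
# controller address 192.168.50.10 is an assumption.
CONF_REBIND_ON_NO_PRIVATE_DOMAIN = """
server:
    # "DNS Rebind Check" enabled: RFC 1918 answers are stripped from replies
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
forward-zone:                      # the domain override for the AD domain
    name: "britannia2.local"
    forward-addr: 192.168.50.10    # assumed AD DC address
"""

CONF_REBIND_OFF_GLOBALLY = """
server:
    # "DNS Rebind Check" disabled on SYSTEM > ADVANCED: no private-address lines at all
forward-zone:
    name: "britannia2.local"
    forward-addr: 192.168.50.10
"""

CONF_REBIND_ON_PRIVATE_DOMAIN = """
server:
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # the AD domain (and everything under it) may legitimately answer with private addresses
    private-domain: "britannia2.local"
forward-zone:
    name: "britannia2.local"
    forward-addr: 192.168.50.10
"""

_DIRECTIVE = re.compile(r'^\s*([a-z0-9-]+):\s*(.*?)\s*$')


def parse_unbound(text):
    """Minimal line-oriented parser for the handful of directives modelled here."""
    conf = {"private_address": [], "private_domain": [], "forward_zones": {}}
    zone = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if key == "server":
            zone = None
        elif key == "forward-zone":
            zone = {}
        elif key == "private-address":
            conf["private_address"].append(ipaddress.ip_network(value, strict=False))
        elif key == "private-domain":
            conf["private_domain"].append(value.rstrip(".").lower())
        elif key == "name" and zone is not None:
            zone["name"] = value.rstrip(".").lower()
            conf["forward_zones"][zone["name"]] = zone
        elif key == "forward-addr" and zone is not None:
            zone.setdefault("addrs", []).append(value)
    return conf


def answer_allowed(conf, qname, address):
    """True if Unbound would keep the address record (qname -> address).

    An address inside any private-address prefix is removed from answers unless
    qname is at or below a private-domain; public addresses are never affected.
    """
    ip = ipaddress.ip_address(address)
    if not any(ip in net for net in conf["private_address"]):
        return True
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in conf["private_domain"])


def forward_target(conf, qname):
    """Addresses the matching domain override forwards to, or None if Unbound
    would resolve the name itself."""
    name = qname.rstrip(".").lower()
    for zone_name, zone in conf["forward_zones"].items():
        if name == zone_name or name.endswith("." + zone_name):
            return zone["addrs"]
    return None


# Constructed answers: a legitimate AD host, an external name that answers with the
# firewall's LAN address (what rebind protection exists to block), and a public host.
SCENARIOS = {
    "ad_host": ("dc1.britannia2.local", "192.168.50.10"),
    "rebind_attempt": ("evil.example.com", "192.168.50.1"),
    "public": ("www.example.com", "203.0.113.10"),
}


def evaluate(conf_text):
    conf = parse_unbound(conf_text)
    return {label: answer_allowed(conf, q, a) for label, (q, a) in SCENARIOS.items()}


if __name__ == "__main__":
    for title, text in [("rebind on, no private-domain", CONF_REBIND_ON_NO_PRIVATE_DOMAIN),
                        ("rebind off globally", CONF_REBIND_OFF_GLOBALLY),
                        ("rebind on + private-domain", CONF_REBIND_ON_PRIVATE_DOMAIN)]:
        print(f"{title:30s} {evaluate(text)}")
```

The first fragment reproduces the symptom johnpoz warns about: the AD answer is stripped, so the override resolves nothing. The second (the old global setting bmeeks had inherited) makes the AD answer work but also lets an external name return the firewall's own LAN address. Only the third keeps both properties: AD names under the private domain resolve, and private addresses for everything else are still dropped.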
                                                                      • G
                                                                        gawainxx @bmeeks last edited by

                                                                        @bmeeks

                                                                        What's best practice in this case, were this a business network? Would the scope of subnets with domain clients be configured something like below?

                                                                        DNS Server #1 (PFsense Router)
                                                                        DNS Server #2 (AD DC), obviously the DC would differ depending upon the site if there is more than one controller.

                                                                        • bmeeks
                                                                          bmeeks @gawainxx last edited by bmeeks

                                                                          @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                                          @bmeeks

                                                                          What's best practice in this case, were this a business network? Would the scope of subnets with domain clients be configured something like below?

                                                                          DNS Server #1 (PFsense Router)
                                                                          DNS Server #2 (AD DC), obviously the DC would differ depending upon the site if there is more than one controller.

                                                                          No, you should never hand out any DNS server to Windows AD clients except the AD domain controller. Otherwise, they will randomly fail depending on whether they choose the pfSense Router or a real AD DNS server.

                                                                          Nothing in my network gets the pfSense firewall as its "DNS server" (save the actual firewall itself). The firewall does not need to look up AD stuff other than I like to be able to see my AD hostnames in logging entries and/or when looking at the ARP table. That's why I point pfSense to my AD DNS server. And I could just as easily tell pfSense to use my AD DNS servers for everything and never run Unbound on pfSense at all.

                                                                          • G
                                                                            gawainxx @bmeeks last edited by

                                                                            @bmeeks

                                                                            So in my particular case I should do one of the following?
                                                                            Set the DHCP scope of network segments that have my test clients in them to hand out the domain controller's IP address for DNS.
                                                                            OR for one-offs such as test servers I could modify their DHCP reservation to include the DNS address of the AD DC?

                                                                            • bmeeks
                                                                              bmeeks @gawainxx last edited by

                                                                              @gawainxx said in DNS crashing every ~ 36 hours or so and unbound has to be restarted.:

                                                                              @bmeeks

                                                                              So in my particular case I should do one of the following?
                                                                              Set the DHCP scope of network segments that have my test clients in them to hand out the domain controller's IP address for DNS.
                                                                              OR for one-offs such as test servers I could modify their DHCP reservation to include the DNS address of the AD DC?

                                                                              Yes, especially if those one-off servers would need to know about any AD-related things. Most likely if they are Windows servers then they will need to see an AD DNS server so they can locate the various domain services.

                                                                              • G
                                                                                gawainxx last edited by

                                                                                Thanks, makes sense.
