DHCP6 makes DNS Resolver/Forwarder constantly restart [Solved]



  • Hello,

    Unbound constantly restarts, making the internet almost unusable. The issue is present with both DNSmasq and Unbound if I switch between them.

    "DHCP Registration" is disabled.

    DNS resolver log (followed by the same log filtered to show the frequency):

     Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:14 	unbound 	47339:0 	info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:14 	unbound 	47339:0 	info: service stopped (unbound 1.9.1).
    Dec 30 23:34:11 	unbound 	47339:0 	info: start of service (unbound 1.9.1).
    Dec 30 23:34:11 	unbound 	47339:0 	notice: init module 1: iterator
    Dec 30 23:34:11 	unbound 	47339:0 	notice: init module 0: validator
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
    Dec 30 23:34:09 	unbound 	96393:0 	info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    Dec 30 23:34:09 	unbound 	96393:0 	info: service stopped (unbound 1.9.1).
    Dec 30 23:34:07 	unbound 	96393:0 	info: start of service (unbound 1.9.1).
    Dec 30 23:34:07 	unbound 	96393:0 	notice: init module 1: iterator
    Dec 30 23:34:07 	unbound 	96393:0 	notice: init module 0: validator 
    
    Dec 30 13:07:04 	unbound 	55350:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:59 	unbound 	10645:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:55 	unbound 	60753:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:50 	unbound 	87885:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:45 	unbound 	38436:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:39 	unbound 	94372:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:35 	unbound 	48064:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:31 	unbound 	3532:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:26 	unbound 	55485:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:21 	unbound 	11420:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:16 	unbound 	66189:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:12 	unbound 	20646:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:06 	unbound 	75631:0 	info: start of service (unbound 1.9.1).
    Dec 30 13:06:01 	unbound 	87361:0 	info: start of service (unbound 1.9.1). 
    

    I am not sure if this is linked to this issue (maybe the cause or a consequence), but I get the following error messages with a matching frequency:

    System/Routing

    Dec 30 13:11:06 	radvd 	25516 	resuming normal operation
    Dec 30 13:11:06 	radvd 	25516 	invalid all-zeros prefix in /var/etc/radvd.conf, line 9
    Dec 30 13:11:06 	radvd 	25516 	attempting to reread config file 
    
    Dec 30 13:07:05 	radvd 	25516 	resuming normal operation
    Dec 30 13:07:00 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:56 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:51 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:45 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:40 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:36 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:32 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:27 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:22 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:17 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:13 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:07 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:04 	radvd 	25516 	resuming normal operation
    Dec 30 13:06:02 	radvd 	25516 	resuming normal operation 
    Dec 30 13:05:58 	radvd 	25516 	resuming normal operation 
    

    System/General

     Dec 30 13:07:05 	php-fpm 	18286 	/rc.newwanipv6: Removing static route for monitor fe80::d257:94ff:fe47:20da and adding a new route through fe80::d257:94ff:fe47:20da%igb0
    Dec 30 13:07:02 	php-fpm 	18286 	/rc.newwanipv6: rc.newwanipv6: on (IP address: 2a01:cb1c:4a1:ce00:290:bff:fea2:9c77) (interface: wan) (real interface: igb0).
    Dec 30 13:07:02 	php-fpm 	18286 	/rc.newwanipv6: rc.newwanipv6: Info: starting on igb0.
    Dec 30 13:07:01 	check_reload_status 		Reloading filter
    
    Dec 30 13:07:06 	check_reload_status 		Reloading filter
    Dec 30 13:07:01 	check_reload_status 		Reloading filter
    Dec 30 13:06:56 	check_reload_status 		Reloading filter
    Dec 30 13:06:52 	check_reload_status 		Reloading filter
    Dec 30 13:06:51 	check_reload_status 		Reloading filter
    Dec 30 13:06:46 	check_reload_status 		Reloading filter
    Dec 30 13:06:41 	check_reload_status 		Reloading filter
    Dec 30 13:06:37 	check_reload_status 		Reloading filter
    Dec 30 13:06:33 	check_reload_status 		Reloading filter
    Dec 30 13:06:28 	check_reload_status 		Reloading filter
    Dec 30 13:06:23 	check_reload_status 		Reloading filter
    Dec 30 13:06:18 	check_reload_status 		Reloading filter
    Dec 30 13:06:14 	check_reload_status 		Reloading filter
    Dec 30 13:06:08 	check_reload_status 		Reloading filter
    Dec 30 13:06:03 	check_reload_status 		Reloading filter
    Dec 30 13:05:59 	check_reload_status 		Reloading filter 
    

    System/Gateways

    Dec 30 13:07:05 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:07:00 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:07:00 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:56 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:56 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:52 	dpinger 		WAN_DHCP6 fe80::d257:94ff:fe47:20da%igb0: Alarm latency 849us stddev 301us loss 33%
    Dec 30 13:06:51 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:51 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:46 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:46 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:40 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:40 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:36 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:36 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:32 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:32 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:27 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:27 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:22 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:22 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:17 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:17 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:13 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:13 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:07 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:07 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:06:02 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:06:02 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP "
    Dec 30 13:05:58 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr fe80::d257:94ff:fe47:20da%igb0 bind_addr fe80::290:bff:fea2:9c77%igb0 identifier "WAN_DHCP6 "
    Dec 30 13:05:58 	dpinger 		send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 0 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 192.168.1.1 bind_addr 192.168.1.10 identifier "WAN_DHCP " 
    

    I noticed this issue since I changed ISP (but maybe it existed before).
    Not sure if this is linked, but the pfSense router is behind the ISP box (that changed with the ISP; the previous one was set up in "Bridge" mode, the new one does not have this mode).

    I would really appreciate help on this point, I have already spent several hours trying to understand without success.

    Thank you in advance.

    EDIT: I finally found that the cause is only with Interfaces/WAN/IPv6 Configuration Type set to DHCP6.



  • After more searching, I think the issue is not with the DNS itself but with something that makes it restart. It also makes "php-fpm" restart with the same frequency.

    I tried to disable the gateway monitoring, but this did not solve the issue (it only stopped the dpinger output).

    I also tried to disable pfBlockerNG/DNSBL with no success.

    Concerning the radvd error invalid all-zeros prefix in /var/etc/radvd.conf, line 9

    Here is my /var/etc/radvd.conf content:

    # Automatically Generated, do not edit
    # Generated config for dhcp6 delegation from wan on lan
    interface igb1 {
            AdvSendAdvert on;
            MinRtrAdvInterval 5;
            MaxRtrAdvInterval 10;
            AdvLinkMTU 1500;
            AdvOtherConfigFlag on;
            prefix ::/64 {
                    AdvOnLink on;
                    AdvAutonomous on;
                    AdvRouterAddr on;
            };
            DNSSL LEGION { };
    };
    

    It doesn't like the prefix ::/64 { line, but how can this be fixed, and is this the DNS restart trigger?

    As a temporary workaround I use a NAT redirection to send all DNS requests from my network to 1.1.1.1, but this breaks all the nice DNS-related pfSense features (local DNS, DNSBL, ...).
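
One way to test the idea in the posts above, that something else is restarting the resolver, is to merge the per-service logs and list which events precede every Unbound start. This is an added example, not part of the thread; the sample lines are constructed in the layout of the excerpts above, and the function names, the 5-second window and the flapping thresholds are assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample (newest first) in the tab-separated layout of the log
# excerpts in the thread: timestamp, process, pid, message.
SAMPLE = """\
Dec 30 13:07:05 \tradvd \t25516 \tresuming normal operation
Dec 30 13:07:04 \tunbound \t55350:0 \tinfo: start of service (unbound 1.9.1).
Dec 30 13:07:02 \tphp-fpm \t18286 \t/rc.newwanipv6: rc.newwanipv6: Info: starting on igb0.
Dec 30 13:07:01 \tcheck_reload_status \t\tReloading filter
Dec 30 13:07:00 \tradvd \t25516 \tresuming normal operation
Dec 30 13:06:59 \tunbound \t10645:0 \tinfo: start of service (unbound 1.9.1).
Dec 30 13:06:57 \tphp-fpm \t18286 \t/rc.newwanipv6: rc.newwanipv6: Info: starting on igb0.
Dec 30 13:06:56 \tcheck_reload_status \t\tReloading filter
Dec 30 13:06:55 \tunbound \t60753:0 \tinfo: start of service (unbound 1.9.1).
Dec 30 13:06:53 \tphp-fpm \t18286 \t/rc.newwanipv6: rc.newwanipv6: Info: starting on igb0.
Dec 30 13:06:52 \tdpinger \t\tWAN_DHCP6 fe80::d257:94ff:fe47:20da%igb0: Alarm latency 849us stddev 301us loss 33%
Dec 30 13:06:52 \tcheck_reload_status \t\tReloading filter
"""


def parse(text, year=2000):
    """Return sorted (timestamp, process, message) tuples; the logs carry no
    year, so `year` is an arbitrary value used only to subtract timestamps."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().split("\t", 3)]
        if len(parts) != 4:
            continue  # not a log line in the expected layout
        ts = datetime.strptime(f"{year} {parts[0]}", "%Y %b %d %H:%M:%S")
        events.append((ts, parts[1], parts[3]))
    return sorted(events)


def starts_of(events, proc, marker):
    return [ts for ts, p, msg in events if p == proc and marker in msg]


def restart_gaps(events, proc="unbound", marker="start of service"):
    """Seconds between consecutive service starts of `proc`."""
    starts = starts_of(events, proc, marker)
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def is_flapping(gaps, max_median_s=30, min_restarts=3):
    """Heuristic (thresholds are assumptions): several restarts, close together."""
    return len(gaps) + 1 >= min_restarts and median(gaps) <= max_median_s


def common_precursors(events, proc="unbound", marker="start of service", window_s=5):
    """(process, message prefix) pairs logged within `window_s` seconds
    before every single restart of `proc`: the candidates for the trigger."""
    starts = starts_of(events, proc, marker)
    seen = Counter()
    for start in starts:
        seen.update({(p, msg.split(":", 1)[0]) for ts, p, msg in events
                     if p != proc and 0 <= (start - ts).total_seconds() <= window_s})
    return sorted(key for key, n in seen.items() if n == len(starts))


if __name__ == "__main__":
    ev = parse(SAMPLE)
    gaps = restart_gaps(ev)
    print("gaps (s):", gaps, "flapping:", is_flapping(gaps))
    for proc, what in common_precursors(ev):
        print("precedes every restart:", proc, "-", what)
```

In the constructed sample the radvd and dpinger messages do not precede every restart, so they are filtered out and only the filter reload and the rc.newwanipv6 run remain as candidates.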



  • The issue disappears if I set Interfaces/WAN/IPv6 Configuration Type to StaticIPv6 instead of DHCP6.

    I use the default configuration for DHCP6, so there may be something to configure on it to make it work properly.


  • LAYER 8 Global Moderator

    well good luck getting dhcp with prefix delegation and tracking for your ipv6 behind a nat router.. Which I highly doubt supports prefix delegation to downstream routers.

    Does your new isp even support IPv6?

    Easiest solution is to just set IPv6 to none if your isp doesn't support it.. You can always setup a HE tunnel if they do not, or you're forced to live behind their nat device.



  • The ISP supports IPv6 (Orange France).

    The ISP router (Orange Livebox 5) provides an IPv6 address and an IPv6 prefix (with a CIDR like xxxx:xxxx:xxxx:xxxx::/56).
    I don't know exactly how this is configured; their device is very basic and does not provide any options.


  • LAYER 8 Global Moderator

    well a /56 if not delegated is junk... You can not actually assign that to an interface.. a /56 would be delegated to a router, which could then assign subs of that in /64s to its lan side interfaces...

    So their device shows a /56 on its wan? What does it show on its lan.. Does pfsense get an IP on its wan?

    I would suggest you contact your isp on how to put a router behind and delegate say a /60 from their /56 to pfsense, so it can use /64s out of that for its lan.



  • @Ginn said in DHCP6 makes DNS Resolver/Forwarder constantly restart:

    (that changed with the ISP; the previous one was set up in "Bridge" mode, the new one does not have this mode).

    Are you sure? On some modems, bridge mode is well hidden. On the local phone company's ADSL modem, it's called PPPoE bypass. If they really don't support that, then providing anything more than a /64 is pretty much useless.



  • @johnpoz said in DHCP6 makes DNS Resolver/Forwarder constantly restart:

    So their device shows a /56 on its wan? What does it show on its lan.. Does pfsense get an IP on its wan?

    Here is all the information I have on WAN, LAN and IPv6:
    Screenshot_20200101_130931.png
    Screenshot_20200101_131034.png
    Screenshot_20200101_131145.png
    The IPv6 Address on the Network/IPv6 page is the same as the WAN IPv6 address from the System information/Internet page.

    pfSense also got the same IPv6 address when its WAN configuration was set to DHCP6 (the one I set as static IP, but looking at your explanation, this looks useless).

    @JKnott said in DHCP6 makes DNS Resolver/Forwarder constantly restart:

    Are you sure? On some modems, bridge mode is well hidden. On the local phone company's ADSL modem, it's called PPPoE bypass. If they really don't support that, then providing anything more than a /64 is pretty much useless.

    Yes, based on information from some forums specialized on this ISP, this seems to be a well known issue with this ISP's devices...

    The only workaround this device allows, which does not help in this case (because it does not allow routing), is to use the following "DMZ" option:
    Screenshot_20200101_133722.png
    😓

    The only solution I found is to totally remove the ISP device, replacing it with an ONT, and configuring pfSense to work with the ISP (that looks a little tricky based on forum comments, but feasible). Since I do not have an ONT now, this will wait.



  • @Ginn said in DHCP6 makes DNS Resolver/Forwarder constantly restart:

    Yes, based on information from some forums specialized on this ISP, this seems to be a well known issue with this ISP's devices...

    Do they have another device available? Can you buy your own?



  • They do not provide any other device.



  • @Ginn

    Will they allow you to buy your own from elsewhere and use that? Some ISPs will and some won't. My own ISP, the local cable TV company won't, but a 3rd party ISP, connected via the same cable, allows customers to buy their own modem.



  • Not sure if they will or won't. It is hard to find information about this.
    I found some examples of people using pfSense directly behind the external ONT provided by the ISP. But that was with older versions of the device with an external ONT; it is included in the device for the new version.

    Not sure asking for the old version is a good option since it will likely reduce the bandwidth.

    I will need to ask support if I want more information on this.

