dhcp process errors in log

Gertjan

@louis2 said in dhcp process errors in log:

. Every couple of seconds I see a request e.g. from my Lan-printer (every 30 seconds).

@louis2 said in dhcp process errors in log:

not really exceptional

Not ????
It's plain broken - needs to be investigated.

@louis2 said in dhcp process errors in log:

I must think a bit longer about if it is yes or no a good idea to do the registration.

Noop. The thinking part is done.
Having 'restart' unbound every 30 seconds - give or take it 15 seconds start tile, that means half of the time your have no DNS system running.
DNS caching doesn't work, the cache is thrown away every 30 seconds.
No good at all.
Have a talk with this printer. And if the discussion doesn't work out, give it a fixed IPv4.

@louis2 said in dhcp process errors in log:

IMHO ridiculous to restart the dhcp server,

The dhcp server isn't restarting.
It's unbound, the Resolver, because one of the config files that he reads at start time is changed (a new device was registered to the network).
This subject is known for year - see my other (a couple of hundreds or so the last 4 years ?) 'unbound' versus DHCP Registration threads.
And no, pfSense doesn't write neither maintain unbound.

louis2

Gertjan,

I also tried SSH option 8
clog /var/log/resolver.log | grep 'Restart'

result (running 2.5 dev) is "command not found",
but from the normal log (I copied a piece below), lot of IPV6 but nothing really extreme, I think.

For info I have 9 VLAN's, all very very small, sometime only having one device at the moment, having DHCP enabled for IPV4 and IPV6.

Louis

Gertjan

@louis2 said in dhcp process errors in log:

(running 2.5 dev)

2.5.0 users (the exeprts !!) should know that 2.5.0 ditched clog - the log are 'plain text' now, no more rotating logs (clog).

So, what about a

cat /var/log/resolver.log | grep 'Restart'

I'm no expert, so I stay away from 2.5.0 ;)

louis2

Strange thing is that this HP-printer gets a static IP from the DHCP-server IPV4 and IPV6.

Louis
PS I was writing a mail with a part of the log as example, but the bloudy website did block it as spam.

Louis

Gertjan

@louis2 said in dhcp process errors in log:

HP-printer gets a static IP from the DHCP-server IPV4 and IPV6.

You mean you've set a "DHCP Static Mappings" or MAC based Lease for it ?

Set these on the DHCP server :

Or abandon DHCP usage for that printer : set it static : this has to be done "on the printer", not pfSense.

louis2

@Gertjan said in dhcp process errors in log:

cat /var/log/resolver.log | grep 'Restart'

the result is "zero" :)

default lease time (IPV6 only the printer) is 300 I see. I probably did that for testing, have change that bakc to the default two hours.

IPV4 was unchanged (default 7200 seconds)

Louis

louis2

Gertjan,

I did:

disable Register DHCP leases in the DNS Resolver
enabled Register DHCP static mappings in the DNS Resolver (did not change that)
DHCP V4 and V6 set lease times 7200 s every where (default)
Reboot

The log (one try only) did not show any of the following messages:

Jun 12 13:50:44 pfSense dhcpleases[88140]: kqueue error: unknown
Jun 12 13:50:44 pfSense dhcpleases[88140]: Could not deliver signal HUP to process because its pidfile (/var/run/unbound.pid) does not exist, No such process.
Jun 12 13:50:44 pfSense dhcpleases[49211]: /etc/hosts changed size from original!

cat /var/log/resolver.log | grep 'Restart' does not return any rows, just like before!

I do the static mapping normally from the DHCP-server, since I prefer a centralized management and IP-overview

As you already wrote:
Having 'restart' unbound every 30 seconds - give or take it 15 seconds start tile, that means half of the time your have no DNS system running.
DNS caching doesn't work, the cache is thrown away every 30 seconds.
No good at all. However that ubound behavoir is IMHO not good at all !!!

So to a certain extent we fixed this issue, however it is better to say that we mitigated it. It is not fixed nor OK.

Another remark you made "Having 'restart' unbound every 30 seconds - give or take it 15 seconds start tile, that means half of the time your have no DNS system running." Do make me thing about an issue I noted since two days, beeing service interruptions on Tidal (streaming service) and YouTube. I wonder if those issues where perhaps related to this DNS-issue ......

I will pay extra attention to that in the comming days.

Thanks for the mails,

Louis

louis2

@Gertjan said in dhcp process errors in log:

Having 'restart' unbound every 30 seconds

........ I do not know how unbound is exactly working nor how it is doing its job together with the dhcp server, however ...

I noticed that 2.5 develpment is running the very latest unbound version (1.10.1)
I also had a look at the unbound website "https://nlnetlabs.nl/documentation/unbound/unbound-control/"

under COMMANDS one of the commands is "reload" ...... so I do not understand the restarts needed at every change in the "host_entries.conf" as described in the discussion above ....

of course I admit that the errors are gone (I hope), but I do not understand what happens ...

Louis

Gertjan

@louis2 said in dhcp process errors in log:

under COMMANDS one of the commands is "reload" ...... so I do not understand the restarts needed at every change in the "host_entries.conf" as described in the discussion above ....

Unbound is open source.
Have a look, at what the control command "reload" does when the unbound process receives it.
It stops itself. And starts itself.
"It's in the code" ;)

@louis2 said in dhcp process errors in log:

........ I do not know how unbound is exactly working nor how it is doing its job together with the dhcp serve

It's a resolver.
A global wike.org page will detail that.

I tend to think :
Everything that is local can not be requested elsewhere, because how would the Internet know how to resolve "yourpc.yourlocaldomain" ?
So unbound knows that .yourlocaldomain is your local domain.
Everything else is known locally and resolved is used.
Use :

dig microsoft.com +trace

to see this work.

About the DHCP server :
It maintains a pool of IP address, and hand one over to a device if it asks one. When the device is doing so, it hands over a "host name" to the DHCP server. The DHCP server will put this name into it leases file /var/dhcpd/var/db/dhcpd.leases

If you just connected a file server to your network, with a host name like "fileserver" then the leases file will contain :

lease 192.168.1.115 {
  starts 1 2020/06/15 01:19:21;
  ends 2 2020/06/16 01:19:21;
  cltt 1 2020/06/15 01:19:21;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 30:3a:bb:8d:e6:69;
  uid "\0010:d\215\356c";
  set vendor-class-identifier = "MSFT 5.0";
  client-hostname "fileserver";
}

but if you want to use on another device (PC) something like this :

\\fileserver

or

\\fileserver.yourlocaldoman

then you wouldn't be able to fnd it.

unbound doesn't know what 'dhcpd' is, neither ca,, it read it's (internal) leases file.

That's where the process "dhcpleases" kicks in.
This process is created when you activate (check) :

It's a separate process, that reads the dhcpd leases files, finds new ones, and writes them to the /var/unbound/dhcpleases_entries.conf file, where unbound can find it.

unbound is not capable of detecting a change of that (any) configuration file during executing. It reads them only when it starts, as it is part of its configuration. Change that (any) configuration file could be seen as a configuration change. So : restart.

It's the choice of (pfSense) application that introduces a possible issue = very frequent unbound restarts. A redmine report was created years ago.
Possible solutions are : re write the resolver, or choose a resolver that handles this situation, like 'bind'.
Note : the file and memory footprint, compared to Unbound, is several ten times bigger ...

Ones the 'unbound' restarting issue is recognized and known, it can be solved easily.
We, as firewall router admins, have to to something to justify our jobs ^^
Some basic knowledge of DHCP and DNS are needed, though. Like a taxi driver should have a licence to drive ^^

louis2

Thanks again Gertjan,

Glad that the issue is gone now ...

However I do only partly agree on your taxi driver, story. IMHO problems should be fixed where they are .....

Louis