Unbound crashes periodically with signal 11
-
I got tired of seeing delayed DNS queries (because watchdog doesn't restart the service immediately), so I'm currently running a bash loop:
while true; do /usr/local/sbin/unbound -vd -c /var/unbound/unbound.conf; done
-v makes Unbound print a message while starting, so I have a record of all restarts for the last 3 hours. Here is the number of seconds between those (in case it helps):
249
213
1982
266
143
45
970
647
1312
4065
174
60
Doesn't seem to be consistent in my case -- but I also have an amount of devices on my network, maybe more devices makes things more noisy..?
-
@jimp Do you still want more configuration examples?
Here's mine:
Packages:
Acme, Avahi, RRD Summary, Service_Watchdog, Shellcmd, System_Patches
server:
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 1
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "validator iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 512
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 4096
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: no
    prefetch-key: no
    use-caps-for-id: no
    serve-expired: no
    aggressive-nsec: no
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    tls-cert-bundle: "/etc/ssl/cert.pem"
    tls-port: 853
    tls-service-pem: "/var/unbound/sslcert.crt"
    tls-service-key: "/var/unbound/sslcert.key"
    interface: 192.168.2.1
    interface: 192.168.2.1@853
    interface: 192.168.6.1
    interface: 192.168.6.1@853
    interface: 192.168.4.1
    interface: 192.168.4.1@853
    interface: 192.168.8.1
    interface: 192.168.8.1@853
    interface: fe80::201:2eff:fe78:9c5f%re1
    interface: fe80::201:2eff:fe78:9c5f%re1@853
    interface: fe80::201:2eff:fe78:9c5f%re1.6
    interface: fe80::201:2eff:fe78:9c5f%re1.6@853
    interface: fe80::201:2eff:fe78:9c5f%re1.4
    interface: fe80::201:2eff:fe78:9c5f%re1.4@853
    interface: fe80::201:2eff:fe78:9c5f%re1.8
    interface: fe80::201:2eff:fe78:9c5f%re1.8@853
    interface: 127.0.0.1
    interface: 127.0.0.1@853
    interface: ::1
    interface: ::1@853
    outgoing-interface: <*** REDACTED ***>
    outgoing-interface: <*** REDACTED ***>
    private-address: 127.0.0.0/8
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10
include: /var/unbound/access_lists.conf
include: /var/unbound/host_entries.conf
include: /var/unbound/dhcpleases_entries.conf
include: /var/unbound/domainoverrides.conf
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
server:
    log-servfail: yes
    private-domain: "pfsense.mydomain.com"
include: /var/unbound/remotecontrol.conf
Both "Register DHCP leases in the DNS Resolver" and "Register DHCP static mappings in the DNS Resolver" are enabled.
Lease time is default (24hrs, I think?)
-
I also had the “Register DHCP leases in the DNS Resolver” option enabled when seeing this issue and disabling this option appears to have stopped the crash.
-
@jkv +1
No packages at all...
-
@fry-kun I suspect you're seeing crashes approximately whenever certain devices renew their DHCP lease. Since the timing of this has more to do with when that device was turned on you would expect to see somewhat random delays between such renewals.
Question for those experiencing these crashes, do you have both "Register DHCP static mappings in the DNS Resolver" enabled AND DHCP Static Mappings where at least one mapping has something filled in in the hostname field?
-
@salander27-0 said in Unbound crashes periodically with signal 11:
Question for those experiencing these crashes, do you have both "Register DHCP static mappings in the DNS Resolver" enabled AND DHCP Static Mappings where at least one mapping has something filled in in the hostname field?
Affirmative
-
@salander27-0 Yes, same here on my system. Both were enabled and I have quite some manual mappings in my system. After the upgrade to 2.5 it seems unbound crashed about every ten minutes; after disabling register DHCP mapping it stopped crashing.
My System is based on a standalone AMD GX-412TC SOC having run pfSense stable for years now.
-
@salander27-0 I can confirm this as well, I have this option set with a handful of static mappings with hostname specified.
-
confirmed
-
@jimp I have successfully downloaded and installed unbound-1.13.1 from the devel repo now that the package has been built. No crashes yet, but none of the DHCP leases of my static leases (with hostname) have expired yet so I wouldn't expect crashes yet. I will update in a few hours once those leases start expiring.
OBSOLETE PLEASE SEE https://forum.netgate.com/post/966915
For anyone else who wishes to try unbound 1.13.1 (normal caveats about this being unsupported and at your own risk) I simplified the install command to the following:
pkg add -f https://files01.netgate.com/packages/pfSense_master_amd64-pfSense_devel/All/unbound-1.13.1.txz
You can roll back with:
pkg install -f unbound
After either of these commands you will need to restart the unbound service to pick up on the new binary.
OBSOLETE PLEASE SEE https://forum.netgate.com/post/966915
-
@salander27-0 been running 1.13.1 for ~2hrs, no crashes yet!
1.13.0 crashed way more often, as evidenced in my earlier message
-
Alright, it's been about 2 and a half hours since I installed unbound-1.13.1 on my system. I have stress-tested it by reducing the DHCP lease time to 120 seconds and have since seen hundreds of DHCP renewals (and subsequent unbound HUPs). Were this unbound 1.13.0 I would have likely seen dozens of crashes, however unbound 1.13.1 has been completely stable in that time.
At this point I believe the best course of action is for additional people to test to see if their issue is resolved with the updated version. If you are willing to take system backups and accept the (IMO very low) risk that you may need to reinstall pfSense completely if something goes wrong (so don't do this on your prod systems) then please follow the instructions in my previous comment to install unbound-1.13.1.
-
@salander27-0 I'm having similar results to those you report. DHCP registration is turned back on, and no crashes so far. 1.13.1 seems to be an upstream solution.
-
I had a stable unbound service again after flushing all DHCP leases.
SOLUTION (in my case): FLUSH DHCP Leases
Details/ Follow-up is here:
https://forum.netgate.com/topic/161092/2-5-0-dns-service-stopping-randomly/5?_=1613861976462
(sorry, if we may have opened a very similar thread to this topic)
-
@salander27-0 Thanks! This was really helpful. Seems to be working perfectly now.
-
@khuynh very well. Glad to help. Hit „like“ on the solution and spread the news.
-
@salander27-0 Thanks! That fixed it. I forced short leases to cause a lot of renewals, and since I installed unbound-1.13.1, I've had no crashes going on 18 hours now.
-
@fivetoedslothbear Yeah, I'm just past 24 hours myself without any crashes.
Also, to anyone who installed 1.13.1 please continue to follow this thread as you may need to manually install the patched unbound from the stable repositories if/when a patched version is pushed.
-
@salander27-0 Been having the same issue for the last 24 hours -- will try this solution and see if it works for me. I appreciate it mate. Have a good one.
-
I see that also on two 2.5.0 CE machines.
Disable "Register DHCP leases in the DNS Resolver" now and will have an eye on it.