DNS Resolver just stops after 24 hours and needs restart - SG-3100

Detfree23

It appears after a day or so using DNS Resolver and content filtering (Network interfaces are LAN and Localhost) I must 'restart' the DNS Resolver service (like in them morning). I'm using 21.02.2-RELEASE (arm) on a SG-3100. Internet exists, but can't get out until I restart the DNS Resolver service. Also using it on the Outgoing WAN interfaces. Enable DNSSEC Support is on by default. Wild Card TLD (Top Level Domain) is checked off and content filtering using Shalla and UT1 as the blacklists (gambling, porn, phishing, and malware clicked off, only updated weekly (couple other things. Also using pfBlocker for content management as well (DNSBL_BBcan177, Easy list, Ads, malicious, etc.). I'm curious to know why the Resolver would just stop and need a restart morning time? It seems to go for a day or two before I need to go back in and restart. Thoughts anyone?

Notificaitons are:

Filter Reload
There were error(s) loading the rules: /tmp/rules.debug:30: cannot define table pfB_NAmerica_v4: Cannot allocate memory - The line in question reads [30]: table <pfB_NAmerica_v4> persist file "/var/db/aliastables/pfB_NAmerica_v4.txt"
@ 2021-05-23 23:20:02
There were error(s) loading the rules: /tmp/rules.debug:26: cannot define table pfB_Asia_v4: Cannot allocate memory - The line in question reads [26]: table <pfB_Asia_v4> persist file "/var/db/aliastables/pfB_Asia_v4.txt"
@ 2021-05-23 23:20:36

Memory usage fluctuates:

Memory usage
69% of 2017 MiB

Disk
39% of 6.9GiB - ufs

/var/run
5% of 3.4MiB - ufs in RAM

Appreciate any help................I'm somewhat new to Netgate and pfSense

Thanks!!

Detfree23

Gertjan

@detfree23

Need to see more (unbound ?) and system logs.

Probably a OOM issue.

Btw :

When you see stuff like this :

..... cannot define table pfB_NAmerica_v4: Cannot allocate memory

it's time to really cut in the number of pfBlockerNF feeds /lists.

Or double -or more - your memory :

69% of 2017 MiB

NOCling

Try the DNSBL Mode with Python for Unbound, it run faster and will use less RAM to.

Detfree23

Gertjan,

I disabled those pfBlocker "GEO IP" (NA, Europe, Oceania, South America feeds..etc..etc..etc..) as I'm not opening any ports to the inside. I've not seen any log notications surrounding the So good to see what this unit can handle or not.. Will provide logs after NOCling option to see if you both think it's a ram issue? I was under the impression that I could not upgrade the RAM on this SG-3100 unit. Unless you know otherwise? I wanted this unit primarily for gig speeds which it handles just fine. Knowing about pfBlocker and what it can do is a nice plus. I had Snort at one point to learn IDS et al, but the previous pfSense update blew that out of whack and was told to remove it until the kernel and snort work together on a later version.

N0Cling,

I'll try the DNSBL Mode with Python...........

I report this to you and not sure if it's because I'm leaving my browser open (although i've also closed browsers as well)? After two days the Resolver remained on, but cut out this morning.

What do you both know about this?

Certificate Manager
The following CA/Certificate entries are expiring:
Certificate: webConfigurator default (5eb85174c0d77) (5eb85174c0d77): Expiring soon, in 12 days @ 2021-05-31 03:01:00
The following CA/Certificate entries are expiring:
Certificate: webConfigurator default (5eb85174c0d77) (5eb85174c0d77): Expiring soon, in 11 days @ 2021-06-01 03:01:00
The following CA/Certificate entries are expiring:
Certificate: webConfigurator default (5eb85174c0d77) (5eb85174c0d77): Expiring soon, in 10 days @ 2021-06-02 03:01:00
The following CA/Certificate entries are expiring:
Certificate: webConfigurator default (5eb85174c0d77) (5eb85174c0d77): Expiring soon, in 9 days @ 2021-06-03 03:01:00

NOCling

Uhh your pfsense Webserver Cert is about to expire.

Go System, Cert Manager and you are good to create your own CA.
If you won't do that, go to Certificates and use the Reissue/Renew Button to reset the cert Lifetime back to now 398 Days.

And there is no way to upgrade the RAM of the SG-3100.
But my SG-1100 runs nice with 1G and some List activ with pfBlocker.
Max Tabel 1mil, activ in use 155k.
CIRD and TDL activ.
Ram Load round about 30%.

SteveITS

@detfree23 said in DNS Resolver just stops after 24 hours and needs restart - SG-3100:

I must 'restart' the DNS Resolver service

Note 21.05 moved "back to Unbound 1.12.x due to instability on Unbound 1.13.x".

Detfree23

@nocling
Thank you about the certificate info. Pretty massive drop Memory usage
11% of 2017 MiB because of change to DNSBL Mode with Python. We'll see what happens over the next few days....thanks for everything.

Detfree23

@steveits Thanks Steve for chiming in. I'll read your NOTE link...!

Current release i'm on....

Version 21.02.2-RELEASE (arm)
built on Mon Apr 12 07:50:07 EDT 2021
FreeBSD 12.2-STABLE

Version 21.05 is available.
Version information updated at Thu Jun 3 18:16:32 EDT 2021

I'm being offered 21.05 now..........what are your thoughts here?

SteveITS

@detfree23 said in DNS Resolver just stops after 24 hours and needs restart - SG-3100:

I'm being offered 21.05 now..........what are your thoughts here?

Ordinarily I’d wait a week or two but apparently unbound 1.13 has stability problems so you’ll have to weigh the pros and cons of waiting.

NOCling

I run 21.05 RC since Monday no Problem and the Final since Release.
All IPsec Problems i have had are fixed. It run so mutch better than the 21.02.2 Release.
I highly recommend it.

Detfree23

I just wanted all on this topic to know that my Netgate has not crashed once since reducing/modifing the pfBlocker geo IP rules as well as changing to Python for Unbound. I'm going to upgrade to the latest OS tonight...21.05. Thanks again all! Franklin p....