DNS resolver Stop Working after upgrade 2.4.5 to 2.5.1
-
Re: DNS resolver Stop Working after upgrade 2.4.5 to 2.5.0
After updating to 2.5.1 from 2.4.5, unbound still randomly stops, around 1-2 times a day. I do not want to disable "Register DHCP leases in the DNS Resolver", because I use this feature.
Unbound version is 1.13.1 and reinstalling does not help me.
I do not find anything in the logs that describes why it stops. What else can I try?
-
@jabacrack said in DNS resolver Stop Working after upgrade 2.4.5 to 2.5.1:
> I do not want to disable "Register DHCP leases in the DNS Resolver", because I use this feature.

That's ok and understandable. Would also love to leave it 'on' and forget about it.
But you created some sort of mutually exclusive issue here.
"Register DHCP leases" to off can help you.
And you can compensate for the side effects yourself.

Btw
What pfSense device / version ?
Other packages installed ?
You have read about the 'unbound' history on this forum ?
Did you check how often unbound restarts ? Per day/hour/minute/second ? - as every incoming DHCP lease or renew will restart unbound - go to the unbound log and count the number of "start" per day/hour/minute.
I dealt with the issue a couple of years ago : I added a "MAC lease" for every device on my network (about 60), and knowing I'm not adding new devices every day - and that I don't want to know what devices are connected on my 'public captive portal'. Never had an issue since.
-
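The restart count suggested in the post above (count the "start" entries per day/hour/minute in the unbound log), as an added example that is not part of the original thread. It assumes the syslog-style line layout of the log excerpt posted in this thread; the function names and sample lines are constructed, and treating a start whose PID has not appeared before as a newly launched process is an assumption.

```shell
#!/bin/sh
# Count unbound "start of service" entries per day, hour or minute.
# Usage: count_unbound_starts day|hour|minute < /path/to/resolver.log  (placeholder path)
count_unbound_starts() {
    awk -v gran="${1:-hour}" '
        # A (re)start logged by unbound itself; $5 is the process ID.
        $4 == "unbound" && /info: start of service/ {
            split($3, t, ":")                    # t[1]=HH, t[2]=MM
            key = $1 " " $2                      # day bucket, e.g. "Jul 6"
            if (gran == "hour")   key = key " " t[1] ":00"
            if (gran == "minute") key = key " " t[1] ":" t[2]
            if (!(key in starts)) { order[++k] = key; fresh[key] = 0 }
            starts[key]++
            # Assumption: a PID not seen earlier in the input means a newly
            # launched process, not a restart inside the running one.
            if (!($5 in seen)) fresh[key]++
        }
        $4 == "unbound" { seen[$5] = 1 }         # remember every unbound PID
        END {
            for (i = 1; i <= k; i++)
                printf "%s starts=%d new_pids=%d\n", order[i], starts[order[i]], fresh[order[i]]
        }
    '
}

# Constructed sample lines in the layout of the log excerpt in this thread.
sample_log() {
    cat <<'EOF'
Jul 6 08:27:04 unbound 66806 [66806:0] info: average recursion processing time 1.275102 sec
Jul 6 08:27:04 unbound 66806 [66806:0] notice: Restart of unbound 1.13.1.
Jul 6 08:27:04 unbound 66806 [66806:0] info: start of service (unbound 1.13.1).
Jul 6 08:41:10 unbound 66806 [66806:0] info: start of service (unbound 1.13.1).
Jul 6 09:02:33 unbound 66806 [66806:0] info: start of service (unbound 1.13.1).
Jul 6 14:15:00 unbound 71234 [71234:0] info: start of service (unbound 1.13.1).
Jul 6 14:15:05 filterdns 27051 failed to resolve host example.com will retry later again.
Jul 7 03:00:12 unbound 71234 [71234:0] info: start of service (unbound 1.13.1).
EOF
}

# Per-hour summary of the sample; replace sample_log with the real log file.
sample_log | count_unbound_starts hour
```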
> What pfSense device / version ?
> Other packages installed ?

Sorry, I was a little frustrated and forgot to provide this information.
I use an APU2 and pfSense 2.5.1-RELEASE.
I only use the backup 0.5_5 package.
In addition, I have two OpenVPN tunnels to route some sites through them using alias lists.
Also I have a Gateway Group with my OpenVPN gateway and my default provider. I expect it to auto-switch to the default one in case OpenVPN goes down, but it doesn't work this way sometimes :)
Everything else is very common for a router setup, but I can post my full config backup if needed.

> Did you check how often unbound restart ?

If it restarted, it would be fine for me, but it dies without any error. Maybe adding a watchdog would help me, but this is not an elegant solution.
These are the latest records from the unbound log.
```
Jul 6 08:27:04 unbound 66806 [66806:0] info: server stats for thread 3: 161 queries, 76 answers from cache, 85 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Jul 6 08:27:04 unbound 66806 [66806:0] info: server stats for thread 3: requestlist max 61 avg 8.71765 exceeded 0 jostled 0
Jul 6 08:27:04 unbound 66806 [66806:0] info: average recursion processing time 1.275102 sec
Jul 6 08:27:04 unbound 66806 [66806:0] info: histogram of recursion processing times
Jul 6 08:27:04 unbound 66806 [66806:0] info: [25%]=0.0919324 median[50%]=0.222822 [75%]=0.787629
Jul 6 08:27:04 unbound 66806 [66806:0] info: lower(secs) upper(secs) recursions
Jul 6 08:27:04 unbound 66806 [66806:0] info: 0.000000 0.000001 6
Jul 6 08:27:04 unbound 66806 [66806:0] info: 0.032768 0.065536 8
Jul 6 08:27:04 unbound 66806 [66806:0] info: 0.065536 0.131072 18
Jul 6 08:27:04 unbound 66806 [66806:0] info: 0.131072 0.262144 15
Jul 6 08:27:04 unbound 66806 [66806:0] info: 0.262144 0.524288 9
Jul 6 08:27:04 unbound 66806 [66806:0] info: 0.524288 1.000000 14
Jul 6 08:27:04 unbound 66806 [66806:0] info: 1.000000 2.000000 5
Jul 6 08:27:04 unbound 66806 [66806:0] info: 2.000000 4.000000 3
Jul 6 08:27:04 unbound 66806 [66806:0] info: 4.000000 8.000000 4
Jul 6 08:27:04 unbound 66806 [66806:0] info: 8.000000 16.000000 2
Jul 6 08:27:04 unbound 66806 [66806:0] info: 16.000000 32.000000 1
Jul 6 08:27:04 unbound 66806 [66806:0] notice: Restart of unbound 1.13.1.
Jul 6 08:27:04 unbound 66806 [66806:0] notice: init module 0: validator
Jul 6 08:27:04 unbound 66806 [66806:0] notice: init module 1: iterator
Jul 6 08:27:04 unbound 66806 [66806:0] info: start of service (unbound 1.13.1).
Jul 6 08:27:08 unbound 66806 [66806:0] info: generate keytag query _ta-4f66. NULL IN
Jul 6 08:27:08 unbound 66806 [66806:3] info: generate keytag query _ta-4f66. NULL IN
Jul 6 08:27:27 filterdns 27051 failed to resolve host hentainexus.com will retry later again.
Jul 6 08:27:30 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.113.1 port 53
Jul 6 08:27:30 filterdns 27051 failed to resolve host btc-e.com will retry later again.
Jul 6 08:27:32 unbound 66806 [66806:1] error: read (in tcp s): Connection refused for 199.249.121.1 port 53
Jul 6 08:27:32 filterdns 27051 failed to resolve host thepiratebay.se will retry later again.
Jul 6 08:27:32 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.121.1 port 53
Jul 6 08:27:32 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.121.1 port 53
Jul 6 08:27:33 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.113.1 port 53
Jul 6 08:27:33 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.113.1 port 53
Jul 6 08:27:33 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.121.1 port 53
Jul 6 08:27:33 unbound 66806 [66806:2] error: read (in tcp s): Connection refused for 199.249.121.1 port 53
Jul 6 08:27:35 unbound 66806 [66806:0] error: read (in tcp s): Connection refused for 199.249.119.1 port 53
Jul 6 08:27:35 unbound 66806 [66806:0] error: read (in tcp s): Connection refused for 199.249.119.1 port 53
```
> You have read about the 'unbound' history on this forum ?

No, are problems a common situation for unbound? I got this problem when I updated to 2.5.0, reverted to 2.4.5 and decided to wait until it would be fixed in the next release. But it didn't help.

> I dealt with the issue a couple of years ago : I added a "MAC lease" for every device on my network

I have a similar setup, but I thought that "Register DHCP leases in the DNS Resolver" should be enabled in this case too.
-
@jabacrack said in DNS resolver Stop Working after upgrade 2.4.5 to 2.5.1:
> I have a similar setup, but I thought that "Register DHCP leases in the DNS Resolver" should be enabled in this case too.

Nope. Disable it.
"Register DHCP leases in the DNS Resolver" isn't a bad option, but with every new DHCP lease, and DHCP renew, the resolver (unbound) gets restarted.
For "DHCP MAC leases" to be added to the DNS local cache, this option
needs to be checked.
-
2.5.2 will have a lower version for Unbound due to instability.