Unbound massively broken (pfSense >= 2.5.2)
-
When I upgrade from 2.4.5-p1 to either 2.5.2 or 2.6.0, the DNS Resolver happens to stop responding to queries on various interfaces - presumably ones that have been offline for a while.
The DNS request passes the firewall without any problems:
but it is not answered by the DNS Resolver that is listening on this interface:

drill netgate.com @192.168.30.1
Error: error sending query: Could not send or receive, because of network error

drill netgate.com @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 2294
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; netgate.com. IN A
;; ANSWER SECTION:
netgate.com. 50 IN A 199.60.103.104
netgate.com. 50 IN A 199.60.103.4
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 9 msec
;; SERVER: 8.8.8.8
;; WHEN: Thu Feb 24 11:31:39 2022
;; MSG SIZE rcvd: 61
A probably non-exhaustive list of things that temporarily fix the problem:
- Restarting the DNS Resolver
- Clicking "Save" on the System / General Setup page
Any help is welcome!
-
I guess the most likely cause of the issue is this: https://redmine.pfsense.org/issues/12613
-
@jimp, is there any chance that Unbound will ever work the way it did in 2.4.5-p1? That is, without restarting on every link up/down or is https://redmine.pfsense.org/issues/12613 really supposed to be the final "solution"?
-
@thiasaef said in Unbound massively broken (pfSense >= 2.5.2):
is there any chance that Unbound will ever work the way it did in 2.4.5-p1? That is, without restarting on every link up/down or is
See the documentation : unbound.conf(5) from the authors.
See the unbound.conf in /var/unbound/ that's the one your are using right now.
Even if you have this (default ?) :
.....
# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853
.....
The doc says :
...The interfaces are not changed on a reload (kill -HUP) but only on restart.....
So, if your (LAN) interfaces come and go, unbound can serve them, or stop serving them, only on a process restart.
If you have LANs that go down and up over time, put a switch in front of them, and use the same power source as pfSense has: a UPS, for these switches. Now interfaces won't go down/up/down, and unbound doesn't have to (won't) get restarted any more.
I know, it sounds a bit silly.

After thought:
...The interfaces are not changed on a reload (kill -HUP) but only on restart.....
Some time ago I've been reading the real documentation, the source code (it's open source), and HUPping unbound really was a complete process restart .... that seems to have changed now, I guess.
Also, if "Unbound massively broken (pfSense >= 2.5.2)" was unconditionally true, why is it working for me right now? I'm using "2.6.0 CE".
Ok, my LANs are not flapping (remember: UPS! but power is pretty solid here anyway)
If unbound was really 'bad', pfSense as a whole would become unusable. That's not my impression.
-
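The manual probe the opening post does with drill, turned into a repeatable check, as an added example that is not code from this thread or from pfSense: it parses the `interface:` lines quoted above (the sample config is constructed) and sends one plain UDP DNS query to each per-interface listener address you give it, reporting the ones that do not answer. The address 192.168.30.1 and the hostname netgate.com are taken from the thread; everything else is assumed.

```python
import re
import socket
import struct

# Constructed sample of the interface lines quoted above (not the poster's real file).
SAMPLE_CONF = """
# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853
"""

def parse_interfaces(conf_text):
    """Return (address, port) pairs from the 'interface:' lines of an unbound.conf."""
    pairs = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*interface:\s*(\S+)", line)
        if not m:
            continue
        addr, sep, port = m.group(1).rpartition("@")
        if not sep:                      # no '@port' suffix: whole token is the address
            addr, port = port, "53"
        pairs.append((addr, int(port)))
    return pairs

def build_query(qname, qid=0x1234):
    """Minimal DNS A/IN query with RD set; enough to see whether anything answers."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def probe(addr, port=53, qname="netgate.com", timeout=2.0):
    """Send one UDP query; True only if a reply with matching id and QR bit arrives."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    query = build_query(qname)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (addr, port))
            data, _ = s.recvfrom(512)
        except OSError:                  # timeout, ICMP unreachable, no route: dead listener
            return False
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)

def check_resolvers(addrs, timeout=2.0):
    """Map each UDP/53 listener address to True/False; port 853 is DNS over TLS and is skipped."""
    return {a: probe(a, p, timeout=timeout) for a, p in addrs if p != 853}

if __name__ == "__main__":
    # Pass the firewall's per-interface addresses here, e.g. the 192.168.30.1 from the thread.
    for addr, ok in check_resolvers([("192.168.30.1", 53)]).items():
        print(f"{addr}: {'answers' if ok else 'NO ANSWER, unbound likely needs a restart'}")
```

Run it from a cron job or a monitoring host against the LAN gateway addresses; a listener that answered at boot and stops after an interface bounce shows up as a False entry, which is the condition the thread describes.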
@gertjan said in Unbound massively broken (pfSense >= 2.5.2):
Even if you have this (default ?)
Yes! Otherwise I would not whine like a baby.
I know, it sound a bit silly.
And it is silly.
Also, if "Unbound massively broken (pfSense >= 2.5.2)" was unconditionally true
You do realize, that I chose this title before I knew the root cause of my dead network?
Ok, my LANs are not flapping (remember : UPS ! but power is pretty solid here anyway)
Can we please stop this bullshit argument, that you are not supposed to connect end user devices directly to the firewall?
-
@thiasaef said in Unbound massively broken (pfSense >= 2.5.2):
Can we please stop this bullshit argument, that you are not supposed to connect end user devices directly to the firewall?
Well .... isn't your subject and what you just said, actually proving your point ?
I'm only trying to propose a workaround 'solution'. Yeah, I know, not perfect. I'm sure better ones will be proposed.
-
I have those cheap 4-5 Port green unmanaged switches laying around with no purpose, maybe you have too.
Have you tried one of those and that they are able to fix your problems?
-
@gertjan said in Unbound massively broken (pfSense >= 2.5.2):
Well .... isn't your subject and what you just said, actually proving your point ?
That's like (me) asking my doctor: 'My leg hurts when I walk, what can I do?' and the doctor (you) says: 'Don't walk!'.
PS: The next time you come up with this argument I'll put you on my ignore list.
@bob-dig said in Unbound massively broken (pfSense >= 2.5.2):
Have you tried one of those and that they are able to fix your problems?
This would of course avoid being affected by the problem, but as I've said many times before - it's no substitute for properly fixing the bug.
-
I am seeing flakiness too, since I switched to PPPoE and now using haproxy. Or it is just a loose cable somewhere, I can't tell for sure.