Release 2.6.0 upgrade issues with dnsmasq
-
I took the plunge and attempted an upgrade from 2.5.2 to 2.6.0 CE.
Long story short, it did not go well and I had to roll back. I tried two "in-place" upgrades from the GUI and got the same behavior. In both cases, the rollback restored everything to a stable state.
First, a few points on my configuration:
- Single device gateway
- I'm using 802.1Q VLANs. All end points connect to downstream switches on specific VLANs, which are uplinked to the pfSense via a VLAN trunk, which has two port members in a roundrobin LAGG.
- dnsmasq is enabled on each VLAN interface and DHCP tells endpoints to use the address of the firewall on that VLAN as their DNS server.
- I use dnsmasq to resolve local host names, and forward the rest to the internet
This configuration has worked really well for as long as I can recall and never given me issues across any upgrade until now.
The behavior after the upgrade was a ridiculous number of DNS query failures. End users see a lot of NX DOMAIN pages, and then it suddenly works and brings them to the page, but subsequently fails to load all the page content due to more NX domain failures. Mashing the reload might eventually load the page, but it is pretty insane.
I also noticed massive latency spikes in upstream gateway ping times, every 15 minutes on the minute (so 15:00, 15:15, 15:30 ... etc). Not sure if that is a separate issue yet or not. Mentioning it in case it is relevant. That seems more likely tied to scheduled firewall rules though (which I have a few).
I am happy to make another attempt and collect more debug information if you have any suggestions on what to collect. I am stuck on 2.5.2 until I figure out what went wrong.
-
DNS Forwarder issue might be https://redmine.pfsense.org/issues/12902 or maybe https://redmine.pfsense.org/issues/12901 -- Is there a reason you are still using the old DNS Forwarder instead of the DNS Resolver? The latter tends to be more reliable and is more widely used and actively developed.
Latency issue is likely https://redmine.pfsense.org/issues/12901 -- there is a workaround for that built into the system patches package on 2.6.0.
-
> Is there a reason you are still using the old DNS Forwarder instead of the DNS Resolver?
Nothing more than I set this up so long ago, I don't think there was another option, or I don't remember there being one that supported host overrides.
I will attempt another upgrade with the above suggested fixes in mind, and see how it goes.
Much appreciated. Looks like when I searched for known issues I should have set my filter to 2.7.0, which is why I didn't find these. Thanks as always.
-
I cut over to DNS resolver and performed the upgrade. That solved the DNS issues. I believe it all came down to this one: https://redmine.pfsense.org/issues/12901.
The latency spikes every 15 min are still present, but that is evidently a different issue so I'll create a separate post for it. Thanks for your help.
-Jeff
-
The follow-up post on latency issues is here:
https://forum.netgate.com/topic/170660/latency-spikes-every-15-minutes-after-upgrade-to-2-6-0-ce