Netgate 2100 dns resolver reconfiguration takes very long
-
Hi there,
it seems to me that every tiny change to DNS-related configuration triggers a full restart of unbound. That takes up to 2 minutes, during which complete DNS resolution (internal and external) isn't working. Some of my services are not amused about that.
Is there a tweakable to fix that, or is this behavior working as designed?
I can understand that it's mandatory to restart the service for bigger changes in configuration. But absolutely not if I only want to create a DNS record or add a DHCP reservation.
- Firmware: 22.01-RELEASE (arm64)
- My Unbound is running in Forward-Mode (Resolver-Mode isn't working with my ISP) to official DNS resolvers and is used as the internal LAN DNS resolver.
- Static DHCP clients are registered automatically. Dynamic DHCP clients are not.
- pfBlockerNG is enabled in a quite basic configuration
- Tried both modes, Python module and default mode. Can't see any different behaviour.
Are there any suggestions?
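One way to put a number on the outage described in this post, as an added example that is not part of the original thread: poll the system resolver at a fixed interval while applying a DNS change on the firewall, then report the longest contiguous window of failed lookups. It assumes the client's stub resolver points at the pfSense box (the default for LAN clients) and that a lookup failing or timing out means unbound is down or restarting; the probe name `example.com` and the 180-second capture window are arbitrary choices.

```python
"""Measure how long name resolution is unavailable while unbound restarts.

Added example, not code from the forum post or from pfSense. Polls the
system resolver every `interval` seconds and reports the longest run of
failed lookups. Assumption: the host's resolver is the pfSense box.
"""
import socket
import time
from typing import Callable, List, Optional, Tuple

Sample = Tuple[float, bool]          # (seconds since start, lookup succeeded)
Outage = Tuple[Optional[float], Optional[float], float]  # (start, end, duration)


def resolve_ok(name: str, timeout: float = 2.0) -> bool:
    """Return True if `name` resolves through the system resolver.

    A timeout counts as a failure: during an unbound restart the listener
    is gone, so queries are dropped rather than answered with SERVFAIL.
    """
    old = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, socket.timeout, OSError):
        return False
    finally:
        socket.setdefaulttimeout(old)


def longest_outage(samples: List[Sample]) -> Outage:
    """Return (start, end, duration) of the longest run of failed lookups.

    The outage ends at the timestamp of the first successful lookup after
    the run; a run still failing at the end of the capture ends at the last
    sample. Returns (None, None, 0.0) if every lookup succeeded.
    """
    best: Outage = (None, None, 0.0)
    run_start: Optional[float] = None
    for ts, ok in samples:
        if not ok and run_start is None:
            run_start = ts
        elif ok and run_start is not None:
            dur = ts - run_start
            if dur > best[2]:
                best = (run_start, ts, dur)
            run_start = None
    if run_start is not None and samples:
        ts = samples[-1][0]
        dur = ts - run_start
        if dur > best[2]:
            best = (run_start, ts, dur)
    return best


def probe(name: str, seconds: float, interval: float = 0.5,
          resolver: Callable[[str], bool] = resolve_ok,
          clock: Callable[[], float] = time.monotonic,
          sleep: Callable[[float], None] = time.sleep) -> List[Sample]:
    """Poll `resolver(name)` every `interval` seconds for `seconds` seconds.

    `resolver`, `clock` and `sleep` are injectable so the sampling logic can
    be exercised offline without a live resolver.
    """
    samples: List[Sample] = []
    t0 = clock()
    while clock() - t0 < seconds:
        samples.append((clock() - t0, resolver(name)))
        sleep(interval)
    return samples


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    start, end, dur = longest_outage(probe(host, seconds=180))
    if start is None:
        print("no failed lookups during capture")
    else:
        print("longest outage: %.1fs (from %.1fs to %.1fs)" % (dur, start, end))
```

Start the script on a LAN client, then save and apply a small change (a host override, say) in the DNS Resolver page; when the capture ends it prints the length of the gap, which is the figure worth attaching to a bug report. Resolving a name that is already in the client's cache would hide the outage, so use a name the client does not cache, or clear the local cache first.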
-
@n300 2 minutes seems absurdly long. Do the logs show anything useful?
To be clear, are you using DNS Resolver and forwarding, or using DNS Forwarder?
-
Hi Steve,
No interesting things in the unbound log. OK, it's only about 1 min. But that's also much too long if I only add a DNS alias.
There is only a gap in the log.
Concerning your question about forwarding:
I only use the server "DNS Resolver". DNS-Forwarder is disabled.
But in DNS Resolver DNS Query Forwarding is enabled.
Otherwise I'm unable to resolve anything outside my LAN.
-
@n300 Is Internet active at that time?
https://redmine.pfsense.org/issues/12985 looks to be in the upcoming 22.05.
-
WAN port was up as far as I can see.
I think it's unbound-related, because internal DNS resolution from all my clients/servers also isn't possible while applying changes.
-
@n300 said in Netgate 2100 dns resolver reconfiguration takes very long:
WAN port was up as far as I can see.
I think it's unbound-related, because internal DNS resolution from all my clients/servers also isn't possible while applying changes.
pfBlockerNG with a bunch of DNSBL feeds active causes this because of the huge block lists that are added to unbound, optionally via the python integration. The SG-2100 CPU is not exactly powerful, so it takes quite a while to load large feeds on that platform.
-
@keyser OK. But if I disable pfBlockerNG (not uninstalling it), it's not significantly faster. I also don't have many subscriptions. Only the basic/default blacklist is enabled.