Netgate Discussion Forum

Unbound utilising all cpu

  • C
    coza73
    last edited by Feb 6, 2023, 10:08 AM

    I am running pfsense:

    2.6.0-RELEASE (amd64)
    built on Mon Jan 31 19:57:53 UTC 2022
    FreeBSD 12.3-STABLE

    I am seeing a re-occurring issue in my network where periodically the unbound service utilises all the CPU and I get a massive amount of logs generated in resolver.log, in the range of 100,000 lines per minute.

    Is there any way for me to be able to track where this is coming from? It brings down my whole WAN. Once I reboot the pfsense system it clears for a few days.

    The events logged are all mostly the following:

    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] debug: sending to target: <.> 2001:7fd::1#53
    Feb  6 20:26:57 firewall unbound[78378]: [78378:3] info: sending query: . NS IN
    Feb  6 20:26:57 firewall unbound[78378]: [78378:3] debug: sending to target: <.> 199.7.91.13#53
    Feb  6 20:26:57 firewall unbound[78378]: [78378:1] info: validator operate: query D.ROOT-SERVERS.NET. AAAA IN
    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] info: sending query: . NS IN
    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] debug: sending to target: <.> 192.112.36.4#53
    Feb  6 20:26:57 firewall unbound[78378]: [78378:3] debug: request . has exceeded the maximum number of glue fetches 129 to a single delegation point
    Feb  6 20:26:57 firewall unbound[78378]: [78378:3] info: sending query: . NS IN
    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] info: processQueryTargets: . NS IN
    Feb  6 20:26:57 firewall unbound[78378]: [78378:3] debug: sending to target: <.> 192.33.4.12#53
    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] debug: request . has exceeded the maximum number of glue fetches 79 to a single delegation point
    Feb  6 20:26:57 firewall unbound[78378]: [78378:1] info: priming . IN NS
    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] info: sending query: . NS IN
    Feb  6 20:26:57 firewall unbound[78378]: [78378:1] debug: return error response REFUSED
    Feb  6 20:26:57 firewall unbound[78378]: [78378:2] debug: sending to target: <.> 199.9.14.201#53
    Feb  6 20:26:57 firewall unbound[78378]: [78378:3] debug: request . has exceeded the maximum number of glue fetches 130 
    
    • T
      Taudris
      last edited by Feb 12, 2023, 9:09 PM

      Same here. It seems to happen for me when my ISP goes down and the cable modem goes into a restart loop. I don't know if the WAN interface actually goes down or if it just drops packets.

      • C
        coza73 @Taudris
        last edited by Feb 16, 2023, 5:42 AM

        @taudris

        Interesting, thanks for the info.
        I was on the page that this event was bringing down my WAN, but maybe you are right that a WAN down event is causing it.

        On the rare occasion I could get onto the GUI while the system was affected, I do remember noticing the WAN was reporting down due to packet loss.

        For me this has only just started happening over the last month or so. It is strange that a potential WAN down event can cause a flood of DNS requests.

        I would love to see where the source of these requests is coming from, whether it is from the firewall or one of the clients. None of the logs show the source of the DNS request.

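An added example, not part of any post in this thread: a Python sketch that summarises a resolver.log excerpt by minute, message kind and upstream target, and by client address when unbound's `log-queries: yes` option is enabled. The sample input is constructed from the excerpt in the first post plus two constructed client-query lines; `summarize` and its result keys are illustrative names.

```python
import re
from collections import Counter

# Constructed sample: the first five lines follow the resolver.log excerpt in the
# thread; the last two are constructed lines in the shape unbound writes when
# "log-queries: yes" is set (client address, name, type, class).
SAMPLE = """\
Feb  6 20:26:57 firewall unbound[78378]: [78378:2] debug: sending to target: <.> 2001:7fd::1#53
Feb  6 20:26:57 firewall unbound[78378]: [78378:3] info: sending query: . NS IN
Feb  6 20:26:57 firewall unbound[78378]: [78378:3] debug: request . has exceeded the maximum number of glue fetches 129 to a single delegation point
Feb  6 20:26:57 firewall unbound[78378]: [78378:1] info: priming . IN NS
Feb  6 20:26:57 firewall unbound[78378]: [78378:1] debug: return error response REFUSED
Feb  6 20:27:01 firewall unbound[78378]: [78378:0] info: 192.0.2.10 example.com. A IN
Feb  6 20:27:01 firewall unbound[78378]: [78378:0] info: 192.0.2.10 example.org. AAAA IN
"""

# syslog prefix -> (minute, thread, level, message)
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ unbound\[\d+\]: \[\d+:(\d+)\] (\w+): (.*)$")
CLIENT = re.compile(r"^([0-9a-fA-F:.]+) (\S+) ([A-Z0-9]+) IN$")   # log-queries line
GLUE = re.compile(r"exceeded the maximum number of glue fetches (\d+)")
TARGET = re.compile(r"^sending to target: <(\S+)> (\S+)#\d+$")

def summarize(text):
    """Tally unbound log lines so a flood can be characterised at a glance."""
    per_minute, kinds, clients, targets = Counter(), Counter(), Counter(), Counter()
    max_glue = 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an unbound log line
        minute, _thread, _level, msg = m.groups()
        per_minute[minute] += 1
        if (c := CLIENT.match(msg)):
            clients[c.group(1)] += 1          # who asked (needs log-queries)
            kinds["client query"] += 1
        elif (g := GLUE.search(msg)):
            max_glue = max(max_glue, int(g.group(1)))
            kinds["glue fetch limit"] += 1    # resolver retrying a delegation
        elif (t := TARGET.match(msg)):
            targets[t.group(2)] += 1          # upstream server being queried
            kinds["upstream send"] += 1
        else:
            kinds[msg.split(":")[0] if ":" in msg else msg.split()[0]] += 1
    return {"per_minute": per_minute, "kinds": kinds, "clients": clients,
            "targets": targets, "max_glue": max_glue}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A flood where `upstream send` and `glue fetch limit` dominate while `client query` stays flat points at the resolver retrying on its own rather than at a LAN client.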
        • C
          coza73
          last edited by Feb 19, 2023, 8:39 PM

          Touch wood, I think I have found my issue. It was the old Realtek network card driver in pfSense 2.6. Here are my basic notes on how to update:

          Realtek Drivers

          Enable BSD repo: edit /usr/local/etc/pkg/repos/pfSense.conf and change the first line to:

          FreeBSD: { enabled: yes }
          

          Next, edit /usr/local/etc/pkg/repos/FreeBSD.conf and make the same change there:

          FreeBSD: { enabled: yes }
          

          It must be enabled in both places to function.

          Install new driver. You can just use pkg add directly:

          pkg update
          pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/realtek-re-kmod-198.00.pkg
          

          Edit /boot/loader.conf.local to load the new driver. You can append those lines with echo:

          echo 'if_re_load="YES"' >> /boot/loader.conf.local
          echo 'if_re_name="/boot/modules/if_re.ko"' >> /boot/loader.conf.local
          