Domain Overrides Intermittently Stop Working
-
I have unbound set up as a recursive DNS resolver. I had a problem in the past where my Domain Overrides intermittently stopped working. I could do a dig @xxx.xxx.xxx.xxx to query the override target directly and it would work just fine, meaning connectivity wasn't an issue; unbound just wasn't forwarding the DNS query for some reason. The problem randomly went away for several months, and now it's back! Restarting unbound fixes the issue right away, but it's annoying to have to do it.
Might be worth noting that both targets are over wireguard, but there are no connectivity issues when this happens.
My (censored) config files are below. Anyone have any ideas what the heck is happening?
unbound.conf:
##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 1352
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no

# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP(s) to bind to
interface: 10.7.7.1
interface: 10.7.1.1
interface: 10.7.0.1
interface: 10.7.6.1
interface: 10.7.3.129
interface: 10.7.3.0
interface: 10.0.1.0
interface: 127.0.0.1
interface: ::1

# Outgoing interfaces to be used
outgoing-interface: 70.95.67.62
outgoing-interface: 10.7.7.1
outgoing-interface: 10.7.3.0

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address
private-domain: "wgdomain1.com."
domain-insecure: "wgdomain1.com."
private-domain: "localdomain1.com."
domain-insecure: "localdomain1.com."
private-domain: "wgdomain2.com."
domain-insecure: "wgdomain2.com."
private-domain: "localdomain2.com"
domain-insecure: "localdomain2.com"

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Unbound custom options
server:
local-zone: "domain1.com." redirect
local-data: "domain1.com. 86400 IN A 10.7.1.2"
local-zone: "backups.domain1.com." always_transparent
local-zone: "sgtjohnson.domain1.com." always_transparent
local-zone: "domain2.com." redirect
local-data: "domain2.com. 86400 IN A 10.7.1.4"
include: /var/unbound/pfb_dnsbl.*conf

###
# Remote Control Config
###
include: /var/unbound/remotecontrol.conf
domainoverrides.conf:
forward-zone:
    name: "wgdomain1.com."
    forward-addr: 192.168.1.1
forward-zone:
    name: "localdomain1.com."
    forward-addr: 192.168.1.1
forward-zone:
    name: "wgdomain2.com."
    forward-addr: 10.0.0.2
forward-zone:
    name: "localdomain2.com"
    forward-addr: 10.7.7.2
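The check a reader of this post would want is a way to tell, without restarting anything, whether unbound is still honoring each forward-zone. The script below is an added example, not code from the post or from pfSense/unbound: it parses a domainoverrides.conf, cross-checks each zone against the private-domain and domain-insecure lines pfSense emits in unbound.conf, and optionally probes each zone's SOA both through the local resolver and directly at the forward-addr, flagging zones where the direct query answers but the resolver does not (the exact symptom described above). The embedded SAMPLE_* configs are constructed stand-ins for the poster's files, the dig binary is assumed to be on PATH for the live mode, and the issue labels are this example's own.

```python
"""Health check for unbound forward-zone ("Domain Override") entries.

Added example, not pfSense or unbound code. Assumptions: `dig` is installed
(only needed for --live), and the config files use the pfSense layout shown
in the thread. SAMPLE_* below are constructed stand-ins, not real configs.
"""
import subprocess
import sys
from typing import Dict, List

# Constructed sample shaped like the thread's domainoverrides.conf.
SAMPLE_OVERRIDES = """\
forward-zone:
    name: "wgdomain1.com."
    forward-addr: 192.168.1.1
forward-zone:
    name: "localdomain2.com"
    forward-addr: 10.7.7.2@53
"""

# Constructed unbound.conf fragment; deliberately lacks domain-insecure for localdomain2.
SAMPLE_UNBOUND_CONF = """\
server:
private-address: 10.0.0.0/8
private-domain: "wgdomain1.com."
domain-insecure: "wgdomain1.com."
private-domain: "localdomain2.com"
include: /var/unbound/domainoverrides.conf
"""


def canonical(name: str) -> str:
    """Lower-case a zone name and give it exactly one trailing dot, as unbound does."""
    return name.strip().strip('"').lower().rstrip(".") + "."


def parse_forward_zones(text: str) -> Dict[str, List[str]]:
    """Return {zone: [forward-addr, ...]} from forward-zone: stanzas (port/TLS suffixes dropped)."""
    zones: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-zone":
            current = None
        elif key == "name":
            current = canonical(value)
            zones.setdefault(current, [])
        elif key == "forward-addr" and current is not None:
            zones[current].append(value.split("@", 1)[0].split("#", 1)[0])
    return zones


def collect_values(text: str, key: str) -> set:
    """Canonical names given for one key (e.g. private-domain) anywhere in unbound.conf."""
    found = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        k, _, v = line.partition(":")
        if k.strip() == key and v.strip():
            found.add(canonical(v))
    return found


def check_consistency(unbound_conf: str, overrides_conf: str) -> List[str]:
    """Flag forward zones missing the private-domain / domain-insecure lines pfSense pairs with them."""
    zones = parse_forward_zones(overrides_conf)
    private = collect_values(unbound_conf, "private-domain")
    insecure = collect_values(unbound_conf, "domain-insecure")
    issues = []
    for zone in sorted(zones):
        if not zones[zone]:
            issues.append(f"{zone}: forward-zone has no forward-addr")
        if zone not in private:
            issues.append(f"{zone}: no private-domain entry (private IPs in answers would be scrubbed)")
        if zone not in insecure:
            issues.append(f"{zone}: no domain-insecure entry (answers must otherwise pass DNSSEC validation)")
    return issues


def classify(resolver_answers: List[str], upstream_answers: List[str]) -> str:
    """Compare what the resolver returned with what the forward target returned directly."""
    if not upstream_answers:
        return "UPSTREAM-UNREACHABLE"      # direct query failed: a connectivity problem, not unbound
    if not resolver_answers:
        return "FORWARD-NOT-HONORED"       # direct dig works, resolver does not: the thread's symptom
    if set(resolver_answers) != set(upstream_answers):
        return "ANSWER-MISMATCH"
    return "OK"


def dig_short(server: str, name: str, rtype: str = "SOA", timeout: int = 3) -> List[str]:
    """Answer lines from `dig +short`; [] on timeout, SERVFAIL or missing dig. Needs dig on PATH."""
    cmd = ["dig", "+short", f"+time={timeout}", "+tries=1", f"@{server}", name, rtype]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 2, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [ln.strip() for ln in out.stdout.splitlines() if ln.strip()]


def check_live(overrides_conf: str, resolver: str = "127.0.0.1") -> Dict[str, str]:
    """Probe each zone's SOA via the resolver and via its first forward-addr; return {zone: status}."""
    return {zone: classify(dig_short(resolver, zone), dig_short(addrs[0], zone))
            for zone, addrs in parse_forward_zones(overrides_conf).items() if addrs}


if __name__ == "__main__":
    # Usage: script.py [unbound.conf domainoverrides.conf] [--live]
    paths = [a for a in sys.argv[1:] if a != "--live"]
    conf, overrides = ((open(paths[0]).read(), open(paths[1]).read()) if len(paths) == 2
                       else (SAMPLE_UNBOUND_CONF, SAMPLE_OVERRIDES))
    for issue in check_consistency(conf, overrides):
        print("CONFIG:", issue)
    if "--live" in sys.argv:
        for zone, status in check_live(overrides).items():
            print(f"{status:22} {zone}")
```

Run it against /var/unbound/unbound.conf and /var/unbound/domainoverrides.conf with --live from a cron job and alert on FORWARD-NOT-HONORED; because the direct query is made in the same run, the script separates "unbound stopped forwarding" from "the WireGuard path to the forward target is down", which is the distinction the post makes by hand.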
-
Are you running pfSense CE or pfSense Plus 22.05? If the latter, the unbound version in 22.05 is very flaky. For some folks it appears to run fine, but quite a few others have experienced weird behaviors. The current CE and Plus releases run different versions of unbound, and the 1.15.0 version found in Plus is intermittently flaky for many.
I had the same issue as you, and finally wound up killing all unbound processes and then restarting it. I am running 22.05 Plus. The upcoming 23.01 release contains a much newer 1.17.1 version of unbound, let's hope it is more dependable.
-
@bmeeks I'm running CE 2.6.0 which has unbound 1.13.2
-
@thearamadon said in Domain Overrides Intermittently Stop Working:
@bmeeks I'm running CE 2.6.0 which has unbound 1.13.2
That is the better behaved version between the two, so I am a little surprised to see it giving problems.
For what it's worth, my failure to honor domain overrides has not returned after I killed the unbound daemon and then restarted it again. Prior to that, I had clicked the restart button under SERVICES several times without improvement. Finally, in desperation, I tried the kill -9 <pid> command from the shell. That seemed to kick it back into submission and my AD domain overrides started being honored again after restarting the daemon from the GUI.