Unbound continues to restart frequently with DHCP registration enabled.
-
I watched the new YouTube video by Netgate and in that video the presenter states that with 23.01 it is now OK to enable DHCP registrations in python mode. However, when I enable DHCP registrations, this is what I see.
-
This is indeed frustrating with all the mixed messaging, but a decent answer by one of the devs can be read at bug #5413 over at the Redmine.
https://redmine.pfsense.org/issues/5413#note-49
-
@kimbleworshack Thanks, that is indeed disappointing.
-
You do know how to make unbound not restart anymore? Or like once or twice a week?
By disabling "DHCP registration enabled" and still having all your LAN devices known by their host name (of course)? Just checking
-
@gertjan Well, what I do is manually create DNS entries for hosts that I want to be able to reach by hostname. For my home environment this is manageable but irritating. I can't imagine dealing with this at the scale of a business. As of last night, I'm tinkering with BIND for local hosts which forwards to pfSense for internet name resolution. This will also require changing DHCP services to something that can interface with BIND. Lots of testing to do.
-
Some promising developments could be coming for v23.05 in regards to replacing ISC DHCP Server (now End of Life) with something better.
https://redmine.pfsense.org/issues/6960
-
@moelassus
Even if you bind, devices will get a 'random' IP out of the pool.
The exception is :
You've assigned a static IP (and mask and DNS) to every device you will 'fix' on a known IP in your network.
Large business, or not, people have reasons to map their devices to locations that are defined, like managed switches on .2, .3 etc. APs on .10, .11, etc. Printers afterwards. Then NASs, etc etc.
The fact is, security on your LANs means also that you know what device is connected where.
So, every time a new device (PC, switch, printer etc) gets added, I add a static mac lease. Such an event happens .... for me ... every 6 months or so.
So instead of visiting each device on every floor in the building, I add a static mac lease (once) on the DHCP server page of that LAN. This way my entire network is mapped out from one central place = pfSense (the local DHCP server(s)).
The one exception : my captive portal network : I don't care what IP these devices have - as these are not devices that "serve" something. That network is even AP isolated, which means that devices from that network can't 'see' and connect to each other.
@moelassus said in Unbound continues to restart frequently with DHCP registration enabled.:
can't imagine dealing with this at the scale of a business.
The biggest company I visited handed about 2000 IP's on a map. Most of them were parked to upfront defined IP addresses. This was mandatory. It's the admin's job.
So, on pfSense, or on the device, you have to set something. No one is going to accept the default host names BBHHNY200 and BBHNY285 for the last Dell PCs I bought, as these were the names out of the box. I DHCP mac leased them, and now the network knows them as 'FRONT-OFFICE-4' and 'FRONT-OFFICE-4'.
bind : true : the DHCP uses :
and bind accepts this out of the box.
I'm still not going to accept 'iPhone' and 'BBHHNY200 ' ( or Redmi-Note-11 or Galaxy-A40 ) into my local DNS as host names.
-
@gertjan You've replied to any thread about the automatic DHCP registration in DNS issue with the exact same thing, telling people that they shouldn't use it and why you don't like it. I understand that you do not have a use for the feature, and that's perfectly fine, but others including myself find enormous value in this feature. We are just wanting to use a feature that every other competing product offers, and a feature that is even advertised by pfSense as being available.
For all the years that bugs/issues have been raised about this, not once has Netgate removed the option or written a warning notice in the WebGUI about the feature being broken. That must mean that they support this feature, right?
-
@kimbleworshack I agree. I have been posting a few times in the forums here that they need to either update the documentation or remove the notice. All it's doing is creating the same posts here and on reddit..
It's just strange as to why they haven't done it yet.
-
@kimbleworshack said in Unbound continues to restart frequently with DHCP registration enabled.:
I understand that you do not have a use for the feature, and that's perfectly fine, but others including myself find enormous value in this feature. We are just wanting to use a feature that every other competing product offers, and a feature that is even advertised by pfSense as being available.
Completely agree with your post. Oftentimes here I noticed personal opinion gets in the way of helping people. Some posters are more known for it than others.
But nevertheless, there has been so much mixed messaging surrounding this I just want them to update the documentation to at least state 'Feature coming but not ready, hotfix pending' or something.....
-
@moelassus I think there are maybe a couple of things getting confused in this thread. DHCP registrations trigger an unbound restart, see https://redmine.pfsense.org/issues/5413.
The 23.01 release notes say "It is now safe again to enable DHCP registration alongside Unbound Python mode in pfBlockerNG," which is not the above issue.
-
@steveits Yes, I suspect you're right. What I'm seeing however, is that enabling DHCP registrations with Unbound Python mode (with or without pfBlockerNG installed) still results in constant restarts of the Unbound service. My log entry above was with pfBlockerNG installed but I've tried it with pfBlockerNG removed. With registrations disabled, my log shows unbound restarting once per day around midnight. I presume that is normal behavior?
With registrations enabled the unbound service restarts multiple times per hour and is down for about 10 seconds each time. Name resolution delays are significant so I'm wondering if I'm an outlier or if others are still experiencing this issue or if I need to do further troubleshooting.
-
@moelassus Unbound doesn't normally restart. I just checked a router on 2.6 (unbound-control -c /var/unbound/unbound.conf status) and it shows "uptime: 15400184 seconds" so ~180 days vs the router's 280 days of uptime. We probably changed a setting. :) [edit: that router has DHCP disabled]
I think you're talking about Enable Python Module in the DNS Resolver settings, not DNSBL Mode in the pfBlockerNG settings?
The names are similar.
Enabling DHCP registrations (currently, see above redmine) writes the change to the config file then restarts unbound to pick up the new config file. So it will restart on average every (#devices/lease time/2) whenever any lease is renewed. Workarounds include having a longer lease time, not enabling that option, or using alternate local DNS servers...such as something that forwards to pfSense but caches so the downtime isn't as obvious.
Restarting due to DHCP registrations is a frequent complaint here on the forums.
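
To put numbers on the restart frequency and per-restart downtime discussed in this thread, here is an added example (not part of any post above and not Netgate code) that pairs unbound's "service stopped" and "start of service" log messages into outage windows. The syslog layout, the hostname `fw`, the year and every sample line are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in BSD syslog layout (assumed); not taken from the thread.
SAMPLE_LOG = """\
Feb 20 00:00:05 fw unbound[4211]: [4211:0] info: service stopped (unbound 1.17.1).
Feb 20 00:00:16 fw unbound[4390]: [4390:0] info: start of service (unbound 1.17.1).
Feb 20 09:12:40 fw unbound[4390]: [4390:0] info: service stopped (unbound 1.17.1).
Feb 20 09:12:50 fw unbound[5102]: [5102:0] info: start of service (unbound 1.17.1).
Feb 20 09:31:02 fw unbound[5102]: [5102:0] info: service stopped (unbound 1.17.1).
Feb 20 09:31:11 fw unbound[5877]: [5877:0] info: start of service (unbound 1.17.1).
Feb 20 09:48:30 fw unbound[5877]: [5877:0] info: service stopped (unbound 1.17.1).
Feb 20 09:48:41 fw unbound[6120]: [6120:0] info: start of service (unbound 1.17.1).
"""

EVENT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: .*"
    r"info: (service stopped|start of service)"
)

def restart_windows(log_text, year=2023):
    """Return a list of (stopped_at, started_at, seconds_down), one per restart."""
    windows, stopped_at = [], None
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(2) == "service stopped":
            stopped_at = ts
        elif stopped_at is not None:
            windows.append((stopped_at, ts, (ts - stopped_at).total_seconds()))
            stopped_at = None
    return windows

def busiest_hour(windows):
    """Return (hour_start, restart_count) for the clock hour with most restarts."""
    counts = {}
    for stopped_at, _, _ in windows:
        hour = stopped_at.replace(minute=0, second=0)
        counts[hour] = counts.get(hour, 0) + 1
    return max(counts.items(), key=lambda kv: kv[1]) if counts else (None, 0)

if __name__ == "__main__":
    wins = restart_windows(SAMPLE_LOG)
    for down, up, secs in wins:
        print(f"{down:%b %d %H:%M:%S} down {secs:.0f}s")
    print("total downtime:", sum(w[2] for w in wins), "s; busiest hour:", busiest_hour(wins))
```

Comparing the window timestamps with DHCP lease renewals in the DHCP log shows whether the restarts line up with lease activity or with something else in the system log.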
-
@steveits Thanks so much for that clarification. Makes sense. I'll have to enable deeper logging on the unbound service to see if I can figure out why it's restarting nightly. It restarts right after midnight.
Thanks again!
-
@moelassus Check the system log also. Could be something like Suricata update, WAN link down/up, etc.