Netgate Discussion Forum

[SOLVED] Intermittent DNS Problem 23.01

General pfSense Questions
    SteveITS Galactic Empire @manjotsc
    last edited by Feb 20, 2023, 2:16 AM

    @manjotsc Another link for you…per https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
    “Disable Enable DNSSEC Support if enabled.
    DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures.”

    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
    Upvote 👍 helpful posts!

      Gertjan @manjotsc
      last edited by Feb 20, 2023, 7:44 AM

      When forwarding, DNSSEC should be deactivated as it makes no sense.
      I actually wonder why this isn't even enforced in the GUI.

      But this :

      @manjotsc said in Intermittent DNS Problem 23.01:

      Feb 19 00:35:49 unbound 17934 [17934:0] info: service stopped (unbound 1.17.1).

      doesn't look like unbound is 'tripping up'.
      It was ordered 'from above' to restart 😊
      The question that pops in mind now is : who would restart unbound and why ?
      A next question would be : why would my unbound restart xxx times a day 😊 etc etc.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        bmeeks
        last edited by bmeeks Feb 20, 2023, 2:27 PM Feb 20, 2023, 2:10 PM

        The three things that immediately come to mind when investigating frequent unbound restarts are:

        1. DHCP client registrations in DNS is enabled under the DHCP Server settings tab. This restarts unbound each time a DHCP client renews its lease.
        2. One of your physical interfaces is flapping (going offline and then online repeatedly). Most often this is the WAN interface. But when any interface unbound is listening on for requests bounces, unbound can stop running and need a restart.
        3. Using pfBlockerNG or pfBlockerNG-devel with the DNSBL configuration. This can result in unbound restarts when updating lists, although this is minimized somewhat in the latest package with changes to Python mode.
          johnpoz LAYER 8 Global Moderator @Gertjan
          last edited by Feb 20, 2023, 2:24 PM

          @gertjan said in Intermittent DNS Problem 23.01:

          why would my unbound restart xxx times a day

          Exactly...

          I updated to 23.01 yesterday morning... If I look to how long my unbound has been running

          [23.01-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status
          version: 1.17.1
          verbosity: 1
          threads: 4
          modules: 2 [ validator iterator ]
          uptime: 91248 seconds
          options: control(ssl)
          unbound (pid 93928) is running...
          [23.01-RELEASE][admin@sg4860.local.lan]/root: 
          

          91k seconds, lets do the math.. 25.34666 Hours, what do you know.. As long as my pfsense has been up ;)

          Uptime 	1 Day 01 Hour 24 Minutes 27 Seconds
          

          If your unbound is constantly restarting - you going to have a bad time of it..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

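The two checks this thread runs by hand (counting unbound stop/start lines in the resolver log, and comparing `unbound-control status` uptime against the firewall's uptime) as an added Python example; this is not code from the thread or from pfSense. The log lines are constructed to match the format Gertjan quoted, and the uptime figures are the ones johnpoz posted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample resolver log, modelled on the line quoted in the thread:
# "Feb 19 00:35:49 unbound 17934 [17934:0] info: service stopped (unbound 1.17.1)."
SAMPLE_LOG = """\
Feb 19 00:35:49 unbound 17934 [17934:0] info: service stopped (unbound 1.17.1).
Feb 19 00:35:50 unbound 18012 [18012:0] info: start of service (unbound 1.17.1).
Feb 19 00:41:02 unbound 18012 [18012:0] info: service stopped (unbound 1.17.1).
Feb 19 00:41:03 unbound 18077 [18077:0] info: start of service (unbound 1.17.1).
Feb 19 03:12:10 unbound 18077 [18077:0] info: service stopped (unbound 1.17.1).
Feb 19 03:12:11 unbound 18150 [18150:0] info: start of service (unbound 1.17.1).
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) unbound (?P<pid>\d+) "
    r"\[\d+:\d+\] info: (?P<event>service stopped|start of service)"
)

def restart_events(log_text, year=2023):
    """Return (timestamp, pid, event) for every unbound stop/start line.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["event"]))
    return events

def restarts_per_hour(events):
    """Count 'start of service' lines per hour bucket, e.g. 'Feb 19 00:00'."""
    starts = [ts for ts, _, ev in events if ev == "start of service"]
    return Counter(ts.strftime("%b %d %H:00") for ts in starts)

def noisy_hours(events, threshold=2):
    """Hours with at least `threshold` restarts; a healthy resolver yields none."""
    return sorted(h for h, n in restarts_per_hour(events).items() if n >= threshold)

STATUS_RE = re.compile(r"^uptime: (\d+) seconds", re.M)

def uptime_matches_system(status_output, system_uptime_seconds, slack=300):
    """True when unbound has been up about as long as the firewall itself,
    i.e. it has not restarted since boot (the check johnpoz did by hand)."""
    m = STATUS_RE.search(status_output)
    return m is not None and abs(system_uptime_seconds - int(m.group(1))) <= slack
```

Feed it the real `/var/log/resolver.log` text and the output of `unbound-control -c /var/unbound/unbound.conf status` to see whether restarts cluster around DHCP lease renewals or list updates.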
            bmeeks @johnpoz
            last edited by Feb 20, 2023, 2:33 PM

            @johnpoz said in Intermittent DNS Problem 23.01:

            If your unbound is constantly restarting - you going to have a bad time of it..

            I'll 100% agree with John here. I've never had an unscheduled unbound restart on my firewall.

            From perusing all the unbound/DNS trouble posts here on the forum, it has pretty much always come down to the fact the user began making changes to the out-of-the-box unbound/DNS Resolver setup, or they installed an add-on package that makes somewhat radical changes to the stock unbound setup for them. Then things broke or unbound became unstable by restarting frequently.

              Gertjan @bmeeks
              last edited by Gertjan Feb 20, 2023, 2:46 PM Feb 20, 2023, 2:45 PM

              @bmeeks said in Intermittent DNS Problem 23.01:

              the user began making changes to the out-of-the-box unbound/DNS Resolver setup

              Isn't this one enabled out of the pfSense box :


              and, out of the box, you two, @bmeeks and @johnpoz, - and me - have disabled this option ;)

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                bmeeks @Gertjan
                last edited by Feb 20, 2023, 2:47 PM

                @gertjan said in Intermittent DNS Problem 23.01:

                @bmeeks said in Intermittent DNS Problem 23.01:

                the user began making changes to the out-of-the-box unbound/DNS Resolver setup

                Isn't this one enabled out of the pfSense box :


                and, out of the box, you two, @bmeeks and @johnpoz, - and me - have disabled this option ;)

                No, I don't think it is enabled out-of-the-box. But then I don't use DHCP in pfSense since I have Active Directory.

                  johnpoz LAYER 8 Global Moderator @Gertjan
                  last edited by Feb 20, 2023, 3:07 PM

                  @gertjan I believe is or was default yes.. I wish they would change that really.. At least until there is a way to not restart every time a lease is touched, etc. Might have to do a clean install of 2.6 or 2.7 again to check if in fact default.

                  In a small network, with not a lot of dhcp leases, etc and unbound restarting in a fraction of a second sort of thing - other than the loss of cache prob not going to be too much of an issue.

                  But yeah this seems to be common issue with users having problems.

                  But if they did default it to off, prob just have just as many questions if not more to why they can not resolve some dhcp client, etc.

                  IMHO they should also default dnssec to off when the user clicks on do forwarding option. Or at least make a note on the setting that it can be problematic if forwarding, should be unchecked if forwarding.

                  I have made a few changes to unbound settings that is for sure. I serve 0, I set min cache to 3600 - yeah its bad practice to mess with the ttl set by the owner of the record.. Its also bad practice to set ttls of 30 seconds, or 5 minutes as well.. So screw um ;) I have yet to ever see any issue with setting the floor for ttl to 1 hour..

                  I also do qname minimization, I do prefetching of records, I have set to static zone vs transparent - also imho static should be the default vs transparent for the zone type. The zone type normally wouldn't matter, but I see no point in trying to resolve host.mydomain.tld when I do not have a local host.mydomain.tld - public internet sure isn't going to know anything about my local domain hosts ;) So it just keeps noise off the public internet - doing my part, just like I don't let traffic to rfc1918 out my wan via a floating rule. Would it hurt anything if I did, no, just pointless and again doing my part to keep noise off the internet.

                  But then again been working with dns for really since has been even a thing ;) so am fairly confident in my ability to troubleshoot anything that might be going on with dns.. I also fully understand exactly what these settings do and made a conscious choice to set them, etc. Other than if dhcp registration is default or not - most users would most likely have no problems if they just left the default, or at least fewer problems.

                  But if for whatever reason unbound is restarting X times a day/hour etc.. More than likely it will be problematic at some point for the user.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    stephenw10 Netgate Administrator
                    last edited by Feb 20, 2023, 3:18 PM

                    No that's never been enabled by default AFAIK. We're forever having to tell people to enable it because they expect to be able to connect to things with just the hostname.

                    The Unbound restarting situation with DHCP is.... suboptimal! It's definitely something we have on the list for 23.05.

                      SteveITS Galactic Empire @Gertjan
                      last edited by SteveITS Feb 21, 2023, 12:52 AM Feb 20, 2023, 3:23 PM

                      @gertjan said in Intermittent DNS Problem 23.01:

                      Isn't this one enabled out of the pfSense box

                      I'm pretty certain DHCP Registration is not enabled by default. A lot of people do set it though. The "Note" there is a bit unclear as it does stop/start not reload its config.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote 👍 helpful posts!

                        manjotsc @SteveITS
                        last edited by Feb 21, 2023, 12:50 AM

                        @steveits @bmeeks @Gertjan @bmeeks @johnpoz @stephenw10 Unchecking the "Enable DNSSEC Support" seems to have fixed the issue, it's been more than 24 hours, DNS hasn't caused any issue so far.

                        Thanks,

                        Vendor: HP
                        Version: P01 Ver. 02.50
                        Release Date: Wed Jul 17 2024
                        Boot Method: UEFI
                        24.11-RELEASE (amd64)
                        FreeBSD 15.0-CURRENT
                        CPU Type: Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz
                        Current: 3606 MHz, Max: 3400 MHz
                        4 CPUs : 1 package(s) x 4 core(s)

                          SteveITS Galactic Empire @manjotsc
                          last edited by Feb 21, 2023, 12:54 AM

                          @manjotsc Great!

                          I'm just going to reference this other thread on the same topic, same solution.

                          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                          Upvote 👍 helpful posts!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.