Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Concurrent/Rapid DNS queries fail randomly after 23.01 upgrade

    DHCP and DNS
    4
    5
    751
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wujj123456
      last edited by

      One of my common workflow is to open a bookmark folder, which is usually 7-10 sites. After 23.01 upgrade, if I open lots of domains at once, many of them would fail to get the name resolved. The domains fail to resolve spreads randomly and this happens both in Edge and Firefox (with trr.mode=5). It takes a few seconds or longer before I can retry to get the failed domains resolved correctly, but other domains resolve fine in the meantime. At the same time, the failed domains would also fail on other browser too until some time later, so they seem to be negatively cached. Otherwise, DNS is generally reliable so long as I don't do this kind of rapid queries. There are no additional logs or crashes in unbound when this happens.

      I am quite confident this only happened after 23.01 upgrade, since that's my daily route and the list of sites hasn't changed, nor did I change any pfsense settings after upgrade until I started debugging this.

      My settings:

      • DNS servers: quad9 and cloudflare. Both IPv4 and IPv6 ones.
      • DNS resolver: Enable DNSSEC support, Enable Forwarding Mode, Use SSL/TLS for outgoing DNS Queries to Forwarding Servers, Custom options "server:include: /var/unbound/pfb_dnsbl.*conf".

      Here are the few things I've tried.

      • I've tried various combinations of DNS servers and the issue remains.
      • I have pfblockerNG installed but disabling it doesn't help. The other three packages I have doesn't mess with DNS (Status_Traffic_Totals, squid, sudo).
      • Switching from DNS resolver to forwarder solves the issue.

      Anyone running into the same? Is there any specific settings I should provide or try that could be relevant to this issue?

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @wujj123456
        last edited by johnpoz

        @wujj123456 said in Concurrent/Rapid DNS queries fail randomly after 23.01 upgrade:

        Enable DNSSEC support, Enable Forwarding Mode, Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

        This has been shown in multiple threads to be a bad config.. If your going to forward there is little reason to have dnssec enabled - its only going to lead to failures to query..

        https://support.quad9.net/hc/en-us/articles/4409274993677-DNS-Forwarders-Best-Practices

        1. Disable DNSSEC Validation

        Since Quad9 already performs DNSSEC validation, DNSSEC being enabled in the forwarder will cause a duplication of the DNSSEC process, significantly reducing performance and potentially causing false BOGUS responses.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        W 1 Reply Last reply Reply Quote 1
        • W
          wujj123456 @johnpoz
          last edited by

          @johnpoz Thank you for the help. Looks like the upgrade just exposed my bad configuration. Not sure how I missed it but it's also called out in the doc:

          DNSSEC is not generally compatible with forwarding mode, with or without DNS over TLS.

          What's interesting though, is that disabling forward mode while enabling DNSSEC fully resolves my issue, but disabling DNSSEC and leaving forward mode and DNS over TLS doesn't. If I disable "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers", it works well too.

          The 4 DNS servers I have are 2620:fe::fe, 2606:4700:4700::1112, 1.1.1.2, 9.9.9.9 and they all support DNS over TLS. DNS Lookup also can query all of them with forward mode + DNS over TLS. I've verified in state page that port is 53 without DNS over TLS and 853 with the feature.

          Guess I will give up DNS over TLS for now, but if there are more suggestion that I should try, please let me know.

          S GertjanG 2 Replies Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @wujj123456
            last edited by

            @wujj123456 There have been others saying they need to disable TLS as well. I have not seen that myself but am at home with probably lower volume…your comment on a fast set of lookups is interesting. Perhaps some sort of connection limit?

            I did hit the DNSSEC issue on 23.01, not an issue on prior versions.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan @wujj123456
              last edited by

              @wujj123456 said in Concurrent/Rapid DNS queries fail randomly after 23.01 upgrade:

              but disabling DNSSEC and leaving forward mode and DNS over TLS doesn't.

              Been using 1.1.1.1 (host name one.one.one.one) and 2606:4700:4700::1111 (host name one.one.one.one), port 853 = TLS. Just to test, for 3 weeks.
              DNSSEC disabled of course.
              I didn't detect any issue.

              Went back to default : resolving (= not forwarding), DNSSEC actif.
              Empty

              8c9b4d01-81ac-4223-8339-67f8e85eb782-image.png

              as : if all choices work well, the one with no settings is the one to prefer 😊

              See here.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.