Netgate Discussion Forum

    Smooth update to 23.05 w/ a few comments on DNS Resolver forwarding over SSL/TLS

    Problems Installing or Upgrading pfSense Software
      goulou

      Note: the upgrade went fine overall, my comments are specifically related to using the optional SSL/TLS to query DNS Forwarding servers. OK, that said; upgraded 6100 Max. Backup taken then uninstalled what few pkgs were present, including pfBlockerNG at which point I noticed that DNS Resolver was no longer starting up. Planning to throw in a pre-upgrade reboot anyway but that didn't straighten out the DNS Resolver service but had read about (and previously hitting) DNS failing issues running Quad9 and possibly others, simply (temporarily) unchecked: "Use SSL/TLS for outgoing DNS Queries to forwarding servers". Obviously had to try to get DNS back anyway. No problem; just unchecked the SSL/TLS option in Forwarder, saved that and DNS was fine... continued the upgrade from the console to monitor progress. Once back online, re-checked the SSL/TLS option and Resolver seems happy. Additional appliances to get to later with similar configs.

        jimp Rebel Alliance Developer Netgate

        Seems like that might have been more related to removing/adding pfBlocker and maybe your config still referenced something in pfBlocker that was no longer there.

        Toggling DNS over TLS likely didn't do anything but trigger saving the DNS resolver settings without whatever pfBlocker-specific thing was picked there, like a Python mode script.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          goulou @jimp

          @jimp True, de-installation of pfBlockerNG was immediately followed by DNS Resolver failing to run/restart but re-saving DNS Resolver without SSL/TLS to Forwarding DNS Servers seemed like a next best try to me (since I had run into that Quad9 issue along with others reporting essentially the same thing). Assuming you're right then I guess my question would be how else could I have otherwise restored DNS Resolver at that point? Just re-saving the DNS Resolver settings as-is/ no further changes? If so I could try that on at least 1 other not yet upgraded NG appliance later today.

            jimp Rebel Alliance Developer Netgate @goulou

            @goulou said in Smooth update to 23.05 w/ a few comments on DNS Resolver forwarding over SSL/TLS:

            Assuming you're right then I guess my question would be how else could I have otherwise restored DNS Resolver at that point? Just re-saving the DNS Resolver settings as-is/ no further changes? If so I could try that on at least 1 other not yet upgraded NG appliance later today.

            Yes, just re-saving the settings without pfBlockerNG installed would normally be enough. You might want to double check that the custom options area is empty (or at least has no pfBlocker settings) and that the Python mode script is not set to something for pfBlocker.


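The check described in the last reply (custom options empty of pfBlocker settings, Python mode script not set to something for pfBlocker) can be run against an exported configuration before upgrading the next appliance. This is an added example, not part of the thread and not Netgate's code. It assumes the DNS Resolver settings sit in an `<unbound>` section with `python_script` and base64-encoded `custom_options` elements, and that pfBlockerNG leftovers contain the substring "pfb"; the sample configuration and its values are constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. Element names follow the
# assumed config layout for the DNS Resolver (<unbound> section); the script
# name and include path are placeholders.
LEFTOVER = base64.b64encode(b"server:include: /example/pfb_placeholder.conf").decode()
SAMPLE_CONFIG = f"""<pfsense>
  <unbound>
    <enable></enable>
    <python_script>pfb_example</python_script>
    <custom_options>{LEFTOVER}</custom_options>
  </unbound>
</pfsense>"""

MARKER = "pfb"  # assumed substring that identifies pfBlockerNG-related settings


def decode_custom_options(raw):
    """Return custom options as text; assumed to be stored base64-encoded."""
    if not raw or not raw.strip():
        return ""
    try:
        return base64.b64decode(raw.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return raw  # not base64 after all: inspect the stored text directly


def find_pfblocker_leftovers(config_xml):
    """List DNS Resolver settings that still reference pfBlockerNG."""
    unbound = ET.fromstring(config_xml).find("unbound")
    if unbound is None:
        return []
    findings = []
    script = (unbound.findtext("python_script") or "").strip()
    if MARKER in script.lower():
        findings.append(f"python_script = {script}")
    for line in decode_custom_options(unbound.findtext("custom_options")).splitlines():
        if MARKER in line.lower():
            findings.append(f"custom_options: {line.strip()}")
    return findings


if __name__ == "__main__":
    for finding in find_pfblocker_leftovers(SAMPLE_CONFIG):
        print("leftover:", finding)
```

An empty result means neither field references the removed package, which is the state in which re-saving the resolver settings is expected to be enough.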
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.