DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.

jvantslot

When our WAN Internet connection goes down, the DNS Resolver stops working. We have a number of internal servers that we use that become unreachable due to no DNS resolution for these services. These services are defined in the Host Override section of the DNS Resolver config so when the DNS Resolver service stops working so does any resolution of DNS queries for any of these hosts.

I've seen on this post: dns resolver stop problem! that a work-around would be to add a network switch between the WAN interface and the Modem. However, this has it's own behavioral issues as noted in the topic. It also adds a point of failure (the switch) between WAN and the Modem.

Is there any feature request out there that would change this behavior of DNS Resolver to continue to resolve DNS Overrides even if the Internet is down on a a WAN interface? It seems this should be a basic feature of pfSense. I don't know if the Resolver was designed to do this purposefully or if it was a requirement that was overlooked.

Is there anyone else who would like to see this default behavior change?

bmeeks

Have you tried removing the WAN interface selection from the drop-down list of Network Interfaces under SERVICES > DNS RESOLVER?

The default selection in that drop-down is All, but you can instead click individual interfaces by holding the CRTL key while clicking multiple choices. This is the list of interfaces that unbound listens on for queries from clients. It is NOT the list of interfaces used for sending replies. That's the Outgoing Network Interfaces box in the next section.

When unbound is configured to listen on an interface, it will not start up if that interface is not available. When All or WAN is selected in the Network Interfaces drop-down, that means unbound will go down when the WAN interface drops and be unable to restart until the WAN interface is back.

Removing WAN as a selected choice should prevent the behavior you are seeing. And unless you have configured your unbound to respond to public DNS queries from outside via your WAN, then there is no reason for unbound to listen on the WAN interface.

For outgoing interfaces, normally you are fine with selecting just localhost there. That will then result in the traffic getting to where it needs to go out the WAN, but since the localhost interface never goes down, unbound can always restart.

jvantslot

@bmeeks Ah! Yes! I don't know why that setting slipped my mind through all of this. I will give that a try.

Thank you!

bmeeks

@jvantslot said in DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.:

@bmeeks Ah! Yes! I don't know why that setting slipped my mind through all of this. I will give that a try.

Thank you!

Post back and let us know if that solves your problem, then someone stumbling across this thread in the future having the same issue will know what works (or does not ).

RobbieTT

@bmeeks said in DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.:

then someone stumbling across this thread in the future having the same issue will know what works (or does not ).

That future came very quickly - so in that same effort to learn (and I do have the odd Unbound gremlin) I've had my resolver set as below for longer than I can recall setting it:

The Network Interfaces is set to listen on 3 networks plus Localhost. The network labelled 'MAN(agement)' is set but normally I don't have this active or even a cable attached. I presumed this would be ok but maybe I am incorrect given your guidance above?

For Outgoing Network Interfaces I have both WAN and Localhost set on the logic that it should go out on WAN but if that interface is down (ie when my ISP drops it from time to time) I still want everything internal to resolve. However, occasionally when the WAN goes down the resolver stops internal queries for a while before resetting itself and starting again - do my setting contribute to this behaviour?

Finally, whilst I use IPv6 most of the time I have never set any link-local addresses in either Interface field. Do these options add anything worthwhile or will Localhost pick-up everything anyway?

Questions that I never usually get around to asking... usually because I am battling Unbound reseting itself for no obvious reason (although I have found a way around that for now).

️

bmeeks

@RobbieTT said in DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.:

@bmeeks said in DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.:

then someone stumbling across this thread in the future having the same issue will know what works (or does not ).

That future came very quickly - so in that same effort to learn (and I do have the odd Unbound gremlin) I've had my resolver set as below for longer than I can recall setting it:

The Network Interfaces is set to listen on 3 networks plus Localhost. The network labelled 'MAN(agement)' is set but normally I don't have this active or even a cable attached. I presumed this would be ok but maybe I am incorrect given your guidance above?

For Outgoing Network Interfaces I have both WAN and Localhost set on the logic that it should go out on WAN but if that interface is down (ie when my ISP drops it from time to time) I still want everything internal to resolve. However, occasionally when the WAN goes down the resolver stops internal queries for a while before resetting itself and starting again - do my setting contribute to this behaviour?

Finally, whilst I use IPv6 most of the time I have never set any link-local addresses in either Interface field. Do these options add anything worthwhile or will Localhost pick-up everything anyway?

Questions that I never usually get around to asking... usually because I am battling Unbound reseting itself for no obvious reason (although I have found a way around that for now).

️

I'm not sure there is any advantage to having WAN selected as an outgoing interface. Localhost should suffice as the firewall will route it automatically based on the destination IP address. I have mine set to Localhost only and it resolves just fine automatically routing out to the root servers on the web via my WAN.

I don't know about the IPv6 link-local addresses. Have not researched that in unbound.

As for the MAN interface, I suspect unbound may wait a bit while starting and then ignore it. You could enable detailed logging and see what the unbound daemon logs about that normally disconnected interface.

dpinger can be a sort of enemy here as it monitors the WAN connectivity by periodically pinging the configured monitor IP (usually the default gateway, but configurable as any IP address you choose). If gateway monitoring is enabled, then dpinger will detect if the WAN does down and initiate the "restart all packages" command in pfSense. That command will restart unbound for you each time dpinger triggers it. Restarting unbound is going to disrupt DNS lookups for sure while it is restarting. You can disable that by setting options under the Gateway monitoring section when editing a gateway under SYSTEM > ROUTING.

I see you have pfBlockerNG installed as well (the virtual IP is showing up under the DNS Resolver interface selections). If you are using DNSBL with large IP lists, that exacerbates the unbound restart problem because it can take a long time for unbound to start if it has a bunch of DNSBL names to sort through.

RobbieTT

@bmeeks

Ok, didn't realise there was a dpinger setting at play - TVM!

Presumably you mean this one:

I've not noticed a delay with pfBlockerNG although that may be due to having a small list or just a decent CPU & bandwidth to mask it.

bmeeks

@RobbieTT said in DNS Resolver stops when WAN goes down so DNS Overrides don't work when there is no Internet connection.:

@bmeeks

Ok, didn't realise there was a dpinger setting at play - TVM!

Presumably you mean this one:

I've not noticed a delay with pfBlockerNG although that may be due to having a small list or just a decent CPU & bandwidth to mask it.

Yes. That setting will disable the "restart all packages" and "cycle the interface" actions. That may or may not be desirable depending on your situation.