DNS Resolver (Unbound) Stops Working After Internet Outage – Requires Manual Restart
-
Hi,
I am experiencing an issue where the DNS resolver (Unbound) on pfSense stops working after an internet outage. This happens both during long outages and when there are multiple shorter disruptions in a short period of time. To get it working again, I have to manually restart the DNS resolver every time.
Sometimes, DNS resolution works directly on pfSense, but not on client devices. However, in other instances, DNS resolution fails even on pfSense itself. This inconsistency makes it difficult to pinpoint the exact problem.
I’ve seen similar issues reported on Reddit and other forums over the years, and I've tried several suggested solutions without success. Any insights or troubleshooting steps would be greatly appreciated.
-
Does the service stop?
Do you see anything logged?
How are you testing?
How is Unbound configured? Anything custom?
What pfSense version are you running?
Steve
-
-
No the service does not stop.
-
Nothing out of ordinary.
-
I use "dig" and it gives no A/AAAA records (blank), also webpages don't load. Firefox shows this error: "Hmm. We’re having trouble finding that site."
-
No custom options used.
- pfSense CE 2.7.2
-
-
Hmm, so it responds no answer, NXDOMAIN? Rather than no response?
Try turning up the logging to level 3 so you can see what it's doing when you query it in the failed state.
-
@stephenw10 My uplinks went down yesterday for 15 minutes but DNS resolution was working when it came back. These are the log (level 1) messages when it happened:
-
Nothing unexpected there. If you turn up the logs and wait for it to fail again the logs should show how it's failing at least.
Can you trigger the failure on demand?
-
@stephenw10 I can try by disconnecting the upstream router but I don't know how long it would take, maybe in 30 minutes, maybe hours.
-
A test, and you need the console or SSH to execute it:
On the main menu, use option 8.
Then:
dig @127.0.0.1 google.com
This test executes a dns request on port 53, 127.0.0.1. Unbound should be listening on that port.
Another test:
sockstat -4 | grep 'unbound'
This shows you on which interfaces unbound is listening.
I see:
unbound unbound 83642 5 udp4 *:53 *:*
unbound unbound 83642 6 tcp4 *:53 *:*
which means: unbound listens on every (like "all") interface, for IPv4 and IPv6, on port '53' (of course), using TCP and UDP.
This means that this:
dig @192.168.1.1 google.com
should give an answer = the IPv4 of Google
Btw: I presume your LAN IPv4 is 192.168.1.1 - take yours if yours is different.
This:
dig @192.168.1.1 google.com AAAA
should give the IPv6 if you have a working IPv6 setup.
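Two posts above ask the same diagnostic question in different ways: Steve wants to know whether Unbound in the failed state returns an empty answer, an RCODE such as NXDOMAIN or SERVFAIL, or no response at all, and the last post walks through querying 127.0.0.1 and the LAN address directly. The following is an added example, not code from this thread, from pfSense or from Unbound. It is a small stdlib-only DNS probe that sends one UDP query and classifies the reply into exactly those states, so the result can be pasted into a bug report without guessing from a blank dig output. The resolver address (127.0.0.1 by default) and the name google.com are taken from the thread; the reply builder and the 192.0.2.0/24 and 2001:db8::/32 addresses exist only so the parser can be exercised offline and are constructed for that purpose.

```python
"""Classify a resolver's reply as: no response, NXDOMAIN/SERVFAIL/..., empty answer, or ok.
Added example for the thread above; not pfSense or Unbound code. Standard library only."""
import random
import socket
import struct

QTYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode 'google.com' as DNS labels: \\x06google\\x03com\\x00 (RFC 1035)."""
    labels = [label.encode() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """One recursive query (RD=1, QDCOUNT=1) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def make_response(query, rcode=0, records=()):
    """Constructed reply to `query` for offline testing (not captured traffic).
    `records` is a list of (qtype, address) tuples answered with a 60 s TTL."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)  # QR,RD,RA
    body = b""
    for qtype, addr in records:
        family = socket.AF_INET if qtype == "A" else socket.AF_INET6
        rdata = socket.inet_pton(family, addr)
        # \xc0\x0c is a compression pointer back to the question name at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPES[qtype], 1, 60, len(rdata)) + rdata
    return header + question + body


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (rcode_name, answer_count, [A/AAAA addresses from the answer section])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x0F, str(flags & 0x0F))
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, an, answers


def classify(data):
    """Map a raw reply (None for a timeout) onto the states asked about in the thread."""
    if data is None:
        return "no response"
    rcode, ancount, answers = parse_response(data)
    if rcode != "NOERROR":
        return rcode                      # e.g. NXDOMAIN or SERVFAIL
    if ancount == 0:
        return "empty answer"             # what a blank dig output usually is
    return "ok " + ",".join(answers)


def probe(server, name="google.com", qtype="A", timeout=3.0):
    """Send one UDP query to `server` (127.0.0.1 or the LAN address) and classify the reply."""
    query = build_query(name, qtype, txid=random.randrange(0x10000))
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response"
    if data[:2] != query[:2]:
        return "mismatched txid"
    return classify(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for qt in ("A", "AAAA"):
        print(qt, probe(target, qtype=qt))
```

Run it as `python3 dnsprobe.py 127.0.0.1` on the pfSense shell (option 8) and again with the LAN address from a client, once now and once in the failed state. "no response" points at Unbound not answering at all (or a firewall rule in the way), "SERVFAIL" at upstream or DNSSEC trouble, and "empty answer" at a cached negative result, which is the case the level 3 log will explain.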