Auto Backup Error: Unable to resolve acb.netgate.com

digimd

I have been facing this error related to failure to autobackup my config. I have seen this message even when pfblocker is turned off but less often. Where is the problem? Thanks.

An error occurred while uploading the encrypted Netgate pfSense Plus configuration to https://acb.netgate.com/save ( Unable to resolve acb.netgate.com ) @ 2024-11-03 13:06:03

SteveITS

@digimd Does Diagnostics/DNS Lookup succeed?

stephenw10

Is it after rebooting? Like during boot?

digimd

@SteveITS Yes, it does without issues.

digimd

@stephenw10 said in Auto Backup Error: Unable to resolve acb.netgate.com:

Is it after rebooting? Like during boot?

I do not think so. I almost never rebooted this pfsense machine except for updates.

stephenw10

Does it fail every time? Like if you make a manual backup or try to view the available backups for the device?

digimd

@stephenw10
I believe it is hit or miss. Manual backup works. The only resolution I find for this is to disable pfblockerNG, then these random errors would disappear.

stephenw10

Hmm, anything in the pfBlocker logs?

Are you just using Unbound for local DNS?

digimd

@stephenw10 said in Auto Backup Error: Unable to resolve acb.netgate.com:

Hmm, anything in the pfBlocker logs?

I see in the error logs "validation failed" for some DNSBL types

Are you just using Unbound for local DNS?

Yes

stephenw10

What about in the dnsbl.log file? That's where I might expect to see it.

Otherwise do you see Unbound restarting a lot? It could be failing to resolve at that point and that could coincide with acb trying to send a config update.

digimd

@stephenw10
I checked both and I don't see errors.

Gertjan

@digimd

Can you execute

and list the last 20 lines or so ? (if any).

digimd

@Gertjan

Nov  5 11:25:03 pfsense unbound[1948]: [1948:0] info: start of service (unbound 1.19.3).
Nov  5 11:30:38 pfsense unbound[93372]: [93372:0] info: start of service (unbound 1.19.3).
Nov  5 11:40:25 pfsense unbound[1249]: [1249:0] info: start of service (unbound 1.19.3).
Nov  5 12:32:38 pfsense unbound[91078]: [91078:0] info: start of service (unbound 1.19.3).
Nov  5 12:33:03 pfsense unbound[39185]: [39185:0] info: start of service (unbound 1.19.3).
Nov  5 12:33:25 pfsense unbound[14094]: [14094:0] info: start of service (unbound 1.19.3).
Nov  5 12:33:48 pfsense unbound[47038]: [47038:0] info: start of service (unbound 1.19.3).
Nov  5 12:34:11 pfsense unbound[15742]: [15742:0] info: start of service (unbound 1.19.3).
Nov  5 12:34:32 pfsense unbound[30305]: [30305:0] info: start of service (unbound 1.19.3).
Nov  6 11:09:39 pfsense unbound[65438]: [65438:0] info: start of service (unbound 1.19.3).
Nov  6 11:11:31 pfsense unbound[99829]: [99829:0] info: start of service (unbound 1.19.3).
Nov  6 19:15:48 pfsense unbound[23707]: [23707:0] info: start of service (unbound 1.19.3).
Nov  6 22:30:28 pfsense unbound[39026]: [39026:0] info: start of service (unbound 1.19.3).

Gertjan

@digimd

It's restarting "all the time". Not a problem, but every time it restarts, you - and pfSense - loose DNS for a moment.
Restarting unbound takes some time.
You use pfBlockerng : restarting takes even more time.

Do you use "ISC DHP", and if so, you have this option checked (under Services > DNS Resolver > General Settings) ?

If so, uncheck it. save and Apply.

You can set pfBlockerng settings so DNSBL are reloaded less frequent, thus less DNS resolver restarts.

digimd

@Gertjan
Yes, I figured ;(

I still use the ISC DHCP. The other (newer) was crashing to my eye without even checking the logs. I don't have that option checked, but only for static mappings (the option just below). I will turn off pfblocker until I am able to troubleshoot the unbound issues. I have "Resolver Live Sync" option checked so it should not have to reload. Cron setting (under General menu) is set to hourly.

Gertjan

@digimd said in Auto Backup Error: Unable to resolve acb.netgate.com:

I still use the ISC DHCP. The other (newer) was crashing to my eye without even checking the logs. I don't have that option checked, but only for static mappings (the option just below)

Ok !
I was just checking. "DHCP Registration" when checked, restarts unbound(resolver) on every DHCP event. And, as already stated, unbound restating == temporary DNS outage.

@digimd said in Auto Backup Error: Unable to resolve acb.netgate.com:

I have "Resolver Live Sync" option checked so it should not have to reload.

I'm not so sure about that.
I read "Resolver Live Sync" as "restart unbound" to have it taken in effect new DNSBL info.

"Resolver Live Sync" only is available if you use the old "Unbound mode".
The newer Python mode is waaaay faster (with more options etc ^^).

It's worth trying Python mode.
Select it, save, and do a Firewallpf > BlockerNG > Update reload all.

@digimd said in Auto Backup Error: Unable to resolve acb.netgate.com:

Cron setting (under General menu) is set to hourly.

That's a choice.

Mine is set to :

so one a day.
As that's fine for me
see here : it's the unbound cache size, which shows ... the cache size and the frequency of unbound restarting.

digimd

@Gertjan
Awesome! I switched to Python mode. I must have used some outdated tutorial. I changed the Message Cache Size from 4mg to 20 mg (is this enough?) to test this intesreting point you brought up; thank you. FYI, I don't have DHCP Registration checked, so I am fine there.

Gertjan

@digimd

Wait a day or so, then re execute

cat /var/log/resolver/log | grep 'start'

as I've shown above, and see that unbound restarts (way) less times a day.

digimd

This post is deleted!

stephenw10

You could also try adding a host override for acb.netgate.com as a test. I wouldn't leave it like that because the IP might change at some point in the future. But it's been the same until now!