Unbound errors after 24.11 update
-
Hi, I haven't been on here for some time, but I'm still around.
I recently updated to 24.11 and noticed that unbound has been running into trouble after some time (screenshot). I assume it has to do with the timing of pfblockerNG updates.
When I get these errors, restarting unbound fixes it until it fails again. I have already tried uninstalling and reinstalling pfblockerNG. That did not help. I had to enable forwarding mode for the time being to avoid DNS queries failing and/or being very delayed.
I haven't found info on this exact issue in the bug tracker or on here. Let me know if you need anything else.
Thanks.
-
@Raffi_ said in Unbound errors after 24.11 update:
reinstalling pfblockerNG
What pfBlockerNG version?
Run this:
[24.11-RELEASE][root@pfSense.bhf.tld]/root: md5sum /var/unbound/pfb_unbound.py
8089faa1c4ab9886995f36970811f6ea /var/unbound/pfb_unbound.py
Do you also have 8089faa1c4ab9886995f36970811f6ea ?
That tells me that your /var/unbound/pfb_unbound.py is the same as my file.
/var/unbound/pfb_unbound.py gets called by unbound to do the DNSBL filtering.
Your unbound sends something (probably DNS request bits) to your /var/unbound/pfb_unbound.py and it can not handle it. Not sure if a 0xc0 is a valid ASCII char. Any chance you've set up a host name somewhere with BOM encoding or some other host name with UTF8 / UTF16 (characters with accents)?
Btw: yeah, if /var/unbound/pfb_unbound.py fails, it probably takes unbound with it. That's bad for DNS business.
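An added example (not code from this thread, from pfBlockerNG or from unbound) that turns the "query name with a byte like 0xc0" hypothesis above into a check a defender can run over unbound query logs: it flags names containing bytes outside letters, digits, hyphen, dot and underscore (0xc0 is outside the ASCII range entirely), and shows a decode that does not raise on such bytes. The "info: client qname qtype qclass" line layout is assumed to follow unbound's log-queries style; the log lines are constructed samples.

```python
from __future__ import annotations
import re
import string

# Bytes a query name is expected to contain (LDH plus dot; underscore tolerated for SRV/DKIM-style names).
SAFE_QNAME_BYTES = frozenset((string.ascii_letters + string.digits + "-._").encode("ascii"))

def check_qname(raw: bytes) -> tuple[bool, list[str]]:
    """Return (is_clean, offending bytes as hex strings) for a raw query name."""
    bad = [f"0x{b:02x}" for b in raw if b not in SAFE_QNAME_BYTES]
    return (not bad, bad)

def safe_qname_text(raw: bytes) -> str:
    """Decode for logging without raising: a strict ASCII decode throws on 0xc0, so escape instead."""
    return raw.decode("ascii", errors="backslashreplace")

# Assumed unbound log-queries layout after the syslog prefix: "info: <client> <qname> <qtype> <qclass>".
LOG_LINE = re.compile(rb"info: (\S+) (\S+) ([A-Z0-9]+) (IN|CH|HS)$")

def scan_query_log(lines: list[bytes]) -> list[dict]:
    """Return one record per query whose name contains bytes outside the safe set."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line.rstrip(b"\r\n"))
        if not m:
            continue  # not a query line (e.g. the pfBlockerNG script message)
        client, qname = m.group(1), m.group(2)
        clean, bad = check_qname(qname)
        if not clean:
            hits.append({"client": client.decode("ascii", "replace"),
                         "qname": safe_qname_text(qname),
                         "bad_bytes": bad})
    return hits

# Constructed sample lines; the syslog prefix mirrors the one quoted later in the thread.
SAMPLE_LOG = [
    b"2024-12-16 17:31:05.867565+01:00 unbound 46083 [46083:0] info: 192.168.1.23 example.com. A IN",
    b"2024-12-16 17:31:06.100000+01:00 unbound 46083 [46083:0] info: 192.168.1.51 caf\xc3\xa9-printer.lan. A IN",
    b"2024-12-16 17:31:06.200000+01:00 unbound 46083 [46083:0] info: 192.168.1.77 bad\xc0host.lan. AAAA IN",
    b"2024-12-16 17:31:07.000000+01:00 unbound 46083 [46083:0] info: [pfBlockerNG]: pfb_unbound.py script exiting",
]

if __name__ == "__main__":
    for hit in scan_query_log(SAMPLE_LOG):
        print(hit)  # which LAN client asked for a name with non-ASCII bytes
```

Run against a real log only after raising unbound's verbosity so query names are logged; the client address in each hit points at the device to inspect.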
-
I have the same pfb_unbound.py but not the same error messages.
But I also notice DNS queries failing ... and then they succeed after pressing F5 in the browser a few times, for example. Disabling DNSBL now for a basic A/B test.
-
@Gertjan Thanks for the response!
What pfBlockerNG version?
Run this:
[24.11-RELEASE][root@pfSense.bhf.tld]/root: md5sum /var/unbound/pfb_unbound.py
8089faa1c4ab9886995f36970811f6ea /var/unbound/pfb_unbound.py
Do you also have 8089faa1c4ab9886995f36970811f6ea ?
That tells me that your /var/unbound/pfb_unbound.py is the same as my file.
f1ea4381f1359cf1b68581eb37b25697 /var/unbound/pfb_unbound.py
That's what I got when running that command.
/var/unbound/pfb_unbound.py gets called by unbound to do the DNSBL filtering.
Your unbound sends something (probably DNS request bits) to your /var/unbound/pfb_unbound.py and it can not handle it. Not sure if a 0xc0 is a valid ASCII char. Any chance you've set up a host name somewhere with BOM encoding or some other host name with UTF8 / UTF16 (characters with accents)?
Pretty sure not much changed on the network or settings other than the change to 24.11. I wouldn't even know how to get accent characters on my hosts, to be honest.
Btw: yeah, if /var/unbound/pfb_unbound.py fails, it probably takes unbound with it. That's bad for DNS business.
-
@sgw said in Unbound errors after 24.11 update:
I have the same pfb_unbound.py but not the same error messages.
But I also notice DNS queries failing ... and then they succeed after pressing F5 in the browser a few times, for example. Disabling DNSBL now for a basic A/B test.
Thanks for the tip. Yes, that sounds like a similar issue to mine. I'm sure if I refreshed enough times it would eventually work also. I was thinking about disabling DNSBL, but I'd really rather not since it is still working to protect the office. I opted to enable forwarding mode and use a Cloudflare public DNS. This made it so my DNS works and I get to keep pfblocker protection at least.
-
@Raffi_ said in Unbound errors after 24.11 update:
f1ea4381f1359cf1b68581eb37b25697 /var/unbound/pfb_unbound.py
Probably ok.
You are using version "16", I'm using the devel version:
Btw:
IMHO: a host name is being parsed and it contains invalid characters.
Beware: probably not you typing the host name, but it could be any device on your LAN asking to resolve something that contains invalid chars.
Or, at least, the python script goes bananas.
It should be more resilient, I agree.
Also: first time I see this kind of failure message on the forum. Must be something really unique.
...wait ... (Let's search for it)
-
@Raffi_ I still see these DNS issues even with pfblockerNG disabled.
My unbound does not forward DNS queries, it is set to resolve queries directly.
-
@sgw said in Unbound errors after 24.11 update:
@Raffi_ I still see these DNS issues even with pfblockerNG disabled.
My unbound does not forward DNS queries, it is set to resolve queries directly.
Interesting, what does your unbound log say? Is the error message similar to mine?
If so, you can try my temporary solution. Enter a public DNS of your choice in the general settings, and then enable forwarding mode in DNS resolver. This will still use the Unbound resolver by default, but if it fails, it will fall back to using the public DNS entries, at least that's my understanding of the description in the general settings.
-
@Raffi_ I tried something different to research this in more detail:
even when pfblockerNG is disabled, unbound can still have that python module enabled.
I disabled that now in the settings of the "DNS resolver" (=unbound) and restarted it. This led to:
2024-12-16 17:31:05.867565+01:00 unbound 46083 [46083:0] info: [pfBlockerNG]: pfb_unbound.py script exiting
I will see if things change now. Right now I have to do other work, but I will report back.
-
@Gertjan said in Unbound errors after 24.11 update:
@Raffi_ said in Unbound errors after 24.11 update:
f1ea4381f1359cf1b68581eb37b25697 /var/unbound/pfb_unbound.py
Probably ok.
You are using version "16", I'm using the devel version:
Thank you for this, maybe I will try the devel version. For the longest time I was using the devel version since it was the latest. A few months ago I went to using the non-devel version since it seems like the devel version is the actual development version and I figured non-devel would be more stable.
Btw:
IMHO: a host name is being parsed and it contains invalid characters.
Beware: probably not you typing the host name, but it could be any device on your LAN asking to resolve something that contains invalid chars.
Or, at least, the python script goes bananas.
It should be more resilient, I agree.
That is possible. I don't have insight into every device on the network even though it's a fairly small network. Maybe I will try looking into that.
Also: first time I see this kind of failure message on the forum. Must be something really unique.
...wait ... (Let's search for it)
Thanks for that search, it didn't seem to bring up much.
-
@Raffi_ said in Unbound errors after 24.11 update:
Maybe I will try looking into that.
You could raise the debug level of unbound to
so the offending host name leaves a trace in the unbound logs.
Beware: make your log file(s) big enough as this will log a huge quantity of lines.
Don't forget to set the log level back as soon as the issue is solved/known.
-
@Gertjan Thanks, good idea. I will try increasing the log level. Unfortunately pfblockerNG-devel did not solve the issue.
-
It seems to have been resolved and I'm not having any errors for the last 3 days. I had to switch pfblocker from python mode to unbound mode.
pfblocker is still working as well as unbound, so I'm ok with this.
-
@Raffi_ said in Unbound errors after 24.11 update:
I had to switch pfblocker from python mode to unbound mode.
Why Python mode was invented: read the end of this https://forum.netgate.com/topic/195824/after-updating-to-24-11-extremley-slow-apply-changes/10?_=1736231986710
I'm still convinced that you use a DNSBL "that no one else is using", or you've copy-pasted a DNSBL yourself as a whitelist (just examples of what might have gone wrong) and that DNSBL (host name) contains invalid chars.
Result: the python script bails out.
What happens if you back up your config?
Then remove all DNSBL and other stuff you've added.
I'll bet the error is now gone.
From that point on, add one by one - and test extensively between each step - what you had before, up until the error comes back.
-
@Gertjan Thanks for the advice. I have tried as you suggested. I took screenshots and copied my pfblocker settings and made a full pfsense backup.
I unchecked the box to retain settings and enable pfblocker. Forced reload. Uninstalled the pfblockerng-devel package.
I installed pfblockerng and went through the setup wizard with defaults. I added nothing else to the config and only enabled python mode. Within several minutes, I saw the same python errors again in Unbound. By default, only the IPv4 list was added, which I did not have enabled before. Then I believe only the Steven Black hosts list was there under DNSBL.
I still have no clue what is going on. I have no desire to wipe my entire system and start fresh over this. I will just leave it running in unbound mode, which also happens to be the default after the wizard is run.
-
@Raffi_ said in Unbound errors after 24.11 update:
Then I believe only the Steven Black hosts list was there under DNSBL.
That's the one I'm using.
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
and as we both use the same "pfBlockerNG" script code and the same DNSBL file, it's more unlikely now that it's pfBlockerNG, or the DNSBL file.
Your pfSense 'files' and mine are also identical.
Btw: I'm using
You know what this means:
Question: what is different between your pfSense and mine?
Answer: our GUI settings ....
You could do this:
[get a pfSense config backup]
Remove all DNSBL feeds
Remove all IP feeds
Remove pfSense package and do not retain settings.
I would even add: get a new copy of the pfSense config file, open it (notepad++) and remove all pfBlockerNG traces.
Import this edited file and reboot.
Check for a while if the system is ok.
Then install pfBlockerNG.
Activate it, and don't do anything else.
So, now, pfBlockerNG doesn't do anything.
Check for a while if the system is ok.
Now, get just one DNSBL : take the Steven list - just this list.
Check for a while if the system is ok.
-
@Gertjan That is what I did minus manually editing the config file. I wiped out the pfblocker settings and installed and started fresh with the setup wizard when it is first launched. I even uninstalled pfblockerng-devel and installed pfblockerng during this process to add another variable of trying something different to the equation, but still the same.
I might have something weird going on with my setup because even when I try to change the view in the logs from displaying more or less lines, I get an error which says "Shouldn't be here". That is the weirdest error message I have seen. I haven't noticed other issues with the setup other than python mode and this so far. I might try to reboot overnight.
-
Default is "1000", "3000" is what I have.
200 seems way too low.
Remember: the log pages are the most important pages in the pfSense GUI.
-
@Gertjan Thanks, makes sense for it to be higher. It is currently at 1000, but the point is not the value, it's the fact that I can't change it. When I hit the save button to change it to any value, I get that message. I don't mean to take this thread into another topic. I just wanted to point out I have more than one really odd thing going on. So it could be something more than just pfblocker python mode which is broken.
Interestingly, if I go to the log settings tab, which is for all logs I thought, I can change the value there. It appears to change it for nearly all tabs, except for System > General, DNS Resolver and OpenVPN. The value does not change there and I can't change it via the wrench icon. Again, I'm not looking for a solution to this issue. I can open another thread for that if needed. Just pointing out odd things as I'm seeing them.