Netgate Discussion Forum

    Unbound errors after 24.11 update

    • S Offline
      sgw @Raffi_
      last edited by

      @Raffi_ I still see these DNS issues even with pfblockerNG disabled.

      My unbound does not forward DNS queries, it is set to resolve queries directly.

      Raffi_R 1 Reply Last reply Reply Quote 0
      • Raffi_R Offline
        Raffi_ @sgw
        last edited by Raffi_

        @sgw said in Unbound errors after 24.11 update:

        @Raffi_ I still see these DNS issues even with pfblockerNG disabled.

        My unbound does not forward DNS queries, it is set to resolve queries directly.

        Interesting, what does your unbound log say? Is the error message similar to mine?
        If so, you can try my temporary solution. Enter a public DNS of your choice in the general settings, and then enable forwarding mode in DNS resolver. This will still use the Unbound resolver by default, but if it fails, it will fall back to using the public DNS entries, at least that's my understanding of the description in the general settings.

        S 1 Reply Last reply Reply Quote 0
        • S Offline
          sgw @Raffi_
          last edited by

          @Raffi_ I tried something different to research this in more detail:

          even when pfblockerNG is disabled, unbound can still have that python-module enabled.
          I disabled that now in the settings of the "DNS resolver" (=unbound) and restarted it.

          This led to:

          2024-12-16 17:31:05.867565+01:00	unbound	46083	[46083:0] info: [pfBlockerNG]: pfb_unbound.py script exiting
          

          I will see if things change now. Right now I have to do other work, but I will report back.

          1 Reply Last reply Reply Quote 1
          • Raffi_R Offline
            Raffi_ @Gertjan
            last edited by

            @Gertjan said in Unbound errors after 24.11 update:

            @Raffi_ said in Unbound errors after 24.11 update:

            f1ea4381f1359cf1b68581eb37b25697 /var/unbound/pfb_unbound.py

            Probably ok.
            You are using version "16", I'm using the devel version :

            Thank you for this, maybe I will try the devel version. For the longest time I was using the devel version since it was the latest. A few months ago I went to using non devel version since it seems like devel version is the actual development version and I figured non devel would be more stable.

            0d66d251-9f40-4298-a42c-8b8471c5cec0-image.png

            Btw :
            0743fdd1-0321-49a3-8cda-9d65ed101950-image.png

            IMHO : a host name is being parsed and it contains non-valid characters.
            Beware : probably not you typing the host name, but it could be any device on your LAN asking to resolve something that contains invalid chars.
            or, at least, the python script goes bananas.
            It should be more resilient, I agree.

            That is possible. I don't have insight into every device on the network even though it's a fairly small network. Maybe I will try looking into that.

            Also : first time I see this kind of failure message on the forum. Must be something really unique.
            ...wait ... (Let's search for it)

            UnicodeDecodeError

            Thanks for that search, it didn't seem to bring up much.

            GertjanG 1 Reply Last reply Reply Quote 0
            • GertjanG Online
              Gertjan @Raffi_
              last edited by

              @Raffi_ said in Unbound errors after 24.11 update:

              Maybe I will try looking into that.

              You could raise the debug level of unbound to

              78891b81-b130-4f47-8014-6556597e324d-image.png

              so the offending host name leaves a trace in the unbound logs.
              Beware : make your log file(s) big enough as this will log a huge quantity of lines.
              Don't forget to set the log level back as soon as the issue is solved/known.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              Raffi_R 1 Reply Last reply Reply Quote 1
              • Raffi_R Offline
                Raffi_ @Gertjan
                last edited by

                @Gertjan Thanks, good idea. I will try increasing the log level. Unfortunately pfblockerNG-devel did not solve the issue.

                1 Reply Last reply Reply Quote 0
                • Raffi_R Offline
                  Raffi_
                  last edited by

                  It seems to have been resolved and not having any errors for the last 3 days. I had to switch pfblocker from python mode to unbound mode.

                  pfblocker is still working as well as unbound, so I'm ok with this.

                  GertjanG 1 Reply Last reply Reply Quote 0
                  • GertjanG Online
                    Gertjan @Raffi_
                    last edited by

                    @Raffi_ said in Unbound errors after 24.11 update:

                    I had to switch pfblocker from python mode to unbound mode.

                    Why Python mode was invented : read the end of this https://forum.netgate.com/topic/195824/after-updating-to-24-11-extremley-slow-apply-changes/10?_=1736231986710

                    I'm still convinced that you use a DNSBL "that no one else is using", or you've copied pasted a DNSBL yourself as a whitelist (just examples of what might have gone wrong) and that DNSBL (host name) contains invalid chars.
                    Result : the python script bails out.
                    What happens if you back up your config.
                    Then remove all dnsbl and other stuff you've added.
                    I'll bet the error is now gone.
                    From that point on, add one by one - and test extensively between each step - what you've had before, up until the error comes back.


                    Raffi_R 1 Reply Last reply Reply Quote 1
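Added example, not part of the thread and not pfBlockerNG code: one way to test the hypothesis above (a feed entry with invalid characters) is to scan the downloaded feed as raw bytes and list entries that are not valid UTF-8 or that break host-name label rules. It assumes a hosts-format or bare-domain feed; `check_hostname`, `scan_feed` and the sample feed are hypothetical names and constructed input.

```python
import re

# One DNS label: letters, digits, hyphen (underscore tolerated because it shows
# up in real names), 1-63 characters, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")

def check_hostname(raw: bytes):
    """Return None if raw looks like a valid host name, else a short reason."""
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return f"not valid UTF-8 (byte 0x{raw[exc.start]:02x} at offset {exc.start})"
    if not name.isascii():
        return "non-ASCII characters (not punycode)"
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return "empty or longer than 253 characters"
    for label in name.split("."):
        if not LABEL_RE.match(label):
            return f"invalid label {label!r}"
    return None

def scan_feed(data: bytes):
    """Scan a feed read as raw bytes; return (line_number, raw_name, reason) tuples."""
    findings = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        line = line.split(b"#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        raw_name = fields[1] if len(fields) > 1 else fields[0]
        reason = check_hostname(raw_name)
        if reason:
            findings.append((lineno, raw_name, reason))
    return findings

# Constructed sample feed, not taken from any real list.
SAMPLE_FEED = (
    b"# constructed sample\n"
    b"0.0.0.0 ads.example.com\n"
    b"0.0.0.0 caf\xe9.example.net\n"          # Latin-1 byte, not valid UTF-8
    b"0.0.0.0 m\xc3\xbcnchen.example.org\n"   # valid UTF-8 but not ASCII
    b"0.0.0.0 tracker!.example.org # note\n"  # character outside the label set
    b"plain-domain.example\n"
)

if __name__ == "__main__":
    for lineno, raw_name, reason in scan_feed(SAMPLE_FEED):
        print(f"line {lineno}: {raw_name!r}: {reason}")
```

The same `check_hostname` can be run over query names pulled from the unbound log at the raised log level, to check whether a LAN device is asking for a malformed name.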
                    • Raffi_R Offline
                      Raffi_ @Gertjan
                      last edited by Raffi_

                      @Gertjan Thanks for the advice. I have tried as you suggested. I took screenshots and copied my pfblocker settings and made a full pfsense backup.
                      I unchecked the box to retain settings and enable pfblocker. Forced reload. Uninstalled the pfblockerng-devel package.

                      I installed pfblockerng and went through the setup wizard with defaults. I added nothing else to the config and only enabled python mode. Within several minutes, I saw the same python errors again in Unbound. By default, only the IPV4 list was added which I did not have enabled before. Then I believe only the Steven's black host list was there under DNSBL.

                      I still have no clue what is going on. I have no desire to wipe my entire system and start fresh over this. I will just leave it running in unbound mode, which also happens to be the default after the wizard is run.

                      GertjanG 1 Reply Last reply Reply Quote 0
                      • GertjanG Online
                        Gertjan @Raffi_
                        last edited by

                        @Raffi_ said in Unbound errors after 24.11 update:

                        Then I believe only the Steven's black host list was there under DNSBL.

                        That's the one I'm using.
                        https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

                        ==

                        83434f97-1f6a-4028-8475-a81d1556d4fd-image.png

                        and as we both use the same "pfBlockerng" script code and the same DNSBL file, it's more unlikely now that it isn't pfBlockerng, neither the DNSBL file.
                        Your pfSense 'files' and mine are also identical.

                        Btw : I'm using

                        4fe1ff94-a0c1-4372-a180-d53b2a7ee2b2-image.png

                        You know what this means :
                        Question : what is different between your pfSense and mine ?
                        Answer : our GUI settings ....

                        You could do this :
                        [get a pfSense config backup]
                        Remove all DNSBL feeds
                        Remove all IP feeds
                        Remove pfSense package and do not retain settings.
                        I would even add : get a new copy of the pfSense config file, open it (notepad++) and remove all pfBlockerng traces.
                        Import this edited file and reboot.

                        Check for a while if the system is ok.

                        Then install pfBlockerng.
                        Activate it.

                        06d901dc-63c3-47e1-a1ce-a2c68727a875-image.png

                        and don't do anything else.
                        So, now, pfBlockerng doesn't do anything.

                        Check for a while if the system is ok.

                        Now, get just one DNSBL : take the Steven list - just this list.

                        Check for a while if the system is ok.


                        Raffi_R 1 Reply Last reply Reply Quote 0
                        • Raffi_R Offline
                          Raffi_ @Gertjan
                          last edited by

                          @Gertjan That is what I did minus manually editing out config file. I wiped out the pfblocker settings and installed and started fresh with the setup wizard when it is first launched. I even uninstalled pfblockerng-devel and installed pfblockerng during this process to add another variable of trying something different to the equation, but still the same.

                          I might have something weird going on with my setup because even when I try to change the view in the logs from displaying more or less lines, I get an error which says "Shouldn't be here". That is the weirdest error message I have seen. I haven't noticed other issues with the setup other than python mode and this so far. I might try to reboot overnight.

                          ec55cdb7-79ea-4e30-8807-21497797a032-image.png

                          GertjanG 1 Reply Last reply Reply Quote 0
                          • GertjanG Online
                            Gertjan @Raffi_
                            last edited by

                            @Raffi_

                            Default is "1000", "3000" is what I have.
                            200 seems way too low.

                            Remember : the logs pages are the most important pages in the pfSense GUI.


                            Raffi_R 1 Reply Last reply Reply Quote 0
                            • Raffi_R Offline
                              Raffi_ @Gertjan
                              last edited by Raffi_

                              @Gertjan Thanks, makes sense for it to be higher. It is currently at 1000, but the point is not the value, it's the fact that I can't change it. When I hit the save button to change it to any value, I get that message. I don't mean to take this thread into another topic. I just wanted to point out I have more than one really odd thing going on. So it could be something more than just pfblocker python mode which is broke.

                              Interestingly, if I go to the log settings tab which is for all logs I thought, I can change the value there. It appears to change it for nearly all tabs, except for System > general, DNS resolver and OpenVPN. The value does not change there and I can't change it via the wrench icon. Again, I'm not looking for a solution to this issue. I can open another thread for that if needed. Just pointing out odd things as I'm seeing them.

                              1 Reply Last reply Reply Quote 0
                              • Raffi_R Offline
                                Raffi_
                                last edited by

                                So I saw a very similar redmine https://redmine.pfsense.org/issues/15723 but it seems this is already applied to 24.11. I tried to manually fetch it in case it somehow was missing in my instance. It does seem to be applied already after fetching it and it made no difference in my case.

                                So my question is, how does one go about posting this on redmine as a bug? I'm not seeing another entry with my exact errors.

                                S M 2 Replies Last reply Reply Quote 0
                                • S Offline
                                  SteveITS Galactic Empire @Raffi_
                                  last edited by

                                  @Raffi_ If you create an account on that site, on the Issues tab there is a small link:

                                  e35e1989-11e1-409d-b60c-62f2c51b1372-image.png

                                  The Project dropdown allows for pfSense vs choosing a Package+Category.

                                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                                  Upvote 👍 helpful posts!

                                  Raffi_R 1 Reply Last reply Reply Quote 1
                                  • M Offline
                                    marcosm Netgate @Raffi_
                                    last edited by

                                    @Raffi_ The input validation error is already fixed. Download the System Patches package and apply all the recommended patches.

                                    Raffi_R 1 Reply Last reply Reply Quote 0
                                    • Raffi_R Offline
                                      Raffi_ @marcosm
                                      last edited by

                                      @marcosm said in Unbound errors after 24.11 update:

                                      @Raffi_ The input validation error is already fixed. Download the System Patches package and apply all the recommended patches.

                                      Thanks, but I already have all recommended patches applied. Also, the one you mention about input validation errors applies to traffic shaping, which I'm not even using. But in any case that is also applied.

                                      My issue is specifically occurring when pfblockerng is in python mode. In my case, the errors in my first post are reproducible every time it is switched to python mode.

                                      M 1 Reply Last reply Reply Quote 0
                                      • Raffi_R Offline
                                        Raffi_ @SteveITS
                                        last edited by

                                        @SteveITS Thank you, done.

                                        1 Reply Last reply Reply Quote 0
                                        • M Offline
                                          marcosm Netgate @Raffi_
                                          last edited by

                                          @Raffi_ I'm referring to the "Shouldn't be here" input validation message. You shouldn't see that with all recommended patches applied while on 24.11 with the latest version of the System Patches package.

                                          Raffi_R 1 Reply Last reply Reply Quote 1
                                          • Raffi_R Offline
                                            Raffi_ @marcosm
                                            last edited by

                                            @marcosm Oh yea, that error is definitely fixed by the patches. Thanks. I posted confirmation on that other thread in case someone else ran into it.

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.