Unbound errors after 24.11 update
-
@Gertjan said in Unbound errors after 24.11 update:
@Raffi_ said in Unbound errors after 24.11 update:
f1ea4381f1359cf1b68581eb37b25697 /var/unbound/pfb_unbound.py
Probably ok.
You are using version "16", I'm using the devel version :
Thank you for this, maybe I will try the devel version. For the longest time I was using the devel version since it was the latest. A few months ago I went to using non devel version since it seems like devel version is the actual development version and I figured non devel would be more stable.
Btw :
IMHO : a host name is being parsed and it contains non-valid characters.
Beware : probably not you typing the host name, but it could be any device on your LAN asking to resolve something that contains invalid chars.
or, at least, the python script goes bananas.
It should be more resilient, I agree.
That is possible. I don't have insight into every device on the network even though it's a fairly small network. Maybe I will try looking into that.
Also : first time I see this kind of failure message on the forum. Must be something really unique.
...wait ... (Let's search for it)
Thanks for that search, it didn't seem to bring up much.
-
@Raffi_ said in Unbound errors after 24.11 update:
Maybe I will try looking into that.
You could raise the debug level of unbound to
so the offending host name leaves a trace in the unbound logs.
Beware : make your log file(s) big enough as this will log a huge quantity of lines.
Don't forget to set the log level back as soon as the issue is solved/known.
-
@Gertjan Thanks, good idea. I will try increasing the log level. Unfortunately pfblockerNG-devel did not solve the issue.
-
It seems to have been resolved and not having any errors for the last 3 days. I had to switch pfblocker from python mode to unbound mode.
pfblocker is still working as well as unbound, so I'm ok with this.
-
@Raffi_ said in Unbound errors after 24.11 update:
I had to switch pfblocker from python mode to unbound mode.
Why Python mode was invented : read the end of this https://forum.netgate.com/topic/195824/after-updating-to-24-11-extremley-slow-apply-changes/10?_=1736231986710
I'm still convinced that you use a DNSBL "that no one else is using", or you've copied pasted a DNSBL yourself as a whitelist (just examples of what might have gone wrong) and that DNSBL (host name) contains invalid chars.
Result : the python script bails out.
What happens if you back up your config.
Then remove all dnsbl and other stuff you've added.
I'll bet the error is now gone.
From that point on, add one by one - and test extensively between each step - what you've had before, up until the error comes back.
-
@Gertjan Thanks for the advice. I have tried as you suggested. I took screenshots and copied my pfblocker settings and made a full pfsense backup.
I unchecked the box to retain settings and enable pfblocker. Forced reload. Uninstalled the pfblockerng-devel package. I installed pfblockerng and went through the setup wizard with defaults. I added nothing else to the config and only enabled python mode. Within several minutes, I saw the same python errors again in Unbound. By default, only the IPV4 list was added which I did not have enabled before. Then I believe only the Steven's black host list was there under DNSBL.
I still have no clue what is going on. I have no desire to wipe my entire system and start fresh over this. I will just leave it running in unbound mode, which also happens to be the default after the wizard is run.
-
@Raffi_ said in Unbound errors after 24.11 update:
Then I believe only the Steven's black host list was there under DNSBL.
That's the one I'm using.
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
and as we both use the same "pfBlockerng" script code and the same DNSBL file, it's more unlikely now that it isn't pfBlockerng, neither the DNSBL file.
Your pfSense 'files' and mine are also identical.
Btw : I'm using
You know what this means :
Question : what is different between your pfSense and mine ?
Answer : our GUI settings ....
You could do this :
[get a pfSense config backup]
Remove all DNSBL feeds
Remove all IP feeds
Remove pfSense package and do not retain settings.
I would even add : get a new copy of the pfSense config file, open it (notepad++) and remove all pfBlockerng traces.
Import this edited file and reboot.
Check for a while if the system is ok.
Then install pfBlockerng.
Activate it, and don't do anything else.
So, now, pfBlockerng doesn't do anything.
Check for a while if the system is ok.
Now, get just one DNSBL : take the Steven list - just this list.
Check for a while if the system is ok.
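
An added example, not part of the thread and not pfBlockerNG code: one way to test the hypothesis raised earlier in this thread, that a DNSBL feed contains host names with invalid characters, before re-adding a feed. It scans a hosts-format file against the RFC 1123 letter-digit-hyphen rules; the function names and the sample feed are constructed for illustration.

```python
import re

# One label: ASCII letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
# Strict host-name rule: an underscore is flagged even though DNS itself can carry it.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def hostname_problem(name):
    """Return None when name is a valid host name, otherwise a short reason."""
    bare = name.rstrip(".")              # tolerate a fully qualified trailing dot
    if len(bare) > 253:
        return "name longer than 253 characters"
    if not bare.isascii():
        return "non-ASCII character"
    for label in bare.split("."):
        if not LABEL_RE.fullmatch(label):
            return f"bad label {label!r}"
    return None

def scan_hosts_feed(text):
    """Return [(line_number, name, reason)] for every suspicious entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # hosts format is "<address> <name> [<alias> ...]"; a bare name is accepted too
        names = fields[1:] if len(fields) > 1 else fields
        for name in names:
            reason = hostname_problem(name)
            if reason:
                findings.append((lineno, name, reason))
    return findings

# Constructed sample feed, not taken from any real list.
SAMPLE_FEED = """\
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 bad_host.example.net
0.0.0.0 -leading.example.org
0.0.0.0 caf\u00e9.example.com
0.0.0.0 double..dot.example
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_hosts_feed(SAMPLE_FEED):
        print(f"line {lineno}: {name!r}: {reason}")
```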
-
@Gertjan That is what I did minus manually editing out config file. I wiped out the pfblocker settings and installed and started fresh with the setup wizard when it is first launched. I even uninstalled pfblockerng-devel and installed pfblockerng during this process to add another variable of trying something different to the equation, but still the same.
I might have something weird going on with my setup because even when I try to change the view in the logs from displaying more or less lines, I get an error which says "Shouldn't be here". That is the weirdest error message I have seen. I haven't noticed other issues with the setup other than python mode and this so far. I might try to reboot overnight.
-
Default is "1000", "3000" is what I have.
200 seems way too low.
Remember : the logs pages are the most important pages in the pfSense GUI.
-
@Gertjan Thanks, makes sense for it to be higher. It is currently at 1000, but the point is not the value, it's the fact that I can't change it. When I hit the save button to change it to any value, I get that message. I don't mean to take this thread into another topic. I just wanted to point out I have more than one really odd thing going on. So it could be something more than just pfblocker python mode which is broke.
Interestingly, if I go to the log settings tab which is for all logs I thought, I can change the value there. It appears to change it for nearly all tabs, except for System > general, DNS resolver and OpenVPN. The value does not change there and I can't change it via the wrench icon. Again, I'm not looking for a solution to this issue. I can open another thread for that if needed. Just pointing out odd things as I'm seeing them.