After restart, Unbound DNS Resolver don't work
-
@Unoptanio said in After restart, Unbound DNS Resolver don't work:
Do you have any ideas on how to fix this?
Look at the the system and resolver logs, note down the last entries (timestamp).
Now, restart the system.
Get back to the logs and list every line added since.
I'm pretty sure unbound did start, but it failed ? Or do you really saw a 'stop' without a subsequent 'start' ?
Can you use these two default settings ?
You are forwarding to who ?
No issues reaching these remote revolvers ?edit : I has no issues with 24.11, and can tell you now, after month of usage : 25.07.1 is also ok.
-
-
U Unoptanio referenced this topic
-
This looks nice, but doesn't 'show' what needs to be seen.
The command is good, though.
So, use pfSense best interface : ssh or the console (menu option 8) :grep -E 'start|stop' /var/log/resolver.logThis will only show when is stopped and started.
Not if there was an error logged that could explain the 'why it stopped'.So,
ee /var/log/resolver.logand have a look ^^
Try this one :
tail -f /var/log/resolver.logedit : When you say "Unbound DNS Resolver don't work" :
Check this first :[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: ps aux | grep 'unbound' .... unbound 99926 0.0 3.8 176100 156044 - Ss 03:53 5:15.43 /usr/local/sbin/unbound -c /var/unbound/unbound.conf ...so I know it runs.
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep 'unbound' unbound unbound 99926 3 udp6 *:53 *:* unbound unbound 99926 4 tcp6 *:53 *:* unbound unbound 99926 5 udp4 *:53 *:* unbound unbound 99926 6 tcp4 *:53 *:* unbound unbound 99926 7 tcp6 *:853 *:* unbound unbound 99926 8 tcp4 *:853 *:* unbound unbound 99926 10 tcp4 127.0.0.1:953 *:* ....This tells me on what interfaces (== "all") and which ports is listens = TCP & UDP, port 53 and and 853 and 953.
Let's talk to it 'localhost' or '127.0.0.1' is included in the "All Interfaces" :
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @127.0.0.1 goofle.com +short 162.210.199.65Again, but this time using my LAN interface (which is the default 192.168.1.1/24 - yours might be diffrent ) :
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @192.168.1.1 goofle.com +short 162.210.199.65Now, visit a LAN device like a Windows PC :
Command line, of course, and :[25.07.1-RELEASE][root@pfSense.brit-hotel-fumel.net]/root: dig @192.168.1.1 goofle.com +short
162.210.199.65PS C:\Users\Gauche> nslookup gogol.com Serveur : pfSense.bhf.tld Address: 2a01:cb19:abcd:a7e2:92ec:77ff:fe29:392c Réponse ne faisant pas autorité : Nom : gogol.com Address: 34.117.176.22This tells me that my PC uses 192.168.1.1/24 (actually the IPv6 counterpart) as a DNS source.
It tells me the host name of my pfSense, so I know my PC can reach the pfSense DNS the resolver.
It also manged to tell me that gogol.com exists (!!?!) and that is has an IPv4. -
I can confirm, I'm having the same problem (PfSense 25.07.1)
Initially, I thought it only occurred after an irregular shutdown.
This evening, I performed an HALT on PfSense, then restarted it.The daemon was green, but DNS didn't work.
Restart DNS... all good.
-
@Luca-De-Andreis said in After restart, Unbound DNS Resolver don't work:
but DNS didn't work.
can't say much about that.
Can you detail ? See tests above.No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
@Gertjan
As soon as I can I'll do the tests and update you. -
Hello,
i have change this config with ALLL and ALL:
Before i have this configuration:
I had read somewhere that under "Outgoing Network Interfaces" only WAN should be selected, and under "Network Interfaces" everything should be selected EXCEPT the WAN.Then, after trying various things, I also added "LAN_SEDE" to the "Outgoing" section. But the problem persisted. In addition to the WAN I had added the "LAN SEDE" where pfsense is connected
Than:
Today 14 September 2025 at 08:32 i have restart pfsense.after reboot this time everything seems to work
I just did another reboot and it's working fine
It seems that the problem occurs when selecting items inside "network interface" or inside "outgoing network interfaces"
-
I can confirm that my configuration does not have a default setting either.
The interfaces are not configured in ALL:ALL mode and the problem occurs. -
@Luca-De-Andreis
Have you tried setting ALL, ALL?I only did restarts and not system shutdowns.
-
Yes, its true.
Setting ALL:ALL the DNS works correctly from system restart without manually restart daemon (after reboot) !
I've just tried now. -
@Luca-De-Andreis said in After restart, Unbound DNS Resolver don't work:
Yes, its true.
Setting ALL:ALL the DNS works correctly from system restart without manually restart daemon (after reboot) !
I've just tried now.This is a known issue which I reported a couple of years ago now. (Forum thread and also opened a redmine ticket that was not resolved)
It's to do with boot time sequencing of interfaces being brought up and services starting. Basically there are some race conditions in the boot up scripts that would need a significant redesign of the boot sequencing to fix properly...not an easy task on FreeBSD that lacks any kind of dependency based service scheduler and sequencer like systemd on Linux.
It can also happen if you have interfaces dynamically going up and down for example due to gateway groups.
The TL;DR is choose "All" for network interfaces for Unbound (DNS resolver) to cause it to bind to listen on all interfaces (even interfaces that don't exist yet when unbound starts) and instead use firewall rules to control access to the DNS server from networks/VLAN's that should not have access. (Put explicit block rules to port 53 on interfaces that you previously did not have bound)
-
@Luca-De-Andreis said in After restart, Unbound DNS Resolver don't work:
Yes, its true.
Setting ALL:ALL the DNS works correctly from system restart without manually restart daemon (after reboot) !
I've just tried now.Wow, just tried this too and after years of dealing with it - it's fixed. Thank you!
