DNS Cache Flushed during Cron

Nitsuj19

Hello Friends!

I have pfBlockerNG-devel to run cron once a day and it clears the DNS cache. pfBlocker is in python mode and restore resolver cache is checked. None of my DHCP leases or static leases register with the resolver. I have checked how often the resolver restarts and it only restarts at the time of the pfBlocker cron event. Serve Expired and Prefetch is enabled.

pfSense 2.8.1
pfBlockerNG-devel 3.2.14_1

Past few days. The 28th is from a power outage. The 29th and 30th the cache was cleared

Apr 28 04:47:44 pfSense unbound[25]: [25:0] info: start of service (unbound 1.24.2).
Apr 29 00:01:37 pfSense unbound[60909]: [60909:0] info: start of service (unbound 1.24.2).
Apr 30 00:01:26 pfSense unbound[45090]: [45090:0] info: start of service (unbound 1.24.2).

Stats
4/29/26 4:27PM

total.num.queries=48065
total.num.queries_ip_ratelimited=0
total.num.queries_cookie_valid=0
total.num.queries_cookie_client=0
total.num.queries_cookie_invalid=0
total.num.queries_discard_timeout=32
total.num.queries_wait_limit=0
total.num.cachehits=24329
total.num.cachemiss=23736
total.num.prefetch=1516
total.num.queries_timed_out=0
total.num.expired=0
total.num.recursivereplies=23704
total.num.dnscrypt.crypted=0
total.num.dnscrypt.cert=0
total.num.dnscrypt.cleartext=0
total.num.dnscrypt.malformed=0
total.num.dns_error_reports=0code_text

4/30/26 8:19PM

total.num.queries=57330
total.num.queries_ip_ratelimited=0
total.num.queries_cookie_valid=0
total.num.queries_cookie_client=0
total.num.queries_cookie_invalid=0
total.num.queries_discard_timeout=29
total.num.queries_wait_limit=0
total.num.cachehits=15085
total.num.cachemiss=42245
total.num.prefetch=1202
total.num.queries_timed_out=0
total.num.expired=1
total.num.recursivereplies=42216
total.num.dnscrypt.crypted=0
total.num.dnscrypt.cert=0
total.num.dnscrypt.cleartext=0
total.num.dnscrypt.malformed=0
total.num.dns_error_reports=0

tinfoilmatt

This is expected behavior since Unbound is stopped and (re)started as part of pfBlockerNG's update process. You can view the service start/stop in the pfblockerng.log file.

Nitsuj19

I am expecting Unbound to restart. The log states the cache is restored but it is not.

Saving DNSBL statistics... completed [ 04/30/26 00:01:23 ]
Reloading Unbound Resolver (DNSBL python).
Stopping Unbound Resolver.
Unbound stopped in 2 sec.
Additional mounts (DNSBL python):
  No changes required.
Starting Unbound Resolver... completed [ 04/30/26 00:01:26 ]
Resolver cache restored
DNSBL update [ 1362515 | PASSED  ]... completed [ 04/30/26 00:01:27 ]

This setting is enabled

Gertjan

@Nitsuj19

See here. Not numbers but charts, but you see the same thing.

The resolver's memory usage charts is what I tend to see as an indication of what might be in the cache.
The resets are normally the pfBlockerng reloads/restarts - I've set my two DNSBL to update one a week or so.

I'm sharing the resolver's cache with my captive portal users (a bunch of random people visiting random sites), so, if the cache never flushes it should grow indefinitely as I also use prefetching (which means : ones a host is in, it will be kept up to date).
In theory, over time, I would have all Internet's hosts avaible locally ..... Humm, maybe I don't want that

What gets reset when ... I admit, I don't have a clue.
I never figured out what this really does :

@Nitsuj19 said in DNS Cache Flushed during Cron:

Resolver cache restored

tinfoilmatt

Ah, I see that pfBlockerNG option now (i.e., Firewall > pfBlockerNG > DNSBL [tab] > DNSBL Configuration [section] > Resolver cache).

Here's the cache backup and cache restore parts of the update script if it helps you to troubleshoot further.

Gertjan

@tinfoilmatt

That's PHP doing it's thing.
It execute this to export = dump the cache into a file':

unbound-control -c /var/unbound/unbound.conf dump_cache > /var/tmp/unbound_cache_

Mine has 17k lines == hosts (rrset lines not counted).

And loading it back in again :

unbound-control -c /var/unbound/unbound.conf load_cache < /var/tmp/unbound_cache_

I seems to work ....

Nitsuj19

@Gertjan

I attemped this and it didin't work for me,

I ran

unbound-control -c /var/unbound/unbound.conf dump_cache > /var/tmp/unbound_cache_

Stopped Unbound > Started Unbound

Ran

unbound-control -c /var/unbound/unbound.conf load_cache < /var/tmp/unbound_cache_

It did not restore the cache. Honestly, I am not concerned with how much my resolver grows but I would like pfBlocker to be able to maintain the cache similar to Unbound mode with resolver live sync. From what I am understanding, this is not an option unless I switch to Unbound mode?

Nitsuj19

I may have found a solution.. I turned off Python blocking mode and enabled live sync. It does use about 8% more RAM with TLD enabled. I have 8GB so I am not concerned about that. I am going to check it tomorrow morning after cron.

Thank you so much @tinfoilmatt and @Gertjan!

Gertjan

@Nitsuj19

Strange.
Setting :

removes (doesn't show in the GUI) this option for me :

---

Checking the cache export / import :

unbound-control -c /var/unbound/unbound.conf dump_cache > /var/tmp/unbound_cache_1

Check the exported file, /var/tmp/unbound_cache_1, is very readable.

Now stop unbound manually.
This should do it :

unbound-control -c /var/unbound/unbound.conf stop

Then start it manually :

unbound-control -c /var/unbound/unbound.conf stop

Now, export the cache again, to another file :

unbound-control -c /var/unbound/unbound.conf dump_cache > /var/tmp/unbound_cache_2

Compare /var/tmp/unbound_cache_2 with /var/tmp/unbound_cache_1
/var/tmp/unbound_cache_2 should be much smaller as /var/tmp/unbound_cache_1

Nitsuj19

@Gertjan I disabled this to get live sync.

I have not switched back to DNSBL python mode yet. Basically, you are saying the numbers from the command below are not accurate after cron and the cache is somewhere else? Sorry, just trying to understand how python mode works

unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num