Unbound stops resolving, no error in logs, works immediately on restart



  • I'm using unbound as my only resolver and I'm having the following issue

    Periodically, it will stop resolving.
    Doing a drill command directly from pfsense will return blank results.

    If I go to services and restart unbound, it immediately begins working again.

    Things to note:

    • I have "Service Watchdog" installed and set to watch unbound, but this does nothing because when this happens, the service is still running
    • The drill command works in both states, but returns a completely blank result when this occurs
    • Internet access is not affected, just DNS, so I am able to connect to sites via IP as well as remotely connect to my firewall to restart the service
    • There is nothing in the logs at all that indicates what might have happened
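The gap described in the first post (the process is alive but answers nothing, so a process watchdog never fires) can be closed with a probe that checks actual resolution. This is an added example, not code from the thread or from pfSense; it assumes drill(1) is present (it is on pfSense), that unbound listens on 127.0.0.1, that `pfSsh.php playback svc restart unbound` is the restart command, and that `www.example.com` is a placeholder probe name.

```shell
#!/bin/sh
# Added example, not from the thread: a resolver health check for pfSense that
# tests whether unbound actually answers, rather than only whether its process
# is running (the gap the Service Watchdog package leaves in this scenario).
# Assumptions: drill(1) is installed, unbound listens on 127.0.0.1, and the
# restart command below is pfSense's; PROBE_NAME is a placeholder hostname.

PROBE_NAME="${PROBE_NAME:-www.example.com}"
RESTART_CMD="${RESTART_CMD:-/usr/local/sbin/pfSsh.php playback svc restart unbound}"

# answer_count: read drill output on stdin and print the number of records in
# its ANSWER SECTION. Empty or blank output (what the thread reports) gives 0,
# as does a NODATA reply that carries only an AUTHORITY section.
answer_count() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && NF > 0   { n++ }
        END { print n + 0 }
    '
}

# resolver_healthy: return 0 when local unbound returns at least one answer
# record for PROBE_NAME, 1 when drill fails or the answer section is empty.
resolver_healthy() {
    out=$(drill "$PROBE_NAME" @127.0.0.1 2>/dev/null) || return 1
    [ "$(printf '%s\n' "$out" | answer_count)" -gt 0 ]
}

# check_and_restart: log the probe result and restart unbound only when
# resolution has stopped while the daemon is still alive. Run it from cron
# every few minutes (for example via the pfSense cron package).
check_and_restart() {
    if resolver_healthy; then
        logger -t dns-probe "unbound resolved $PROBE_NAME"
        return 0
    fi
    logger -t dns-probe "unbound returned no answer for $PROBE_NAME; restarting"
    $RESTART_CMD
}

# Only act when invoked with "run", so the file can be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    check_and_restart
fi
```

Because the probe logs a line on every run, the syslog timestamps also give the outage window that the thread later tries to reconstruct from filterdns messages.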


  • I just had the exact same issue. Restarting the unbound service fixed it and I have not found any useful log information. This is with pfsense 2.2. It was running non-stop for about a week before it happened and I have only seen it once so far, but I haven't been using unbound on 2.2 for much longer than that. I upgraded from 2.1.5 so I had to turn off dnsmasq and turn on unbound.

    I have the resolver configured to not forward and DNSSEC is enabled. I also have the prefetch and prefetch DNS key advanced options enabled. Others are all default.



  • @rkcin:

    I just had the exact same issue. Restarting the unbound service fixed it and I have not found any useful log information. This is with pfsense 2.2. It was running non-stop for about a week before it happened and I have only seen it once so far, but I haven't been using unbound on 2.2 for much longer than that. I upgraded from 2.1.5 so I had to turn off dnsmasq and turn on unbound.

    I have the resolver configured to not forward and DNSSEC is enabled. I also have the prefetch and prefetch DNS key advanced options enabled. Others are all default.

    It's happened twice today and I've had to restart it both times.

    I have it configured not to forward, and DNSSEC is enabled.
    Other than specifying which interfaces it can reply on, the only other settings I have on are DHCP registration and Static DHCP.



  • I have the same exact problem a couple times per day since upgrading to 2.2

    dnssec enabled, forwarding mode not enabled, restarting unbound immediately fixes the issue


  • Nothing on 2.1.5 running unbound for 81 Days 11 Hours 55 Minutes 34 Seconds :D



  • Now I had a couple of these failures in one day. Again, no crash but unbound simply stops resolving certain hostnames. This time I had the resolver set to log level 2 and see many of these in the logs around the time it wasn't working:
    unbound: [91740:0] info: query response was nodata ANSWER

    and one of these:
    unbound: [91740:1] info: NSEC3s for the referral proved no DS.
    unbound: [91740:1] info: Verified that unsigned response is INSECURE

    I'm switching back to dnsmasq for now until I have more time to test.



  • @rkcin:

    Now I had a couple of these failures in one day. Again, no crash but unbound simply stops resolving certain hostnames. This time I had the resolver set to log level 2 and see many of these in the logs around the time it wasn't working:
    unbound: [91740:0] info: query response was nodata ANSWER

    and one of these:
    unbound: [91740:1] info: NSEC3s for the referral proved no DS.
    unbound: [91740:1] info: Verified that unsigned response is INSECURE

    I'm switching back to dnsmasq for now until I have more time to test.

    This just happened again

    Feb 5 10:40:16 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:40:16 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:40:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:40:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:35:17 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:35:16 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:35:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:35:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:30:17 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:30:16 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:30:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:30:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:25:17 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:25:16 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:25:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:25:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:20:17 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:20:17 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:20:17 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:20:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:15:17 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:15:16 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:15:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:15:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:10:16 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:10:16 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:10:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:10:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:05:17 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:05:17 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:05:16 	filterdns: failed to resolve host wtfast.com will retry later again.
    Feb 5 10:05:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 10:00:18 	filterdns: failed to resolve host facebook.com will retry later again.
    Feb 5 10:00:18 	filterdns: failed to resolve host myspace.com will retry later again.
    Feb 5 10:00:16 	filterdns: failed to resolve host www.wtfast.com will retry later again.
    Feb 5 09:55:18 	filterdns: failed to resolve host myspace.com will retry later again.

    It was trying to resolve an alias.
    The two aren't related, as it doesn't usually coincide with that, but it happened at the same time this once, so I do have an idea of the timespan here. Had I restarted the unbound service during that, it would immediately have begun working.



  • I'm curious for people having this issue.

    Can you make a Match+Log floating rule and see if any of these IP ranges are being contacted in the general timespan before this occurs?

    212.6.128.0/17
    195.22.0.0/19
    54.72.8.183/32
    


  • @Trel:

    I'm curious for people having this issue.

    Can you make a Match+Log floating rule and see if any of these IP ranges are being contacted in the general timespan before this occurs?

    212.6.128.0/17
    195.22.0.0/19
    54.72.8.183/32
    

    I just did a packet capture and I found a DNS query for:

    api-nyc01.exip.org

    Shortly after that, it happened again. It seems to be connected in some way to querying for that name.
