pfSense English Support > DHCP and DNS

Unbound DNS intermittent failure

(1/4) > >>

Liath.WW:
It would seem that DNS is failing intermittently, and it has really started to impact my day to day operation.

I'm using an old 2nd gen I5, board is fine but the built-in NIC only runs at 400MBps before bottlenecking, added an intel d33682 2-port NIC, Intel logo and all that because I know there were some Chinese cheapo clones with crap capacitors and such.

The machine has had this setup for well, since 2nd get i5's were new. Haven't had much issue with pfSense until this latest build, with the new interface and loss of rrd graphs.  DNS since that upgrade has been a bit of an issue.  Lately its so bad I'm pulling aggro from my family because 'the internet is broke'.

Only real hints I can think of are that I have an AT&T modem with IP-passthrough turned on, modem has all filtering off.
The logs will occasionally spam llinfo arp resolution issues with the modems IP even though the link is up and passing traffic.
I also see in logs>system>DNS resolver that every 5 minutes like clockwork, it is evaluating and dropping some aliases:

--- Code: ---.....lots of similar entries like
Feb 2 13:01:08 filterdns adding entry 54.239.172.202 to pf table Eve for host launcher.eveonline.com
Feb 2 12:56:08 filterdns IP address 52.84.128.4 already present on table Eve as address of hostname launcher.eveonline.com
...lots more of the same
Feb 2 12:56:08 filterdns adding entry 52.84.27.39 to pf table Eve for host resources.eveonline.com
Feb 2 12:51:08 filterdns clearing entry 52.84.133.166 from pf table Eve on host binaries.eveonline.com
....
Feb 2 12:51:08 filterdns adding entry 52.84.128.4 to pf table Eve for host launcher.eveonline.com
Feb 2 12:46:09 filterdns clearing entry 54.192.7.112 from pf table Eve on host resources.eveonline.com

--- End code ---
In StatusSystem LogsDHCP

--- Code: ---Feb 2 13:15:33 dhclient Creating resolv.conf
Feb 2 13:15:33 dhclient RENEW
Feb 2 13:10:33 dhclient Creating resolv.conf
Feb 2 13:10:33 dhclient RENEW
Feb 2 13:05:33 dhclient Creating resolv.conf
Feb 2 13:05:33 dhclient RENEW
Feb 2 13:00:33 dhclient Creating resolv.conf
Feb 2 13:00:33 dhclient RENEW
Feb 2 12:55:33 dhclient Creating resolv.conf
Feb 2 12:55:33 dhclient RENEW

--- End code ---
System/Gateways

--- Code: ---Feb 2 02:59:51 dpinger WAN_DHCP6 2001:4860:4860::8888: Clear latency 10158us stddev 1982us loss 16%
Feb 2 02:59:34 dpinger WAN_DHCP6 2001:4860:4860::8888: Alarm latency 9857us stddev 1487us loss 21%

--- End code ---
I was up late last night trying to figure this out while family was asleep. In my tiredness I cleared logs for a fresh view since I was testing new cables, re-tipped even the factory tipped ones, etc. etc.  Wishing now I'd not done so.

When the DNS is on the fritz, connections that were already made continue passing traffic as normal. Streams keep streaming, SIP calls keep working, etc.  That rules out the connection dropping as the issue.  Only DNS seems to fail, so new connections can't be made.

Any clue what's going on and how to fix it?

Info that might be useful:
packages:
bandwidthd
darkstat
iperf   
mtr-nox11
openvpn-client-export
Service_Watchdog       << Added to *try* and resolve dns issues, thought maybe the service was dying? Possibly related to 5-minute interval with filterdns? I believe i added because before I did unbound just died and stayed dead.

toluun:
Does a restart of unbound solve the issue? I have been having major issues with DNSSEC on unbound causing DNS failures. Same thing would happen to me, streams would continue, WAN gateways were shown as still open, etc...  Only new new DNS lookups would fail.  Once I restarted Unbound everything would go back to normal for a short period of time, then BOOM DNS failures. I am still trying to solve my issue (see a couple posts down) but I did find that disabling DNSSEC stopped the DNS failures.  Not sure if this helps, but your problems seemed very similar to mine so I thought I would comment with my temporary fix.

Liath.WW:
I am going to say "yes" to this one. I'd been having issues with it dying before, and installed the watchdog package to automatically restart it.

From last night until shortly before I made this thread, the internet was generally unbrowsable due to constant DNS issues.  I reboot the pfSense box a few hours ago, and have had no more issues since, however this is a repeat issue that seems to get worse until I get tired of it and reboot the entire network.

It really concerns me because I have business clients who I *really* want to migrate from SonicWall to pfSense, but if I replace them and DNS is going to act like this in a business production environment, I'll be looking for new clients.

toluun:
Well at least yours sound a lot more uncommon then mine.  My DNS would go down every 10 - 30 min. Do you have DNSSEC enabled on unbound? 

Gertjan:
@Liath.WW : filterdns : Take a look at "binaries.eveonline.com" :


--- Code: ---[code]root@ns311465:~# host binaries.eveonline.com
binaries.eveonline.com is an alias for d17ueqc3zm9j8o.cloudfront.net.
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.137
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.7
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.11
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.177
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.52
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.156
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.186
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.181

--- End code ---
[/code]
A couple of seconds later, the list changes ! :

--- Code: ---root@ns311465:~# host binaries.eveonline.com
binaries.eveonline.com is an alias for d17ueqc3zm9j8o.cloudfront.net.
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.11
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.137
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.52
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.181
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.7
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.177
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.156
d17ueqc3zm9j8o.cloudfront.net has address 13.32.153.186
--- End code ---
so it's normal that filterdns is very busy every 5 minutes with removing IP's, and adding new ones.
filterdns is payed to do so.

UP to you to remove "inaries.eveonline.com" from your alias list, or complain against them ;)

DNS : You are using the DHCP client to obtain a new WAN IP ? Somethings goes very wrong with that. When I see it recreates "resolv.conf" I wouldn't be surprised that your local DNS server (unbound) is restarting. Every 5 minutes. Yep, you're right, consider your DNS in very bad state. But this is not his fault.

Find out why your DHCP clients (is forced ?!) to renew evey 5 minutes - like when filterdns is running ... Strange, it's time to describe your setup completely.

Btw : unbound resolves up against the root DNS servers, and is ROCK solid as a DNS server.
Your issues is not DNSSEC related. DNSSEC activated for unbound works for thousands if not tens of thousands of pfSense installs, and all other servers that use unbound.

Navigation

[0] Message Index

[#] Next page

Go to full version