
Topic: Unbound DNS intermittent failure


Offline Grimson

  • Sr. Member
  • Posts: 302
  • Karma: +46/-3
Re: Unbound DNS intermittent failure
« Reply #15 on: February 08, 2018, 12:10:03 am »
Quote from: romainp
I use pfBlockerNG also, but even if I stop it I still have this strange behaviour. I understand that unbound could be restarted when a DHCP client registers itself with the DNS, but it should not take 30 sec for the DNS to work again...

Are you using the TLD feature of pfBlockerNG? If yes, did you read the infoblock? Especially this:
Quote
The 'Unbound Resolver Reloads' can take several seconds or more to complete and may temporarily interrupt DNS Resolution until the Resolver has been fully Reloaded with the updated Domain changes.

Offline Liath.WW

  • Full Member
  • Posts: 141
  • Karma: +1/-0
Re: Unbound DNS intermittent failure
« Reply #16 on: February 08, 2018, 11:08:56 pm »
Myself, I have 3 aliases with domains in them.
The biggest one is the Eve Online one; the other two point to voice servers and only resolve to one place.

Also, since switching off unbound and using the forwarder only, I've not had a single peep with browsing issues, and my family is off my butt.

This further points to unbound being part of the problem. Not sure how or why, but if unbound is the only thing that fails, then that kinda points to unbound being at fault, either by itself or by failing due to some other process and its inability to avoid choking on it.

However, I would like to use Unbound DNS, as DNSSEC is something that I believe in and my clients would require.  If only we could get to the bottom of the issue and put me in a place of confidence in the product again, I'd start pitching it.  Heck, I have one client that lately requests daily changes to rules that consume time by requiring a login on each SonicWall individually over 18 sites... with differing firmware to make life more interesting.  If I could run all of the sites with small appliances running pfSense, it would cut down at least 12 hours a week of unproductive time.
« Last Edit: February 08, 2018, 11:21:43 pm by Liath.WW »

Offline romainp

  • Full Member
  • Posts: 139
  • Karma: +6/-0
Re: Unbound DNS intermittent failure
« Reply #17 on: February 09, 2018, 09:13:39 am »
Thanks for the info.

Because I use pfBlockerNG and need unbound, but even if I stop it I still have the issue. I will try to set the debug level higher and have the stats and logs managed by Telegraf (I saw a plugin for unbound, but I'm not sure if it can work) or use collectd (I saw an article on how to use collectd on pfSense).
If I can output those logs and the stats to an ELK stack, I can at least see a pattern, because I do not see any error messages in the logs...

R.

Offline Liath.WW

  • Full Member
  • Posts: 141
  • Karma: +1/-0
Re: Unbound DNS intermittent failure
« Reply #18 on: February 11, 2018, 12:07:42 pm »
If you can come up with why it's crashing on your end, I'd love to hear about it.  I wonder if it is something hardware related, or some obscure setting that we've used.

I just can't figure it out.

Offline romainp

  • Full Member
  • Posts: 139
  • Karma: +6/-0
Re: Unbound DNS intermittent failure
« Reply #19 on: February 11, 2018, 12:29:15 pm »
Hi,
I do not have proof of it, but it seems related to the fact that when some DHCP client requests a new IP, the DHCP server sends a signal to the DNS server (which is correct, since I ask the DNS resolver to accept that, somewhere in the config), but when the SIGHUP occurs, the DNS does not process any requests for 20-30 secs.

I will try to get some logs/detailed info about that, but I am pretty sure of this.

R.
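The two things romainp wants (a way to see a pattern in the logs, and evidence for the theory that DHCP lease registration triggers a resolver restart that blocks queries for 20-30 seconds) can be checked with a small log correlator. The script below is an added example written for this thread; it is not code from the thread, from pfSense, or from Unbound. It assumes BSD-style syslog lines as pfSense produces them, that a lease registration shows up as a `dhcpd` `DHCPACK` line, and that an Unbound restart shows up as the `service stopped` / `start of service` pair Unbound logs at stop and start (the sample lines are constructed, not real captures, and the year is assumed because syslog timestamps carry none). It pairs each stop with the following start to measure the outage, and attributes the outage to a DHCP lease if one was granted within a short window before the stop.

```python
import re
from datetime import datetime

# Constructed sample log lines in pfSense/BSD syslog style (not real captures).
SAMPLE_LOG = """\
Feb 11 12:01:03 pfSense dhcpd: DHCPREQUEST for 192.168.1.50 from aa:bb:cc:dd:ee:01 (laptop) via igb1
Feb 11 12:01:03 pfSense dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (laptop) via igb1
Feb 11 12:01:04 pfSense unbound: [40123:0] info: service stopped (unbound 1.6.8).
Feb 11 12:01:29 pfSense unbound: [40123:0] info: start of service (unbound 1.6.8).
Feb 11 12:30:10 pfSense unbound: [40123:0] info: service stopped (unbound 1.6.8).
Feb 11 12:30:12 pfSense unbound: [40123:0] info: start of service (unbound 1.6.8).
Feb 11 12:45:00 pfSense dhcpd: DHCPACK on 192.168.1.51 to aa:bb:cc:dd:ee:02 (phone) via igb1
Feb 11 12:45:01 pfSense unbound: [40123:0] info: service stopped (unbound 1.6.8).
Feb 11 12:45:22 pfSense unbound: [40123:0] info: start of service (unbound 1.6.8).
"""

# "<Mon> <day> <HH:MM:SS> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+)(?:\[\d+\])?: (.*)$")
DHCPACK_RE = re.compile(r"DHCPACK on (\d+\.\d+\.\d+\.\d+) ")


def parse_line(line, year):
    """Return (timestamp, program, message) for a syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    # Syslog lines carry no year; the caller supplies one (assumption for the example).
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def find_outages(log_text, year=2018, attribution_window_s=10.0):
    """Pair Unbound stop/start messages into outages and attribute each to a
    DHCP lease granted within attribution_window_s seconds before the stop."""
    outages = []
    last_lease = None      # (timestamp, ip) of the most recent DHCPACK
    pending_stop = None    # timestamp of a "service stopped" not yet matched
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, prog, msg = parsed
        if prog == "dhcpd":
            ack = DHCPACK_RE.search(msg)
            if ack:
                last_lease = (ts, ack.group(1))
        elif prog == "unbound":
            if "service stopped" in msg:
                pending_stop = ts
            elif "start of service" in msg and pending_stop is not None:
                trigger = None
                if last_lease is not None:
                    gap = (pending_stop - last_lease[0]).total_seconds()
                    if 0 <= gap <= attribution_window_s:
                        trigger = last_lease[1]
                outages.append({
                    "stopped": pending_stop,
                    "started": ts,
                    "duration_s": (ts - pending_stop).total_seconds(),
                    "trigger": trigger,   # lease IP, or None if no DHCP event preceded the stop
                })
                pending_stop = None
    return outages


def summarize(outages):
    """Roll the outage list up into the numbers worth graphing or alerting on."""
    return {
        "total": len(outages),
        "dhcp_triggered": sum(1 for o in outages if o["trigger"] is not None),
        "max_duration_s": max((o["duration_s"] for o in outages), default=0.0),
    }


if __name__ == "__main__":
    found = find_outages(SAMPLE_LOG)
    for o in found:
        cause = f"after lease for {o['trigger']}" if o["trigger"] else "no DHCP event nearby"
        print(f"{o['stopped']:%H:%M:%S} resolver down {o['duration_s']:>5.1f}s ({cause})")
    print(summarize(found))
```

Run it against the resolver and DHCP logs exported from pfSense (or piped in from syslog) with the actual year; a run where most long outages carry a lease IP and the short ones do not is the pattern the thread is looking for, and the `duration_s` series is what to ship to ELK or Telegraf to graph the 20-30 second gaps.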