[SOLVED] Unbound domain overrides failing since 1.7.1

[erickufrin]

DNS queries to my override domain/server have  been failing consistently (sporadic) since the last update which included unbound 1.7.1

It appears there is a newer version (1.7.2) now of unbound. Maybe that fixes this??

Here is a chart showing the DNS queries failing ever since the last opnsense uppdate.

(red lines are where its failing)

In my efforts too overcome this I have turned TTL for Host cache entries from 15min to 1min. That helps a little I think but does not solve the problem.

Please help!

[va176thunderbolt]

If you’ve configured Cloudflare’s dns (or any other) in Unbound using a port other than 53, you’ll need to add @53 to the end of the dns server up. I ran into this with my overrides - they stopped working after adding the Cloudflare dns over TVs config.

[erickufrin]

I will try adding @53 and see if it makes a difference.

My overide dns is my personal domain name hosted on a VM inside my network. It is resolving fine when I point my clients directly at the dns server.

When the names will not resolve through my opnsense unbound service I restart unbound and they immediately work again.

My override configuration was working perfectly for months and months. The 18.1.9 release included unbound 1.7.1 is the only change to point to.

[franco]

FYI: 1.7.2 was shipped today, after non-reboot update the Unbound service requires a manual restart.


Cheers,
Franco

[AndyX90]

I will try adding @53 and see if it makes a difference.

My overide dns is my personal domain name hosted on a VM inside my network. It is resolving fine when I point my clients directly at the dns server.

When the names will not resolve through my opnsense unbound service I restart unbound and they immediately work again.

My override configuration was working perfectly for months and months. The 18.1.9 release included unbound 1.7.1 is the only change to point to.

The *override-feature never worked reliable for me...

[erickufrin]

FYI: 1.7.2 was shipped today, after non-reboot update the Unbound service requires a manual restart.


Cheers,
Franco

Thank you! I have installed the update & rebooted. Will let you know if this has solved the issue.

[erickufrin]

The problem does not appear to be resovled in unbound 1.7.2. Made it a few hours before seeing DNS queries to my override are failing.

I have turned up Logging on Unbound to Level 5. Maybe I will see something that can pinpoint the problem. :-/

If I wished to go back to 18.1.8 - what is the procedure - is there a KB article? thx...

[franco]

Docs are on your installation:

# man opnsense-revert

More specifically:

# opnsense-revert -r 18.1.8 unbound

Meanwhile 1.7.3 was released, maybe it gives another clue:

http://www.unbound.net/download.html


Cheers,
Franco

[erickufrin]

In the Unbound log I am seeing "useless dp but cannot go up, servfail"

It appears #4100 bug listed in the release notes relates to this.

https://github.com/NLnetLabs/unbound/commit/d3866418208f9a16c7bab09b424dbd90a973df0c

https://github.com/NLnetLabs/unbound/commit/53b1e11eba0614fa0c9196edda92d557286fde59

The logfile message I am receiving appears to be the command that is getting hit due to the code above it...

I am no programmer, but to me 1.7.3 looks kinda promising.

[franco]

I can provide a test version of 1.7.3 on Monday to find out

Or you can compile your own:

# opnsense-code tools ports
# cd /usr/ports/dns/unbound
# make package deinstall install


Cheers,
Franco

[erickufrin]

A test version would be great. I have been dealing with this for a little while, so monday or next week for a test version is definetly fine! Thank you

[franco]

Here you go, for OpenSSL/amd64:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/latest/All/unbound-1.7.3.txz

or LibreSSL/amd64:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/libressl/All/unbound-1.7.3.txz


Cheers,
Franco

[Reiter der OPNsense]

Hi Franco,
thanks for the 1.7.3, which fixed another problem I have had since 1.7.2. Behind two boxes I had no more access to OneDrive and the Microsoft Store didn't work anymore (error 0x80072EE7).

Greetings, Stefan

[franco]

Hi Stefan,

Good, 1.7.3 will be in 18.1.11 early next week.


Cheers,
Franco

[erickufrin]

Want to close the loop on this issue. I have been running 1.7.3 unbound since last friday and have not had a single recurrence of the problem. The issue is solved with 1.7.3 confirmed! Thanks!!

Hi Stefan,

Good, 1.7.3 will be in 18.1.11 early next week.


Cheers,
Franco