OPNsense Forum
Archive => 23.1 Legacy Series => Topic started by: Christophe999s on February 05, 2023, 04:34:12 pm
-
Hi all,
Unbound isn't downloading my blocklists after a reboot.
The logs show 'Name does not resolve', but DNS seems to work fine.
I've tried disabling IPv6, using recursive DNS and disabling DoT, enabled query forwarding, changing the DNS servers in System: Settings: General, but I get the same result every time.
When I go into Services: Unbound DNS: Blocklist and click apply, the blocklist gets downloaded correctly.
Anybody have any idea what could be causing this?
-
I'm having the same problem. Unbound isn't downloading blocklists but for me it's because my unbuond can't resolve anything. I can ping 8.8.8.8 but anything that needs resolved by unbound isn't working for me. Yours seems to resolve stuff other than blocklists but mine doesn't.
-
@Christophe999s
Are you able to resolve those URLs on your machine, behind OPNsense?
Example URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
If not, if you choose an outside DNS server to resolve against, does that work?
-
Yes, no issues whatsoever. I'm able to reach those url's, from all my devices and from the firewall itself.
My guess is that unbound tries to download those blocklists when my internet (PPPoE) isn't fully up yet.
Maybe a test to see if the internet is reachable and if addresses can be resolved or a larger delay before attempting to download the blocklists could solve the issue.
-
My guess is that unbound tries to download those blocklists when my internet (PPPoE) isn't fully up yet.
imho this is possible (blocklists loading order changed with the py-module migration)
And "requests" library does not retry by default. in this case it might help:
opnsense-patch -a kulikov-a c669765(although I'm not convinced the devs would agree)
-
Hey, I've only just got around to testing, been a few busy days at work.
This seems to have fixed it for me. I can see in the logs that, if the blocklists aren't downloaded, there's a retry.
Rebooted 3 times, and every time the lists are downloaded, so for me the issue is fixed.
Thanks for looking into this!
-
@Christophe999s
thanks for feedback
Hm. this does not look like a patch work: the patch does not add new messages to the log and does not run the script again. It only makes 4 attempts to download the list with an increasing interval in case of failure (total delay is just under 30 seconds). if it works, then no errors should appear in the log at all, just the update process will take a little longer.
https://github.com/kulikov-a/core/commit/c669765
looks like something is triggering a new blocklist download execution (but it's not a patch)
the screenshot did not capture the beginning of the blocklist loading process at 20:21:**. can you share this part? interested in the time difference between the message "blocklist download : exclude domains matching .." and the first error. but judging by the intervals between the records, the patch is not applied
-
Not sure what happened, but I've rebooted twice now and this is my latest log.
Does seem to work, I'm not getting any errors.
-
comparing the previous logs with the last one, i can assume that a successful download starts on the third attempt (or second retry. the first retry always occurs without delay) with 4 sec delay. then it turns out that the patch works)
сool. thanks for the feedback!