I am actually running OPNsense 21.7.7-amd64, which was running quite fine so far.
For 2 days now, I notice the problem that suddenly there is no more internet access.
The only way to recover is to reboot OPNsense.
I have analyzed the issue and I think I found the reason for the dead internet access as well as a way to reproduce it:
When doing Interfaces/Diagnostics/DNS Lookup, I can see that this looks fine before the issue, but after accessing this URL, there is no more DNS response from 127.0.0.1 (see attachments).
This looks to me like Unbound DNS has stopped working.
So I tried to restart or stop/start Unbound DNS, but at this time, this does not work anymore.
While restarting Unbound under normal conditions may take a few seconds, restarting or stopping does not seem to be possible anymore after the issue. This operation seems to take forever. So the only option to get out of the disaster is to reboot OPNsense.
And then I found a way to reproduce it. Accessing the URL
https://map.avnet.com/NzMwLU5TVC05ODgAAAGBFA1NilLbyUEK3gAZrRcq_H1vQSUw6YKLgiaWywfAnsO3q__MfAu5OYc9BbiQVI9hOk_Ve64=
seems to be the source of all evil. While this was no problem so far, for 2 days now this seems to kill Unbound as soon as I access this URL.
The short solution for sure is to no longer access this URL, but I'm quite sure that there will be more URLs like this killing my DNS server, but then I probably won't be able to reproduce it. That's why I would like to solve this issue as soon as possible.
Unfortunately, I have no idea how to go on now...
Do I need to reconfigure something, or is there a bug in Unbound resulting in this issue?
Thanks for your help!
I went to the link and was not able to reproduce your issue. ??
I am using OPNsense 21.7.7-amd64 with Unbound as resolver.
I retried this morning and it looks quite strange.
Today, I was no longer able to crash the Unbound DNS when opening this URL, but for the last 2 days, this immediately crashed Unbound.
But there is something looking suspicious to me:
So far, I always used Firefox.
To check if this issue might be browser dependent, I today tried Chrome first.
While doing so, I checked the DNS accesses from the client PC to the OPNsense firewall using Live View. Opening this page resulted in about 100 DNS requests. This looks a bit huge to me for opening just one web page.
As Unbound didn't crash this time, I retried with Firefox. Surprisingly, opening the page with Firefox for the first time today resulted in several hundred DNS requests.
But at least it also did not crash with Firefox today.
So it looks like I'm no longer able to reproduce this issue, while opening this URL yesterday morning crashed Unbound each time.
QUESTIONS:
- Is it usual that opening a single URL may result in that many DNS requests?
- Is it possible that Unbound is flooded with DNS requests and therefore fails to operate later on?
- And if yes, how can this be avoided?
Hi,
I have had the same problem for several days.
Not every day, but the last two days.
The only solution was to reboot OPNsense.
I have no problem during the day, only in the morning (a process during the night?).
This problem has existed since 21.7.6-amd64, but is now more frequent.
I have no idea where to search...
Quote from: bongo on December 25, 2021, 09:46:17 AM
- Is it usual that opening a single URL may result in that many DNS requests?
If you open the URL in a browser, then yes. There might be CDNs involved and ads/tracking as well, if you don't use an adblocker. This can lead to hundreds of domains being contacted before the page is loaded.
I recommend you install an adblocker.
I would recommend uBlock Origin with the EasyList and EasyPrivacy filter lists as a minimum to avoid unnecessary traffic and protect your privacy:
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=de
https://addons.mozilla.org/de/firefox/addon/ublock-origin/
There are also adblocker extensions for OPNsense, which are a good layer of extra security (i.e. support in apps), but in the browser the addon works better, since it can also block images and HTML elements.
Quote from: bongo on December 25, 2021, 09:46:17 AM
- Is it possible that Unbound is flooded with DNS requests and therefore fails to operate later on?
You can DoS a DNS server; however, it is very likely that you get that done by accident. You are likely to need more than 1000 concurrent connections.
One thing to note here: most DNS servers are actually made for high load, since they usually have that in enterprise networks.
Especially servers such as BIND, Unbound and PowerDNS.
Quote from: bongo on December 25, 2021, 09:46:17 AM
- And if yes, how can this be avoided?
* Raise server limits
* Enable caching
* Reduce DNS lookups
* Load Balance DNS
* ...
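The first two items of that list (raise server limits, enable caching), plus a per-client rate limit so that one host cannot exhaust the resolver, as an Unbound configuration fragment. This is an added example and not any poster's configuration; the drop-in file path is assumed to be OPNsense's custom-include directory, and the numbers are illustrative starting points, not values from this thread.

```conf
# Assumed drop-in location for custom Unbound options on OPNsense (not from the thread):
#   /usr/local/etc/unbound.opnsense.d/tuning.conf
# Check the generated /var/unbound/unbound.conf for the include line before relying on it.
server:
  # Server limits: more queries in flight per thread and more upstream sockets.
  # The defaults are a few hundred queries per thread; a browser pulling several
  # hundred names for one page stays far below these values.
  num-threads: 2
  num-queries-per-thread: 4096
  outgoing-range: 8192
  so-reuseport: yes

  # Caching: larger message/RRset caches and prefetch, so that names the LAN asks
  # for repeatedly are answered from cache and refreshed shortly before they expire.
  msg-cache-size: 64m
  rrset-cache-size: 128m
  cache-min-ttl: 300
  prefetch: yes

  # Per-client limit (queries per second per source IP). One misbehaving host is
  # throttled instead of starving everyone; the factor lets a fraction of excess
  # queries through so the client is slowed rather than cut off entirely.
  ip-ratelimit: 1000
  ip-ratelimit-factor: 10
```

After adding the file, `unbound-checkconf` on the generated configuration validates the syntax, and `unbound-control stats_noreset` shows the `num.query.ratelimited` and cache hit counters that tell you whether either limit is being reached.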