OPNsense Forum

Archive => 23.7 Legacy Series => Topic started by: lar.hed on November 02, 2023, 12:51:02 AM

Title: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 12:51:02 AM
Now I have read the threads that are about the latest version, and well, I might have something else, but strange it is anyway:

This morning started with my KEF LSX2 speakers not having any connection to the internet. I was a bit tired so I just pulled the power cord on the main speaker and hard-booted the speakers, so to say - everything worked again.

Then I decided later in the day to upgrade to the latest and greatest - and then everything went in the wrong direction. Slowly...

First my LAN port (I have 8 ports on my OPNsense firewall hardware, bare metal so nothing in between) stopped working. Well, I could connect to my OPNsense box and my Home Assistant - they are both IP addresses...

Then my WAN dropped somehow so my dual WAN took over (LTE).
Then my server dropped.
And my WiFi (Unifi AP).
And then my Home Assistant.
And finally my LTE WAN backup.

Well, I could still use IP addresses - so I could do some stuff, but it was not working as it used to.

After reading on my mobile (this has got to be the first time I loved having a folding phone!) I read up on OPNsense issues here in this forum, and decided yes, let's reinstall and apply the config backup. So I did. This was because of other reports. But do note two things: a) the IP address resolution seemed to work (one could enter 1.1.1.1 and get that web page) and b) my firewall hardware was VERY hot, something was running maxed out and I could not figure out what it was, since, well, the Dashboard seemed just fine...

...until later this evening when service after service also started to fail - when I did the reinstall I think there were 8 red boxes on services that had stopped. Something was way off.

Now I did not prep for this scenario so I had to download everything. But reinstall I did. 23.7.

And STILL no DNS service. IP worked, and my hardware was once again cool.

So I just decided, let's try Dnsmasq instead of Unbound DNS.

And now everything is back to normal I think - I will have to check tomorrow and so on.

But the thing I would like to share here is:
1) Double check whether an IP address like 1.1.1.1 (which is a web page) works - then look at the DNS solution one has chosen, and change to one of the others just for the sake of testing.
2) Be a bit reserved about the latest patch. This got very bad after the upgrade; however, it seems to be Unbound that might overwrite something, since it seems to kill port after port slowly...

And if I am wrong in anything above, well then I do apologize in advance - this is how it behaved for me this evening, and I lacked the energy to debug the crap out of it.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 02, 2023, 07:15:21 AM
Same happening to me (I think I upgraded from 23.7.3 or 4 to 23.7.7_1, then 23.7.7_3) on OPNsense 23.7.7_3. After that, random stopping/crashing of DNS (Unbound), and I had to switch to Dnsmasq and add DNS servers under Settings -> General -> DNS Servers to make my router work again.

If I remember correctly a ping works, which means it definitely looks like a DNS issue... possibly only for DoT users with DNSSEC enabled, or also people without it? I use DoT to Quad9 (9.9.9.9 and 149.112.112.112) but I'm not sure if this is relevant. Can someone confirm that it also stops and crashes without DoT and DNSSEC enabled?

No clue where to look, as it does not look like Unbound DNS throws any errors.

I also did not find a matching issue report on

Another thread maybe following the same issue might be the one here: https://forum.opnsense.org/index.php?topic=35527.75

Would be really nice to have at least a clue about the progress or what the cause could be...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 09:04:03 AM
Yes, I was running DoT (Unbound), but turned it off. No difference. Since I also run DNSSEC I guess I should have tested turning that off too; I did not (too tired).
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 10:42:24 AM
I just compared an old (2023-08-07) config XML file with the new one from last night when all the problems started, when I still had Unbound DNS enabled. A few things noted:

1) There is a section in the old one that is missing in the new one:
  <unbound>
    <enable>1</enable>
    <custom_options/>
    <dnssec>1</dnssec>
    <regdhcp>1</regdhcp>
    <regdhcpstatic>1</regdhcpstatic>
    <stats>1</stats>
  </unbound>


2) Unbound DNS was 1.0.4 in the old version and 1.0.8 in the new. And there is a lot more in the new version under the unboundplus section.

Here is the OLD one (yes, at this time I had only two DoT servers defined):
    <unboundplus version="1.0.4">
      <service_enabled/>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logverbosity>1</logverbosity>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cacheminttl/>
        <infrahostttl/>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <dnsbl>
        <enabled>1</enabled>
        <type>bla0,bla,blc,bld,blf,blf0,blg,blm,blp,blp0,blp1,blr,blr0,bls,blt,blt0,blt1,el,ep,nc,pt,sa,st,sb,ws,yy</type>
        <lists>https://raw.githubusercontent.com/larhedse/hostnamelistan/master/BaraHostLista.txt</lists>
        <whitelists/>
        <address/>
        <nxdomain>0</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots>
        <dot uuid="9dc79fd6-5c5e-41bc-b193-f94b5cb007bc">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>1.1.1.3</server>
          <port>853</port>
          <verify>cloudflare-dns.com</verify>
        </dot>
        <dot uuid="d9de93d8-a4ed-4283-b44b-aea29794de07">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>1.1.1.2</server>
          <port>853</port>
          <verify>cloudflare-dns.com</verify>
        </dot>
      </dots>
      <hosts/>
      <aliases/>
      <domains/>
    </unboundplus>


And then the NEW one with all the extras:
    <unboundplus version="1.0.8">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats>1</stats>
        <active_interface/>
        <dnssec>1</dnssec>
        <dns64>0</dns64>
        <dns64prefix>64:ff9b::/96</dns64prefix>
        <noarecords>0</noarecords>
        <regdhcp>1</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>1</regdhcpstatic>
        <noreglladdr6>0</noreglladdr6>
        <noregrecords>0</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>0</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>0</logqueries>
        <logreplies>0</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logservfail>0</logservfail>
        <loglocalactions>0</loglocalactions>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing>0</infrakeepprobing>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>deny</default_action>
      </acls>
      <dnsbl>
        <enabled>1</enabled>
        <safesearch>0</safesearch>
        <type>bla0,bla,blc,bld,blf,blf0,blg,blm,blp,blp0,blp1,blr,blr0,bls,blt,blt0,blt1,el,ep,nc,pt,sa,st,sb,ws,yy</type>
        <lists>https://raw.githubusercontent.com/larhedse/hostnamelistan/master/BaraHostLista.txt</lists>
        <whitelists/>
        <blocklists/>
        <wildcards/>
        <address/>
        <nxdomain>0</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots>
        <dot uuid="9dc79fd6-5c5e-41bc-b193-f94b5cb007bc">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>1.1.1.3</server>
          <port>853</port>
          <verify>cloudflare-dns.com</verify>
        </dot>
        <dot uuid="d9de93d8-a4ed-4283-b44b-aea29794de07">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>1.1.1.2</server>
          <port>853</port>
          <verify>cloudflare-dns.com</verify>
        </dot>
        <dot uuid="2fef985d-b3a5-42fc-9665-3bca6e5bee6b">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>9.9.9.9</server>
          <port>853</port>
          <verify>dns.quad9.net</verify>
        </dot>
        <dot uuid="8e309da4-9864-4442-ba6f-76c7d409109c">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>149.112.112.112</server>
          <port>853</port>
          <verify>dns.quad9.net</verify>
        </dot>
      </dots>
      <hosts/>
      <aliases/>
      <domains/>
    </unboundplus>


I guess the next thing for me to do is to replace the NEW unbound stuff with the OLD one to see if that works. I would say that for the moment the OPNsense update is breaking Unbound...

Also, running 23.7 means I cannot install any plugins since they ALL say "23.7.7_3 is required." - How funny is that?
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: cookiemonster on November 02, 2023, 10:59:34 AM
Sorry to interfere. I wouldn't replace the new config with the old one after an update/upgrade of the software/application that uses it. It's normal to have different configs from one version to another.
You really need to diagnose the setup that post-update doesn't seem to work correctly, if there is time, or roll back, but not a partial rollback; that will just make it worse (most likely).
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 11:02:00 AM
I agree. My fault. It was logical in my head, but reality is exactly like you say (write).

So I upgraded to the latest again, but with Unbound NOT enabled - I need to see and understand what destroyed Unbound before I enable Unbound again.

For the moment everything works - well, except for Unbound of course.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: cookiemonster on November 02, 2023, 11:08:14 AM
OK. First I'd do a config check with unbound-checkconf as a very basic sanity check. That tells you it won't bomb out and the configuration in itself is OK.
Then you need to look around it. What rules are in place in the firewall that might be problematic?
Frankly, it shouldn't be a problem from one minor OPN version to the next.
Any chance of diagramming your setup? See, "my wan/lan/etc dropped" doesn't give anything to work with :)
You'd want to consider, when it happens, dropping to a shell on the affected client, doing dig or nslookup requests and following the packet in the firewall's live session view with adequate logging set, or a packet capture.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 11:14:43 AM
For what it is worth: I have not touched Unbound for "ages" - that is, it has been running just fine for months. At least around 6 months...

The ONLY thing I added about two months ago was an "IoT" interface, which is a VLAN for IoT stuff running over my Unifi AP. And that, in my mind, has nothing to do with DNS at all.

And this is partly why I "blamed" the upgrade at first - nothing has really changed lately...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 11:22:54 AM
For anyone reading up on my issue: Unbound seems to break when upgrading to 23.7.7.x. Unbound worked perfectly before the latest and greatest - and now it just doesn't. I am not sure when I did the last upgrade before 23.7.7 so I cannot say exactly which level broke Unbound. But something sure did.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: newsense on November 02, 2023, 03:52:21 PM
Does it work if you disable the blocklists?
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 02, 2023, 05:15:14 PM
I don't know, and for the moment I hesitate to even try - I would love to see my OPNsense setup (with Dnsmasq) work for more than 24h at least before I try anything else. To get proof, kind of, that it is/was Unbound that killed itself, so to speak...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Mks on November 02, 2023, 09:36:18 PM
Hi,

may this help?

https://forum.opnsense.org/index.php?topic=36688.msg179833#msg179833

br
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 03, 2023, 08:55:27 PM
Okay, after close to 40 hours or so, my connection was lost again. However, Dnsmasq was still in use so no relation to Unbound DNS. And this time I lost everything - could only get a partial connection to the outside (some web pages loaded part of the page - and then everything just stopped). Like last time it kicked in on the first port on my firewall, and all the others worked. This time I just did a reboot directly to see if / what - and now it is back online. For how long I do not know. What I do know is that DNS seems not to be involved.

I would love to be able to roll back to an older version, and not be forced to use the latest, since the latest does not work.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 03, 2023, 09:02:46 PM
Where can I download 23.7.5 or .6? I would like to be able to validate something... I just found a somewhat odd error in one of all the log files, but, well, I would like to be able to separate things out...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 04, 2023, 09:46:14 AM
Okay I have (at least) two different issues here....

Unbound DNS stopped working after upgrade - I will return to this later....
Link down/up = no connection at all. This issue I will write about in a separate thread so I can handle them better...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 07, 2023, 03:21:20 PM
Since link down/up seems to have resolved itself somehow ??? I decided to return to my Unbound issue.

After disabling Dnsmasq and enabling Unbound - no name resolution on any device. Did a reboot of the OPNsense h/w for the sake of testing. No difference. Disabled Unbound, turned on Dnsmasq - everything works like a charm. Go figure.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Patrick M. Hausen on November 07, 2023, 03:30:18 PM
A tcpdump of the request and reply packets while running the regular DNS debug tools like dig, drill, nslookup ... would be helpful. Also the output of netstat -a etc.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 07, 2023, 03:34:35 PM
I might be able to get them tomorrow. However, be assured that browsing by IP address, intranet and internet (1.1.1.1), works perfectly. Name resolution does not - and it is firewall-wide; no unit has name resolution no matter what segment or VLAN, for that matter.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Patrick M. Hausen on November 07, 2023, 03:50:41 PM
You need to check which addresses have an active socket on port 53 and which packets flow where. I am not aware of any other technique to debug this.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 08, 2023, 10:32:50 AM
Patrick, many thanks for your help and suggestions. For the moment I will put this on hold and rebuild my firewall from scratch. This is more of a Proxmox thing now - I will install Proxmox to get the ability to more easily revert back to a previous version with snapshots and stuff like that - and when OPNsense is installed back on top of Proxmox, of course, I will start hunting whatever is giving me challenges. However, as I rebuild with Proxmox a lot of stuff will change, such as interface port assignments - so there will not be any way for me to restore my config file...

However, I will store my old config just in case I decide to revert back to bare metal again. Better safe than sorry (and after all, I just did a reinstall of OPNsense on bare metal...).
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 18, 2023, 07:34:13 PM
I want to give an update about my issue as I am facing the same issue with Unbound DNS randomly stopping working.

I freshly installed OPNsense 23.7 from scratch and did a configuration restore via the backup restore process; after that I upgraded again to the latest version, 23.7.8. After that I switched back from Dnsmasq to Unbound DNS with DoT and DNSSEC enabled.

After approx. 5 min DNS stopped working again, and after various restarts and switching between Dnsmasq and Unbound back and forth, always after some short random time DNS stopped working on Unbound DNS again.

After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.

This setup is now stable for at least 24 hours!

As a side note, before the fresh install, when I was troubleshooting the issue, I can remember that I got SERVFAILs when checking with tcpdump, e.g.


tcpdump -v -i igb0 dst port 53  # LAN showing SERVFAILS, when DNS stopped working
tcpdump -v -i igb1 dst port 853  # WAN when DoT enabled



P.S.: I have a PC Engines APU4 board.

P.P.S.: I did a health check of the system, and I even tried a check of the unbound config based on https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#testing-the-setup. All checks good, and the logs do not seem to indicate an issue, which makes this thing hard to troubleshoot.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 24, 2023, 12:19:44 PM
Running now 24/7 without interruption.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 24, 2023, 12:22:49 PM
Still without DNSSEC and DoT?
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 25, 2023, 01:17:56 PM
Yes, without having these set, which leads me to believe that the problem lies there. But that's just my personal amateur opinion. If I find time, which is rare these days, I will investigate further.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 25, 2023, 01:30:18 PM
It's also worth noting that a new OPNsense release 23.7.9 is out now with a new Unbound version 1.18.0 -> 1.19.0, with some bug fixes: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0. However, I'm not finding anything related to DoT or DNSSEC in the bugs section, but I also do not know the library itself and its code, so I will give it a try and check if it will work again with DoT and DNSSEC enabled.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Kinerg on November 25, 2023, 03:34:02 PM
Quote from: Tschabadu on November 18, 2023, 07:34:13 PM
After this (I was pretty sure a fresh install would help, because migration could have screwed things up maybe), I decided to disable DNSSEC and DoT, but leave Unbound DNS as default DNS.

This setup is now stable for at least 24 hours!

Can you try disabling DNSSEC while using DoT? It should be disabled as your DoT/DoH server is the one ensuring DNSSEC anyway.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 26, 2023, 12:09:57 PM
Hi, valid point and thanks for the advice. I can give it a try, and based on the setup guide on Quad9 it's not mentioned anyway: https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: CJ on November 26, 2023, 06:22:15 PM
I'm using Quad9 DoT without DNSSEC with no problems, but I'm still on 23.7.6.  May give that an update today.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Kinerg on November 26, 2023, 08:21:16 PM
Quote from: Tschabadu on November 26, 2023, 12:09:57 PM
Hi, valid point and thanks for the advice. I can give it a try, and based on the setup guide on Quad9 it's not mentioned anyway: https://www.quad9.net/support/set-up-guides/setup-opnsense-and-dns-over-tls.

I've had issues with Quad9 DoT and DNSSEC, too. They explicitly say to disable it in their pfSense guide:
https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

Not sure why it's not mentioned for OPNsense.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 27, 2023, 10:00:33 AM
I just had a look at my settings for Unbound / DoT / DNSSEC - and sure enough I use Quad9 and Cloudflare, two IPs from each. Now I use 4 custom forwards, since I got into problems with only Quad9 active. So I used all four of them - but I guess the Quad9 IPs are never used since they are last in the list.

That being said, later today when I am alone on the network (trying to be nice here...) I will re-enable Unbound, but without DNSSEC. And see what happens.

And I also wonder which DoT servers one should use nowadays...
Are Google's the only ones that work?
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 27, 2023, 10:34:55 AM
Nope - no matter what I do Unbound just refuses to resolve any names.

I disabled DNSSEC
And then disabled DoT
And then disabled BlockLists

It seems to be a ghost in the system when it cannot even work empty, so to speak.

Is there any easy way to kind of restore defaults for only the Unbound settings, like hacking the config file and just removing everything - is that doable, to make a "cold reset" so to speak, so I know that I am not fighting any old "hangs-around-the-corner-that-I-forgot-or-cannot-see" thing?

Edit: Worth noting in all this: this config used to work, and did so for, what, 6 months since the last change (and it worked before that too). So I find it very strange that all of a sudden, just because of an upgrade of OPNsense, and most likely Unbound, it just stops resolving names. There is at least one ghost in the system...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: cookiemonster on November 27, 2023, 01:33:46 PM
I don't have a problem with my DoT on Unbound and I am still on OPN ver 23.1.11_2 but looking at these last posts in this thread makes me wonder if people are putting a problematic mix of resolvers in Unbound.
Specifically DNSSEC:
Cloudflare only mentions DNSSEC on their main resolver 1.1.1.1: https://developers.cloudflare.com/1.1.1.1/encryption/dnskey/. Encryption is mentioned on two IPs only.
Quad9 mentions that a DNSSEC auth failure will be reported by their resolver as SERVFAIL just like a nonexistent one, and a way to differentiate: https://docs.quad9.net/FAQs/
In other words, if you have a mix of DNSSEC-capable/incapable upstream resolvers, Unbound might not be able to work properly. Just a thought, I haven't had a need to diagnose it, but alignment of those upstreams might be helpful in this thread.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 27, 2023, 01:46:35 PM
Okay, well, I have found what was wrong in my configuration, and it is not what I expected...

Short "executive summary": under Services, Unbound, Access Lists there is a "Default Action" drop-down selection. This was, for some fuggly reason, set to BLOCK - that was the error in my case. Replaced with ALLOW - problem gone, and now I am running Unbound, DoT, DNSSEC and blocklists. And maybe something more.

The thing I cannot get my head around is WHY that was changed in my config. I just cannot believe I changed that myself.

So I went back in my config files, to one from 2023-08-07 - before the upgrade thing started. There are NO records in my config backup file at all about Access Lists. So clearly, until someone points me in the right direction, I have to think that this BLOCK selection was part of the upgrade process - and not something I did or have done. If this is how the upgrade "disabled" Unbound, then this is the Ghost in the System. My current guess is that it is.
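The two config.xml extracts posted earlier in this thread and the Access List finding above both come down to the same question: which leaves appeared, disappeared or changed under <unboundplus> between the 1.0.4 and 1.0.8 backups, and what does acls/default_action say. The script below is an added example for this thread, not OPNsense code; the two XML strings are constructed, trimmed-down versions of the old and new sections shown above (the element names are OPNsense's own), and the "suspicious settings" list is my own short checklist of the leaves that would make Unbound stop answering clients.

```python
"""Compare the <unboundplus> section of two OPNsense config.xml backups.

Added example for this thread, not OPNsense code. The XML strings below are
constructed from the 1.0.4 and 1.0.8 sections posted in the thread, trimmed
to the parts that matter; the element names are OPNsense's own.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the OLD section has no <acls> element at all.
OLD_CONFIG = """<opnsense>
  <OPNsense>
    <unboundplus version="1.0.4">
      <service_enabled/>
      <advanced><logverbosity>1</logverbosity></advanced>
      <dnsbl><enabled>1</enabled></dnsbl>
      <forwarding><enabled>0</enabled></forwarding>
    </unboundplus>
  </OPNsense>
</opnsense>"""

# Constructed sample: the NEW section carries <acls><default_action>deny</default_action></acls>.
NEW_CONFIG = """<opnsense>
  <OPNsense>
    <unboundplus version="1.0.8">
      <general><enabled>1</enabled><dnssec>1</dnssec></general>
      <advanced><logverbosity>1</logverbosity><infrakeepprobing>0</infrakeepprobing></advanced>
      <acls><default_action>deny</default_action></acls>
      <dnsbl><enabled>1</enabled><safesearch>0</safesearch></dnsbl>
      <forwarding><enabled>0</enabled></forwarding>
    </unboundplus>
  </OPNsense>
</opnsense>"""


def flatten(xml_text, section="unboundplus"):
    """Return {path: text} for every leaf under the first <section> element.

    Paths are relative to the section, e.g. 'acls/default_action'. Elements
    carrying a uuid attribute (the DoT servers) keep the uuid in the path so
    that reordering them does not show up as a change.
    """
    root = ET.fromstring(xml_text)
    node = root.find(f".//{section}")
    if node is None:
        raise ValueError(f"no <{section}> element in config")
    leaves = {}

    def walk(elem, prefix):
        for child in elem:
            name = child.tag
            if "uuid" in child.attrib:
                name += f"[{child.attrib['uuid']}]"
            path = f"{prefix}/{name}" if prefix else name
            if len(child):
                walk(child, path)
            else:
                leaves[path] = (child.text or "").strip()

    walk(node, "")
    return leaves


def diff_unbound(old_xml, new_xml):
    """Classify leaf differences into added / removed / changed."""
    old, new = flatten(old_xml), flatten(new_xml)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def acl_default_action(xml_text):
    """Access List default action ('allow'/'deny'), or None when the section is
    absent, which is what a pre-1.0.8 backup looks like."""
    return flatten(xml_text).get("acls/default_action")


def suspicious_settings(xml_text):
    """Leaves to check first when Unbound runs but answers nothing to clients."""
    leaves = flatten(xml_text)
    findings = []
    if leaves.get("acls/default_action") == "deny":
        findings.append("acls/default_action is deny: client queries not matched by an ACL are not answered")
    if leaves.get("general/enabled") == "0":
        findings.append("general/enabled is 0: Unbound is disabled")
    return findings


if __name__ == "__main__":
    d = diff_unbound(OLD_CONFIG, NEW_CONFIG)
    for kind in ("added", "removed", "changed"):
        for path, value in sorted(d[kind].items()):
            print(f"{kind:8} {path} = {value}")
    for finding in suspicious_settings(NEW_CONFIG):
        print("CHECK:", finding)
```

To run it against real backups, read the two files from System > Configuration > Backups into OLD_CONFIG and NEW_CONFIG; a leaf that shows up only under "added" with a restrictive value is exactly the kind of migration default this thread was chasing.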
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 27, 2023, 03:46:32 PM
Sorry, but I spoke too soon...

Yes, Unbound works, but it pins one (of 8) cores at 100% load all the time, no matter what. Something is running hard in that Unbound process...

So I am back on Dnsmasq...
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 28, 2023, 07:26:35 PM
And I am back on Unbound DNS without DoT.

Disabling DNSSEC did not work; it stopped working again after a very short period of time with DoT enabled and using Quad9. I probably will try Cloudflare to eliminate the possibility that Quad9 itself is the issue, but I doubt it.

However, it is not absolutely clear to me how to disable DNSSEC at all, apart from the flag under Services -> Unbound -> General -> Enable DNSSEC Support (uncheck and apply) and Services -> Unbound -> Advanced -> Harden DNSSEC Data (uncheck and apply), but I think that's it.

I have OPNsense 23.7.9 installed (latest as of now) with Unbound 1.19.0. No change in the issue.

My unbound config (as configured via the UI), but probably not very helpful, and DoT is disabled!

/var/unbound/unbound.conf

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python iterator"
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8




# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)
private-address: 0.0.0.0/8
private-address: 10.0.0.0/8
private-address: 100.64.0.0/10
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 192.0.2.0/24
private-address: 192.168.0.0/16
private-address: 198.18.0.0/15
private-address: 198.51.100.0/24
private-address: 203.0.113.0/24
private-address: 233.252.0.0/24
private-address: ::1/128
private-address: 2001:db8::/32
private-address: fc00::/8
private-address: fd00::/8
private-address: fe80::/10


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf



python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on November 28, 2023, 07:38:13 PM
And another "fun" fact for when DNS stops working while DoT is enabled.

I do not get any more packets over WAN when sniffing via


tcpdump -i igb1 'port 853' # WAN DoT


But I still get packets via


tcpdump -i igb0 'port 53' # LAN DNS


And the Unbound service still seems to be running as a process, or at least is clearly visible in the GUI as a still-running service...

And also my override list for my internal apps is still working, which means Unbound generally works except for name resolution to the world wide web :o

In graphical form this means


WWW <--DoT:853--> Unbound (DoT) <-x-BROKEN?-> Unbound (DNS) <--DNS:53-WORKS--> Local Clients
  |                                                      |
  -------------------- DNS:53-WORKS ----------------------
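cookiemonster and Patrick both suggested dig/drill against the firewall plus a capture of the request and reply, and the two symptoms reported in this thread look different on the wire: Tschabadu saw SERVFAILs on port 53 while port 853 went quiet, whereas lar.hed's Access List default of BLOCK produced no usable answer for anyone. The probe below is an added example, not code from the thread, from OPNsense or from Unbound. It builds a raw DNS query (optionally with the EDNS0 DO bit set, so the resolver's DNSSEC path is exercised), parses only the reply header, and maps RCODE/AD to the next place to look. The three sample replies are constructed bytes so the classification runs offline; probe() is the only part that talks to a real resolver, and the firewall address 192.168.1.1 in the usage comment is an assumption.

```python
"""Minimal DNS probe to tell apart the failure modes discussed in this thread.

Added example, not part of the original posts or of OPNsense/Unbound. Only the
12-byte header is parsed; that is enough to read RCODE and the AD (validated)
flag. The sample replies below are constructed.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, do_bit=False):
    """Standard query with RD set; with do_bit an OPT RR (EDNS0, DO=1) is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    if not do_bit:
        return header + question
    # OPT RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_response(data):
    """Header fields a troubleshooter cares about."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # AD=1: the resolver validated the answer (DNSSEC)
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(result):
    """Map a parsed reply (or None for a timeout) to where to look next."""
    if result is None:
        return "no reply: resolver not listening on this address, firewall rule, or ACL drop"
    rc = result["rcode"]
    if rc == "REFUSED":
        return "REFUSED: the resolver rejected the client; check Services > Unbound DNS > Access Lists default action"
    if rc == "SERVFAIL":
        return "SERVFAIL: upstream/forwarder (DoT) unreachable or DNSSEC validation failed; retry without the DO bit and watch port 853"
    if rc == "NXDOMAIN":
        return "NXDOMAIN: resolution works, the name does not exist (or a blocklist answers NXDOMAIN)"
    if rc == "NOERROR" and result["answers"] == 0:
        return "NOERROR with empty answer: name exists but has no record of this type"
    return "NOERROR: resolution works" + (" (DNSSEC validated)" if result["ad"] else "")


def probe(server, name, do_bit=False, timeout=2.0):
    """Send one UDP query to the resolver; returns the parsed header or None on timeout."""
    q = build_query(name, do_bit=do_bit)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


# Constructed sample replies for query id 0x1234: header plus echoed question.
# Only the header counts are set; answer RRs are omitted because only the header is parsed.
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION   # QR RD RA, rcode 5
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + QUESTION  # QR RD RA, rcode 2
SAMPLE_OK_AD = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0) + QUESTION     # QR RD RA AD, 1 answer

if __name__ == "__main__":
    for label, raw in (("refused", SAMPLE_REFUSED), ("servfail", SAMPLE_SERVFAIL), ("ok", SAMPLE_OK_AD)):
        print(label, "->", classify(parse_response(raw)))
    # Live use from a LAN client (192.168.1.1 assumed to be the firewall):
    # print(classify(probe("192.168.1.1", "example.com", do_bit=True)))
```

Run the live probe twice, once with do_bit=False and once with do_bit=True, for an external name and for one of the internal overrides; a SERVFAIL only on the external name with DO set points at the DoT/DNSSEC path, REFUSED or silence on everything points at the ACL or a firewall rule, and the override still answering matches the "local works, upstream broken" picture drawn above.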
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on November 30, 2023, 10:02:11 AM
FWIW....

After I applied the patch that franco requested to be tested: https://forum.opnsense.org/index.php?topic=37243

I had no issues with Unbound - this is a bit unexpected, but I am happy anyway. My problems seem to be solved (and now I will run away and grab that egg timer until the next challenge presents itself!).
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: Tschabadu on December 02, 2023, 10:24:16 AM
@lar.hed Thank you for pointing this out.

Quote
After I applied the patch that franco requested to be tested: https://forum.opnsense.org/index.php?topic=37243

Glad it solves your issue 👍. I will probably wait for the new OPNsense release which hopefully will include this. Had no chance to apply the patch.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on December 03, 2023, 08:14:38 PM
Right....

I can now say I still have this problem with Unbound. It just hung at 100% on one core (of 8). I had to kill -9 it to get it to release and start to behave again. Trying to restart the process from the GUI just does not work.

No, I do not know what is wrong... I would love to build a Monit watchdog that does kill -9 and restarts it when it hits CPU above 99% on one core.... Does anyone know how to write such a thing?
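An added example, not from the thread or from OPNsense, of the watchdog asked for above as a POSIX sh script for FreeBSD. It assumes Unbound's pidfile is /var/run/unbound.pid and that `configctl unbound start` brings the service back; both are assumptions to check against your install.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the pidfile path and the
# configctl (OPNsense service control) command; adjust to your install.
PIDFILE="${PIDFILE:-/var/run/unbound.pid}"
THRESHOLD="${THRESHOLD:-99}"   # per-thread %CPU that counts as "stuck"
STRIKES="${STRIKES:-3}"        # consecutive hits before kill -9
INTERVAL="${INTERVAL:-10}"     # seconds between samples

# Highest %CPU among the values on stdin, one per line, as produced by
# "ps -H -o pcpu= -p <pid>" on FreeBSD (-H lists every thread, so one
# spinning thread shows up as ~100 even while the other threads idle).
max_pcpu() {
    awk 'BEGIN { m = 0 } $1 + 0 > m { m = $1 + 0 } END { printf "%.1f\n", m }'
}

# True (exit 0) when $1 is above THRESHOLD.
cpu_exceeds() {
    awk -v v="$1" -v t="$THRESHOLD" 'BEGIN { exit !(v + 0 > t + 0) }'
}

# A clean stop does not return while unbound is spinning, hence -9.
restart_unbound() {
    kill -9 "$1" 2>/dev/null
    sleep 2
    /usr/local/sbin/configctl unbound start
    logger -t unbound_watchdog "killed pid $1 (CPU > ${THRESHOLD}%), restarted unbound"
}

watchdog_loop() {
    hits=0
    while :; do
        if [ -r "$PIDFILE" ]; then
            pid=$(cat "$PIDFILE")
            busiest=$(ps -H -o pcpu= -p "$pid" 2>/dev/null | max_pcpu)
            if cpu_exceeds "$busiest"; then hits=$((hits + 1)); else hits=0; fi
            if [ "$hits" -ge "$STRIKES" ]; then
                restart_unbound "$pid"
                hits=0
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Loop only when invoked as "sh unbound_watchdog.sh run" (e.g. from cron @reboot).
if [ "${1:-}" = "run" ]; then watchdog_loop; fi
```

Requiring STRIKES consecutive samples avoids killing Unbound on a short burst such as a cache reload.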
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on December 03, 2023, 08:31:34 PM
Hmm anyone know how I can interpret this error:

Quote
2023-12-03T19:58:27   Error   unbound   [24652:3] error: reading root hints /root.hints 2:6: Syntax error, could not parse the RR's type
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: kevco on January 28, 2024, 11:13:51 AM
Quote from: lar.hed on November 02, 2023, 11:22:54 AM
For anyone reading up on my issue: Unbound seems to break when upgrading to 23.7.7.x. Unbound worked perfectly before the latest and greatest - and now it just doesn't. I am not sure when I did the latest upgrade before 23.7.7 so I cannot say exactly which level broke Unbound. But something sure did.


Hello, I have the same issue with OPNsense 23.7. How can I fix the problem with Unbound?

It's a little bit strange. If I use only the default LAN, Unbound works perfectly.

If I create a new network/VLAN on OPNsense with the same rules as the default LAN, Unbound crashes.
I have only one LAN interface and connect a new network/VLAN via this interface.

Here are some reports from Unbound:

2024-01-28T10:46:57   Critical   unbound   [16075:3] fatal error: Could not initialize thread   
2024-01-28T10:46:57   Critical   unbound   [16075:0] fatal error: Could not initialize main thread   
2024-01-28T10:46:57   Error   unbound   [16075:0] error: Could not set root or stub hints   
2024-01-28T10:46:57   Error   unbound   [16075:0] error: reading root hints /root.hints 24:4: Syntax error, could not parse the RR's TTL   
2024-01-28T10:46:57   Error   unbound   [16075:3] error: Could not set root or stub hints   
2024-01-28T10:46:57   Error   unbound   [16075:3] error: reading root hints /root.hints 2:8: Syntax error, could not parse the RR's type   
2024-01-28T10:46:37   Critical   unbound   [69178:4] fatal error: Could not initialize thread   
2024-01-28T10:46:37   Warning   unbound   [69178:1] warning: root hints /root.hints:29 skipping type A   
2024-01-28T10:46:37   Error   unbound   [69178:4] error: Could not set root or stub hints   
2024-01-28T10:46:37   Error   unbound   [69178:4] error: reading root hints /root.hints 2:11: Syntax error, could not parse the RR's type   
2024-01-28T10:45:21   Critical   unbound   [91266:1] fatal error: Could not initialize thread   
2024-01-28T10:45:21   Error   unbound   [91266:1] error: Could not set root or stub hints   
2024-01-28T10:45:21   Error   unbound   [91266:1] error: reading root hints /root.hints 2:17: Syntax error, could not parse the RR's type   
2024-01-28T10:43:48   Critical   unbound   [32545:2] fatal error: Could not initialize thread   
2024-01-28T10:43:48   Critical   unbound   [32545:0] fatal error: Could not initialize main thread   
2024-01-28T10:43:48   Error   unbound   [32545:2] error: Could not set root or stub hints   
2024-01-28T10:43:48   Error   unbound   [32545:0] error: Could not set root or stub hints   
2024-01-28T10:43:48   Error   unbound   [32545:0] error: reading root hints /root.hints 28:30: Syntax error, could not parse the RR's class

Regards
Kevin
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on January 28, 2024, 11:22:10 AM
I think I will quote myself from two other threads where this has been a standing challenge, which for the moment seems to be under control until I find another challenge (16 days without problems so far - do note the Monit scripts to help out if something happens anyway):

Quote from: lar.hed on January 26, 2024, 05:20:13 PM
Hi @Fright!

Thanks for helping out.

I can add this that I wrote in the other Unbound thread:
Quote from: lar.hed on January 23, 2024, 10:44:08 AM
I need to be more precise, I think...

So, my current setup is OPNsense 23.7.11-amd64.

On this I have the two patches earlier referenced:
opnsense-patch a086f40b
opnsense-patch 845fbd384fe


Then I have removed two plugins: mDNS and IGMP Proxy - and am only running UDP Broadcast Relay: https://forum.opnsense.org/index.php?topic=38114.0

Also, since in my case there seems to be some kind of connection to IP address changes or something, I decided to uncheck "Register DHCP Leases" and "Register DHCP Static Mappings".

So, in all, 6 changes. I cannot say that each change has anything to do with this challenge I have with Unbound; however, the changes above have made Unbound stable from being 100% CPU bound. Which one I would vote for? Patches all day long....

I have had one Unbound stop which I have no reference to why. Monit restarted Unbound directly and since I'm not at home where the OPNsense is installed, I have not been able to check anything....

I have not had any more 100% CPU on one core since I changed the above. Currently I do not know exactly which one is most likely to have solved this. Although I have to say that removing the extra plugins should not be the reason....
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: kevco on January 29, 2024, 02:31:38 PM
Quote from: lar.hed on January 28, 2024, 11:22:10 AM

I have installed OPNsense version 23.7.12 with Monit; it looks like the Unbound service is now permanently online (but it's a workaround). But DNS within VLANs doesn't work (local network & WAN). On my VLANs I can connect to every client by IP but not by DNS name. I can ping 1.1.1.1 and 8.8.8.8.
If I connect via SSH to my OPNsense and try a ping to my local clients, only IP works. But a ping to Google works with a DNS name....


It's a little bit strange: I have installed a fresh OPNsense version 23.7 and everything works fine with the default LAN interface and the same rules. I have only one LAN interface. If I create new VLANs/networks and connect them to my single NIC (default LAN interface), it seems that Unbound crashes.
I have the same rules for every VLAN/network as for the default LAN network.


Regards
Kevin
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: lar.hed on January 29, 2024, 03:36:47 PM
If you have unchecked the "Register DHCP Leases" and "Register DHCP Static Mappings" - then DNS name resolution on your intranet will not work.
Title: Re: Either Unbound or the latest patch (23.7.xxxx) broke my connection
Post by: kevco on January 31, 2024, 08:22:40 PM
I have installed version 24.1 with the same configuration and now it seems to be fine.
Unbound hasn't crashed for 1 day.

Quote from: lar.hed on January 29, 2024, 03:36:47 PM
If you have unchecked the "Register DHCP Leases" and "Register DHCP Static Mappings" - then DNS name resolution on your intranet will not work.