OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: supercm on December 09, 2021, 04:30:33 pm

Title: Unbound Issues
Post by: supercm on December 09, 2021, 04:30:33 pm
I have a new installation and am finding that DNS stops working randomly and I could use some advice on where to go to troubleshoot.

Unbound was serving up requests last night and this morning I was seeing DNS errors in a browser. So I went into diagnostics to perform a DNS lookup and it shows failed to 127.0.0.1 but the other external DNS servers (set up in the General section) resolve. A restart of Unbound resolves the issue.

These are the logs (I didn't cut anything out) from the point they last wrote until when I kicked off the restart:

2021-12-09T06:21:22   unbound[87125]   [87125:0] info: service stopped (unbound 1.13.2).   
2021-12-08T21:39:19   unbound[87125]   [87125:0] info: generate keytag query _ta-4f66. NULL IN   
2021-12-08T14:39:41   unbound[87125]   [87125:1] info: generate keytag query _ta-4f66. NULL IN   
2021-12-08T14:39:41   unbound[87125]   [87125:0] info: generate keytag query _ta-4f66. NULL IN   
2021-12-08T14:39:41   unbound[87125]   [87125:0] info: start of service (unbound 1.13.2).

While I want to get to the root of the issue and could use pointers to further troubleshoot as I'm stuck, I could also use some pointers on how to detect and automatically remediate in the short term.

Thank you.
Title: Re: Unbound Issues
Post by: supercm on December 09, 2021, 05:28:18 pm
Adding now that DNS is currently not responding. I have not made any firewall changes but I cannot make a DNS request on my lan currently. Restarting Unbound (and the machine) has not resolved the issue. I am able to make a DNS request on a VLAN but not on the LAN network.
Title: Re: Unbound Issues
Post by: supercm on December 09, 2021, 05:47:36 pm
I was able to restore access by adding the attached firewall rule (though I had not made any firewall changes and have an allow all rule already).

Title: Re: Unbound Issues
Post by: supercm on December 09, 2021, 06:07:50 pm
The response doesn't seem super healthy though.

> bing.com
Server:  UnKnown
Address:  192.168.2.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    bing.com
Addresses:  204.79.197.200
          13.107.21.200
Title: Re: Unbound Issues
Post by: cookiemonster on December 09, 2021, 09:28:00 pm
The default installation and enabling Unbound will not require adding or changing firewall rules, so your new rule might only be masking a problem, which sounds like it is in Unbound.
If it helps, leave the rule for now.
But, Unbound might be choking somewhere. I would start with
Code:
% unbound-checkconf .
And it would help to post your Unbound setup & System > Settings > General: Networking
Title: Re: Unbound Issues
Post by: supercm on December 09, 2021, 10:48:28 pm
Running the requested command found no issues.

  <unbound>
    <enable>1</enable>
    <noreglladdr6>1</noreglladdr6>
    <cache_max_ttl/>
    <cache_min_ttl/>
    <incoming_num_tcp>10</incoming_num_tcp>
    <infra_cache_numhosts>10000</infra_cache_numhosts>
    <infra_host_ttl>900</infra_host_ttl>
    <jostle_timeout>200</jostle_timeout>
    <log_verbosity>2</log_verbosity>
    <msgcachesize>4</msgcachesize>
    <num_queries_per_thread>4096</num_queries_per_thread>
    <outgoing_num_tcp>10</outgoing_num_tcp>
    <unwanted_reply_threshold/>

   
DNS Server   Use gateway
94.140.14.14    WIRELESS1_DHCP - opt2 -
94.140.15.15    WIRELESS1_DHCP - opt2 -
94.140.14.14    WAN12_DHCP - opt1 -
94.140.15.15    WAN12_DHCP - opt1 -
94.140.14.14    WAN18_DHCP - wan -
94.140.15.15    WAN18_DHCP - wan

Nothing checked on this page
Title: Re: Unbound Issues
Post by: supercm on December 10, 2021, 05:44:24 pm
I created another server that didn't seem to have this same problem (so far) and rebuilt the problematic one in a CARP configuration.

I'm assuming this is now resolved.