OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: wodec on September 05, 2022, 01:27:55 pm

Title: DNS blacklist unbound update issue
Post by: wodec on September 05, 2022, 01:27:55 pm
Hi,


Have been experiencing regular issues while using the unbound DNS service with DNS blocklists.

More specifically: let's say I want to add some blocklists and download & apply them (see attachment - 1.PNG).
It proceeds with downloading as seen in the unbound log, which seems to complete successfully. (2.png and 3.png)

However, the DNS console shows an error (see 4.png).
In the logs, the only thing I can find is "Timeout (120) executing: inbound dnsbl". (see 6.png)

Now, in this case, I'm lucky, my DNS service still seems to be running, despite the error message.
More often than not, once I click away the error message and refresh, I see the red arrow at top right indicating stopped service. (as in 7.png)

Anyways, to be sure, I manually restart the unbound DNS service.

I'm again seeing error messages in logs: see 8.png.
But the service seems to start and to resolve DNS queries, taking into account the blocklists (e.g. known porn lists are blocked based on the selected porn blacklists).

The above behavior occurs EVERY time I manually trigger a download & apply on the DNS blacklists.

I also have a cron job which refreshes the blocklists every night in the middle of the night.
When I go online in the morning, DNS resolving still seems to work, so it seems the service does not stop in the night when updating the blocklists.

So I'm a bit in doubt here.
Is there an issue with the unbound DNS blocklist, is this only an issue when doing a manual trigger, ...

Thanks for any insight you can provide!

Title: Re: DNS blacklist unbound update issue
Post by: wodec on September 05, 2022, 01:29:09 pm
Ok, sorry for this, but seems I can't upload all attachments in one post.

Title: Re: DNS blacklist unbound update issue
Post by: scottj on September 05, 2022, 06:45:19 pm
I was running into a timeout like this. I ended up reducing the list of the DNSBL listing in "Type of DNSBL". I would rather have kept my long-ish list, but this was the only workaround I found.

Title: Re: DNS blacklist unbound update issue
Post by: wodec on September 06, 2022, 08:36:43 am
You mean using less lists?
I'm wondering where this timeout is occurring. It doesn't seem to be in the downloading of the lists themselves from what I can see.

In the processing?
Why not increase this timeout?

I mean, if you provide all these blacklists in the dropdown selection field, then shouldn't the OPNsense script that processes them be written in such a way that worst case a full selection of the entire list is possible?
Title: Re: DNS blacklist unbound update issue
Post by: wodec on September 06, 2022, 09:13:19 am
I think I found the same issue via the GitHub repos.

https://github.com/opnsense/core/issues/5639
https://github.com/opnsense/core/commit/28e7d49380624e787319ca4ca8bb59b7d15e231f

So, looking at the reporter there, my machine has similar specs.
Considering the feedback:
"The machine isn't fast enough to wait for the action to complete (120 seconds), 28e7d49 changes the log level to notice (which is more suitable)."

Does this mean that the DNS blocklists actually work as expected, this isn't really a fatal error and we can safely ignore this?
It's because the machine isn't the most performant one, that this triggers a timeout but actually finishes correctly in the background anyways?
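The "download & apply" step discussed in this thread has to parse every selected list, de-duplicate the entries and write them out in a form unbound can load, all inside configd's 120-second limit on the `unbound dnsbl` action. The following is an added example, not the thread's or OPNsense's own code, that shows the shape of that processing on two constructed sample lists (hosts format and domain-per-line), emits unbound `local-zone ... always_nxdomain` directives, and measures the elapsed time against an assumed deadline so a slow run can be recognised instead of guessed at. The list contents, the `apply_with_deadline` helper and the 120-second figure as a parameter are assumptions made for the example.

```python
"""Added example: merge DNS blocklists into unbound directives under a deadline.
Not OPNsense code; the sample lists below are constructed, not real blocklists.
"""
import re
import time

# Constructed sample lists in two common formats: hosts-style and plain domains.
SAMPLE_LISTS = {
    "list-a (hosts format)": """\
# constructed sample, hosts format
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test   # inline comment
127.0.0.1 localhost
""",
    "list-b (domain format)": """\
# constructed sample, one domain per line
Ads.Example.Test
malware.example.test
not a domain!
""",
}

# Conservative hostname check: labels of letters/digits/hyphens, at least one dot.
HOST_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)
# Names that hosts files carry but that must never be sinkholed.
LOCAL_ONLY = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
IP_RE = re.compile(r"^[0-9.:]+$")


def parse_list(text):
    """Yield lowercase domains from a hosts-style or domain-per-line list."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        # hosts format: first token is an address, the rest are names
        candidates = parts[1:] if IP_RE.match(parts[0]) else parts
        for name in candidates:
            name = name.lower().rstrip(".")
            if name in LOCAL_ONLY or not HOST_RE.match(name):
                continue  # skip junk lines and local names
            yield name


def merge_lists(lists):
    """Merge all lists into one sorted, de-duplicated list of domains."""
    merged = set()
    for text in lists.values():
        merged.update(parse_list(text))
    return sorted(merged)


def to_unbound_config(domains):
    """Render one unbound local-zone line per domain, answering NXDOMAIN."""
    return "".join(f'local-zone: "{d}" always_nxdomain\n' for d in domains)


def apply_with_deadline(lists, timeout_s):
    """Run the merge and report whether it finished within timeout_s seconds.

    Returns (within_deadline, elapsed_seconds, config_text). A caller that
    sees within_deadline == False knows the action would have been killed by
    a supervisor with that timeout, even though the work itself completed.
    """
    start = time.monotonic()
    config = to_unbound_config(merge_lists(lists))
    elapsed = time.monotonic() - start
    return elapsed <= timeout_s, elapsed, config


if __name__ == "__main__":
    ok, secs, cfg = apply_with_deadline(SAMPLE_LISTS, 120.0)
    print(cfg, end="")
    print(f"# processed in {secs:.3f}s, within deadline: {ok}")
```

On real hardware the interesting number is the elapsed time for the full selection of lists; if it approaches the supervisor's timeout, the symptom in this thread (a timeout logged while the resulting config is nonetheless written and loaded) is what to expect.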