Messages - joshndroid

#1
Hello All,
I have had my VPN running as the default outbound gateway.
I would then have some devices within a LAN rule which would route them to a specific gateway so these specific devices flow outside the default VPN.
I also had a LAN rule which had the source of some specific domains also set up so that if a device was trying to access these domains they would do so outside of the VPN.
It would appear that somewhere along the lines of updates, these no longer work and everything seems to be going through the VPN.

I was wondering if there is anything that you can see within how I have the rules set up that would indicate where I am now going wrong? (I have attached a screenshot)

#2
Quote from: lar.hed on February 26, 2024, 09:33:26 AM
If anyone cares: Had another 100% CPU from Unbound. This time around there was NO interface / link going up or down - my LAN PC had been turned off for hours before this incident.

So here I give up, the Monit script works by running kill -9 and then restart. It would be nice if this gets solved some day, but I have very low faith in that to happen. There does not seem to be anything to work on, no interface dependencies, no blocklist, no DoT, no DNSSEC or anything - it just freaks out. Someone has made a change, and my prediction is that this will get worse.

I gave up as well...

Disabled unbound and moved over to the adguard plugin package... almost drop in replacement in the end.
Still get to keep all my router rules/settings, still get to keep my upstream DoT/DoH. Just had to put the DNS server values as upstream into adguard and I was off...
Was even able to clean up some of my rewrites in the process.

It's been days since any sort of internet issue.
#3
I had applied the 3 from the original thread that is linked in the 23.7 unbound thread.. However there was a hot fix update so not sure if they stuck as I never reapplied them - https://forum.opnsense.org/index.php?topic=35527.msg187426#msg187426

I then applied the patch in this thread  - https://forum.opnsense.org/index.php?topic=37973.msg188912#msg188912
#4
I have been running this since I posted earlier.
I cleared all my logs.

Within the settings screen under general for unbound I only have ticked:
enable unbound
enable DNSSEC support
Flush DNS Cache during reload

I have not seen that error again so far since adding the patch, it's been a few days so far. Device has been pretty stable so far.
#5
Quote from: Fright on February 15, 2024, 08:03:29 AM
@joshndroid
I'm not sure I completely understood you..
the built-in roots are exactly the same as in the file (https://github.com/NLnetLabs/unbound/blob/be27499d397e192bd43bff27bf0dcaa79020d024/iterator/iter_hints.c#L130), but no - afaik unbound-control will not allow to manage root hints. only forwarders

Excellent, thanks. I was unsure if the external one was going to update and the one used within this patch become old and cause different issues.
#6
If the patch allows you to not use external root hints, would it be possible, with this patch applied, to manually pull the external root hints and override the internal one?
#7
I am seeing the exact same thing.

I tried applying the patches within the 23.7 unbound thread here - https://forum.opnsense.org/index.php?topic=35527.msg187426#msg187426

These haven't appeared to make any real difference. There was a small hotfix update after I applied them so not sure if they get overwritten each time or depending on what the update was.

I have just applied the linked patch and enabled so will see how I go.
#8
23.7 Legacy Series / Re: Unbound crashing
February 13, 2024, 06:45:35 AM
So since re-doing the patches (and a minor update)
I have seen 2 x entries in the log of errors, however I have not actually seen any issues from a usability standpoint.

I have seen none for coming up to almost 20 hours.
#9
23.7 Legacy Series / Re: Unbound crashing
February 12, 2024, 06:21:30 AM
So as I was still seeing this happen on 23.7 after applying the patches (it was better just not as bad) I decided to give 24.1 a run and see if anything else had changed. I have been running it for the last few days.

I can't even get through a single day without multiple reboots due to instances of this.

So I am on 24.1 and have just re-run the patches and see how it goes from there.
#10
23.7 Legacy Series / Re: Unbound crashing
February 08, 2024, 11:05:22 AM
Can also confirm that after a while I got the root.stubs issue again and unbound stopped resolving.
It seemed to have reduced the frequency of the issue, but not completely.
#11
23.7 Legacy Series / Re: Unbound crashing
January 28, 2024, 11:18:07 PM
Quote from: jefeman on January 23, 2024, 09:12:08 AM
snip

Thanks for the thorough guide for installing the patches.
I had left it for a few days after migrating the hardware to see what would happen.
I had 1 definite show stopper style unbound crash as normal however it would appear that the service didn't restart on that one... looking at the logs I have had a couple others but it's possible the monit workaround has helped in getting it to restart as it didn't appear to stop resolving on those times.

I jumped in on applying all 3 patches. Will clear the logs and see what pops up over the next few days
#12
23.7 Legacy Series / Re: Unbound crashing
January 23, 2024, 06:39:33 AM
Quote from: CJ on January 17, 2024, 05:22:13 PM
I don't know which patch.  I don't have this issue so I haven't been tracking all of the developments.  I just disagree with Josh's perception of things.  It appears the OPNsense team is attempting to fix the issue but aren't being provided enough information and testing support to be able to get it fixed.  Therefore anyone who has this problem should test the provided patches and provide feedback so the investigation can continue.

There appear to be others here who understand under the hood a lot more than I. I am unsure on what other logs are required, apart from the one within unbound? I can happily provide.


Quote from: lar.hed on January 18, 2024, 10:37:03 AM
Anyone that has this issue with Unbound and 100% CPU on one core: May I ask if each and every one of you could tell me (and everyone else) which CPU type / Bare metal / Virtualization you are running on? Reason: wonder if it could be a performance kind of thing that is part of this....

I'm on Intel i7-8550, 8 threads and 4 cores (yea I know I say 8 cores all the time - but that is another story...). Baremetal, 16GB.

Edit: And also, let me know if any of the interfaces has a direct connection to the OPNsense, for example a PC connected direct to LAN interface (the one used for setup for example) without any switch or anything between?

I was running on an AMD 2700, 16GB on an SSD... Plenty of horsepower.

I decided to try and reduce power consumption around my place so I have today moved to an Intel 8500T Dell micro setup with an M.2 to Intel ethernet setup, 16GB RAM. Also may as well try a switch from AMD to Intel to see if that makes any difference at all.

LAN setup has always been from the router into a switch.
#13
23.7 Legacy Series / Re: Unbound crashing
January 17, 2024, 07:34:24 AM
It would appear that our issue may not get any real love based on this reply....

Might be the nail in the coffin for opnsense for me....
It's been a good few years.
#14
23.7 Legacy Series / Re: Unbound crashing
January 15, 2024, 09:05:42 AM
Thanks again for the help.
I believe I now have everything set up as required, hopefully see less issues.
#15
23.7 Legacy Series / Re: Unbound crashing
January 13, 2024, 01:44:05 AM
Thanks for the replies.

At this time I believe I have the service test set up correctly (I have attached an image).
I just am unsure how to set up the monit service settings entry correctly. TBH I have never really understood how to set up monit properly. Do you have a screenshot of your monit service settings entry for the unbound killer/etc so I can set mine up correctly?