Messages

And none of that was clear from the OP, hence why I had originally asked.

It was perfectly clear, this is why I've provided txt files.

I was just posting as a counterpoint because I've seen people commenting that the reason unbound isn't working correctly is due to DHCP, DoT, DNSSEC, the upstream resolver, DNSBL, etc.  And I've had none of these issues dispute using all of those.

I did not use DoH/DoT :) just plain old DNS.

I will note that in the other thread, it seems that a lot of the people having issues with Unbound have a PC directly connected to OPNsense instead of through a switch.  The only direct connects that I have are APs and they're always on, but even so, I've not had a problem when swapping them out.

Since I only have two interfaces everything on the LAN side is behind a switch (or two).

Regarding Unbound temporarily not resolving, enabling the DNS reporting and higher log levels can help with troubleshooting that.  But I would think a new thread would be in order as this one is about Unbound crashing and not just temporarily having an issue.

I agree, a new thread would be needed.

What do they think they're getting by using a random IP

not random. it is possible to specify the desired ip address which, for example, will lead to a page explaining the reason for the blocking (and collect statistics  ;))

This is exactly what server behind IP visible on my screenshot does. It's a service provided free of charge by national CERT of Poland.

tested with  https://hole.cert.pl/domains/v2/domains.txt
works

Either 24.1.3_1 or reboots/Unbound reloads fixed it, now it works for me too. Case closed I guess ;)

How are you testing?  What leads you to believe that it's not working?

I'm testing by using dig (eg. dig @routerIP notwanted.domain), it should resolve to a predefined IP (as shown on screenshot) effectively blocking that domain. That's what blocklists are for, right?

In regards to your destination IP, what are you expecting to accomplish?

Please read my original post again, it'll clarify everything. By blocking selected domains (or actually redirecting them to "wrong" IP, as shown on screenshot) instead of allowing access to malicious service, let's say a web page something else will be provided by a non-malicious server. Very simple solution.

I'm trying to use the blocklist available at https://hole.cert.pl/domains/v2/domains.txt (also https://hole.cert.pl/domains/v2/domains_hosts.txt in hosts format) with Unbound - it is ignored despite using the correct settings. Check hosts version of the blocklist to understand why I've used this exact destination IP.

Now Unbound sometimes (twice a day?) just stops resolving (response timeout) and it fixes itself after 5 minutes or so.

This issue persists on 24.1.2 :(

But my Unbound isn't crashing, just not always resolving a domain.

It appears that it doesn't die per se for me too, it just stops resolving whatsoever for few minutes.

The only Unbound issues I've seen with Quad9 are some weirdness with DNSSEC and Quad9 returning different results per resolver.

Neither Cloudflare's 1.1.1.1 nor ControlD at 76.76.2.0 seem to have this issue afaik.

I dont know if this is a unbound or quad9 issue.

It's probably not Quad9 issue. I'm using ControlD as traditional DNS provider, I didn't even bother trying DNS over TLS after very bad experience on OpenWrt (it was painfully unstable).

I find that quite often (several times week/day) DNS have stopped working due to Unbound being stopped as well.

Under system->general->logfiles it seems like the reason is a segfault:
<6>pid 57337 (unbound), jid 0, uid 59: exited on signal 11

It has been like this since 23.7 and also now with 24.1.

I have this issue with 24.1.1 and on 23.7.12 it worked fine, rock stable. Now Unbound sometimes (twice a day?) just stops resolving (response timeout) and it fixes itself after 5 minutes or so.

I do not have any blocklists engaged and DNS over TLS isn't used either. There's nothing whatsoever related to Unbound crashing in logs (levels set to default). There's plenty of RAM available (around 6GB out of 8GB) and CPU load is low (around 0.23).

Yes but.. what is the exact metric for ignoring something that is not a disk after all? ;)

The ses0 device probably can't fail (it's not a real disk) so it can be ignored.

This is how "smartctl" sees devices and things

I assume this could be safely ignored then (eg. only aesthetic issue). Thanks for rapid reply and have a great day :)

Hello,

I've just upgraded my router from 23.1.11_1 to 23.7 release. Everything seems to work fine but I see a non-existent device named ses0 within SMART widget on dashboard. How do I remove it? This device is not visible in SMART menu, just ada0 (SSD system drive, the only storage available for this machine).

Thanks in advance for any help.

A device with two network interfaces will be much better suited alternative to what you've provided. Buy relatively modern (6th gen of Intel CPUs and later will be a great choice, 4th gen if you really need it to be dirt cheap) SFF or even USFF desktop from manufacturer of your choice (HP for example) and install OPNsense on it.

I don't have this device but as far as I can see it has SSD inside and those are known to produce sounds comparable to coil whine during normal operation. Is your environment very silent (eg. enough to hear those faint SSD noises)?

1- i want WebGUI access allow on internet (like my cellphone gsm access to my home opnsense)
2- i want ping hosts in lan (like in lan, ping pc1 to pc2)
3- i want reach lan host to lan2 (like in lan(lan) pc1 to lan2(securitycams) nvrdevice)

1) exposing any administrative panels to the Internet is not a good idea
2) this is default behaviour
3) allow traffic between these networks in firewall rules

Versions = OPNsense 22.7.11_1-amd64
CPU type = Intel(R) Pentium(R) Dual CPU E2140 @ 1.60GHz (2 cores, 2 threads)
real memory  = 1074790400 (1025 MB)
avail memory = 991195136 (945 MB)

I think you should consider upgrading your hardware at least to meet current hardware requirements (eg. 2GB RAM). Your platform most likely uses DDR3 memory which can be obtained extremely cheap nowadays (eg. less than espresso in semi-decent cafe per gigabyte).

If you can't upgrade then stay on UFS, if you can then get at least 4GB (this should be enough for single 128GB SSD) and migrate to ZFS.