Update to latest OPNsense 24.7.9_1-amd64, now have 2 issues

Started by Mpegger, November 28, 2024, 04:55:18 AM

After updating to OPNsense 24.7.9_1-amd64 via GUI, I'm having 2 issues, 1 very similar to a previous issue in the previous version(s) (22.x-23.x).

First issue; netdata daemon in both the Dashboard>Services info box, and under Services>Netdata>General, shows as not running (Stopped with option available to start), when in fact it is running and available. Attempting to resolve the discrepancy in the Opnsense GUI by either Restarting the service, or Stopping then Starting the service, results in Netdata failing to restart at all, and it won't restart until Opnsense itself is rebooted.

This was similar to an issue in 22.x-23.x when certain VPN services would exhibit the same exact issues. I don't believe it was ever fixed. There was a workaround but I didn't know how to perform it since there were never any clear instructions given on how to do so.

Issue 2; ever since update to 24.7.9_1, I now have over 11.5k DNS queries for "<html" and "<!doctype" every 24 hours originating from my Opnsense box. I'm still going through the various services I have running on some of the VMs in my network, but so far it does seem to be Opnsense making those queries, not any of my other VM/PC in my network.

Neither issue is affecting my network or causing downtime, both appear to be just annoyances.

Just adding in some pictures to show what I'm talking about:

Updated to latest 24.7.11_2 and the DNS issue is still ongoing. Still averaging around 11.5k requests daily each for "<html" and "<!doctype".

Huh. That looks kinda like someone dumping partial/parsed output of "curl [url]" (or similar) into nslookup or dig. Apparently that hits the server (I can see a session). I don't log queries... I may poke at it later. Note that I have no DNS services running on OPNsense.

If this information helps:
I am running Pihole DNS server in its own dedicated VM. No other daemons or services run on it.
All clients on my network use the Pihole as their DNS server, both IPv4 and IPv6.
Opnsense is running Unbound as the primary DNS server that Pi-Hole uses, and I've configured firewall rules to only allow the Pihole access to Unbound, and only Unbound is allowed out the WAN to make DNS queries. Opnsense itself is configured to use the Pihole as a DNS server. So everything on my network is always:
DNS query > Pihole > Unbound > WAN
So afaik, Opnsense itself is making those weird queries.

As I stated in my first post on this, Opnsense versions prior to 24.7.9_1, didn't have this issue.

I checked my server. I did see anomalous queries related to a config issue, posted in another thread (Anomalous DNS queries from OPNsense), but I did not see queries resembling yours. I only ran the querylog for 30 minutes or so, but I figured with the rate you saw, something would show up.

So: Absence of evidence. Have you checked your OPNsense logs?

I'm not even sure where to begin to look or what logs to enable. I don't think it's Unbound making the query to the Pihole, but something else in Opnsense. Is there a "catch-all" log I might enable where I could possibly see the requests?

I found it! Looks like the Spamhaus alias I have from ages ago is causing the issue.

http://localhost/scrape.php?v=4&url=https://www.spamhaus.org/drop/drop_v4.json
I'm guessing the local php file that was parsing the link isn't working any longer with the newer version of Opnsense, or was removed when I upgraded. For now I'll just disable it and figure out what to do. Didn't even think it was something firewall related, I thought it may have just been a bad link somewhere else.

Now that I think back, I believe that at the time I had added those aliases, Spamhaus didn't have a list that was compatible with the way Opnsense normally parsed URL lists, so the php script was used to parse it. Looks like that's changed since there is now a setup guide in Opnsense docs.

I guess this can be considered closed as the other issue with the service not appearing active in the main dashboard appears to have gone away about 2 updates ago as well.

Quote from: Mpegger on January 10, 2025, 04:13:26 AM
I found it!
[...]

Nice. I malformed the Spamhaus DROP link myself, using an older URL that I had. I'll have to keep a better eye on my logs (the Firewall -> General mainly, but everything under System, too).
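
The following is an added example, not part of any post in this thread: one way to spot the symptom described above from the resolver side, by scanning a query log for names that cannot be hostnames (such as "<html" and "<!doctype") and grouping them by client. It assumes a dnsmasq-style query log as written by Pi-hole; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed dnsmasq-style query line (the format Pi-hole logs):
#   "<timestamp> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)
# One label: letters, digits, hyphen, underscore; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")

def is_plausible_hostname(name: str) -> bool:
    """True if every label of the queried name looks like a DNS hostname label."""
    if name == ".":                      # a root query is valid
        return True
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))

def malformed_queries(lines):
    """Count (client, name) pairs whose queried name cannot be a hostname."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if m and not is_plausible_hostname(m.group("name")):
            hits[(m.group("client"), m.group("name"))] += 1
    return hits

# Constructed sample log: 192.168.1.1 stands in for the firewall itself.
SAMPLE_LOG = """\
Jan 10 03:00:01 dnsmasq[412]: query[A] <html from 192.168.1.1
Jan 10 03:00:01 dnsmasq[412]: query[AAAA] <html from 192.168.1.1
Jan 10 03:00:01 dnsmasq[412]: query[A] <!doctype from 192.168.1.1
Jan 10 03:00:02 dnsmasq[412]: query[A] www.spamhaus.org from 192.168.1.1
Jan 10 03:00:05 dnsmasq[412]: query[A] forum.opnsense.org from 192.168.1.50
Jan 10 03:00:07 dnsmasq[412]: query[PTR] 1.1.168.192.in-addr.arpa from 192.168.1.50
Jan 10 03:00:09 dnsmasq[412]: reply www.spamhaus.org is 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    # Highest-volume offenders first: count, client, queried name.
    for (client, name), count in malformed_queries(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {client:15s}  {name!r}")
```

A single client producing HTML-looking names at a steady rate points at something on that host feeding a fetched web page into a resolver, which is what the URL alias in this thread turned out to be doing.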