Unbound - restarted when interface wakes up? (is delay and BlackLists)

Started by lar.hed, December 05, 2020, 11:00:58 PM

Sorry, let me clarify:
is it the OPN interface going UP/DOWN, or some clients' interfaces going up/down?
Client interface state changes should not trigger an Unbound restart, unless they cause changes to the Unbound zones.

Client ethernet port, in this case my PC connected to the LAN interface with cable 1:1, will be turned off during client powersave. Nothing changes on that client, or in OPNsense. It is just a powersave off/on cycle.

Just wanted to let you know that I had an old, invalid entry under System - Gateways - Single. Since I removed it, the problem is gone.

Thanks for the tip. The only two entries I have are WAN_FTTH and WAN_LTE (failover) - they have to exist.

Quote: PC connected to the LAN interface with cable 1:1, will be turned off during client powersave
Oh, that explains it.
Can you try to bind Unbound only to interfaces that are constantly up, and use NAT?

Update: it does not work with "always-UP" interface binding on a test VM, sorry.
It looks like OPN configures the host records in Unbound and kills the Unbound process if any interface changes state to up.
(It is logical that the service binding is not taken into account, but the existence of a record or a static address is not checked either.)


Okay, so why does Unbound depend so much on interface status that it needs to restart all the time?

I guess if I would set up pi-hole, which, if my memory is correct, also uses Unbound, it doesn't seem to need to restart?

Quote: so why does Unbound depend so much on interface status, that it needs to restart all the time?
If I understand correctly, the OPN scripts try to keep the content of the zones up to date, but Unbound only loads them on start; that's the problem. Almost imperceptible if the config is small, and a PITA if it is large.
(Probably it would be possible to compare the configurations and apply them (by restarting Unbound) only if they really changed. This would reduce the number of restarts.)
Quote: guess if I would set up pi-hole which - if my memory is correct - also uses Unbound, don't seem to need to restart?
It's on dnsmasq if I remember right. Can't say much about pi-hole.

Quote from: Fright on December 07, 2020, 07:53:09 PM
Quote: guess if I would set up pi-hole which - if my memory is correct - also uses Unbound, don't seem to need to restart?
It's on dnsmasq if I remember right. Can't say much about pi-hole.

You are correct, of course. I have read a number of articles that use pi-hole as a filter and then use a local Unbound installation. That is why I remembered it incorrectly.

I do have an Ubuntu server that could be used for a pi-hole installation and do all the filtering, then use OPNsense with Unbound DNS. But it feels so wrong, like going over the river for the water.....

Quote: But it feels so wrong, like going over the river for the water.....
So you could try to use switch(es), fewer DNSBLs, and update the DNSBLs at night? )

DNSBL are only updated once a week, at 03.00. So no that will not change anything. The only way to work around this is by removing all DNSBL lists, and simply never use OPNsense for DNS resolution.

Just to verify, I disabled Unbound, installed BIND (I'm not a fan of BIND), set it up, and yes, it works without losing DNS when an interface wakes up. However there is no support for DoT on forward, and no custom blocklists, and maybe more...

Quote: no support for DoT on forward, and no custom blocklists
I think this is fixable: a couple of changes and hooks in the template and the dnsbl script, plus nginx or stunnel as a TLS proxy.
But I cannot understand just one thing: if the problem starts with powersave clients, why not use a switch so that the OPN interface does not go down/up?

Quote from: Fright on December 10, 2020, 07:01:28 AM
But I cannot understand just one thing: if the problem starts with powersave clients, why not use a switch so that the OPN interface does not go down/up?

Because 2 (two) out of 8 (eight) ports will have a direct connection: LAN, which has a direct hard line, if I might use that term, to one particular PC, and Printer/Scanner to another one. The rest are servers (online 24x7) and switches (which also run, of course, 24x7). Now I have not tested whether the printer/scanner goes down into powersave in that sense; however I have tested LAN, and I have no plans to get a switch for that one, since that is the one controlling (so to speak) OPNsense.

And again, switches are just band-aids. I have been reading up on this issue (which is what I like to call it), and it turns out that when a DHCP address is changed there is a call to Unbound using the HUP method, i.e. a restart. And then we have the zone change, which might occur at any time (?), which also seems to use the HUP method, a restart. Both could be handled with an Unbound local-zone reload instead, but that has never materialized, even though both pfSense and OPNsense have the same issue. I am not saying it is an easy fix (I have just started to try to look into the code, and so far have not found what I am looking for, so for the moment it is impossible for me to even see whether I could solve this); I think it is bigger than that. However, I wanted to test whether it could be solved with a change to BIND (which at least I have worked with, but about 10 years ago, at least that is how it feels...). For the moment I am thinking of changing to DNSCrypt-Proxy just to test that plugin out. However, I still think it will not allow custom blacklists. Although it does use DoH (instead of DoT), so it is a better solution on paper...

Best would be if, somehow, Unbound could be improved.
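Two ideas come up in this thread: Fright's suggestion to compare the generated config and only touch Unbound when it really changed, and lar.hed's point that host-record changes could be pushed into the running resolver instead of restarting it. The script below is an added example of both, written for this thread; it is not OPNsense's or pfSense's own code. It converts hosts-file style lines into records for `unbound-control local_datas`, keeps a state file of what was last applied, and only talks to Unbound when the record set differs. It assumes remote control is enabled in unbound.conf (`remote-control: control-enable: yes`); the state-file path and the sample host lines are made up.

```shell
#!/bin/sh
# Added example, not OPNsense's own script: update Unbound host records
# without a restart, and only when the record set actually changed.
# Assumption: unbound-control works (remote-control enabled in unbound.conf).

# Where the last applied record set is remembered (assumed path).
STATE_FILE="${UNBOUND_HOSTS_STATE:-/tmp/unbound-hosts.state}"

# Turn "ip hostname [alias ...]" lines ('#' comments allowed) into one
# resource record per line, the input format of 'unbound-control local_datas'.
# Unqualified names get the given domain appended; all names end with a dot.
hosts_to_local_data() {
    domain="$1"
    sed -e 's/#.*//' | awk -v d="$domain" '
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                name = $i
                if (name !~ /\./) name = name "." d
                printf "%s. 3600 IN A %s\n", name, $1
            }
        }' | sort -u
}

# Exit 0 when the candidate record set differs from the last applied one
# (or nothing has been applied yet), 1 when it is identical.
records_changed() {
    candidate="$1"
    [ -f "$STATE_FILE" ] || return 0
    ! cmp -s "$candidate" "$STATE_FILE"
}

# Stand-in for unbound-control used by the demo and tests: prints the
# subcommand it was given and echoes the records it would have sent.
dry_control() {
    echo "== unbound-control $*"
    cat
}

# Apply a record set to the running resolver via the control socket.
# $2 names the control command (default: the real unbound-control).
# Prints "applied" or "unchanged" as its last line.
apply_records() {
    candidate="$1"
    control="${2:-unbound-control}"
    if records_changed "$candidate"; then
        # Remove previously applied names first so records for expired
        # leases disappear, then add the new set. Both read stdin, one per line.
        if [ -f "$STATE_FILE" ]; then
            awk '{print $1}' "$STATE_FILE" | $control local_datas_remove
        fi
        $control local_datas < "$candidate"
        cp "$candidate" "$STATE_FILE"
        echo applied
    else
        echo unchanged
    fi
}

# Demo with constructed sample data (not real lease or override data).
demo() {
    STATE_FILE="$(mktemp)"; rm -f "$STATE_FILE"
    tmp="$(mktemp)"
    printf '%s\n' '# constructed sample' '192.0.2.10 pc1' '192.0.2.20 printer scan' \
        | hosts_to_local_data lan.example > "$tmp"
    apply_records "$tmp" dry_control   # first run: records are sent, "applied"
    apply_records "$tmp" dry_control   # same data again: nothing sent, "unchanged"
    rm -f "$tmp" "$STATE_FILE"
}
demo
```

Hooked into whatever regenerates the host overrides, this leaves the running Unbound process, its cache and its loaded blocklists untouched when a lease renews or an interface flaps without changing any record; a full restart is only needed when unbound.conf itself (listen interfaces, forwarders, DNSBL includes) changes. The state file is the comparison Fright describes; for a real deployment it should live somewhere persistent rather than /tmp.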

Quote: Best would be if, somehow, Unbound could be improved.
True!