Unbound service routinely stopping/crashing following 20.7.7 update

[deejacker]

Pretty much as the subject states. All working fine before update, updated fine, but then noticed that Unbound service had just stopped. Managed to log into the GUI to restart, but this is now happening routinely. Anybody else experiencing this?

[mimugmail]

Anything in the logs? Do you use DNSBL?

[deejacker]

No don’t use DNSBLs, just a Pi-hole.
Looking at the Unbound logs, I can’t see anything obvious which would suggest a service failure, but that may be my limited knowledge.


2020-12-18T08:09:47   unbound[36701]   [36701:0] info: start of service (unbound 1.13.0).   
2020-12-18T08:09:47   unbound[9063]   daemonize unbound dhcpd watcher.   
2020-12-18T08:09:46   unbound[36701]   [36701:0] notice: init module 0: iterator   
2020-12-18T07:53:33   unbound[81533]   [81533:2] notice: sendto failed: Permission denied   
2020-12-18T07:29:56   unbound[81533]   [81533:0] info: start of service (unbound 1.13.0).   
2020-12-18T07:29:55   unbound[48254]   daemonize unbound dhcpd watcher.   
2020-12-18T07:29:55   unbound[81533]   [81533:0] notice: init module 0: iterator   
2020-12-18T01:04:07   unbound[9402]   [9402:3] notice: sendto failed: Permission denied

[Gauss23]

Please check the interfaces it is listening to. Maybe there is something wrong. Change this setting and hit save. Then change it back and save again.

[miruoy]

Same/comparable issue on my end. Although my configuration is using DNSBL.

Code: [Select]

2020-12-18T09:20:51 kernel -> pid: 63934 ppid: 1 p_pax: 0xa50<SEGVGUARD,ASLR,NOSHLIBRANDOM,NODISALLOWMAP32BIT>
2020-12-18T09:20:51 kernel [HBSD SEGVGUARD] [unbound (63934)] Suspension expired.
2020-12-18T09:20:51 kernel pid 63934 (unbound), jid 0, uid 59: exited on signal 11
What additional info can I/we append to investigate this issue further? Should we revert to the previous version?

[brendanbank]

Same here, I've upgraded to 20.7.7 to get IPv6 prefix delegation working again, however, unbound crashed twice since I've upgraded:

Code: [Select]

root@fw:~ # dmesg | grep unbound
pid 85049 (unbound), jid 0, uid 59: exited on signal 11

Here is my unbound config:

Code: [Select]

  <unbound>
    <enable>1</enable>
    <custom_options/>
    <regdhcp>1</regdhcp>
    <cache_max_ttl/>
    <cache_min_ttl/>
    <incoming_num_tcp>10</incoming_num_tcp>
    <infra_cache_numhosts>10000</infra_cache_numhosts>
    <infra_host_ttl>900</infra_host_ttl>
    <jostle_timeout>200</jostle_timeout>
    <log_verbosity>1</log_verbosity>
    <msgcachesize>4</msgcachesize>
    <num_queries_per_thread>4096</num_queries_per_thread>
    <outgoing_num_tcp>10</outgoing_num_tcp>
    <unwanted_reply_threshold/>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>***********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>**********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <hosts>
      <host>******</host>
      <domain>*********</domain>
      <rr>A</rr>
      <ip>**********</ip>
      <mxprio/>
      <mx/>
      <descr/>
      <aliases>
        <item/>
      </aliases>
    </hosts>
    <regdhcpstatic>1</regdhcpstatic>
  </unbound>


[brendanbank]

Interfaces setting was set to 'All' but that setting does not seem to be available anymore and I've enabled all interfaces manually. 

[Gauss23]

Stability is now better?

[deejacker]

I followed your suggestion of changing the interface and back again. Will monitor to see if this makes any difference.

[brendanbank]

I just had another crash. I'm considering downgrading at the end of our workday. As a workaround, I've disabled unbound and enabled Dnsmasq to do the DNS resolving.

[Fright]

can you try to set Log level verbosity to 5, disable DHCP registration (just in case), restart unbound and wait for crash?
share fresh logs please
looks like a unbound bug

[Fright]

related?
https://github.com/NLnetLabs/unbound/issues/376

[Fright]

can test with Log level 0?

[miruoy]

Setting the interfaces manually appears to have stabilized the issue. Will report back if the situation changes.

[franco]

Easy workaround for the affected:

# opnsense-revert -r 20.7.6 unbound

Looks like Unbound 1.13.0 has a number of issues but was necessary to fix CVE....


Cheers,
Franco