Unbound not downloading blocklists after reboot

Started by Christophe999s, February 05, 2023, 04:34:12 PM

Hi all,
Unbound isn't downloading my blocklists after a reboot.
The logs show 'Name does not resolve', but DNS seems to work fine.
I've tried disabling IPv6, using recursive DNS and disabling DoT, enabling query forwarding, and changing the DNS servers in System: Settings: General, but I get the same result every time.
When I go into Services: Unbound DNS: Blocklist and click apply, the blocklist gets downloaded correctly.
Anybody have any idea what could be causing this?

February 06, 2023, 05:21:17 PM #1 Last Edit: February 06, 2023, 06:11:45 PM by jaydub
I'm having the same problem. Unbound isn't downloading blocklists, but for me it's because my unbound can't resolve anything. I can ping 8.8.8.8, but anything that needs to be resolved by unbound isn't working for me. Yours seems to resolve stuff other than blocklists, but mine doesn't.

@Christophe999s

Are you able to resolve those URLs on your machine, behind OPNsense?
Example URL: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

If not, if you choose an outside DNS server to resolve against, does that work?
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

Yes, no issues whatsoever. I'm able to reach those URLs from all my devices and from the firewall itself.
My guess is that unbound tries to download those blocklists when my internet (PPPoE) isn't fully up yet.
Maybe a test to see if the internet is reachable and if addresses can be resolved or a larger delay before attempting to download the blocklists could solve the issue.

Quote:
My guess is that unbound tries to download those blocklists when my internet (PPPoE) isn't fully up yet.
imho this is possible (blocklists loading order changed with the py-module migration)
And "requests" library does not retry by default. in this case it might help:
opnsense-patch -a kulikov-a c669765
(although I'm not convinced the devs would agree)

Hey, I've only just got around to testing, been a few busy days at work.
This seems to have fixed it for me. I can see in the logs that, if the blocklists aren't downloaded, there's a retry.
Rebooted 3 times, and every time the lists are downloaded, so for me the issue is fixed.
Thanks for looking into this!

February 09, 2023, 07:10:03 AM #6 Last Edit: February 09, 2023, 07:51:37 AM by Fright
@Christophe999s
thanks for feedback
Hm. This does not look like the patch's work: the patch does not add new messages to the log and does not run the script again. It only makes 4 attempts to download the list with an increasing interval in case of failure (the total delay is just under 30 seconds). If it works, then no errors should appear in the log at all; the update process will just take a little longer.

https://github.com/kulikov-a/core/commit/c669765

looks like something is triggering a new blocklist download execution (but it's not a patch)

The screenshot did not capture the beginning of the blocklist loading process at 20:21:**. Can you share this part? I'm interested in the time difference between the message "blocklist download : exclude domains matching .." and the first error. But judging by the intervals between the records, the patch is not applied.
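To make the retry behaviour discussed in this post concrete, here is an added example of a download-with-retry wrapper. It is not the code from the linked commit and not OPNsense's own code; the backoff schedule (immediate first retry, then 4 s, then 16 s, four attempts in total) is an assumption chosen to fit the thread's description in outline, and the flaky fetcher, URL and blocklist body are constructed stand-ins so it runs offline.

```python
import socket
import time
from typing import Callable, List, Optional, Sequence, Tuple

# Assumed retry schedule (an illustration, not the patch's actual numbers):
# seconds to wait before retry 1, 2 and 3. The first retry is immediate, the
# waits grow, and the total (20 s) stays under 30 s.
DEFAULT_BACKOFF: Sequence[float] = (0, 4, 16)


class BlocklistDownloadError(Exception):
    """Raised when every attempt to fetch a blocklist has failed."""


def download_with_retry(
    fetch: Callable[[str], bytes],
    url: str,
    backoff: Sequence[float] = DEFAULT_BACKOFF,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[bytes, int]:
    """Call fetch(url) up to len(backoff) + 1 times.

    Transient network errors trigger a retry after the scheduled wait:
    socket.gaierror (the 'Name does not resolve' case from the thread),
    ConnectionError and socket timeouts are all OSError subclasses.
    Returns the body and the attempt number that succeeded; raises
    BlocklistDownloadError once the schedule is used up.
    """
    last_exc: Optional[BaseException] = None
    for attempt in range(1, len(backoff) + 2):
        if attempt > 1:
            sleep(backoff[attempt - 2])
        try:
            return fetch(url), attempt
        except OSError as exc:
            last_exc = exc
    raise BlocklistDownloadError(
        f"giving up on {url} after {len(backoff) + 1} attempts: {last_exc}"
    ) from last_exc


def make_flaky_fetch(failures_before_success: int) -> Callable[[str], bytes]:
    """Constructed stand-in for an HTTP GET: raises the resolver error seen in
    the thread for the first N calls (the WAN is 'not up yet'), then succeeds."""
    state = {"calls": 0}

    def fetch(url: str) -> bytes:
        state["calls"] += 1
        if state["calls"] <= failures_before_success:
            raise socket.gaierror("Name does not resolve")
        return b"0.0.0.0 ads.example\n"  # constructed blocklist body

    return fetch


def run_demo(failures_before_success: int) -> Tuple[Optional[int], List[float]]:
    """Run one download against a flaky fetcher with a recording sleep.

    Returns (attempt that succeeded, or None if all failed; list of waits applied).
    """
    waits: List[float] = []
    fetch = make_flaky_fetch(failures_before_success)
    try:
        _, attempt = download_with_retry(
            fetch, "https://example.invalid/hosts", sleep=waits.append
        )
        return attempt, waits
    except BlocklistDownloadError:
        return None, waits


if __name__ == "__main__":
    print(run_demo(2))  # (3, [0, 4]): succeeds on the third attempt
    print(run_demo(4))  # (None, [0, 4, 16]): all four attempts fail
```

The point of injecting `sleep` is that the wait schedule can be verified without actually waiting; in production the default `time.sleep` applies. Note that a wrapper like this only papers over the race with the WAN coming up: if the link takes longer than the whole schedule, the download still fails and nothing re-triggers it until the next apply or cron run.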

Not sure what happened, but I've rebooted twice now and this is my latest log.
Does seem to work, I'm not getting any errors.

Comparing the previous logs with the last one, I can assume that a successful download starts on the third attempt (or second retry; the first retry always occurs without delay) with a 4 sec delay. Then it turns out that the patch works :)
Cool. Thanks for the feedback!