Issue with UnboundDNS not answering DNS requests for local hostnames

Started by gyrex, November 04, 2024, 02:41:17 AM

Hi guys,

I've got a strange issue where DNS lookup requests to UnboundDNS/opnSense aren't being answered. The only way I can get it working again is to restart the UnboundDNS service. These are requests to hostnames which should have been registered in DNS by DHCP. There's nothing of interest in the unbound logs.

Any ideas on how I can troubleshoot this?

Original dig request before restarting unbound:

dig @10.11.12.1 buildserver.lan

; <<>> DiG 9.10.6 <<>> @10.11.12.1 buildserver.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40384
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;buildserver.lan. IN A

;; AUTHORITY SECTION:
. 2111 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024110301 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 10.11.12.1#53(10.11.12.1)
;; WHEN: Mon Nov 04 11:31:42 AEST 2024
;; MSG SIZE  rcvd: 119


After restarting unbound service:

dig @10.11.12.1 buildserver.lan

; <<>> DiG 9.10.6 <<>> @10.11.12.1 buildserver.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56202
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;buildserver.lan. IN A

;; ANSWER SECTION:
buildserver.lan. 3600 IN A 10.11.12.225

;; Query time: 4 msec
;; SERVER: 10.11.12.1#53(10.11.12.1)
;; WHEN: Mon Nov 04 11:32:27 AEST 2024
;; MSG SIZE  rcvd: 60


Here are my unbound DNS settings:


I wish that I had an answer for you, but I'm experiencing the same issue and I have virtually identical settings in unbound.  I'm also using the ISC DHCP server and having unbound register those leases for DNS lookups.  It seems to work fine for some amount of time -- I haven't seen a pattern exactly, but seemingly on the order of at least days -- after a reboot or a restart of the unbound service.

I guess my next step will be to enable some more verbose logging in unbound to see if I can get any more information that way.  I'm on a fully updated opnsense installation of 24.7.8.

Type opnsense
Version 24.7.8
Architecture amd64
Commit 9a689f238
Mirror https://pkg.opnsense.org/FreeBSD:14:amd64/24.7

This sounds like the same issue: https://github.com/opnsense/core/issues/7376

and possibly this: https://github.com/opnsense/core/issues/6982

Also, apparently the registered leases should have entries in the /var/unbound/dhcpleases.conf file, so I will check that next time the issue occurs.
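A small triage helper for the check described in this post (added example, not from the thread or from OPNsense): given a hostname, it compares what Unbound answered against what /var/unbound/dhcpleases.conf contains, so "lease never registered" can be told apart from "registered but Unbound still serving stale data". The lease-file line format (`local-data: "host.lan. IN A 10.11.12.225"`) and the sample inputs are assumptions; in live use, feed it the real `dig` output and the real file.

```shell
#!/bin/sh
# triage_lease HOST DIG_OUTPUT_FILE LEASES_FILE  (hypothetical helper)
# Prints one of: OK, NOT_REGISTERED, STALE_UNBOUND, INCONSISTENT
triage_lease() {
    host="$1"; digout="$2"; leasefile="$3"

    # What Unbound actually answered: rcode from the dig header line,
    # and the A record (if any) from the answer section
    status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' "$digout")
    answered=$(awk -v h="$host." '$1==h && $3=="IN" && $4=="A" {print $5}' "$digout")

    # What the DHCP registration hook wrote (assumed format:
    #   local-data: "buildserver.lan. IN A 10.11.12.225")
    registered=$(awk -v h="$host." -F'"' '/^local-data:/ {split($2,f," "); if (f[1]==h && f[3]=="A") print f[4]}' "$leasefile")

    if [ -z "$registered" ]; then
        # Lease never reached the Unbound include file: suspect the
        # DHCP-to-DNS registration path, not Unbound itself
        echo NOT_REGISTERED
    elif [ "$status" = "NXDOMAIN" ] || [ -z "$answered" ]; then
        # File has the record but Unbound denies the name: the include
        # was not (re)loaded, which matches "restart fixes it"
        echo STALE_UNBOUND
    elif [ "$answered" = "$registered" ]; then
        echo OK
    else
        echo INCONSISTENT
    fi
}

# Constructed sample inputs modelled on the dig output in the thread
tmp=$(mktemp -d)
cat > "$tmp/nx.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40384
;buildserver.lan. IN A
. 2111 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024110301 1800 900 604800 86400
EOF
cat > "$tmp/ok.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56202
;buildserver.lan. IN A
buildserver.lan. 3600 IN A 10.11.12.225
EOF
printf 'local-data: "buildserver.lan. IN A 10.11.12.225"\nlocal-data-ptr: "10.11.12.225 buildserver.lan"\n' > "$tmp/leases.conf"
: > "$tmp/empty.conf"

triage_lease buildserver.lan "$tmp/nx.txt" "$tmp/leases.conf"   # STALE_UNBOUND
triage_lease buildserver.lan "$tmp/ok.txt" "$tmp/leases.conf"   # OK
triage_lease buildserver.lan "$tmp/nx.txt" "$tmp/empty.conf"    # NOT_REGISTERED
```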

I'm glad I'm not the only person experiencing this issue. Maybe we should open a new GitHub issue for this since the other issues appear to have been automatically closed by a bot?

Quote from: rage_311 on November 20, 2024, 12:47:39 AM
This sounds like the same issue: https://github.com/opnsense/core/issues/7376

and possibly this: https://github.com/opnsense/core/issues/6982

Also, apparently the registered leases should have entries in the /var/unbound/dhcpleases.conf file, so I will check that next time the issue occurs.

I've created a new GitHub issue here: https://github.com/opnsense/core/issues/8075

Can you please add to the issue so that the devs know it's not just one person experiencing this issue?

My intention was to collect logs, observe process statuses, etc. and report to the GitHub issue once it reared its head again, but I significantly increased the DHCP lease time in OPNsense and it hasn't happened again (knock on wood). For reference, I've set the "default lease time" to 604,800 seconds (7 days) and the "maximum lease time" to 1,814,400 seconds (21 days). These settings are acceptable for me on my home LAN, but your mileage may vary. I'm pretty sure I had the default OPNsense values for both of those settings previously.

After running just fine for almost two months now, I think that config change fixed it for me.  So if there is a bug in the hostname registration script, it might be triggered by a relatively short lease time and a subsequent lease expiration.

If it comes up again or I find more information, I will report back.

Maybe try this:
Go to Services -> UnboundDNS -> Advanced
Then in "Rebind protection networks" remove 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
And then hit the Apply button

Sorry, it won't work; I missed that it's about registering static mappings.