DNS failures after upgrade to 25.7 series - NOT solved as I thought

Started by pseudonym3k, August 02, 2025, 10:18:47 PM

I was getting a lot of "server not found" browser messages after the upgrade to 25.7. All would seem OK for a while, then there'd be a period of failures. (Multiple devices, wired and wireless, and multiple browsers on those devices). Also, most devices were laggy at intervals, without any error messages. It would just take a long time before any result would appear (in the case of browsing).

I previously had Unbound enabled (it came that way by default). I did nothing further with it other than specify three DNS server IPs in Unbound. Nothing more for DNS. It's been this way for a couple of years, and no trouble here that I'm aware of.

After upgrade to 25.7, the problems came.

In searching the 'net for help, I stumbled on a setup post for Unbound that had me mark Enable DNSSEC Support, Register ISC DHCP4 Leases, and optionally Flush DNS Cache during reload, which I also marked. After applying the changes I rebooted.

It has now been several hours and I have not seen any DNS failures or experienced any lags. Performance is quite snappy again.

I assume what I had was a poorly configured DNS situation that was better tolerated before 25.7.

Most people here are far beyond me in config and expertise, I'm just posting in case it helps someone.

(Cable modem -> Protectli Vault with OPNsense -> Cisco switch -> wired clients and one wireless AP for the rest. Basic install setup plus some reserved DHCP LAN IPs.)


***ETA***: All had been working fine for more than 24 hours, when suddenly again nothing is getting DNS resolved. Unbound DNS reporting showed a sharp drop and 0% of queries resolving.

I tried restarting Unbound service, tried stopping/pause/starting, tried flushing the Unbound cache. Resorted to reboot OPNsense via WebUI menu and all is working again.

If anyone has any ideas on what else I can look at or do, I would really appreciate the help.


***ETA2***: Eight hours ago, I cleared Unbound's cache, disabled Unbound, rebooted, so OPNsense would use the DNS servers in System -> Settings -> General directly. All seems to be working fine so far, will continue to monitor. Did go more than 24 hours with the last change, though, so will check back in tomorrow. Meanwhile please let me know any ideas. Thank you.


***ETA3***: Fixed incorrect info.

It's a week later and everything is still working and stable with Unbound disabled. My setup is about as simple as it gets, so it just seems odd that it's not happening to more people. Not needing to use it is one thing, but being the default install it shouldn't cause problems. I will try again sometime in the next few weeks to enable it and see what happens.

I'm having the same issue. Just installed opnsense for the first time to evaluate it. Couldn't reach opnsense.org to read documentation! After I disabled Unbound and set dns listen port to blank in dnsmasq I can access this site.
Can I install an older non-broken version of opnsense?

You can find them here: https://pkg.opnsense.org/releases/

I installed OPNsense initially on UFS filesystem. I did not know anything about ZFS, or using Proxmox VM for OPNsense. (I am familiar with VMs, I have a dozen+ running under VirtualBox for a variety of uses. Just didn't occur to me for OPNsense.)

I'm sticking with 25.7 for now, in case someone steps up with some ideas for getting Unbound working so I can try them. If I find myself wanting to downgrade, I'll definitely go ZFS filesystem now that I've read more about it, and maybe Proxmox VM as well. Suggest you read up and consider same if you're not familiar, unless you already have an easier recovery than a format and install.

Thanks for posting, I'm sorry it's happened to you but glad to know it's not just me.

I ended up going with pfsense and it's been working great.

Did you select IPv4 gateway in settings general?
Did you reset cable modem?
Flush cache is fine.
DNSSEC may cause trouble.
Did you wait for your ISP DNS connection, then connect your system>settings IPv4 gateway, and click apply?
That's when it shows up, unless they fixed it.

Quote from: someone on October 15, 2025, 02:15:06 AM:
Did you select IPv4 gateway in settings general?
Did you reset cable modem?
Flush cache is fine.
DNSSEC may cause trouble.
Did you wait for your ISP DNS connection, then connect your system>settings IPv4 gateway, and click apply?
That's when it shows up, unless they fixed it.

I only have IPv4, ISP doesn't serve IPv6.
Cable modem has been reset many times.
Flushed DNS cache many times.
Never enabled DNSSEC.
After cable modem is up and online, then I power on my Protectli box with OPNsense. After that is up and online, I power on my switches and wired devices. Then power on the wifi access points followed by wifi devices.

Not sure what that last item is in your list.

I'm still running without Unbound enabled, stable so far. I haven't tried to enable Unbound again, so I don't know if it would work.

@pseudonym3k I read you are running a pretty "default" setup but it is an upgrade so worth visiting basics. What services do you have running on your infra and on OPN?

Quote from: cookiemonster on October 15, 2025, 03:54:51 PM:
@pseudonym3k I read you are running a pretty "default" setup but it is an upgrade so worth visiting basics. What services do you have running on your infra and on OPN?

Literally took the defaults at install, except for very few changes. I recall switching ports so my WAN port was first, and LAN second. (It doesn't matter, really, I'm just anal about the order LOL). I added the three DNS servers into Unbound as mentioned. Set up the ISP type of connection. I don't remember anything else, unless there was another setting or two to finish up so OPNsense would start working. It was up and running well in minutes. I kept it updated and it remained rock solid until this upgrade.

I'm sorry, I don't understand the other part of your question, "services running on your infra?" What does that mean?

Services like AdGuardHome, but seems not.
Quote:
I previously had Unbound enabled (it came that way by default). I did nothing further with it. In System->Settings->General, I had specified three DNS server IPs. Nothing more for DNS. It's been this way for a couple of years, and no trouble here that I'm aware of.

System->Settings->General is for OPN itself, but take notice of the tooltips because then you can start pushing these to clients depending on other settings.
Then look at what you have in your selected DHCP service. That gets passed to your clients. Say for instance ISC DHCPv4: expand your LAN interface settings there. Check the tooltip for "DNS servers" too: "Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers." So that means that if you have Unbound enabled and as per default listening on all interfaces, the DHCP lease will have this interface's IP as the DNS server for the clients. But you can see you can also override things here.
As a diagnostic, when it happens on your clients, check what IP they are using for DNS.
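Added example (not from this thread and not OPNsense's own tooling): a small client-side probe that sends the same A query to the DNS server DHCP handed out (normally the firewall LAN IP while Unbound is listening) and to the upstream servers directly, so you can tell "the resolver on the firewall stopped answering" apart from "upstream is unreachable". The addresses in the main block and the resolv.conf sample are assumed placeholders.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid):
    """Build a minimal A-record query in DNS wire format (RFC 1035), RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(packet, qid):
    """Return (rcode, answer_count) from a response, or None if it is not ours."""
    if len(packet) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid or not flags & 0x8000:  # id must match and QR bit must be set
        return None
    return flags & 0x000F, an


def probe(server, name, timeout=2.0):
    """Send one query to a server over UDP/53 and describe what came back."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            parsed = parse_response(sock.recv(512), qid)
        except OSError:  # timeout or ICMP port unreachable
            return "NO REPLY"
    if parsed is None:
        return "BAD REPLY"
    rcode, an = parsed
    return f"{RCODES.get(rcode, rcode)} answers={an}"


def resolvconf_servers(text):
    """Nameserver IPs from resolv.conf text: the servers a Linux client really asks."""
    return [ln.split()[1] for ln in text.splitlines()
            if ln.split()[:1] == ["nameserver"] and len(ln.split()) > 1]


if __name__ == "__main__":
    # Assumed addresses: firewall LAN IP handed out by DHCP, then two example upstreams.
    for server in ["192.168.1.1", "1.1.1.1", "9.9.9.9"]:
        print(server, probe(server, "opnsense.org"))
```

On a Linux client, feed the contents of /etc/resolv.conf to resolvconf_servers to confirm which IP it is actually using; NOERROR from the upstreams together with SERVFAIL or NO REPLY from the LAN IP points at the resolver on the firewall rather than at connectivity.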

Quote from: cookiemonster on October 15, 2025, 11:35:46 PM:
System->Settings->General

Sorry, that was my mistake. The DNS servers were in the Unbound area originally. I moved them to system->settings->general when I disabled Unbound.

I'm not having any problems with DHCP, including reserved leases, since the beginning and still today. Only the DNS with Unbound after the upgrade.