[SOLVED] Unbound domain overrides failing since 1.7.1

erickufrin · June 18, 2018, 05:30:56 PM

DNS queries to my override domain/server have been failing consistently (sporadic) since the last update which included unbound 1.7.1

It appears there is a newer version (1.7.2) now of unbound. Maybe that fixes this??

Here is a chart showing the DNS queries failing ever since the last opnsense uppdate.

(red lines are where its failing)

In my efforts too overcome this I have turned TTL for Host cache entries from 15min to 1min. That helps a little I think but does not solve the problem.

Please help!

va176thunderbolt · June 19, 2018, 12:15:28 PM

If you've configured Cloudflare's dns (or any other) in Unbound using a port other than 53, you'll need to add @53 to the end of the dns server up. I ran into this with my overrides - they stopped working after adding the Cloudflare dns over TVs config.

erickufrin · June 19, 2018, 02:32:08 PM

I will try adding @53 and see if it makes a difference.

My overide dns is my personal domain name hosted on a VM inside my network. It is resolving fine when I point my clients directly at the dns server.

When the names will not resolve through my opnsense unbound service I restart unbound and they immediately work again.

My override configuration was working perfectly for months and months. The 18.1.9 release included unbound 1.7.1 is the only change to point to.

franco · June 21, 2018, 10:48:47 AM

FYI: 1.7.2 was shipped today, after non-reboot update the Unbound service requires a manual restart.

Cheers,
Franco

AndyX90 · June 21, 2018, 11:10:56 AM

Quote from: erickufrin on June 19, 2018, 02:32:08 PM
I will try adding @53 and see if it makes a difference.

My overide dns is my personal domain name hosted on a VM inside my network. It is resolving fine when I point my clients directly at the dns server.

When the names will not resolve through my opnsense unbound service I restart unbound and they immediately work again.

My override configuration was working perfectly for months and months. The 18.1.9 release included unbound 1.7.1 is the only change to point to.

The *override-feature never worked reliable for me...

erickufrin · June 21, 2018, 01:58:19 PM

Quote from: franco on June 21, 2018, 10:48:47 AM
FYI: 1.7.2 was shipped today, after non-reboot update the Unbound service requires a manual restart.

Cheers,
Franco

Thank you! I have installed the update & rebooted. Will let you know if this has solved the issue.

erickufrin · June 21, 2018, 04:30:07 PM

The problem does not appear to be resovled in unbound 1.7.2. Made it a few hours before seeing DNS queries to my override are failing.

I have turned up Logging on Unbound to Level 5. Maybe I will see something that can pinpoint the problem. :-/

If I wished to go back to 18.1.8 - what is the procedure - is there a KB article? thx...

franco · June 22, 2018, 11:00:50 AM

Docs are on your installation:

# man opnsense-revert

More specifically:

# opnsense-revert -r 18.1.8 unbound

Meanwhile 1.7.3 was released, maybe it gives another clue:

http://www.unbound.net/download.html

Cheers,
Franco

erickufrin · June 22, 2018, 03:53:06 PM

In the Unbound log I am seeing "useless dp but cannot go up, servfail"

It appears #4100 bug listed in the release notes relates to this.

https://github.com/NLnetLabs/unbound/commit/d3866418208f9a16c7bab09b424dbd90a973df0c

https://github.com/NLnetLabs/unbound/commit/53b1e11eba0614fa0c9196edda92d557286fde59

The logfile message I am receiving appears to be the command that is getting hit due to the code above it...

I am no programmer, but to me 1.7.3 looks kinda promising.

franco · June 23, 2018, 10:27:06 AM

I can provide a test version of 1.7.3 on Monday to find out :)

Or you can compile your own:

# opnsense-code tools ports
# cd /usr/ports/dns/unbound
# make package deinstall install

Cheers,
Franco

erickufrin · June 23, 2018, 11:54:04 AM

A test version would be great. I have been dealing with this for a little while, so monday or next week for a test version is definetly fine! Thank you

franco · June 25, 2018, 06:21:41 PM

Here you go, for OpenSSL/amd64:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/latest/All/unbound-1.7.3.txz

or LibreSSL/amd64:

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/libressl/All/unbound-1.7.3.txz

Cheers,
Franco

Reiter der OPNsense · June 30, 2018, 10:56:07 AM

Hi Franco,
thanks for the 1.7.3, which fixed another problem I have had since 1.7.2. Behind two boxes I had no more access to OneDrive and the Microsoft Store didn't work anymore (error 0x80072EE7).

Greetings, Stefan

franco · June 30, 2018, 09:26:47 PM

Hi Stefan,

Good, 1.7.3 will be in 18.1.11 early next week.

Cheers,
Franco

erickufrin · July 05, 2018, 06:23:11 PM

Want to close the loop on this issue. I have been running 1.7.3 unbound since last friday and have not had a single recurrence of the problem. The issue is solved with 1.7.3 confirmed! Thanks!!

Quote from: franco on June 30, 2018, 09:26:47 PM
Hi Stefan,

Good, 1.7.3 will be in 18.1.11 early next week.

Cheers,
Franco

[SOLVED] Unbound domain overrides failing since 1.7.1

erickufrin

June 18, 2018, 05:30:56 PM Last Edit: July 06, 2018, 07:31:10 AM by franco

va176thunderbolt

June 19, 2018, 12:15:28 PM #1

erickufrin

June 19, 2018, 02:32:08 PM #2

franco

June 21, 2018, 10:48:47 AM #3

AndyX90

June 21, 2018, 11:10:56 AM #4

erickufrin

June 21, 2018, 01:58:19 PM #5

erickufrin

June 21, 2018, 04:30:07 PM #6 Last Edit: June 21, 2018, 04:34:27 PM by erickufrin

franco

June 22, 2018, 11:00:50 AM #7

erickufrin

June 22, 2018, 03:53:06 PM #8

franco

June 23, 2018, 10:27:06 AM #9

erickufrin

June 23, 2018, 11:54:04 AM #10

franco

June 25, 2018, 06:21:41 PM #11

Reiter der OPNsense

June 30, 2018, 10:56:07 AM #12

franco

June 30, 2018, 09:26:47 PM #13

erickufrin

July 05, 2018, 06:23:11 PM #14