Todo #14980

closed

Update Unbound to 1.18.0_1 to address looping UDP retries when ENOBUFS is returned

Added by Brett Keller 5 months ago. Updated 5 months ago.

Status: Resolved
Priority: Normal
Category: DNS Resolver
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.09.1
Release Notes: Default

Description

Ever since upgrading to pfSense 2.7.0, our organization has been experiencing recurring problems with unbound suddenly becoming unresponsive and running at 100% CPU. Restarting the unbound service brings pfSense back to normal for a while, but then in the next one to three days, unbound freaks out again at 100% CPU until we can manually intervene. A "truss" of unbound while it is locked up shows it in what appears to be an infinite loop trying to send to a UDP socket and getting back "No buffer space available" errors. We did not experience this problem back in pfSense 2.6.0.

I believe the bug we're experiencing is the same one identified upstream and fixed in unbound 1.19.0 here:
https://github.com/NLnetLabs/unbound/commit/0ee44ef384593ed0382d1ce6048d5a9c9440b45c

FreeBSD has backported the patch to make unbound 1.18.0_1:
https://www.freshports.org/dns/unbound/?page=1#history

We are currently testing out pfSense 2.7.1-RC (2.7.1.r.20231110.0600), but I see that the version of unbound included in that build appears to be just vanilla 1.18.0 without the backported patch.

Can you please update the unbound package to at least 1.18.0_1 in pfSense 2.7.1-RC so that we can benefit from upstream's bugfix in the soon-to-be pfSense 2.7.1 release? (unbound 1.19.0 would also contain the fix, but I don't know if that's considered too great of a change at this point in the release cycle.) This bug has made unbound and, by extension, pfSense pretty unusable for us since upgrading from pfSense 2.6.0 to 2.7.0, so we're pretty desperate to see this patch land in 2.7.1. Thanks for your consideration.
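The symptom described in the report above (a `truss` trace full of UDP sends failing with "No buffer space available") can be checked mechanically. The following is an added example, not part of the original report or of unbound or pfSense; it scans `truss -p <pid>` output for long unbroken runs of ENOBUFS send failures per descriptor. The sample lines, the function names and the threshold of 100 are assumptions made for illustration.

```python
import re

ENOBUFS = 55  # errno value of ENOBUFS on FreeBSD; truss prints it as ERR#55
SEND_CALLS = {"sendto", "sendmsg", "send", "write"}
# A truss line ends in "= <ret> (0x..)" on success or "ERR#<n> '<msg>'" on failure.
# Assumption: a leading decimal first argument is a file descriptor.
LINE = re.compile(r"(?P<name>\w+)\((?P<fd>\d+),.*\)\s+(?:ERR#(?P<err>\d+)|=\s)")


def longest_enobufs_runs(lines):
    """Return {fd: longest run of consecutive ENOBUFS send failures}."""
    current, longest = {}, {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # signals, calls without a numeric first argument, noise
        fd = int(m["fd"])
        failed = m["err"] is not None and int(m["err"]) == ENOBUFS
        if m["name"] in SEND_CALLS and failed:
            current[fd] = current.get(fd, 0) + 1
            longest[fd] = max(longest.get(fd, 0), current[fd])
        else:
            current[fd] = 0  # any other result on this fd breaks the run
    return longest


def stuck_descriptors(lines, threshold=100):
    """Descriptors whose ENOBUFS run reached the (assumed) threshold."""
    runs = longest_enobufs_runs(lines)
    return sorted(fd for fd, n in runs.items() if n >= threshold)


# Constructed sample trace (documentation addresses, not real captures).
FAIL5 = ("sendto(5,\"...\",40,0,{ AF_INET 192.0.2.53:53 },0x10) "
         "ERR#55 'No buffer space available'")
FAIL6 = FAIL5.replace("sendto(5,", "sendto(6,")
OK6 = "sendto(6,\"...\",40,0,{ AF_INET 192.0.2.53:53 },0x10) = 40 (0x28)"
RECV7 = "recvfrom(7,\"...\",4096,0,{ AF_INET 192.0.2.10:53 },0x0) = 45 (0x2d)"
SAMPLE = [RECV7] + [FAIL5] * 250 + [FAIL6, OK6]

if __name__ == "__main__":
    print(longest_enobufs_runs(SAMPLE), stuck_descriptors(SAMPLE))
```

A single ENOBUFS followed by a successful send, as on descriptor 6 in the sample, is an ordinary transient; only a run that never breaks, as on descriptor 5, matches the spin described in the report.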

Actions #1

Updated by Jim Pingle 5 months ago

  • Subject changed from Update Unbound from 1.18.0 to 1.18.0_1 in pfSense 2.7.1-RC to Update Unbound to 1.18.0_1 to address looping UDP retries when ENOBUFS is returned
  • Assignee set to Christian McDonald
  • Target version set to 2.7.1
  • Plus Target Version set to 24.03

We were already looking into doing this. If we can't get it in the release, we can pull it in shortly after so that users who are affected by the issue could update it independently.

Actions #2

Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback

This has been committed.

Actions #3

Updated by Jim Pingle 5 months ago

  • % Done changed from 0 to 100

Actions #4

Updated by Jim Pingle 5 months ago

  • Tracker changed from Bug to Todo
  • Affected Version deleted (2.7.x)

Actions #5

Updated by Brett Keller 5 months ago

Thank you! I'll keep my eyes peeled for it in either the next RC or the final release.

Actions #6

Updated by Jim Pingle 5 months ago

  • Status changed from Feedback to Resolved

The latest 2.7.1 RC build contains unbound-1.18.0_1 and it appears to be working so far. If there is still a problem with the service we can look into additional updates separately.

Actions #7

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.7.1 to 2.7.2
  • Plus Target Version changed from 24.03 to 23.09.1

Actions #8

Updated by Jim Pingle 5 months ago

  • Target version changed from 2.7.2 to 2.7.1