Todo #14980
closed
Update Unbound to 1.18.0_1 to address looping UDP retries when ENOBUFS is returned
100%
Description
Ever since upgrading to pfSense 2.7.0, our organization has been experiencing recurring problems with unbound suddenly becoming unresponsive and running at 100% CPU. Restarting the unbound service brings pfSense back to normal for a while, but then in the next one to three days, unbound freaks out again at 100% CPU until we can manually intervene. A "truss" of unbound while it is locked up shows it in what appears to be an infinite loop trying to send to a UDP socket and getting back "No buffer space available" errors. We did not experience this problem back in pfSense 2.6.0.
I believe the bug we're experiencing is the same one identified upstream and fixed in unbound 1.19.0 here:
https://github.com/NLnetLabs/unbound/commit/0ee44ef384593ed0382d1ce6048d5a9c9440b45c
FreeBSD has backported the patch to make unbound 1.18.0_1:
https://www.freshports.org/dns/unbound/?page=1#history
We are currently testing out pfSense 2.7.1-RC (2.7.1.r.20231110.0600), but I see that the version of unbound included in that build appears to be just vanilla 1.18.0 without the backported patch.
Can you please update the unbound package to at least 1.18.0_1 in pfSense 2.7.1-RC so that we can benefit from upstream's bugfix in the soon-to-be pfSense 2.7.1 release? (unbound 1.19.0 would also contain the fix, but I don't know if that's considered too great of a change at this point in the release cycle.) This bug has made unbound and, by extension, pfSense pretty unusable for us since upgrading from pfSense 2.6.0 to 2.7.0, so we're pretty desperate to see this patch land in 2.7.1. Thanks for your consideration.
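The truss symptom described in the report above can be checked mechanically on a saved trace. This is an added example, not part of the original ticket and not pfSense or unbound code: it scans truss output for long back-to-back runs of send calls failing with ENOBUFS on one socket. The assumed line shape, the constructed sample trace and the name `find_enobufs_loops` are illustrative assumptions.

```python
import re

ENOBUFS_FREEBSD = 55  # FreeBSD errno for "No buffer space available"
SEND_CALLS = {"send", "sendto", "sendmsg"}
# Assumed truss line shape (optional "pid: " prefix from truss -f):
#   name(fd,...) = ret (0x..)    or    name(fd,...) ERR#N 'text'
LINE = re.compile(r"^\s*(?:\d+:\s+)?(\w+)\((\d+)?.*\)\s+(?:ERR#(\d+)\s.*|=\s.*)$")

def find_enobufs_loops(truss_text, min_run=5):
    """Return [(fd, failures, first_line_no)] for every run of at least
    min_run consecutive ENOBUFS send failures on the same descriptor."""
    runs, cur = [], None  # cur = [fd, count, first_line_no]

    def flush():
        nonlocal cur
        if cur and cur[1] >= min_run:
            runs.append(tuple(cur))
        cur = None

    for no, line in enumerate(truss_text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # signal notes, blank lines, wrapped output
        name, fd, err = m.groups()
        failed = (name in SEND_CALLS and err is not None
                  and int(err) == ENOBUFS_FREEBSD)
        if failed and cur and cur[0] == int(fd):
            cur[1] += 1          # same socket, still failing: run continues
        else:
            flush()              # any other syscall ends the run
            if failed:
                cur = [int(fd), 1, no]
    flush()
    return runs

# Constructed sample trace (not captured from a real system).
FAIL = ("sendto(6,\"...\",33,0,{ AF_INET 192.0.2.53:53 },16) "
        "ERR#55 'No buffer space available'")
SAMPLE = "\n".join(
    ["recvfrom(4,\"...\",4096,0,{ AF_INET 192.0.2.10:40000 },0x7fffffffe000) = 33 (0x21)"]
    + [FAIL] * 8
    + ["kevent(7,0x0,0,{ },64,{ 0.000000000 }) = 0 (0x0)",
       FAIL,
       "sendto(6,\"...\",33,0,{ AF_INET 192.0.2.53:53 },16) = 33 (0x21)"])

if __name__ == "__main__":
    for fd, count, first in find_enobufs_loops(SAMPLE):
        print(f"fd {fd}: {count} consecutive ENOBUFS failures from line {first}")
```

A single ENOBUFS followed by a successful send, as at the end of the sample, is not reported; only uninterrupted runs are.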
Updated by Jim Pingle about 1 year ago
- Subject changed from Update Unbound from 1.18.0 to 1.18.0_1 in pfSense 2.7.1-RC to Update Unbound to 1.18.0_1 to address looping UDP retries when ENOBUFS is returned
- Assignee set to Christian McDonald
- Target version set to 2.7.1
- Plus Target Version set to 24.03
We were already looking into doing this. If we can't get it in the release, we can pull it in shortly after so that users who are affected by the issue could update it independently.
Updated by Jim Pingle about 1 year ago
- Tracker changed from Bug to Todo
- Affected Version deleted (2.7.x)
Updated by Brett Keller about 1 year ago
Thank you! I'll keep my eyes peeled for it in either the next RC or the final release.
Updated by Jim Pingle about 1 year ago
- Status changed from Feedback to Resolved
The latest 2.7.1 RC build contains unbound-1.18.0_1 and it appears to be working so far. If there is still a problem with the service we can look into additional updates separately.
Updated by Jim Pingle about 1 year ago
- Target version changed from 2.7.1 to 2.7.2
- Plus Target Version changed from 24.03 to 23.09.1
Updated by Jim Pingle about 1 year ago
- Target version changed from 2.7.2 to 2.7.1