Bug #16217: Memory exhaustion in ``kea2unbound`` when pfBlockerNG DNSBL is enabled in "Unbound mode" instead of "Unbound python mode" - pfSense - pfSense bugtracker

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.03 Plus - All Closed Issues
25.03 Plus - All Open Issues
25.03 Plus - Feedback Issues
25.03 Plus - Needs Attention/Work
25.03 Plus - New/Confirmed/In Progress Issues
25.03 Plus - Pull Request Review
25.03 Plus - Waiting on Merge
25.03 Target - All Closed Issues
25.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #16217

open

Memory exhaustion in ``kea2unbound`` when pfBlockerNG DNSBL is enabled in "Unbound mode" instead of "Unbound python mode"

Added by Kevin Burge 7 days ago. Updated 3 days ago.

Status:

New

Priority:

Very Low

Assignee:

Category:

DHCP (IPv4)

Target version:

Start date:

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Default

Affected Version:

2.8.0

Affected Architecture:

amd64

Description

Upgraded to 2.8.x yesterday:

2.8.0-RELEASE (amd64)
built on Wed May 21 18:12:00 CDT 2025
FreeBSD 15.0-CURRENT

I am receiving frequent crashes reported:

[29-May-2025 11:08:56 US/Central] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 4096 bytes) in /usr/local/bin/kea2unbound on line 524

I have several VLANs as well as a VPN set up. I'm using IPv4 / IPv6 DHCP servers.

Files

PHP_errors.log (34.3 KB) PHP_errors.log

Kevin Burge, 05/29/2025 04:23 PM

History
Notes
Property changes

Actions

Copy link

Updated by Jim Pingle 7 days ago

Priority changed from Normal to Very Low

Most users who have encountered this were using pfBlockerNG and were not using python mode. Changing pfBlockerNG to python mode eliminated any errors as it does not load all of that data into Unbound directly.

While it may be possible for kea2unbound to somehow detect/skip entries from pfBlockerNG in the future, it may not be viable. Using python mode in pfBlockerNG is much more efficient and the best practice workaround.

Actions

Copy link

Updated by Kevin Burge 7 days ago

Switched. Thank you!

Actions

Copy link

Updated by Jim Pingle 3 days ago

Subject changed from kea2unbound memory exhaustion in to Memory exhaustion in ``kea2unbound`` when pfBlockerNG DNSBL is enabled in "Unbound mode" instead of "Unbound python mode"

Actions

Copy link

Updated by Troy R 3 days ago

Why did this change in 2.8.0? I never had errors about memory before the update..

Actions

Copy link

Updated by Troy R 3 days ago

Jim Pingle wrote in #note-1:

Priority changed from Normal to Very Low

Should this be a HIGH protity. If I was getting crash log error message like this I'd want an update pushed out to explain WHY its crashing. Maybe update kea2unbound to say "Hey if your getting this error, and using PFblockerNG try changing your unbound mode from unbound to unbound python mode"
Or maybe update PFblockerNG to default to unbound python mode, or simular to how you told us the old DHCP was being depraticated and to switch to kea. Maybe say "Hey you should update this"...

Actions

Copy link

Updated by Jim Pingle 3 days ago

kea2unbound is new in CE 2.8.0. Kea did not have DNS registration functionality before.

You can easily switch pfBlockerNG DNSBL modes to work around it, it does not necessarily require a fix in kea2unbound, I left this open in case we can find a way to make kea2unbound more tolerant of that situation in the future.

If the pfBlockerNG developer wants to detect that and change the pfBlockerNG behavior based on the DHCP daemon, that's up to them, but that's not a high priority base system issue.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #16217

Memory exhaustion in ``kea2unbound`` when pfBlockerNG DNSBL is enabled in "Unbound mode" instead of "Unbound python mode"

Updated by Jim Pingle 7 days ago

Updated by Kevin Burge 7 days ago

Updated by Jim Pingle 3 days ago

Updated by Troy R 3 days ago

Updated by Troy R 3 days ago

Updated by Jim Pingle 3 days ago