Bug #16425

open

After upgrading from pfSense CE 2.8.0 to 2.8.1, the system encountered unstable DNS response issues via the CARP VIP.

Added by Xuân Sơn Nguyễn 1 day ago. Updated about 19 hours ago.

Status:
Incomplete
Priority:
Normal
Assignee:
-
Category:
Upgrade
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.8.x
Affected Architecture:

Description

After upgrading from pfSense CE 2.8.0 to 2.8.1, the system encountered unstable DNS response issues via the CARP VIP. When using the VIP (192.168.0.254) as both the gateway and DNS server, internal clients often need to refresh the webpage 1–3 times before it loads successfully.
Troubleshooting steps already attempted:
- Disabled pfBlockerNG DNSBL
- Removed the line include: /var/unbound/pfb_dnsbl.*conf
- Added cache TTL configuration:
  server:
      cache-min-ttl: 3600
      cache-max-ttl: 86400
      prefetch: yes
      serve-expired: yes

#1

Updated by Kris Phillips 1 day ago

  • Status changed from New to Incomplete

Hello,

What do the logs show for the DNS Resolver? Do you see the DNS queries reaching the firewall in a packet capture? Is there any response from the firewall, such as a denied/timeout message?

Marking Incomplete, as there isn't enough information here to confirm this is actually a bug and not a configuration issue.

#2

Updated by Xuân Sơn Nguyễn about 19 hours ago

Hello,

Thank you for your response. I’ve completed all the requested checks and can confirm the following:

- DNS Resolver logs show minimal activity across threads, with only a few queries processed and no errors or rejections.
- Packet capture confirms that DNS queries from internal clients are reaching the firewall via the CARP VIP (192.168.0.254).
- Firewall logs show no blocked or denied traffic on port 53.
- CARP status is stable, and the node is in MASTER state.
- Interface binding in Unbound includes the CARP VIP, LAN, and localhost.
- pfBlockerNG DNSBL has been disabled, and related includes removed.
- TTL caching parameters have been applied to Unbound to improve response consistency.

Despite all these confirmations, the issue persists: when clients use the CARP VIP as both gateway and DNS server, DNS responses are unstable — pages often require 1–3 refresh attempts before loading successfully. This behavior only began after upgrading from pfSense CE 2.8.0 to 2.8.1.

Given that all configuration and connectivity checks are in place, I believe this may indicate a regression or bug introduced in 2.8.1 related to DNS handling over CARP VIP. I kindly ask that this be investigated further.

Best regards,
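To put numbers on the symptom discussed in both comments (pages needing 1 to 3 refreshes; whether the firewall answers at all, refuses, or stays silent), the following probe script is an added example, not part of the bug report or of pfSense. It sends repeated A queries to a resolver address and tallies answers, explicit RCODEs and silent timeouts separately; it assumes Python 3 on a LAN client, the CARP VIP 192.168.0.254 from the report, and an arbitrary query name (example.com).

```python
import collections
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal recursive (RD=1) DNS query for `name`, type A by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def classify(query: bytes, reply: bytes) -> str:
    """Map a reply to `query` onto one outcome: answer, empty, <RCODE>, mismatch or malformed."""
    if len(reply) < 12:
        return "malformed"
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"  # wrong transaction id, or QR bit says this is not a response
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE{rcode}")
    return "answer" if an > 0 else "empty"


def probe(server: str, name: str, count: int = 50, timeout: float = 2.0) -> collections.Counter:
    """Send `count` sequential queries to `server`:53 and tally each outcome, so that
    silent drops (timeout) are kept apart from explicit refusals or resolver errors."""
    results: collections.Counter = collections.Counter()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for i in range(count):
            query = build_query(name, (0x4000 + i) & 0xFFFF)
            sock.sendto(query, (server, 53))
            try:
                reply, _ = sock.recvfrom(4096)
                results[classify(query, reply)] += 1
            except socket.timeout:
                results["timeout"] += 1
    return results


if __name__ == "__main__":
    # 192.168.0.254 is the CARP VIP from the report; the query name is an assumption.
    print(dict(probe("192.168.0.254", "example.com")))
```

Run it from an affected client against the VIP and then against the node's own LAN interface address: timeouts that appear only for the VIP point at the VIP path (CARP, binding, filtering), while SERVFAIL or REFUSED counts point at the resolver itself.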

