unbound
DNS Stops resolving after a period of inactivity, also kicks off VPN.
Hello,
Describe the bug: Unbound stops resolving DNS
I am using unbound on a laptop as a portable DNS resolver. I am connecting through OpenVPN. After a period of inactivity and leaving the laptop alone, DNS doesn't resolve and I have to restart the service. (Unbound failing seems to kick me off the VPN and the VPN disconnects.)
Inelegant Workaround:
If anyone needs a quick ugly fix, I am restarting the unbound service every 30 mins; this just works... I can come back to the laptop hours later and all connections are still up.
I don't think the VPN is the problem as it now stays up with this workaround in place.
Add this to your root user crontab:
*/30 * * * * /usr/bin/systemctl restart unbound
To reproduce:
I'm using a fresh install of Linux Mint. Connect to a VPN provider using OpenVPN. Unbound installed natively, NOT in a docker container. Start it all up, wait a few hours for it to stop resolving.
unbound.conf:
server:
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 1
    interface: 127.0.0.1@5335
    interface: 172.17.0.1@5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    root-hints: "/var/lib/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 172.17.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
System:
Unbound Version 1.13.1
OpenVPN Version 2.5.5
System: Kernel: 5.15.0-58-generic x86_64 bits: Desktop: Cinnamon 5.6.7, Linux Mint 21.1 Vera base: Ubuntu 22.04 jammy
CPU: Intel Core i7-6500U
Expected Behaviour:
I'd like to have my DNS requests resolving and the VPN connection still up after 12 hours or more of inactivity, without my workaround.
Thank you.
If you do not do anything, unbound simply sits there and performs no activity. It can get the root anchor if you have auto-trust-anchor-file enabled, about once a day, but that is not enabled in your configuration. So unbound should not be doing anything with the network when the laptop is also not doing anything. This is by design; the server is supposed to be quiet when there is no work to do.
With the change, unbound is starting again; I am not sure, does that send network traffic, like an initial lookup of some sort? And repeating that acts as a keepalive, much like a keepalive packet, or keepalive options in something like openssh. That keeps NAT connection tables fresh and this may keep the VPN connection alive, or something along those lines?
If you think it is really unbound I would enable verbose logging, like verbosity 4, it should log all traffic that it attempts. And also, since nothing is happening that could be a short log. And the difference between the working and not working situation. Logging is very verbose, so short means relatively short. But likely the only thing that matters is traffic on the TCP connection, that keeps the firewall rules from timing out.
If unbound stops working and you can't get a reply to unbound-control, unbound is probably stuck in a loop. That has been fixed here: https://github.com/NLnetLabs/unbound/commit/0ee44ef384593ed0382d1ce6048d5a9c9440b45c
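The replies above turn on one question: when resolution stops, is the daemon itself unresponsive, or is it alive but unable to reach the network through the VPN? The script below is an added example, not part of the thread or of the unbound project, that records which case occurred. It assumes the listener on 127.0.0.1 port 5335 and the enabled remote-control section from the posted unbound.conf; the probe name example.com and the 5 second limits are illustrative choices.

```shell
#!/bin/sh
# Added example: classify a "DNS stopped resolving" event instead of blindly restarting.
# Assumed from the posted config: listener 127.0.0.1@5335, remote-control enabled.
# Assumed for illustration: probe name example.com, 5 second limits.

# classify CTL_RC DIG_RC RCODE -> prints one verdict word
classify() {
    ctl_rc=$1 dig_rc=$2 rcode=$3
    case "$ctl_rc" in
        124) echo hung; return ;;         # timeout(1) expired: no reply on the control channel
        3)   echo not-running; return ;;  # unbound-control status: control port refused
        0)   ;;                           # daemon answered the control channel
        *)   echo control-error; return ;;
    esac
    if [ "$dig_rc" -ne 0 ]; then
        echo no-dns-reply; return         # control channel works, port 5335 does not answer
    fi
    case "$rcode" in
        NOERROR|NXDOMAIN) echo ok ;;
        SERVFAIL) echo upstream-unreachable ;;  # daemon alive, cannot reach the servers it queries
        *) echo "rcode-$rcode" ;;
    esac
}

# probe: run both checks once and print a timestamped verdict
probe() {
    timeout 5 unbound-control status >/dev/null 2>&1
    ctl_rc=$?
    out=$(dig @127.0.0.1 -p 5335 +time=5 +tries=1 +noall +comments example.com A 2>/dev/null)
    dig_rc=$?
    # Pull the RCODE out of dig's ";; ->>HEADER<<- ... status: X, id: N" line
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $(classify "$ctl_rc" "$dig_rc" "$rcode")"
}

# Only touch the system when asked to, e.g. from cron: sh check-unbound.sh --probe
if [ "${1:-}" = "--probe" ]; then
    probe
fi
```

A name still in unbound's cache is answered without any upstream traffic, so an `ok` verdict within the record's TTL does not prove the VPN path works. A `hung` verdict corresponds to the case in the last comment, where unbound-control gets no reply.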