On Wed, Mar 09, 2016 at 02:04:10PM +0100, Marko CupaÄ wrote:
> On Tue, 8 Mar 2016 12:24:59 +0100
> Otto Moerbeek <[email protected]> wrote:
>
> > Give unbound more file descriptors; put in login.conf:
> It's already there, by default on 5.8.
>
> > And do not forget to set the class of the user _unbound to unbound:
> It's already set by default on 5.8.
>
>
> On Tue, 8 Mar 2016 07:36:06 -0600
> Brian Conway <[email protected]> wrote:
>
> > Are you using pf queues? I most frequently see that happen when
> > there's no space left in a queue. `pfctl -v -s queue`
> That's probably it. I am going to try to create separate queue for dns
> traffic originating from the firewall.
I saw this on one of my machines. Correctly or incorrectly, I deduced
that it was caused by unbound losing the ability to send a packet on
its interface after a dhclient controlled interface state
transition. These transitions happened at dhcp lease renew time. I run
isc_bind behind a cablemodem and had the same issue there. Isc_bind
listens at each interface individually:
$ netstat -an | grep "\.53 "
tcp 0 0 169.254.0.1.53 *.*
LISTEN
tcp 0 0 127.0.0.1.53 *.*
LISTEN
udp 0 0 169.254.0.1.53 *.*
udp 0 0 127.0.0.1.53 *.*
Rather than:
$ netstat -an | grep "\.53 "
tcp 0 0 *.53 *.*
LISTEN
udp 0 0 *.53 *.*
For isc_bind at least, when dhclient renewed the ip address, the
listening socket at 169.254.0.1:53 became invalid and the query socket
at 169.254.0.1:53 couldn't send packets.
YMMV
--
Chris
__o "All I was trying to do was get home from work."
_`\<,_ -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton [chris/at/vindaloo/dot/com]
[demime 1.01d removed an attachment of type application/pgp-signature which had
a name of signature.asc]
