Working around pfSense Unbound DNS race condition on startup

I previously wrote an article on how well pfSense has worked for me.  I’ve so far managed to get it to do everything I have thrown at it, short of integrating fully with my UniFi based network.

There is one very annoying problem I ran into over the past year.  pfSense now frequently fails to come up cleanly because of a race condition involving the DNS server it runs (unbound).  The error is something like the following.

rc.bootup: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1564567621] unbound[28399:0] error: can't bind socket: Can't assign requested address for <ipv6 redacted> port 53 [1564567621] unbound[28399:0] fatal error: could not open ports'

I suspect this is a race condition related to bringing up various VPN or VLAN interfaces: unbound tries to bind port 53 on an IPv6 address before the interface that owns it is configured.  Fortunately, because pfSense has been so stable, I haven't ever run into this problem outside of an attended restart.  However, I would have to connect to the server and start the unbound DNS service by hand.

Anyhow, for whatever reason, this hasn't come up on the radar of the pfSense developers to fix.  So what else could we do?

It turns out a pfSense package exists called Service Watchdog.  It monitors selected services and restarts them if they aren't running.  So the workaround is simple.  Install Service Watchdog, monitor the DNS service, and it will keep kicking unbound until everything is up and running.  Usually it succeeds on the first retry.
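To make the mechanism concrete, here is a minimal shell version of what Service Watchdog does for unbound, written as an added example for this post (it is not the package's own code). It uses the unbound binary and config paths from the error above; the retry counts, the use of pgrep, and the RUN_UNBOUND_WATCHDOG switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from the Service Watchdog package):
# a watchdog-style retry loop for unbound, standing in for what Service
# Watchdog does. Paths are the ones shown in the boot error; everything
# else (pgrep availability, retry counts, the env switch) is an assumption.

UNBOUND_BIN=${UNBOUND_BIN:-/usr/local/sbin/unbound}
UNBOUND_CONF=${UNBOUND_CONF:-/var/unbound/unbound.conf}

# retry_start CHECK START [MAX] [DELAY]
#   CHECK : command that exits 0 once the service is up
#   START : command that (re)starts the service
#   MAX   : maximum number of start attempts (default 5)
#   DELAY : seconds to wait between attempts (default 2)
# Returns 0 if CHECK succeeds within MAX attempts, 1 otherwise, and
# reports how many restarts it took, which is what the race costs us.
retry_start() {
    check=$1; start=$2; max=${3:-5}; delay=${4:-2}
    n=0
    while [ "$n" -lt "$max" ]; do
        if $check; then
            echo "service up after $n restart(s)"
            return 0
        fi
        # The "can't bind socket" error makes unbound exit non-zero; keep going.
        $start || echo "start attempt $((n + 1)) failed, retrying" >&2
        n=$((n + 1))
        sleep "$delay"
    done
    $check
}

# unbound-specific probes: "up" means an unbound process exists.
unbound_up()    { pgrep -x unbound >/dev/null 2>&1; }
unbound_start() { "$UNBOUND_BIN" -c "$UNBOUND_CONF"; }

# Only act when explicitly asked, so sourcing this file is side-effect free.
if [ "${RUN_UNBOUND_WATCHDOG:-0}" = "1" ]; then
    retry_start unbound_up unbound_start 10 3
fi
```

Run with RUN_UNBOUND_WATCHDOG=1 from a boot-time hook to get the same "keep kicking it until the address is there" behaviour; the stderr lines tell you how often the race actually bites.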

And with that pfSense is back to being the appliance I need it to be.  Hooray!
