unbound blocklist download failures: error : HTTPSConnectionPool: Read timed out. #7371
Comments
Changing the timeout is relatively easy:
I don't think we should try to modify the streaming behavior of the script. When, for example, 80% of the file can be downloaded, it's usually better to process it than to ignore it in full. These sets don't really represent a consistent state that is only valid when processed in full...
It does make sense in most scenarios, but if 90% was downloaded the first time and only 10% this time, it would result in the 10% of valid data overwriting the initial 90% of valid data.
True, I missed the caching part in the code here: core/src/opnsense/scripts/unbound/blocklists/default_bl.py, lines 124 to 130 in b551927
I just went to check my DNSBL list again, and it seems that this time I have encountered a more serious download problem. My list is now left with only 1000+ entries. Currently, I am updating the DNSBL every 8 hours through a scheduled task, but it doesn't seem to have solved this problem. According to the code you provided earlier, the cache TTL is set to 20 hours. This means that I may have inadvertently missed almost a day's worth of data, causing some leaks, as that data was not properly blocked.
This 597b65a should improve the situation. It also increases the timeout a bit, but the main change is about process ordering (use the cached copy when the download fails).
Describe the bug
Unbound often logs download failures, but the download can be completed using a Windows browser.
Unbound will use the content of incompletely downloaded files and import them into the DNSBL list.
Perhaps these list files are relatively large, or the file links are behind a CDN network.
However, Unbound's timeout retry strategy is somewhat aggressive, with a timeout of only 5 seconds, and it will use incompletely downloaded files, resulting in an incomplete list.
Expected behavior
Follow the CDN associated with the list download link.
Wait for the file download to complete.
Adjust the timeout and retry strategy.
If unable to download the complete list in the end, consider abandoning the current list update instead of importing an incomplete list.
Environment
OPNsense 24.1.5_3-amd64
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.13
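The download-then-fallback ordering agreed on in the comments, together with the "abandon the update rather than import an incomplete list" expectation above, written out as an added example. This is not the project's default_bl.py; the names fetch_list, update_blocklist and IncompleteDownload are assumed, and the Content-Length check is one way to detect a truncated body.

```python
import http.client
import time
import urllib.request


class IncompleteDownload(Exception):
    """The body was shorter than the announced Content-Length."""


def fetch_list(url, timeout=30.0, retries=3, backoff=1.0, opener=urllib.request.urlopen):
    """Download one list completely, retrying on timeouts and short bodies.

    Returns the list's lines. Raises the last error if every attempt fails, so a
    partial body is never handed to the caller.
    """
    last_err = None
    for attempt in range(retries):
        time.sleep(backoff * attempt)  # 0s, 1s, 2s ... between attempts
        try:
            with opener(url, timeout=timeout) as resp:
                expected = resp.headers.get("Content-Length")
                body = resp.read()  # read to EOF; a read timeout raises instead of truncating
            if expected is not None and len(body) != int(expected):
                raise IncompleteDownload(f"{url}: got {len(body)} of {expected} bytes")
            return body.decode("utf-8", errors="replace").splitlines()
        except (OSError, http.client.HTTPException, IncompleteDownload) as err:
            last_err = err  # socket timeouts and URLError are OSError subclasses
    raise last_err


def update_blocklist(sources, cache, fetcher=fetch_list):
    """Merge all sources, preferring a fresh download and falling back to the cache.

    `cache` maps url -> (timestamp, lines). A failed or incomplete download never
    replaces the cached copy; if there is no cached copy the source is skipped.
    Returns (merged entry set, urls that were served from cache).
    """
    merged, from_cache = set(), []
    for url in sources:
        try:
            lines = fetcher(url)
            cache[url] = (time.time(), lines)  # only a complete download refreshes the cache
        except Exception:
            if url not in cache:
                continue  # nothing usable for this source; skip it rather than import a fragment
            lines = cache[url][1]
            from_cache.append(url)
        for line in lines:
            entry = line.split("#", 1)[0].strip().lower()  # drop comments and blank lines
            if entry:
                merged.add(entry)
    return merged, from_cache
```

Pass a larger timeout or retries value per source if a CDN-hosted list is consistently slow; the cache fallback only kicks in once all attempts for that source have failed.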