OpenVPN drops connection about once a day, logs indicate DNS failure


I have an old version of pfSense (2.3.2) running an OpenVPN client to a commercial server. Over the past few years, the OpenVPN connection has been dropping more frequently, and now it's about once per day. For a while, it was even failing open so that all my traffic would be in the clear. I'm not sure if I fixed that, or that particular failure condition stopped being an issue.

When the VPN fails, restarting the service works fine. The web logs are filled with:

Sep 16 13:45:24     openvpn     13283   RESOLVE: Cannot resolve host address: us-commercialOpenVPNProvider.com: hostname nor servname provided, or not known

Neither ping nor tracert resolves the address, and my Pi-Hole is filled with requests for the same name. Pi-Hole cache is only about 5 minutes, so it should be able to refresh the cache on that name before it's lost, right? Is this a DNS issue, or is DNS a red herring and I have another issue?

Day 2

I compared the nslookup of today's failure with yesterday's and I'm surprised. None of the DNS records are the same. I'm thinking it's a DNS/load balancing issue.

Server:  <pihole>
Address:  172.16.x.x

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    <CommercialOpenVPNProvider>.com
Addresses:  66.115.169.196
          66.115.169.205
          66.115.168.2
          66.115.168.4
          66.115.169.218
          66.115.169.244
          66.115.169.228
          66.115.169.220
          66.115.168.25
          66.115.168.14
          66.115.169.210
          66.115.169.211
          66.115.168.11


C:\Users\<USER>>nslookup <CommercialOpenVPNProvider>.com
Server:  <pihole>
Address:  172.16.x.x

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    <CommercialOpenVPNProvider>.com
Addresses:  66.115.169.239
          66.115.168.28
          66.115.168.19
          66.115.168.18
          66.115.169.223
          66.115.168.10
          66.115.169.205
          66.115.169.226
          66.115.169.203
          66.115.168.24
          66.115.169.244
          66.115.168.9
          66.115.168.13


C:\Users\<USER>>

YetAnotherRandomUser

Posted 2019-09-16T23:00:19.830

Reputation: 1 494

When you see the message can you ping other addresses? It could be a connectivity issue...that would result in a DNS failure – None – 2019-09-16T23:09:38.727

No, nothing works until I restart the OpenVPN service. – YetAnotherRandomUser – 2019-09-16T23:22:48.787

More a workaround than a solution, but since the host resolution should be static (given you are continuously connected to it), you could slap that at /etc/hosts and prevent dns resolution errors – Ángel – 2019-09-16T23:25:08.817

How is your resource usage? Restarting OpenVPN might be releasing ports/memory. I have flagged this to be moved to serverfault as this is not a security-related question – None – 2019-09-16T23:25:22.407
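As an added triage helper (not from the question or any commenter), the following parses RESOLVE lines in the pfSense log layout shown above to measure how often the failure recurs, and diffs two nslookup runs to separate stable addresses from rotated ones, which is what decides whether the /etc/hosts pin suggested in the comments would hold. The hostname, addresses and log lines are constructed samples.

```python
import re
from datetime import datetime
# Constructed pfSense log lines in the layout of the question's RESOLVE line; the hostname is a placeholder.
OPENVPN_LOG = """\
Sep 15 13:31:02     openvpn     13283   RESOLVE: Cannot resolve host address: vpn.example.invalid: hostname nor servname provided, or not known
Sep 16 13:45:24     openvpn     13283   RESOLVE: Cannot resolve host address: vpn.example.invalid: hostname nor servname provided, or not known
"""
# Constructed Windows nslookup output from two runs (RFC 5737 documentation addresses).
NSLOOKUP_DAY1 = """\
Server:  pihole
Address:  172.16.0.2
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    vpn.example.invalid
Addresses:  198.51.100.10
          198.51.100.12
"""
NSLOOKUP_DAY2 = """\
Address:  172.16.0.2
Non-authoritative answer:
Name:    vpn.example.invalid
Addresses:  198.51.100.12
          198.51.100.20
"""
RESOLVE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+openvpn\s+\d+\s+"
                        r"RESOLVE: Cannot resolve host address: (?P<host>[^:\s]+):")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def resolve_failures(log, year=2019):
    """(timestamp, hostname) per RESOLVE failure; syslog lines carry no year, so one is supplied."""
    hits = (RESOLVE_RE.match(line) for line in log.splitlines())
    return [(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["host"]) for m in hits if m]

def failure_gaps_hours(log, year=2019):
    """Hours between consecutive failures; values near 24 match the 'about once a day' observation."""
    ts = [t for t, _ in resolve_failures(log, year)]
    return [round((b - a).total_seconds() / 3600, 2) for a, b in zip(ts, ts[1:])]

def nslookup_addresses(output):
    """Answer IPs and timeout count; text before 'Non-authoritative answer:' describes the resolver, not the target."""
    marker = "Non-authoritative answer:"
    answer = output.split(marker, 1)[1] if marker in output else ""  # no answer section => lookup failed
    return set(IPV4_RE.findall(answer)), output.count("DNS request timed out")

def compare_runs(day1, day2):
    """Stable vs. rotated addresses across two runs; a hosts-file pin is only safe for a stable address."""
    a, b = nslookup_addresses(day1)[0], nslookup_addresses(day2)[0]
    return {"stable": sorted(a & b), "rotated_out": sorted(a - b), "rotated_in": sorted(b - a)}
```

Feed it the real system log and saved nslookup outputs to see whether the failure interval is regular and whether any address survives between runs before pinning one.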

No answers