@johnpoz It's working fine now, which makes me think it's some kind of caching issue. I find it weird that Chrome could connect to palantir-02 yesterday, immediately, and the command line tools could not. I use iTerm2, which is a 3rd party terminal program that, so far, as exceeded the functionality of Apple's Term program, but I can't help but thinking that there might be some DNS caching being done somewhere that impacts the term programs and that Chrome doesn't deal with. I have several learning disabilities and it's an attention span thing. It takes me longer to dig into something than it does for most people. There's a line and when I cross it, and dive deep into something, I can get a clear understanding of everything in it, but six months later, if I haven't kept working with that material, I can forget it all - unless I do another deep dive. So I've dealt with this kind of stuff before, but long enough ago, that I've forgotten all that's involved. I probably should have looked up the command to clear the Mac's networking cache, but didn't think of it yesterday, when it would have helped. I did consider just rebooting, but didn't have the time while I was at the computer. (I figured that'd clear any DNS caching it may have done.) I have been able to resolve anything with ping in the past - never an issue. I'm in a rural setting, so there are times I lose internet. I have a simple alias: alias icheck='ping -c 5 8.8.8.8;echo;ping -c 5 www.google.com;echo;echo' or something close to that, you get the idea. When I seem to be having connectivity issues, I always run that to see if our internet is down. I did run it just as a quick check (yesterday, when the issue was happening) and it did work.

@badjoodani see https://forum.netgate.com/topic/184226/psa-kea-dhcp-does-not-like-dns-names-breaks-isc-to-kea-migration/10

@richardsago said in How to block internet access for client operating system's DNS over HTTPS: But there was no choice for "Null Block (logging)" "Null Block (logging)" works only when Python mode is enabled. @richardsago said in How to block internet access for client operating system's DNS over HTTPS: When I set Firewall > pfBlockerNG > DNSBL > DNSBL Mode to "Unbound python mode" we lose internet connection so I returned it to "Unbound mode" That's not a normal situation at all. You have a DNS issue then. Consider flipping everything back to default first. This is part of 'default' : [image: 1761299980769-cbdc6616-9081-4278-9c79-4bdfe0c1bbb6-image.png] In a nearby future, 'unbound' mode might as well be removed. You can see "python mode" as a plugin or addon to unbound. It's a script file that unbound uses Unbound uses 'python' as the interpreted script file language , and that's why we call it 'python mode'. It could have been a shell script, LUA, or whatever. This Unbound Python script has now been tested a couple of multiples of trillions times (every DNS request executed by every pfSense using pfBlockerng out there). It's a save bet that to say that there are no more known issues with it. About : [image: 1761299470957-65695ff4-201b-4cc3-9e67-c698baf3c661-image.png] You might as well remove all these. pfSense, the resolver, doesn't need any DNS servers (that you've assigned). It doesn't use them. Unbound is a resolver, which means it resolves using the official (root) DNS servers. No need to use some commercial offer from anybody. 8.8.8.8 and 8.8.4.4 are also revolvers btw. But why would you hand over your private DNS requests to these commercial entities ^? ^

@IanMcLeish said in Host overrides in DNS Resolver: Perhaps they are now not required No need to be unsure. Fact check. Question : what are the host names the my pfSense can resolve for me (knows about) ? : Answer : [image: 1761200903195-8fd4565d-732f-4eab-b7d8-79863fd657e9-image.png] and hit Execute.

Any thoughts on this?

@OsiMosi said in VLAN with dedicated VPN tunnel, DNS isolation, and kill switch — best practice?: PfBlockerNG ... can only interface with unbound. So your private DNS needs are covered/handled by PfBlockerNG, not polluted with the isolated network DNS requests, which are handled by dnsmasq.

So it lasted longer without issue but out of the blue it stopped responding again. Unluckily I couldn’t debug when happened so I don’t have further info to share. I will try again to make it happen and see what I get from the logs

@martinez said in DNS resolver failed to resolve some addresses: server that is authoritative for the org tld It is indeed one of the ORG authoritative servers: dig -x 199.19.57.1 ... ;; QUESTION SECTION: ;1.57.19.199.in-addr.arpa. IN PTR ;; ANSWER SECTION: 1.57.19.199.in-addr.arpa. 3274 IN PTR d0.org.afilias-nst.org. ... $ dig +trace wikipedia.org @1.1.1.1 ... ;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 5 ms org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS b2.org.afilias-nst.org. org. 172800 IN NS c0.org.afilias-nst.info. org. 172800 IN NS d0.org.afilias-nst.org. org. 86400 IN DS 26974 8 2 ... ;; Received 779 bytes from 2001:500:a8::e#53(e.root-servers.net) in 4 ms wikipedia.org. 3600 IN NS ns1.wikimedia.org. wikipedia.org. 3600 IN NS ns2.wikimedia.org. wikipedia.org. 3600 IN NS ns0.wikimedia.org. ... ;; Received 655 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 21 ms wikipedia.org. 180 IN A 185.15.58.224 ;; Received 58 bytes from 198.35.27.27#53(ns2.wikimedia.org) in 15 ms

@cmcdonald FWIW as of pfsense 2.8.1 this still seems to be happening. I had everything running fine for years with ISC and today opted to get rid of the KEA nag and it all just fell apart. Most of my Ring devices just get this: Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_CLASSES [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: Failed to allocate an IPv4 address for client with classes: ALL, pool_lan_0, UNKNOWN Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 address after 41 attempt(s) Oct 17 22:58:17 kea-dhcp4 20227 WARN [kea-dhcp4.alloc-engine.0x3ec6f4a16600] ALLOC_ENGINE_V4_ALLOC_FAIL_SUBNET [hwtype=1 90:48:6c:2d:4d:44], cid=[no info], tid=0x25b805e: failed to allocate an IPv4 lease in the subnet 10.3.2.0/24, subnet-id 1, shared network (none) Going to switch back to ISC for a bit and see if anything changes. Config looks legit to me and I can't imagine a subset of Ring cameras (all the same make/model) would have a bug - it's a pretty common vendor really.

@xana I am having the same exact issue. It will just suddenly stop working, the service is running but failing to respond. I have disabled DNSSEC and do not have ntop installed. The only way to restore service is to restart the unbound service. I am using encrypted DNS but that is the only difference from standard setup, I followed the pfsense docs closely when setting it up. Was not a problem until this version, but there are things in this version I need elsewhere so I cannot go back.

@4o4rh said in KEA Multi-Threading - reduce number of threads: The problem was I had a malformed json Yeah ... the concept solution is always easy. Then writing it correctly using the JSON format, that always needs a lot of trial-and-errors before you get it spot-on I'm adding a lot of settings already in the JSON Configuration bbox, for DHCP options, lease logger options, etc.

@jake9wi I'm glad that worked. I just went through hell to figure that out myself. It seems to be a new problem caused by a recent update. I'm not sure why some have the issue and others do not.

@Vollans Nice!

@Gertjan Yep, good call. Done! I do think the behavior I saw in the original post might be a bug, though.

@kj32 PEBKAC - Interesting, I always say it is a picnic.

@nasheayahu said in Change IP to Static Using pfSense?: and where did this user How set static IP for LAN Client in Pfsense get these column's from Looks like that post is from Updated on July 31, 2021 So yeah those screenshots are from an OLD version.. Now normal leases show their start and end time.. [image: 1760129920623-oldleases.jpg] And reservation would show na for start/end Those are old leases in my screenshots - like I mentioned most everything on my network has a reservation. That green up arrow just means that devices is currently in the arp table - so online. If it falls out of the arp table then pfsense would mark it with a down arrow, neither of those for sure 100% mean the device is online or offline - just means its either in the arp table or not.. The arp cache on pfsense expires by default 20 minutes.

@Gertjan steaig copy from pfSense. I'll post a screenshot when I get back home for proof

@cs08 I just encountered this issue and the root cause was the gateway monitor IP. I set it to 8.8.8.8 and the Check IP Service now works and the Dynamic DNS Clients are updating like they used to.