@DavidIr I just tried configuring Azure DNS in Dynamic DNS and I am seeing the same. I am on version 23.05-RELEASE.

The record exists already in the zone, I am trying to get pfsense to keep it up-to-date.

Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _update() ending. Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkStatus() ending. Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: phpDynDNS (test.<mydomain.com>): (Unknown Response) Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: phpDynDNS (test.<mydomain.com>): PAYLOAD: 400 Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkStatus() starting. Jun 3 16:32:37 php-fpm 13896 </html> Jun 3 16:32:37 php-fpm 13896 </body>\x0d Jun 3 16:32:37 php-fpm 13896 </div>\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</p>\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.DeserializeInputs(MessageRpc& rpc)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.UriTemplateDispatchFormatter.DeserializeRequest(Message message, Object[] parameters)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DemultiplexingDispatchMessageFormatter.DeserializeRequest(Message message, Object[] parameters)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.SingleBodyParameterMessageFormatter.DeserializeRequest(Message message, Object[] parameters)\x0d Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.SingleBodyParameterDataContractMessageFormatter.ReadObject(Message message)\x0d Jun 3 16:32:37 php-fpm 13896 at System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject(XmlDictionaryReader reader, Boolean verifyObjectName)\x0d Jun 3 16:32:37 php-fpm 13896 <p> at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)\x0d Jun 3 16:32:37 php-fpm 13896 <p>The server encountered an error processing the request. The exception message is 'There was an error deserializing the object of type Microsoft.WindowsAzure.Dns.Frontend.Common.DataStructures.API.Dns.CsmResourceRecordsPackageBody. The value '' cannot be parsed as the type 'Int64'.'. See server logs for more details. The exception stack trace is: </p>\x0d Jun 3 16:32:37 php-fpm 13896 <p class="heading1">Request Error</p>\x0d Jun 3 16:32:37 php-fpm 13896 <div id="content">\x0d Jun 3 16:32:37 php-fpm 13896 <body>\x0d Jun 3 16:32:37 php-fpm 13896 </head>\x0d Jun 3 16:32:37 php-fpm 13896 <style>BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; } #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; } A:link { color: #336699; font-weight: bold; text-decoration: underline; } A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; } A:active { color: #336699; font-weight: bold; text-decoration: underline; } .heading1 { background-color: #003366; border-bottom: #336699 6px solid; color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal;margin: 0em 0em 10px -20px; padding-bottom: 8px; padding-left: 30px;padding-top: 16px;} pre { font-size:small; background-color: #e5e5cc; padding: 5px; font-family: Courier New; margin-top: 0px; border: 1px #f0f0e0 solid; white-space: pre-wrap; white-space: -pre-wrap; word-wrap: break-word; } table { border-collapse: collapse; border-spacing: 0px; font-family: Verdana;} table th { border-right: 2px white solid; border-bottom: 2px white solid; font-weight: bold; background-color: #cecf9c;} table td { border-right: 2px white solid; border-bottom: 2px white solid; background-color: #e5e5cc;}</style>\x0d Jun 3 16:32:37 php-fpm 13896 <title>Request Error</title>\x0d Jun 3 16:32:37 php-fpm 13896 <head>\x0d Jun 3 16:32:37 php-fpm 13896 <html xmlns="http://www.w3.org/1999/xhtml">\x0d Jun 3 16:32:37 php-fpm 13896 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\x0d Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Data: <?xml version="1.0" encoding="utf-8"?>\x0d Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: date: Sat, 03 Jun 2023 14:32:37 GMT Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-routing-request-id: GERMANYWESTCENTRAL:20230603T143237Z:62223bf7-3bc2-40d0-ba3a-8f0576793a0c Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-correlation-request-id: 62223bf7-3bc2-40d0-ba3a-8f0576793a0c Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-request-id: 62223bf7-3bc2-40d0-ba3a-8f0576793a0c Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-powered-by: ASP.NET Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: server: Microsoft-IIS/10.0 Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-ratelimit-remaining-subscription-resource-requests: 11999 Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: strict-transport-security: max-age=31536000; includeSubDomains Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-content-type-options: nosniff Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: content-type: text/html Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: content-length: 3221 Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: cache-control: private Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: HTTP/2 400 Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _update() starting. Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS (test.<mydomain.com>): running get_failover_interface for wan. found pppoe0 Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): <myip> extracted from local system. Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkIP() starting. Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS: updatedns() starting Jun 3 16:32:35 check_reload_status 436 Syncing firewall Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Configuration Change: admin@192.168.20.199 (Local Database): Dynamic DNS client configured.

(private info redacted from logs)

@viragomann I tested and the "Redirect IPv4 Gateway" and "NAT rule" made it work.

BUT... I don't want all VPN clients using internet through VPN. Is there a way to make this work, without the "Redirect IPv4 Gateway" option checked?

@SteveITS I used the second option you mentioned.

But the problem is that the "domain override" was not working. As @viragomann mentioned, I needed to set the Active Directory DNS in "General Setup" and activate forward option in the DNS Resolver.

After that, I configured the OpenDNS IP (208.67.222.222) in the Active Directory forwarder.

Everything is working now, including the NAT rules that were conflicting.

FYI, everything is working. After additional checks, it was necessary to activate the DNS resolver like this:

text alternatif

@Johan1974NL

If this device is somewhat recent and a wifi device, and uses the MAC randomizer, this will mean it will use a random IP also.
Because : as soon as the MAC changes, the IP changes.

Blocking a moving target : hummmm, that's a no go.

The only feasible option is : bloc 'something' for the entire LAN using the option Dobby_ listed.

@GameHoundsDev I’m not sure actually.

So it didn’t work recreating the interface with a /24 mask?

It seems DHCP/PXE implemention is somehow broken in current v 2.6.0. In my setup there is no any VLAN, but EFI machines are requesting "BIOS" boot file from TFTP server. I think it worked normally in some previous version.

@jamesjose03

What is a VM here, pfsense and some other guest - just pfsense? Just some guest vm you have running on what proxmox, esix, virtualbox, hyper-v, qemu ?

What are you restarting exactly? The dns that is provided by dhcp - your saying pfsense is not handing that out? In the dhcp offer? Did the client ask for it?

Lets see your dhcp packet capture.. Example - here is a dhcp exchange..

dhcpjpg.jpg

You can see in the discover and request client asking for dns, and in the offer and ack the dhcp server sending the info.

So your saying even though the dhcp client asks for dns - the dhcp server is not sending it?

But then you restart "network" which means what exactly? Reboot the vm, reboot the host, disable enable some interface either physical or virtual? Some other network reset in the os like "netsh int ip reset" in windows?

@SteveITS said in iCloud Private Relay:

@DefenderLLC I think you’re missing the trailing period:

local-zone: "mask.icloud.com." always_nxdomain

https://jpgpi250.github.io/piholemanual/doc/Block%20DOH%20with%20pfsense.pdf#page14

I actually had it in there originally. Apparently it just takes awhile for the device to recognize that iCloud private relay is no longer available. I ended up going down the pfBlocker path since it has so many other predefined options for blocking DoH and DoT services. Thanks.

@KimbleWorshack Great that you could resolve this. 23.05 seems to fix all other bugs for me aswell.

@mohsh86 i registered an account just to say thank you for this!

Just this one :

@ibbetsion said in When trapping rogue DNS requests, logging looks strange:

That means family will scream at me for X device not working

That's the ever ongoing discussion between "you and the others".
You : want to protect the entire network, and also from the others hurting themselves and/or your LAN. You don't want them to shoot in their own foots. Everybody knows all about security and that they should be careful .... and then they tap on the "Install tiktok" button.
Life is hard, .... but we keep on smiling.

@stephenw10
Could you or any other Netgate representative confirm that pfSense doesn't send gateway info when no WAN connection is up, e.g. when no WAN cable attached or service down?

This from the Netgate docs:
"DHCP also sends configuration information to clients such as a gateway, DNS servers, domain name, and other useful settings." See here.

I have a factory reset SG-1100 here with only LAN cable attached and my macbook gets no gateway info, just IP and DNS.

@scorpoin said in unbound stop after pfblockerng upgrade:

@jdeloach Thanks for your prompt response, list indeed has not been updated except pkg it self. As I mentioned that this behavior occurred right after pkg upgrade.

Cront job start at 12Pm and its been running till now 3:20Pm still running at TLD finalizing.......
and service of unbound stopped so I had to start it manually . How do I fix this or find out root cause of this behavior to resolve it.

DNSBL status on main dashboard turn yellow out of sync as well.

Regards

This has been an issue for a long time for some folks, myself included. It seems to occur most often when one has a lot of large block lists. The maintainer, @BBcan177, was aware of it and I thought Netgate had come up with a fix for it but I guess it is still happening.

@maestrx I do know what the difference between an L2 and L3 switch are. The L3 switch would perform the relay function, which depending on the manufacturer may or may not work well. I know on the Cisco Catalyst switches, it worked without any issues.

@kenw said in Intermittent DNS Falure:

@steveits Thank you so much for your help in better understanding how DNS in pfsense works!
I have made the following changes and will monitor the results over the next few days.

1/ System Domain local Zone Type: Transparent (unchanged)
2/ Enable DNSSEC Support: UnChecked (changed)
3/ Enable Forwarding Mode: Checked (changed)
4/ Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Checked (changed)
5/ Register DHCP static mappings in DNS Resolver: checked (unchanged)

I also checked system logs for unbound restarts and saw only 3 in the month of April.

System has been running without problems for 2 weeks after applying the above changes. problem seems to be resolved.

If you're running 23.01, it's likely this bug we fixed in 23.05:
https://redmine.pfsense.org/issues/14091

@johnpoz said in DNS unresponsive to clients:

@robbiett where is your local host in your listen?
Its hard to see can you not expand that box?

Small walk of shame for me as I didn't know the box could be simply dragged to expand it. 🤷

2023-05-22 at 08.42.44.png

[Using Safari in screenshot]

☕️

@johnpoz said in About blocking DNS 53 on WAN interface:

unless he was doing a floating rule on wan interface in the outbound direction, which is what I think he was doing.

Exactly what I am doing.
Everything out on WAN using dest port udp 53 is blocked.

At suggestion of Xfinity rep, I exchanged the DB7 modem/router for newer DB8. Now when I enable Bridge Mode all works fine. I pulled an IP address from a completely different block of IP addresses. Not sure how they go about assigning the IP addresses. Now the issue with DDNS running in non-Bridge Mode is a moot point. Thanks again for your assistance.

@baah

If DNSSEC is activated, a helper app ( unbound-anchor ) is started to retrieve the DNSSEC root key file first.

Try this for yourself :

/usr/bin/su -m unbound -c '/usr/local/sbin/unbound-anchor -a /tmp/key -F -v'

I've added the switches -F and -v for more verbose output.

Take note : after running "unbound-anchor -h" :
I presume that unbound-anchor does it's own resolving, using DNS root server hints (the IP addresses are hard coded in the executable so it can boot trap resolving itself as no DNS resolver is available yet on the system).
It's a modern app : it will use IPv6 first, and fall back to IPv4 if that doesn't worked out.
If you suspect IPv6 issues, add a "-4" here, right after the "-a", to force IPv4 usage.

edit :

Welcome to Netgate pfSense Plus 23.01-RELEASE... No core dumps found. ...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/freeradius-3.0.25 /usr/local/lib/ipsec /usr/local/lib/mysql /usr/local/lib/perl5/5.32/mach/CORE 32-bit compatibility ldconfig path: done. >>> Removing vital flag from php81... done. External config loader 1.0 is now starting... nvd0p1 nvd0p2 nvd0p4 Launching the init system...Updating CPU Microcode... CPU: Intel(R) Atom(TM) CPU C3338R @ 1.80GHz (1800.00-MHz K8-class CPU) Origin="GenuineIntel" Id=0x506f1 Family=0x6 Model=0x5f Stepping=1 Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE> Features2=0x4ff8ebbf<SSE3,PCLMULQDQ,DTES64,MON,DS_CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,TSCDLT,AESNI,XSAVE,OSXSAVE,RDRAND> AMD Features=0x2c100800<SYSCALL,NX,Page1GB,RDTSCP,LM> AMD Features2=0x101<LAHF,Prefetch> Structured Extended Features=0x2294e283<FSGSBASE,TSCADJ,SMEP,ERMS,NFPUSG,MPX,PQE,RDSEED,SMAP,CLFLUSHOPT,PROCTRACE,SHA> Structured Extended Features3=0xac000400<MD_CLEAR,IBPB,STIBP,ARCH_CAP,SSBD> XSAVE Features=0xf<XSAVEOPT,XSAVEC,XINUSE,XSAVES> IA32_ARCH_CAPS=0xc69<RDCL_NO,SKIP_L1DFL_VME,MDS_NO> VT-x: PAT,HLT,MTF,PAUSE,EPT,UG,VPID,VID,PostIntr TSC: P-state invariant, performance statistics Done. done. Initializing.................. done. Starting device manager (devd)...done. Loading configuration....done. Updating configuration...done. Checking config backups consistency.................................done. Setting up extended sysctls...done. Setting timezone...done. Configuring loopback interface...done. Starting syslog...done. Starting Secure Shell Services...done. Setting up interfaces microcode...done. Configuring loopback interface...done. Configuring WAN interface...done. Configuring LAN interface...done. Configuring IDRAC interface...done. Configuring PORTAL interface...done. Configuring CARP settings...done. Syncing OpenVPN settings...done. Configuring firewall......done. Starting PFLOG...done. Setting up gateway monitors...done. Setting up static routes...done. Setting up DNSs... <==== 3 seconds or so Starting DNS Resolver...done. Synchronizing user settings...done. Configuring CRON...done. Bootstrapping clock...done. <==== this took a couple of seconds Starting NTP Server...done. Starting webConfigurator...done. Starting DHCP service...done. Starting DHCPv6 service...done. Configuring firewall......done. Starting captive portal(CPZONE1)... done <==== this took 10 seconds or so, as several portal users were connected while I decide to restart .. Enabling voucher support... done <=== strange, voucher support is disabled Generating RRD graphs...done. Starting syslog...done. Configuring filter for dynamic IPsec VPN hosts... done Starting CRON... done. Starting package AWS VPC Wizard...done. Starting package IPsec Profile Wizard...done. Starting package Netgate Firmware Upgrade...done. Starting package acme...done. Starting package Cron...done. Starting package Notes...done. Starting package nut...done. Starting package System Patches...done. Starting package OpenVPN Client Export Utility...done. Starting package freeradius3...done. Starting package Shellcmd... done. Starting package Avahi...done. Starting package Filer...done. Starting package Backup...done. Starting package pfBlockerNG-devel...done. Starting package OpenVPN Client Import Utility...done. Starting package Service Watchdog...done. <==== WTF : forgot about this one, have to remove it asap. Starting /usr/local/etc/rc.d/munin-node.sh...done. Starting /usr/local/etc/rc.d/pfb_dnsbl.sh...done. Starting /usr/local/etc/rc.d/pfb_filter.sh...done. Starting /usr/local/etc/rc.d/shutdown.nut.sh...done. Netgate pfSense Plus 23.01-RELEASE amd64 Fri Feb 10 20:06:33 UTC 2023 Bootup complete

The entire reroot sequence : from kernel loaded to boot menu shown : 30 seconds ?

I've several pfSense packages, notably FreeRadius

WOW! Thank you all.
I now feel a lttle better with my choices.
It boils down to this: do I trust quad9 over cloudflare or google, for example?
Yes. Based on the research I did about them. And it seems I am not the only one. But it is exactly and only that: trust.

Thanks again for all your good inputs.

Dear Gertjan,
First of all: thank you very much for the time spent on your part, I highly appreciate that 😊. I will reply below:

@gertjan said in iPhone w/ manually configured IPv4 - not in DHCP leases list:

The thing is :
When you set manually the IP details like IP, gateway and DNS, you de activate the DHCP (client) process. The device needs IP info to use a network. It can use DHCP, and this is the default method.
Or you do it manually.
It one or the other.

Quite right. UniFi works differently and does list devices with IP set manually-in-device. Like you said, I have now come to understand that pfSense only shows actual leases (i.e. issued by the pfSense DHCP Server service) on the "DHCP leases" page. Oh well.

Furthermore, devices with manual IP configured-in-device actually do function properly and firewall rules with exceptions based on IP actually do work for these devices too, even though we can't see them in the leases list. But I like seeing them so I'm back to all DHCP now.

Discover the magic :

c41ca5ca-c22a-44ba-99ed-89e5955c7235-image.png

😊

Yes I am familiar with this setting and I've used it successfully in the past for quite some time.

Rogue IP lease monitoring
At some point, couple of years ago, I went back to "Allow all clients" because I wanted to monitor the leases list to make sure there weren't any rogue IP clients popping up on the grid. So because all my devices have static mappings, basically all was well as long as no new leases in the DCHP pool would come up.

But then Apple introduced Private WiFi - randomized MAC and of course new leases popped up for every iOS device, hence the attempt to revert to manual-in-device IP configuration (see above).

It took a while for me to discover (my bad) that the Private WiFi option is selectable per WiFi network so initially I let it play. Soon after that, I figured out I can set their devices to Private WiFi OFF for the home WiFi SSID and ON for everywhere else. Great insight.

So I set all family iOS devices to Private WiFi OFF and reworked the static mappings list. So far I have still kept DHCP settings at "Allow all clients" for this particular VLAN to be able to monitor new devices connecting.

But there must be a smarter way to do this 😓

Of course I could re-enable "Allow known clients from only this interface" and rely on the firewall to let no other devices connect in the first place, which is what others on this page do.

When they, kids etc, decide to delete the Wifi profile

I suppose by deleting the WiFi profile you mean they tap the network and then tap "forget this network"?

, and re connect from scratch, [...]
So, no need to explain what so ever to the wife or kids : it's an auto learning process.

Ah yes, now I know for sure that is what you meant - forget this network.

They do something wrong, they assume the consequences.

Okay, I am now very seriously considering to turn on "Allow clients from only this interface" again.

But...

@cabledude said in iPhone w/ manually configured IPv4 - not in DHCP leases list:

Is there any way to receive alerts from pfSense in case someone tries to get in?

There are many options.
Use the LAN interface for yourself, and only accepts trusted devices on this network.
Everybody else : on another (OPT1) interface, where you simply block all traffic that wants to go the the OPT1 IP (= pfSense): Block port 22, 80 an 443, and you'll be fine.

I created separate VLANs, which may or may not be what you mean, but VLANs are effective.
However my own "trusted" devices currently are in the same VLAN as the other family phones, pads, laptops. like you did, I may move my own to the LAN, thanks for the suggestion.

Use a difficult password.

Obviously got that, it's in my iCloud Keychain.

See what System > Advanced >Admin Access => "Login Protection" can do for you.

Added some fields there, thanks.

So far I have used OpenVPN to access pfSense from outside the firewall and that is the most secure.

I am now considering using Synology reverse proxy (with domain name and certificate) to allow for easy access to pfSense, outside and inside. But something is holding me back. HTTPS should be secure but attackers can get to the login screen easily. I disabled the admin account, but still...

Please confirm that you 😊 right now.

😊 😊 😊

@42sec This is what I use.
https://github.com/markster17/unbound/tree/main

@johnpoz said in Unbound DNS resolver - high latency at resolution of local mappings:

@carpet said in Unbound DNS resolver - high latency at resolution of local mappings:

I do not understand why local DNS entries are checked against pfblocker blacklists with unbound

You understand how it blocks is it creates local entries for say baddomain.tld points to 127.0.0.1

If you have 10,000 entries in your local db, then looking for fw01.localdomain takes a bit longer.. vs looking through 100 records..

I understand now.
I expected unbound only checking blacklists as a second step (and not creating these entries at the same level)

@steveits thanks - that's interesting. I'm not forwarding to quad 9 but I'll check and see if disabling aslr makes a difference.

@t__2
For me it wasn't the upgrade so much as a clean install after the upgrade. Has been totally fine since the flash install.

@panjali-ganiyev hmmm, other than looking back through logs of dhcp I am not aware of a way to know that. static leases don't show up in the dhcpd.leases file

If you handed off your logs to some syslog server it should be quite easy to look up some mac or IP for when the was the last time it got a lease.

Please help. How to automatically remove reserved MAC addresses from DHCP Static Mappings, for example, not active for 2 months?

@spacebass The only way I found to do it is to use samba's DHCP server (isc-dhcp-server) with the following script:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
In pfsense, if you have other networks, you would need to enable DHCP relay option.

Perhaps there is another way of doing it that I'm currently not aware of.

You would use the samba's DNS server too.

There is a very nice discussion about the DNS side of it here: https://forum.netgate.com/topic/176888/using-pfsense-as-firewall-and-windows-server-as-dhcp-and-dns-server-re-hash?_=1683907911478

@penguinpages said in DHCP - Long Lease Allocations:

Kea

https://redmine.pfsense.org/issues/5413#note-49

@jerryf72 Did you install the patches from the System Patches package and restart? There is one to disable unneeded 3am cron jobs that (per other long threads) filled up ZFS ARC memory. The cron jobs are disabled in 23.05.