This is in the wiki as well.
Yes - and that page also misses a big gotcha.
As someone coming from dnsmasq / "forwarder" I had multiple host overrides too.
Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match. So you need to delete all the host overrides that use the same subdomain.
If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.
I don't really give 2 shits about your product... You should be reaching out to the OP that is having the hard time with this.. Not me ;)
The question you can answer is: simple, easy-to-understand instructions for how to make it work with unbound.. If you have had a few pfsense users reach out to you, you would think you would already have this documented on your site..
NO NO NO... Method 1 should be the last freaking option... And only used when there is some crap application that has your public IP hard coded or something.. Nat reflection is pure evil and an abomination...
It takes two seconds to do a host override... I would suggest you take the time to figure out what you were doing wrong with your override.. You put in the forwarder when you're using the resolver - have seen that a few times ;) Your client not using pfsense as DNS for sure would be an issue.
Client using both pfsense and some external dns also common mistake since you can never be sure what dns a client will use when you have more than 1 listed.
You would only get a rebind error if pfsense is looking elsewhere for the record. A host override would be served up from it and rfc1918 is fine.. Only when it forwards/resolves, or you have set a domain override pointing to some other NS and it gets back rfc1918 for a query, is that a rebind. Which you solve by setting the domain to private if some local DNS is what you are querying for this record via domain override, etc.
With Namecheap you do not use the username and password for your account. Leave the username blank, and the password is the API token you received in the Namecheap web interface when you enabled Dynamic DNS for your domain.
Again - you can hand out the domain for the client.. whatever you want.. Doesn't mean client will use it, etc. depends on the client.
But registering the dhcp leases into unbound only uses the pfsense domain. If you want to do something like what you're talking about with multiple domains.. Use bind and have the clients register themselves into your specific domains.
Off the top of my head I do not believe unbound allows for DNS registration of clients because it's not really meant as an authoritative NS to be honest.
Re: Only LAN shows up for DHCP Server interfaces?
Thank you everyone!
That was it, I didn't notice that it had defaulted to 32. The subnet mask has been appropriately set and it is working now.
Thank you again!
Found the problem: the AWS reply contained private IP addresses, and they were dropped by the default pfsense setup.
See https://www.netgate.com/docs/pfsense/dns/dns-rebinding-protections.html for how to enable "Private Address support".
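The behaviour described in these two posts (a host override is answered locally and never triggers rebinding protection, while an RFC 1918 address coming back from a forward/resolve is dropped unless the domain is marked private) as an added example. This is a constructed Python model of that logic, not unbound's or pfSense's own code; the names and addresses in the sample tables are made up.

```python
import ipaddress

# Ranges that rebinding protection treats as "private" (constructed list
# covering RFC 1918, link-local, loopback and ULA; not unbound's exact table).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fd00::/8", "fe80::/10", "::1/128",
)]

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

def under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (case/dot insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def resolve(qname, host_overrides, upstream, private_domains):
    """Model of the resolver's decision for one A/AAAA query.

    host_overrides: {fqdn: [ip]} served from local data, never rebind-checked.
    upstream:       {fqdn: [ip]} simulating what forwarding/resolving returns.
    private_domains: domains for which private addresses are allowed back.
    Returns (answers, reason)."""
    key = qname.rstrip(".").lower()
    if key in host_overrides:
        return host_overrides[key], "local-data"
    answers = upstream.get(key, [])
    trusted = any(under_domain(key, d) for d in private_domains)
    if any(is_private(a) for a in answers) and not trusted:
        # Rebinding protection: strip the answer (the client sees SERVFAIL/empty).
        return [], "dropped: private address in non-private domain"
    return answers, "upstream"

# Constructed sample data.
HOST_OVERRIDES = {"nas.home.arpa": ["192.168.1.10"]}
UPSTREAM = {
    "ip-10-0-0-5.ec2.internal": ["10.0.0.5"],   # AWS-style reply with a private IP
    "vpn.corp.example": ["10.8.0.1"],           # served by a domain override
    "www.example.com": ["93.184.216.34"],
}
PRIVATE_DOMAINS = ["corp.example"]

if __name__ == "__main__":
    for q in ["nas.home.arpa", "ip-10-0-0-5.ec2.internal", "vpn.corp.example", "www.example.com"]:
        print(q, resolve(q, HOST_OVERRIDES, UPSTREAM, PRIVATE_DOMAINS))
```

Marking `corp.example` private is what makes the third case succeed; remove it from `PRIVATE_DOMAINS` and that answer is dropped too, which is the "private address support" setting the linked doc describes.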
Did your clients receive by DHCP an IP for the DNS server, i.e. this 'host' (on a VM) that is your Nxfilter?
If so, then all ok, you just have to make this Nxfilter thing work.
How, I don't know. Don't know what "Nxfilter" is.
bullshit is a good word to describe such nonsense for sure. Shit, windows and many OSes would bitch at you trying to set a gateway when you have a /32 bit mask. Since any gateway you set would be outside your mask.
The fact that you can use the internet, i.e. talk to your gateway which is outside your mask - shows you that you can talk to other devices ;)
So why would you think you could not talk to other devices on the same wire?
@jeetu3363 said in need to resolve external website ip instead of internal dns ip:
this is big office with many branch offices so it is hard to change the local domain name
No it isn't... Shouldn't have ever been started in the first place.. Your computers are members of AD, that can be a pain. But you make no mention of AD.. This is a pfsense site, not MS support.
Your domain there is mylocal?? That sure as F is not a public domain.
How about you actually go into what is the problem.. Your domain listed there in pfsense is mylocal which is not a public domain.
but my domain name is same like the website ( internal dns is abc.com and the external site is also abc.com
This is NOT what you're showing in pfsense with a single label domain. What exactly is resolving wrong.. You have host.abc.com on the public internet that resolves to public 126.96.36.199? What exactly is on the local network that is resolving wrong?
Will the bug finally be resolved with 2.4.4?
The bug report has been open for 8 months now. Although we tried to mitigate the problems when they occurred for the first time for us in November, we still had problems every time filterdns stopped.
If you're affected by the bug, the problems will in many cases be critical, as either access will be allowed when it should be blocked, or, if you're using a whitelist approach, systems or services will break because of the connection problems.
Right. So, like I said in a reply near the top, my Pi Hole nukes streaming media regularly, so I put my regular clients on the Pi Hole for DNS, and my streaming clients on my provider's DNS servers. And it worked, but only after a reboot, which was strange, but oh well.
Thanks to all.
Putting rfc1918 in a public dns is almost always BORKED... And yes anything worth anything would not hand that back to a client because of possible rebind.. Because again rfc1918 in a public domain is just borked ;)
This is it! Thanks, now it's working fine! Thanks.
@stan-qaz said in Auto-renew DHCP after outage:
@e4ch I had to set pfSense to reject the DHCP info offered by my cable modem when it is not connected to the Internet; that causes pfSense to wait to do a DHCP request until I'm on-line and getting DHCP information from my ISP instead of the internal modem server.
Reject leases from
To have the DHCP client reject offers from specific DHCP servers, enter their IP addresses here (separate multiple entries with a comma). This is useful for rejecting leases from cable modems that offer private IP addresses when they lose upstream sync.
I don't think anyone else has requested the feature before. You can open a feature request on https://redmine.pfsense.org/ with that config example and it shouldn't be too hard to add. Probably not going to make it in the next version, but at some point in the future.
@alexis-girardi said in No DNS resolution on LAN:
if I don’t state a server dig doesn’t send a request
What version of dig are you using? I have seen this on 9.12 versions if DNS is not in the resolv.conf file, etc.. On windows; I have not tried 9.12 on other OSes. So you have to place a default NS in this file.
If you want to validate client dns resolve - you should use its built in client.. Something as simple as a ping for example to validate it can resolve.
@pfkomrad said in Can you implement DNS Round Robin for local IP's?:
Ideally though, this should be hidden from the client
For what possible reason? If you have 2 piholes that resolve the same stuff, then hand them both out to your clients. Any client is going to be smart enough to move to the other listed ns if the first one does not answer.
If you want your piholes to resolve your dhcp clients names - then forward them to pfsense that is acting as your dhcp server.
So clients ask pihole, if asking for www.domain.com and not blacklisted, it forwards to pfsense that resolves it or forwards (however you like it to work - resolving is default pfsense setup). If it's a local domain, then pfsense would respond and pi-hole would hand it back to the client.
Seems like you're overthinking something that is quite simple. I also don't get the need for registration of dhcp in a home setup to be honest. If there is something you want to be able to resolve - why not just make sure it's always on the same IP, either with static and host override or dhcp reservation, and let pfsense register the registration.
Clients can list as many ns as you want.. The only thing you need to be sure of is any and all of the listed ns for the client need to resolve the same stuff. You can point client to say pihole and google and then wonder why sometimes fqdn is blocked and sometimes its resolved. You can never be sure what ns a client will query when you list more than 1, doesn't matter what order you hand them to the client. ALL ns listed on a client need to be able to resolve the same stuff, or block the same stuff, etc. Pointing a client to 1 ns that can resolve local, and another that can not is asking for failure.
@virgiliomi The hostname is in the URL, and it works to update the DDNS. It is just that I see an error message when there is no error.
I am also using the same service for the Custom in IPv4 but it doesn't throw an error message.
Thank you - and I did as you suggested and got 2.4.4 devel installed now. Also, thanks for your thoughts on using lan. I am going to research that and I did learn something ( very enlightening )- I truly appreciate you
@simpleone said in Unbound DNS Resolver, Domain Overrides to IP across OpenVPN tunnel interface.:
it was simultaneously appending the pfsense’s local domain suffix to those same queries,
That would be your client using suffix search that has nothing to do with unbound. Unbound would never nor could it add a suffix to a query. it is only going to resolve or forward what is asked of it.
And yeah, since there is no override for it, yes it would try and resolve it the normal way. You can stop those from happening by changing your zone type to static. I personally think this should really be the default zone type vs transparent.
@thenarc said in DNS setting and redirection:
@mikekoke Well if a device is set to use 188.8.131.52 as a DNS server, you're going to see that in the states. But just seeing it in the states doesn't mean that pfSense is allowing it to use 184.108.40.206. It's saying "This client asked to do a DNS query to 220.127.116.11, but I'm redirecting that query to 127.0.0.1 since you told me to." And from there, unbound (the DNS resolver) takes over and forwards it to 18.104.22.168 since you configured it for forwarding mode.
Thanks again for the clarification; it's just that I have only been using pfSense recently and with some things I still have problems.