@Vollans said in ISC vs KEA - KEA always wrong: Solar upgrade Not the hardware Just the the firmware. Anyway : I still suspect it isn't a kea issue as it clearly says : 10.0.1.2 can be given as another device is using it. Afaik, kea does a network network broadcast for "who has 10.0.1.2") first and no device should answer. Apparently, some one answered. What about an ARP packet capture to see who answers ?

Wow! Yall have been most helpful. Thanks!

@patient0 thank you for pointing me to the right direction for troubleshooting as a side note it seems that I am able to keep System Domain Local Zone Type: static by marking the specific domain as transparent in the DNS Resolver Custom options via server: local-zone: "m.internal.domain.com." transparent it seems working so far

@EngineerSB do you have such Entires in the system log? kernel sonewconn: pcb 0xfffff803cd9fb540 (**IP**:53 (proto 6)): Listen queue overflow: 193 already in queue awaiting acceptance (267 occurrences), euid 0, rgid 0, jail 0 kernel sonewconn: pcb 0xfffff803cd9fb540 (**IP**:53 (proto 6)): Listen queue overflow: 193 already in queue awaiting acceptance (179 occurrences), euid 0, rgid 0, jail 0 ...

@Gertjan said in Kea DHCPv6 and clients with unstable IAID: @rolfl said in Kea DHCPv6 and clients with unstable IAID: by adding /usr/local/lib/libdhcp_flex_id.so to ... wouldn't that be : /usr/local/lib/kea/hooks/ for pfSense ? I found some kea libraries there. Correct, I must have been copying from a google search. Regardless, the file isn't there. I you could find a pre build "libdhcp_flex_id.so" (build against FreeBSD 15.x - light up a candle, and copy it in place) it might just work. PfSense is using Kea 2.6.2. Apparently pre 3.0 Kea had this library as a premium feature and requires a token to enable it. Btw : just to be sure : these devices use Wifi, right ? So it could be the wifi that 'breaks' every 10 minutes, so a DHCP initial 'boot' request will get emitted every time ? That stull doesn't expmlain why the IAID is randomized like that. I have checked unifi logs for the devices and there is no evidence of disconnect/connect behavior for wifi. If this isn't the case, why not mentioning the device by type, serial number, brand etc ? So we will all know what device not to chose at any cost, as it is known that every constructor out there wants to break IPv6, and some of them are doing a great job. I did mention that the brand was TAPO / TP-link, particularly the matter compatible wifi light switches. The model numbers are: S505, S505D, S515, P125M.

@JonathanLee said in Serving different WPADs per subnet with Unbound: for Netflix not liking the HE ipv6 tunnel That was also solved with the help of pfBlockerng : [image: 1758778353680-eca53c7f-080b-4bc2-ab1a-cf4abc9e9f38-image.png] and enter all the domain names you don't want to be resolved as AAAA, only A. In my he.net days, this worked very well.

@johnpoz said in Why not a CNAME?: But I am not aware of anyway to dynamically change what fqdn a cname record points to other than via a API into the dns.. Or maybe you could script something with unbound-control. Agreed.

@WN1X I'm on community. 2.8.0-RELEASE It was released in May.

Hello, Has anyone else encountered similar problems?

@Gertjan said in There was an error trying to determine the public IP for interface - wan (mvneta0 ). DDNS not working..: dig @127.0.0.1 checkip.dyndns.org +short Thanks for having a look! I have removed those wan-rules now. And here are some outputs: [image: 1758183115943-screenshot-from-2025-09-18-10-10-43.png] [image: 1758183115960-screenshot-from-2025-09-18-10-10-22.png] And: "That's a script I wrote years ago. Totally forgot about it. That web site and host name is 'mine' " you are a god!

@Gertjan That works perfectly thank you so much! Enabling DNS Query Forwarding seems to be the correct setting for us. I think what was throwing us off was the wording "or those obtained by dynamic interfaces such as DHCP". Obviously we can't have that. However the qualification "if DNS server override is enabled there", which it is not, so that just didn't apply. [image: 1758142364307-045a144c-7f19-4446-bea3-d346a86e5919-image.png] Now if I have a DNS address specified it works, and if that server is unreachable for any reason it doesn't. That is what I want. Again thank you so much. I can now move on to step 2 +++ ;) We will take further steps to deal with DoT and DoH as you and others have mentioned.

@Luca-De-Andreis said in After restart, Unbound DNS Resolver don't work: @Unoptanio Yes, its true. Setting ALL:ALL the DNS works correctly from system restart without manually restart daemon (after reboot) ! I've just tried now. Wow, just tried this too and after years of dealing with it - it's fixed. Thank you!

Hopefully this isn't an ongoing bug because it's pretty crippling.

@Gertjan said in Crash report: @pf_ltu said in Crash report: kea2unbound If you are using pfBlockerng, then here is the solution. SOLVED thank you @Gertjan

@Gertjan Thank you, I look through the last 500 entries in the log and there was nothing but repeat entries, nothing about starting and stopping the dhcp server, only the one you see where I started it again. Thank you for pointing out thisight be an old bug, I will update as soon as I can.