Update: I increased the DNS cache size from 20k to 50k, and that seems to have resolved the issue: the long average recursion time dropped from 100+ seconds to less than 2 seconds. The number of DNS queries dropped from about 40k per minute to less than 400 per minute. I guess the too-small cache size was the key root cause.
BTW: what about using unbound (so no DNS forwarding, if I understand it correctly) and creating views in the console, like in a (somewhat different) case here: https://lexxai.blogspot.com/2017/11/pfsense-dns-views.html
Could I use this to separate DNS queries per interface/gateway?
In Interfaces > Bridges you can define a new bridge and add interfaces to it. Then go to Interface Assignments, assign an interface to the new bridge and enable it. No further settings are needed on the bridge interface.
But before that you have to ensure that there is no configuration on the VLAN 10 interface. It only has to be enabled.
However, this setting results in VLAN 10 going down when WAN goes down. To avoid that you can move the IP settings from the WAN interface to the bridge.
Just to make it a bit more complicated ;-) I do see exactly that behaviour all the time when my WAN connection has been broken and comes back. At the moment we have a not-so-stable cable connection, so I have had that several times in the last 5 days. No reboot of the pfSense box has been done, just the WAN connection was down and came back.
I also have pfSenseNG running. Wondering if this might have some influence here.
Ok, a quickie:
The DHCP server maintains a file on disk with outstanding and outdated leases.
See it here: /var/dhcpd/var/db/dhcpd6.leases: a small file with extremely readable content.
When you check this box:
It does not interact with unbound, the Resolver. Nor with the "dhcpd" daemon, the DHCP server for one or more LANs.
Checking this box launches another program that keeps on running - another daemon.
I'll check the box for a minute so I can show it to you:
Look at the program - it's open source, so a click opens the source and you can read it.
I'll recap:
It puts a 'watch' on the /var/dhcpd/var/db/dhcpd.leases file. When it changes (because a new lease came in and the dhcpd server updates the file), the dhcpleases daemon reads it, reads the host file, and writes it to /var/unbound/dhcpleases_entries.conf. unbound reads this file when it starts. Open it to see what's in it ^^
Finally, the dhcpleases process restarts unbound.
Cool, right?
It restarts unbound on every new or renewed DHCP lease.
You have one PC? => No big deal.
You have 8 LANs and 6000 devices? => unbound gets chain-gunned.
Example: you bought this nice home automation thingy device on AliExpress - let's say your new door bell with webcam. It asks for a new lease every 60 seconds (because it loses its wifi radio signal, reconnects, launches a DHCP request, and again and again). And unbound gets restarted every 60 seconds. People wind up posting here to ask "why".
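The watch-and-regenerate step described above, as an added illustration that is not the dhcpleases daemon's own code: a Python parser that reads ISC dhcpd.leases syntax (the constructed sample below stands in for /var/dhcpd/var/db/dhcpd.leases), keeps only the last active binding for each address, and renders local-data and local-data-ptr lines in the form I assume dhcpleases_entries.conf uses. The domain home.arpa, the hostnames and the exact line format are assumptions. Two defensive additions not claimed for dhcpleases itself: client-hostname is data the DHCP client chose, so only a clean single label is published, and reload_needed shows that a renewal which leaves the rendered file unchanged gives no reason to restart unbound.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax (IPv4 leases only; the v6
# file uses a different grammar). The same IP can appear several times: the
# LAST block for an IP is its current state, and a binding that ends up
# "free" has been released, so its name must disappear from DNS.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2021/04/21 10:00:00;
  ends 3 2021/04/21 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "doorbell";
}
lease 192.168.1.51 {
  starts 3 2021/04/21 10:05:00;
  ends 3 2021/04/21 12:05:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "wlan0";
}
lease 192.168.1.53 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "printer";
}
lease 192.168.1.50 {
  starts 3 2021/04/21 10:30:00;
  ends 3 2021/04/21 12:30:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "doorbell";
}
lease 192.168.1.53 {
  binding state free;
  hardware ethernet 00:11:22:33:44:77;
}
lease 192.168.1.52 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "Kitchen Lamp";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
# Anchored at line start so "next binding state ..." is not mistaken for the state.
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.MULTILINE)
HOST_RE = re.compile(r'^\s*client-hostname\s+"([^"]*)";', re.MULTILINE)
# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def parse_leases(text):
    """Map IP -> client-hostname (or None) for every lease that is still active."""
    current = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state = STATE_RE.search(body)
        if state is None or state.group(1) != "active":
            current.pop(ip, None)  # released or expired: drop any earlier entry
            continue
        host = HOST_RE.search(body)
        current[ip] = host.group(1) if host else None
    return current


def unbound_entries(leases, domain):
    """Render local-data lines for unbound (assumed format, see lead-in).

    client-hostname is chosen by the client, so it is treated as untrusted:
    a name that is not a single clean label (spaces, embedded dots that could
    claim a name in another zone) is skipped rather than published.
    """
    lines = []
    for ip in sorted(leases, key=lambda a: tuple(int(o) for o in a.split("."))):
        name = leases[ip]
        if not name:
            continue
        label = name.lower()
        if not LABEL_RE.match(label):
            continue
        fqdn = f"{label}.{domain.rstrip('.')}."
        lines.append(f'local-data: "{fqdn} IN A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}"')
    return lines


def reload_needed(previous_lines, new_lines):
    """A renewal that changes nothing in the rendered file needs no restart."""
    return previous_lines != new_lines


if __name__ == "__main__":
    print("\n".join(unbound_entries(parse_leases(SAMPLE_LEASES), "home.arpa")))
```

Running the block prints two entries each for doorbell and wlan0: the printer lease was released, the lamp's hostname contains a space and is skipped, and the doorbell's second block is a renewal that changes nothing, which is exactly the case where a restart-on-every-write daemon does needless work.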
I am not sure I am clear on what you're asking. Is this what you mean?
Example: I have a bunch of smart lightbulbs. They all report a name of wlan0.
It's not very helpful, I agree. Which one is which is the question.
So I set them all to have a reservation in DHCP, and give them a hostname in the reservation. Now I can access them via their FQDN, I can resolve their IP to their name, etc. etc. So I know exactly which device is what.
It was a bit of a pain to set up, matching which MAC was which device. But it was a one-time thing. Is this what you're asking about? While I don't have all that many, so I just did it by hand - looking in the app for which light was which based on MAC, I then edited the reservations to set the hostname.
I got a new SG-3100 and want to replace my slow USG firewall, but keep the several Unifi APs with the Cloud Key.
I know there should be no problem, but there are a few issues:
What is the recommended DHCP setup? Should the Cloud Key be the DHCP server and just set the gateway address manually or should the SG-3100 be the DHCP server?
Disable the DHCP server in the Cloud Key and let your pfSense box be the DHCP server for both your wired and wireless networks.
Concerning DNS: The Cloud Key advertises the gateway to be the home network DNS server, which is what I want. How can I make sure my SG-3100 remains the DNS server for the LAN at home, while itself getting DNS service from some public service (220.127.116.11, etc...)?
Do NOT change anything relative to DNS with a pfSense default installation. It is ready to go right out of the box. It contains a DNS resolver (unbound) that will ask the DNS Roots for IP information. Again, DO NOT make any DNS changes in pfSense! Do not change its defaults. Many do that and wind up totally breaking DNS and have to come back here for help.
When you enable the DHCP server in pfSense, it will assign your pfSense box as the DNS server for all wired and wireless clients using DHCP. If you have any static IP assigned clients, you will want to point them to the pfSense box for DNS.
To understand what I mean about not changing the DNS settings in pfSense, go to Google and research what a DNS resolver is and how it works. pfSense now comes with a fully configured DNS resolver right out of the box. No need to change a single thing for successful DNS lookups.
Are you referencing the wireguard fiasco? Or was there some other news that put this into an updated context? An unbound regression in OpnSense 21.1.5?
On WireGuard, AFAIK OpnSense has a userspace daemon similar to what pfSense has offered for a while, not the in-kernel implementation that was apparently borked and then yanked.
Are you referring to this OpnSense forum post? I think that's isolated as that user had other problems when upgrading w/ unsupported packages (not to say unbound is unsupported, just that theirs seems like a complicated configuration).
To be fair I did suffer from some constant unbound restarts on my own OpnSense box yesterday, but I haven't updated that machine from 21.1.4 to 21.1.5 yet so I'm 99% sure that was down to my toggling the ramdisk option for /var and losing unbound data at reboot. (I had read the option as /var/log ramdisk, which I assumed would have no ill effects. The /var option not so much since it encompasses so much more.)
It all boils down to: check the logs. Learn how to read them. Check why unbound gets restarted: what event triggered the restart.
Now you can ask yourself: can I influence this event? Do I need it? Can I change it?
Very, very true. Some time ago I found that the cron job for pfBlocker was running just before each DNS drop. I'll keep an eye on things after the recent change. I have Grafana set up, so I may even try to set up something to log what's happening around the time of the issues and make it pretty.
Thanks for taking the time & effort in your replies.
You do understand that without ESNI or ECH (ESNI is dead already, really)..
Just because you hide the DNS from your evil ISP, they still see where you're going via the SNI the browser sends to the HTTPS server it is talking to, via the IP it got from the DNS query you hid from the man.
Without ESNI or ECH, hiding your DNS queries from your ISP is, to be honest, an exercise in futility. Your ISP can really easily see whatever.domain.tld you're going to, along with the IP, and if the IP is not on some CDN serving 1000s or 100s of thousands of sites, it's not difficult to know exactly where you're going, even if using ESNI or ECH.
But what you do end up doing is handing over everywhere you go to whatever DNS service you're forwarding to, be it encrypted or not.
Since going to a website is a specific handshake between the client and the server, support for encrypting which site you actually want via the SNI in the HTTPS handshake will depend on the server you're going to supporting that. Doesn't matter if you encrypt the DNS query or not.
I've copied the existing installation to another location and it has managed to start up OK, so DHCP is working again, but the release is quite old, so I thought I would try to update it, which I am now doing... So... I don't know what caused the original problem, but it looks like it has been sorted.
Just dropping those 2 lines in every unbound is no prob.
On my home setup I had an existing Linux-based DHCP + DNS infrastructure.
I only use unbound to forward to my existing Bind9 servers, no pfSense 127.0.0.1 resolving. All that hits unbound goes to the Bind9s.
My Phone + MMedia VLANs get a DHCP DNS pointing to a Debian Pi-hole that uses the Bind9s.
DNS & especially DHCP is a bit more cumbersome on Linux, but I have DDNS (DHCP-added entries) working like a charm. And that is a super neat feature.
If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in local-data but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local-zone is given local-data causes a transparent zone to be created by default.
Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the given zone. Use nodefault if you use exactly that zone, if you want to use a subzone, use transparent.
Seems like transparent is the way to go for me (sub zones).
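To make the quoted zone-type rules concrete, here is an added Python model (not unbound code, and not from the poster) of how transparent, typetransparent and static treat a query that falls inside a subzone. The zone lab.home.arpa, the local-data records and the queries are constructed; the decision rules follow the unbound.conf descriptions of those three types. It shows why transparent fits the subzone case: names the resolver has no local data for still go through the normal resolution path instead of being answered NXDOMAIN.

```python
from enum import Enum


class Answer(Enum):
    LOCAL = "answered from local-data"
    NODATA = "NOERROR/NODATA"
    NXDOMAIN = "NXDOMAIN"
    UPSTREAM = "resolved normally"


def _norm(name):
    return name.lower().rstrip(".")


def in_zone(qname, zone):
    """True if qname is the zone apex or anything below it."""
    q, z = _norm(qname), _norm(zone)
    return q == z or q.endswith("." + z)


def local_zone_answer(qname, qtype, zone, zone_type, local_data):
    """Model of unbound's documented handling for one local-zone type.

    local_data: iterable of (name, type, value) tuples, i.e. the content of
    local-data lines such as ("printer.lab.home.arpa", "A", "10.0.10.20").
    """
    q, t = _norm(qname), qtype.upper()
    if not in_zone(q, zone):
        return Answer.UPSTREAM  # outside the zone the zone type is irrelevant
    rrsets = {(_norm(n), ty.upper()) for n, ty, _ in local_data}
    names = {n for n, _ in rrsets}
    if (q, t) in rrsets:
        return Answer.LOCAL  # exact name+type match is answered locally
    if zone_type == "transparent":
        # known name but missing type -> NODATA; unknown name -> normal resolution
        return Answer.NODATA if q in names else Answer.UPSTREAM
    if zone_type == "typetransparent":
        # a different type for a known name is also resolved normally
        return Answer.UPSTREAM
    if zone_type == "static":
        # nothing in the zone leaves the box: only negative answers remain
        return Answer.NODATA if q in names else Answer.NXDOMAIN
    raise ValueError(f"zone type not modelled here: {zone_type}")


# Constructed subzone: two hosts published locally, the rest lives elsewhere.
SUBZONE = "lab.home.arpa"
LOCAL_DATA = [
    ("gw.lab.home.arpa", "A", "10.0.10.1"),
    ("printer.lab.home.arpa", "A", "10.0.10.20"),
]
QUERIES = [
    ("printer.lab.home.arpa", "A"),     # published locally
    ("printer.lab.home.arpa", "AAAA"),  # known name, type not published
    ("nas.lab.home.arpa", "A"),         # in the subzone, unknown to unbound
    ("dc.home.arpa", "A"),              # outside the subzone entirely
]


def outcomes(zone_type):
    """Per-query outcome for one zone type, keyed 'name/type'."""
    return {
        f"{n}/{t}": local_zone_answer(n, t, SUBZONE, zone_type, LOCAL_DATA).value
        for n, t in QUERIES
    }


if __name__ == "__main__":
    for zt in ("transparent", "typetransparent", "static"):
        print(zt, outcomes(zt))
```

Comparing the three result tables makes the trade-off visible: static turns every unpublished name in the subzone into NXDOMAIN, typetransparent even sends a missing record type for a published name upstream, and transparent sits in between, which is the behaviour wanted when only part of a subzone is defined on the firewall.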
@float The issue lies with the Fritz Box; it's somehow blocking DNS. Tried everything but couldn't get the resolver to work, only the forwarder. Swapped it out for a Zyxel modem, and everything is working as it should now.
I want to use DNSFilter.com with an SG-3100 at the high school I work at in San Diego. Are you still using FreeDNS and DNSFilter.com with pfSense? If so, how is it working for you? I need to use it for the CIPA Children’s Internet Protection Act compliance that E-Rate requires.
So, the best way I have found to solve this was to keep the DHCP on Network B with a subdomain there as foo.xyz.com, stand-alone, and forward all xyz.com to my dc.xyz.com DNS server.
The problem I am still trying to solve is that queries forwarded from my dc.xyz.com to pfsense.foo.xyz.com are not being resolved or even queried. Even 10.0.10.1 is not resolved and gives the error message when validated: the server with the IP address is not authoritative for the required zone.
I've delegated that subdomain foo.xyz.com to the 10.0.10.1 DNS server, which is pfsense.foo.xyz.com. In my dc.xyz.com I have the following:
But testing from a stand-alone PC on the same network as my dc.xyz.com, I am able to use pfsense.foo.xyz.com as a DNS server.
Does anyone here know if I am missing a step or steps to be able to perform this setup?