DHCP and DNS

• 

  HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox
  • jimp  

  80
  12
  Votes
  80
  Posts
  6572
  Views

  

  at least if your current service provider supports it from what i understant it will use doh only if the dns you have configured support it ? You can also configure a different secure DNS provider in the Advanced security section they didn't accept money from cloudflare or from any other dns services if it's the case, it's not that bad and always better than firefox
• 

  RFC2136 Server Setup How-to
  • jimp  

  19
  0
  Votes
  19
  Posts
  22832
  Views

  

  You have some logs as showed above ?
• T

  Wildcard DNS entries
  • tommyboy180  

  6
  0
  Votes
  6
  Posts
  19831
  Views

  C

  @Yowsers: This is in the wiki as well. https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver Yes - and that page also misses a big gotcha. As someone coming from dnsmasq / "forwarder"  I had multiple host overrides too. Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match.  So you need to delete all the host overrides that use the same subdomain. If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.
• J

  DHCP Server Assigns Same Address to Multiple Hosts
  • jesse_cureton  

  4
  0
  Votes
  4
  Posts
  34
  Views

  J

  Found a solution.. I got caught up on why the last DCHPDISCOVER logged the hostname of A with the MAC of B. This ended up being because of the client identifier in the DHCP request. The requests still had the proper, unique hostnames, but the Ubuntu template image I was deploying the VMs from actually send /etc/machine-id as the client ID. Since this was defined in the template, the DHCP server was identifying the machines as the same image with different MACs. This is the default behavior for Ubuntu 18.04 onward. This blog post pointed out that zeroing out that file in the template (truncate -s 0 /etc/machine-id) will ensure a new ID is created when the cloned template boots. Alternatively, enabling the Ignore client identifiers option in pfSense's DHCP server settings will accomplish the same result.
• F

  DHCP server reissuing addresses on client's old VLAN
  • fresnoboy  

  1
  0
  Votes
  1
  Posts
  7
  Views

  No one has replied

• M

  Why does pfsense call its implementation of dnsmasq a DNS Forwarder, not DNS server?
  • maya95  

  1
  0
  Votes
  1
  Posts
  23
  Views

  No one has replied

• B

  DNS Resolver - DHCP registration - Multiple Interfaces - not registering in DNS
  • bjk002  

  3
  0
  Votes
  3
  Posts
  41
  Views

  

  @bjk002 said in DNS Resolver - DHCP registration - Multiple Interfaces - not registering in DNS: not allowing DHCP to occur across interfaces. What? Sorry but no..
• 

  unbound: 1.9.6 -> 1.10.1 [pfSense]
  • Gertjan  

  3
  1
  Votes
  3
  Posts
  84
  Views

  B

  so for us standard pfsense users. we can ignore this since it will be included in p1 of 2.4.5?
• T

  WDS problems
  • trond  

  3
  0
  Votes
  3
  Posts
  36
  Views

  T

  option 67 is set to \boot\x64\pxeboot.com\000, but you can't see it without moving the cursor.
• B

  Occasionally dropping DHCP
  • blucube  

  6
  0
  Votes
  6
  Posts
  40
  Views

  B

  For what it's worth. I wasn't able to catch what was happening in any log. However, that could be partially due to not setting it up correctly. Though I wanted to comeback and say that, at least for my hardware, I'm running a G4400 and disabled one of the cores which so far seems to have alleviated the issue.
• F

  Unbound log
  • fedesoundsystem  

  2
  0
  Votes
  2
  Posts
  40
  Views

  

  Hi, Read https://nlnetlabs.nl/documentation/unbound/unbound.conf/ and also, have a look at the pfSense unbound.conf in /var/unbound/ The thing is - line 14 : use-syslog: yes which, according to the unbound manual, overrides settings like : logfile See, for example, here : https://snippets.khromov.se/enable-logging-of-dns-queries-in-unbound-dns-resolver/ - the usage of "logfile". So everything will get send to the syslog, and wind up in the circular 'resolver.log' file.
• C

  Problem with Unbound bug patch 9998
  • ctminime  

  1
  0
  Votes
  1
  Posts
  18
  Views

  No one has replied

• T

  Blocking Port 53 & Issues Resolving Host Names
  • techgeek055  

  10
  0
  Votes
  10
  Posts
  202
  Views

  

  Yep, confirmed : [2.4.5-RELEASE][root@priv.brit-hotel-fumel.net]/root: host 1.1.1.1 1.1.1.1.in-addr.arpa domain name pointer one.one.one.one.
• B

  New install- no DHCP assignments after PC sleeping
  • bill1  

  4
  0
  Votes
  4
  Posts
  27
  Views

  

  @JKnott said in New install- no DHCP assignments after PC sleeping: run Packet Capture W'll get to that if needed For the moment I like to see interface details, DHCP server settings per interface. Knowing that DHCP traffic can not be blocked by the firewall - hidden pass rules exists for DHCP, which can not be undone, I like also to know if there are switches involved etc.
• 

  Ia there a way to clean the dns cache
  • x3rl  

  3
  0
  Votes
  3
  Posts
  57
  Views

  

  x3rl ? wasn't that also a domain name that vanished from the Internet a couple of days ago ? edit : yep https://forum.netgate.com/topic/153717/dns-resolver-issues Answer : restart Unbound / the Resolver and the cache will be gone. Might be a solution for you, but a problem for us all. Btw : call your ISP and have them doing the same thing. You are using 8.8.8.8 (or others) ? Call them to dump their cache also. Etc. Note : the latter two might not be willing to do so ....
• V

  DNS Resolver weird resolution
  • Vents22  

  2
  0
  Votes
  2
  Posts
  53
  Views

  

  Hi, root servers are used to prime the tld part, like "gime a server that knows about dot com ?!" With the answer coming back, the Resolver will question that server, and ask where are the name servers of google.com ?!". With that answer coming back, the Resolver will question one of these name servers of google.com, and ask : "gime the A or AAAA records of google.com ?!" After all, these name servers of google.com are the only ones that the ones that can be trusted to answer that question. root server do not cache every possible zone (domain info) of the planet earth. They couldn't do that. So, yes, it's normal that you see many DNS servers being used. VPN or not, "DNS" doesn't chance. Example : ask if a root server - let's take 'a') knows the IPv4 of the domain forum.netgate.com : dig @a.root-servers.net forum.netgate.com A +short It can't .... It will tell you where to find the guys that know all about dot com zones. Etc.
• A

  Enabled DoT but still see 53
  • amrogers3  

  4
  0
  Votes
  4
  Posts
  76
  Views

  

  @ipeetables said in Enabled DoT but still see 53: imgur is blocked at work You're not the only one. @amrogers3 : you can paste image right into the forum message. No need to paste in an image URL using the picture foru command at all :  Just hit Ctrl V when the forum edit window is in focus, if you have the image copied just before.
• I

  DHCP status shows incorrect interfaces for bridge interfaces
  • incertia  

  2
  0
  Votes
  2
  Posts
  18
  Views

  T

  Hi, I have the same issue. i have modified an interface group of 3 physicals interface into 1 Bridge interface (LanThomas Assignements). With my interface group (LAN + OPT2 + OPT1) the configuration (IP and DHCP) was on the interface LAN With my actual bridge configuration LanThomas (LAN + OPT1 + OPT2) the configuration (IP and DHCP) is on the Interface that i have configure on assignments. As you can see on the DHCP leases the DHCP has some configuration on the old Interface LAN instead of the bridge interface (LanThomas).
• 

  DNS Resolver Issues
  • x3rl  

  3
  0
  Votes
  3
  Posts
  57
  Views

  

  Hi, Do a more general DNS check for that domain. Or even the www subdomain. Use a tool like https://www.zonemaster.net/domain_check - and that domain, and one that you it exists - liek your own web site. Its close to non-existent. Or the domain name maintainer has some DNS issues. Maybe he forget to renew the domain rent ? So yes, pihole and pfSense can't make something from nothing ;)
• 

  dlinkddns (Dyndns dynamic) discontinued
  • kiokoman  

  1
  2
  Votes
  1
  Posts
  127
  Views

  No one has replied

• S

  Issues with DNS resolving on VPN VLAN
  • subterminal  

  1
  0
  Votes
  1
  Posts
  18
  Views

  No one has replied

• A

  dhcpd timezone
  • ahmetakkaya  

  1
  0
  Votes
  1
  Posts
  15
  Views

  No one has replied

• A

  DNS have to create port forward to work
  • amrogers3  

  2
  0
  Votes
  2
  Posts
  32
  Views

  

  @amrogers3 said in DNS have to create port forward to work: I have to create NAT port forward for 53 --> 853 If DNS clients actually send TLS DNS traffic to port 53 instead of 853, then yes, port forwarding would be needed. Although these clients can be considered as broken. @amrogers3 said in DNS have to create port forward to work: getting DNS DoT to work On the WAN - upstream side ? Locally ? Describe your setup / needs. Back then, things were presented as https://www.netgate.com/blog/dns-over-tls-with-pfsense.html - and totally simplified afterwards : https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html
• U

  Pfsense WireGuard Client Working ( With Catch 22 )
  • ubernupe  

  13
  1
  Votes
  13
  Posts
  1485
  Views

  U

  @ravenium Dear ravenium, My man - I hope that you are well and safe in these days and times. Thanks for your thoughtful and measured contribution and observations regarding the specific issue here and your philosophy about " hacking " pfSense in general. I am the OP ( in case you don't know ) - and you are obviously an erudite thinker - and once again - I for one greatly appreciated your .02 as a person Later my brother - Peace and God Bless You and Yours Always in God's Grace PS - I will try your proposed solution as stated here in # 1 of your reply ( just for sh*t and giggles ) - and thanks for that one more again
• T

  Unbound resolver error: Can't assign requested address for 127.0.0.1
  dns dns resolver configuration config unbound • • themadsalvi  

  40
  0
  Votes
  40
  Posts
  903
  Views

  J

  Hey all. I hate to dig up a long dead thread, but I was wondering if this ever got resolved (other than reinstalling Pfsense and restoring from a working config. Having a similar issue actually on my machine. Little more background: these issues started with an attempted install of a freeRadius package. It was having trouble, giving similar "assigning address" errors (didn't screenshot at the time. apologies). I gave up, thought nothing of it, and removed the freeradius package and then my pfblockerng dns blacklist started giving me trouble. I restored to a config that I knew was working, but that also did not solve the problem. I've tried reinstalling pfblocker, totally deleting the config, and resetting it up, rebooting the whole pfsense box, and continue to get the same error. I still could reinstall pfsense from scratch, and then restore that config file, but have there been any updates?
• G

  DNS resolver not resolvering hosts in alias
  • gwaitsi  

  4
  0
  Votes
  4
  Posts
  54
  Views

  G

  I can confirm, i did have the same problem as in the bug report. disabling the DHCP lease registration worked for me as a workaround too.
• F

  pfSense self hostname on different interfaces
  • fedesoundsystem  

  2
  2
  Votes
  2
  Posts
  52
  Views

  

  @fedesoundsystem I would like to know this too. It is even more an issue with ipv6 since these are more dynamic.
• N

  Random DNS Resolver Issues
  • nhalstead  

  1
  0
  Votes
  1
  Posts
  31
  Views

  No one has replied

• M

  Howto force a dhcp release and dhcp renew on wan interface when down?
  • megapearl  

  3
  0
  Votes
  3
  Posts
  850
  Views

  J

  hi did you manage to solve this problem..I have a script where my modem will reset and will have it's ip renewed but the default gateway does not change automatically..I need to go to interfaces tab to release then renew so its gateway will update...
• G

  Synology DDNS not work
  • Guazo  

  15
  0
  Votes
  15
  Posts
  71
  Views

  D

  For security reasons only, external http (80) connections are not appropriate, especially for a NAS, use https, if you want to access the NAS remotely. Or use Syno's built-in OpenVPN package for external access
• P

  How Setup Dynamically Updating Gateway IP DNS Alias?
  • plfinch  

  3
  0
  Votes
  3
  Posts
  51
  Views

  S

  If you’re just looking for ideas, here’s what I came up with a few years ago and its still working fine. I have a lab domain (one that I just fool around with various web projects, DBs, PHP applications) My Spectrum home IP address rarely changes but like you said, it does change. So, I wrote a CRON job from my pFsense router to ping out every few minutes to a web page I wrote. The web page sees what the calling IP address is and compares it to the current IP stored in its DB. If it’s the same, nothing happens. If it is different then it stores the new address, sends me a text message, and activates my NameCheap APIs to change the IP address and DNS Records for all my subdomain.domain.com URLs which target various servers and devices at home via a reverse proxy. That way the links are always up to date and I can access PLEX, NAS drives and my home automation server without any problems. The web app also monitors the time between pings (10mins for example) and if the time exceeds specified limits then it assumes there was an internet outage and alerts me with the approximate time and outage duration. Sometimes you can lose internet service and not know it real time but you still want to know it happened.
• D

  DNS Forwarder and Resolver in Parallel with different DNS Servers
  dns resolver dns forwarder dns vlan • • Duckmuck  

  3
  0
  Votes
  3
  Posts
  59
  Views

  D

  And another update in my "blog". In Pihole you can set "Use Conditional forwarding" and list your domain and pfsense ip. That way I can resolve my own internal domain and at the same time use 1.0.0.3 and 1.1.1.3 for dns lookup without going to pfsense. No need to copy over the hosts file. I ended up not launch resolver and forwarder in parallel. My setup now is that I Port forward all dns request on all interfaces except the kids-vlan to my pihole-1, I then portforward request coming on my kids vlan to 53 to pihole-2. I allow outgoing requests from my pihole-1 and pihole-2. Regards. D
• C

  DHCP Static mappings seem to be used by all DHCP scopes on all interfaces
  • cre8toruk  

  8
  0
  Votes
  8
  Posts
  51
  Views

  C

  Well that is officially very odd... After much fiddling.. enabling static ARP, disabling static ARP, restarting the service and so on... I discovered that our WiFi voucher system had also stopped working. The solution to that was to uncheck the only allow users listed below access.. which would sort of indicate that the option was now working.... I think an upgrade to 2.5 when it's officially stable might be a good idea in any case... thanks for your help.
• F

  Windows DHCP not working for vlan2 Scope.
  • frostiex  

  2
  0
  Votes
  2
  Posts
  19
  Views

  F

  YES...got it working. to help those that maybe running into this. Step1: Create DHCP Scope on your windows server. Step2: Create vlan in PFSense Step3: Assign new VLAN interface to you LAN trunk from PFSense Step4: Create Rule to allow new vlan to access other networks as desired. (in my case default vlan as my DHCP server is also DNS) Step5: PFSense DHCP relay select the new vlan (make sure your LAN and VLANs are all selected) Step6: Unifi Controller Create new Network with vlan ONLY with your new vlan. Step7: Create new SSID using new vlan DONE!
• B

  DNS Resolver with WAN failover
  • bhjitsense  

  7
  0
  Votes
  7
  Posts
  61
  Views

  G

  @johnpoz but i am noticing another problem. Summary config unresolve outgoing only on wan nat rule point to localhost for dns on each interface rule on each interface to pass dns to localhost block rule on each interface to block dns not for pfsense gateway pool as default route fo 2x vpn alias defining list of hosts to bypass vpn rule to pass alias to wan i am seeing every 20sec in the log check_reload_status Updating static routes based on hostnames on the dns resolver, i see loads of Adding Action: pf table: BYPASS_VPN_HOSTS host: forum.netgate.com filterdns failed to resolve forum.netgate.com will retry later again. these are very frequent and seeing to coincide with my intermittent loss of DNS
• G

  unbound and localhost
  • gonn  

  14
  0
  Votes
  14
  Posts
  71
  Views

  G

  Anyway... a great Merci :-)
• M

  Unbound.conf stats_noreset use 20-28%
  • mikekoke  

  10
  0
  Votes
  10
  Posts
  77
  Views

  M

  Hi, I return to this topic after installing grafana and also after changing the value to 30 the use of nice cpu by dnsbl remains high, with peaks at 50% and beyond every 30 seconds as per the set value. With 1,700,000 records in dnsbl is this normal? @BBcan177 Spoiler
• S

  Special options for PXE (legacy and EFI32/64) needed in DHCP
  • stickybit  

  3
  0
  Votes
  3
  Posts
  429
  Views

  D

  I've exactly the same request for the tftp server to work. Does someone has a suggestion?
• A

  DNS Resolver and Access List - Access List Entry is not saved
  • aztazt  

  1
  0
  Votes
  1
  Posts
  27
  Views

  No one has replied

• R

  unbound fatal error
  • reggie14  

  3
  0
  Votes
  3
  Posts
  43
  Views

  R

  Thanks! To be clear, manually restarting unbound in the pfSense webGUI seems to resolve the problem when this occurs. I looked at the contents of unbound.conf. It seems to be fine. Outside the workday I'll try stopping and manually starting unbound with the command above. However, I fully expect it will start up fine with no obvious errors, since that's what usually happens. This problem only pops up every week or so. Given that I've had DHCP registration turned on, that means unbound restarts several times per day, almost always successfully. I don't know what's going on in these rare cases where it doesn't.