DHCP and DNS

• 

  HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox
  • jimp  

  13
  8
  Votes
  13
  Posts
  1731
  Views

  B

  this is why i use firefox ESR. the version that would get this automagically would be the standard version of FF
• 

  RFC2136 Server Setup How-to
  • jimp  

  19
  0
  Votes
  19
  Posts
  21737
  Views

  

  You have some logs as showed above ?
• T

  Wildcard DNS entries
  • tommyboy180  

  6
  0
  Votes
  6
  Posts
  18064
  Views

  C

  @Yowsers: This is in the wiki as well. https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver Yes - and that page also misses a big gotcha. As someone coming from dnsmasq / "forwarder"  I had multiple host overrides too. Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match.  So you need to delete all the host overrides that use the same subdomain. If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.
• E

  2 wireless ap's, 2 physical interfaces, DHCP assignment conflicts
  • Ev4nsp479  

  3
  0
  Votes
  3
  Posts
  18
  Views

  E

  @Derelict Yes! That was it. Totally overlooked a few connections. Thank you kind sir
• J

  DNS Resolver returns SERVFAIL for a valid domain
  • jofrep  

  2
  0
  Votes
  2
  Posts
  25
  Views

  

  @jofrep said in DNS Resolver returns SERVFAIL for a valid domain: www.ara.cat [2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig www.ara.cat ; <<>> DiG 9.12.2-P1 <<>> www.ara.cat ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48284 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.ara.cat. IN A ;; ANSWER SECTION: www.ara.cat. 3528 IN CNAME www.ara.cat.cdn.bitban.net. www.ara.cat.cdn.bitban.net. 3528 IN CNAME caching.ara.edge2befaster.com. caching.ara.edge2befaster.com. 3528 IN CNAME cec01.usg.edgetcdn.com. cec01.usg.edgetcdn.com. 3529 IN A 185.59.223.130 cec01.usg.edgetcdn.com. 3529 IN A 74.208.86.233 cec01.usg.edgetcdn.com. 3529 IN A 185.152.67.178 cec01.usg.edgetcdn.com. 3529 IN A 74.208.80.126 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Mar 24 20:54:21 CDT 2019 ;; MSG SIZE rcvd: 220 [2.4.4-RELEASE][admin@sg4860.local.lan]/root: I would suggest you do a +trace with did to find out where your failing in the path. When doing a +trace you will have to walk down through all the cnams... BTW - that is HORRIBLE setup... that many cnames is not good practice. Any sort of basic analysis of that chain of nonsense finds errors. www.ara.cat.cdn.bitban.net/CNAME: A query for www.ara.cat.cdn.bitban.net results in a NOERROR response, while a query for its ancestor, cdn.bitban.net, returns a name error (NXDOMAIN), which indicates that subdomains of cdn.bitban.net, including www.ara.cat.cdn.bitban.net, don't exist. (205.251.192.153, 205.251.195.183, 205.251.197.5, 205.251.198.35, 2600:9000:5300:9900::1, 2600:9000:5303:b700::1, 2600:9000:5305:500::1, 2600:9000:5306:2300::1, UDP_-_EDNS0_4096_D_K) Such setups with that many chains of cnames make for horrible resolving time.. An any point in the chain that fails the end record being looked up can fail.
• L

  DNS Resolver (unbound) not updating ?
  • Lumberjack  

  17
  0
  Votes
  17
  Posts
  136
  Views

  

  @Lumberjack said in DNS Resolver (unbound) not updating ?: ...whut ?! thats not even enabled? Hummm. This rings a bell to me. An issue that was solved a couple of updates ago ... emptying the dhcp leases file when dhcpleases process is shut down. You 'missed' that upgrade I guess ^^
• 

  DNS Resolver Issues...What's going on here?
  • ARAMP1  

  9
  0
  Votes
  9
  Posts
  48
  Views

  

  Leonardo Acropolis: "I am... a geniussss."
• N

  Set hostname on DHCP client without adding static mapping?
  • no_jah  

  6
  0
  Votes
  6
  Posts
  72
  Views

  

  @no_jah said in Set hostname on DHCP client without adding static mapping?: @JKnott Wouldn't it be possible to pair the hostname with the MAC-adress? Yes ! Answer You need DHCP static mappings - or a host override, which "hard locks" a host to an IP.
• B

  DDNS pfSense to Windows AD DNS DHCPv6
  dns ipv6 ddns ipv4 windows server • • bigtfromaz  

  6
  0
  Votes
  6
  Posts
  43
  Views

  

  @bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6: I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important. It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme. Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk. I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here. Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL. And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners. I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.
• H

  DHCP not registering hostnames in DNS
  • hova  

  22
  0
  Votes
  22
  Posts
  124
  Views

  

  Yeah unless you write this code yourself or place a bounty for it to happen... I don't think this is ever going to happen.. There are a bajillion better things the dev's could be doing - like changing ui to a cooler looking font... Which would fine 10000X more interest from their user base then like the 2 people that might want such a feature ;) You have the time to create a reservation for client and put in the NAM and the mac but not the IP? I don't care if you have a 1000's freaking clients.. You know you could just load this in from a file right? You don't have to do it all by hand in the gui. I can load 1000's reservations via an xml restore in couple of seconds... Vs all this nonsense of just put in reservation without the IP. And then on the other end - if you have 1000 freaking clients if they get an IP who freaking cares if their name is deviceXZY or YourName, etc.
• L

  Domain override broken since 2.4.4 p2
  • luas  

  15
  0
  Votes
  15
  Posts
  59
  Views

  

  Looks like your forwarding, or have dns setup in general, or letting get dns from dhcp.. If your using resolver.. You should have nothing setup in general for dns, you should make sure that you do not allow dns from dhcp. And yeah when you do diag like that all you should see is loopback 127.0.0.1
• D

  dns resolver
  • Diego de Santis  

  8
  0
  Votes
  8
  Posts
  43
  Views

  

  So you enabled forwarder mode in unbound... When you ask unbound, if it has it locally or cached its not going to go ask anything be it forward or resolve. So if you create a host override - that will be returned when that is asked for.. Its the whole point of "override".. You could return 10.10.10.10 for www.google.com if you wanted too.
• R

  Make pfSense DHCP server update or registry entries in Windows DNS servers?
  • riahc3  

  4
  0
  Votes
  4
  Posts
  68
  Views

  

  Yeah if your MS shop.. You should really just be running dhcp/dns on your AD in the first place. So you want pfsense to be dhcp.. And you want to setup a static reservation.. And now you want dhcpd to register what it registers in unbound on pfsense, to your AD dns? Seems like duplication of effort here - when all could just be handled by your AD dhcp and dns. But if you really want to do this - then read up on rfc 2136 and how you use that in windows dns.
• I

  DNS over TLS
  • IanJanus  

  12
  0
  Votes
  12
  Posts
  60
  Views

  

  Well its click click... You actually sure unbound restarted? I just showed you how easy it is to turn on and off... I personally don't do it - because its just stupid.. Its like how can I slow down my dns.. OH yeah - let me throw it inside a tls tunnel and hand all my dns queries to company X, etc. You sure unbound is even running and your not running the forwarder, etc. Unbound will show you what its doing, set the log to level 2 in the advanced tab Mar 17 14:22:46 unbound 60954:0 info: reply from <.> 9.9.9.9#853 Look in your conf... Do you see the forwarding section in there 2.4.4-RELEASE][admin@sg4860.local.lan]/: cat /var/unbound/unbound.conf # Forwarding forward-zone: name: "." forward-tls-upstream: yes forward-addr: 9.9.9.9@853 Now clicky clicky back to resolving like any sane human would want to do ;) You sure your not redirecting to 9.9.9.9 directly? Lets see your redirect rule, etc.
• I

  DNS Resolver Domain Overrides nor working in one subnet
  • IanJanus  

  1
  0
  Votes
  1
  Posts
  16
  Views

  No one has replied

• F

  Guest / Non-Guest Network with Separate DHCP and Firewall Rules?
  • fvultee  

  8
  0
  Votes
  8
  Posts
  92
  Views

  

  @fvultee said in Guest / Non-Guest Network with Separate DHCP and Firewall Rules?: Nope, my Netgear Orbi mesh WiFi system dos not support VLANs natively, that’s why I’ve been trying to figure out a workaround with the pfSense. I was thinking that I could also just block the guest dhcp IPs from bing able to talk to my other devices by making a block rule but that didn’t work either. I just noticed something I missed before: (IE no contact with the MAC authorized devices) PfSense cannot do that, as it has absolutely no effect on traffic between devices on the same subnet. PfSense is a router which means it only affects traffic that passes through it. The only way to prevent guest devices from contacting "authorized" devices is with separate SSID and VLAN.
• A

  (Solved) Can't make config changes to Unbound
  • angdigi  

  6
  0
  Votes
  6
  Posts
  70
  Views

  

  When you save DNS Resolver Settings, it run unbound-checkconf before returning with the Apply Settings button. When you have too many DSNBL tables, unbound will grab all memory and won't stop until you kill -9 unbound. Rebooting will do the same. Remove big DNSBL URLs (on my 8GB box, I have around 1.1-1.2 millions DNSBL entries), monitor memory usage with Status Monitoring. TLD is intended to remove DNSBL entries with wildcard domains, but that also taxes the memory system. .
• P

  DNS Resolver Status, no data?
  • provels  

  56
  0
  Votes
  56
  Posts
  184
  Views

  P

  @ciscox That's what I see when I use the Resolver as Forwarder.
• I

  Switched back to Unbound, External DNS Servers Still Used?
  • Iceman24  

  5
  0
  Votes
  5
  Posts
  108
  Views

  I

  Thanks, but I'm still confused about what to do here. From what you said, it seems as if I have the choice of choosing to let pfSense Unbound use either the "root" external DNS servers, that of which it chooses, or I can choose. Is that right? In addition, if I choose, I can encrypt the DNS connection. If I let it just use whatever root servers, is that then unencrypted? Is there a way to encrypt the root servers? Between choosing my own DNS servers without encryption vs letting it use the root servers (assuming that's unencrypted), is there an advantage to just letting it use the root servers? Last question. Even if I choose my own DNS servers, it only actually contacts them if the result is not cached? I ask because even though that seems like the case, OpenDNS handled every query, many of which were cached.
• G

  DHCP Leases List Not Showing Hostname in Some Cases
  • gjaltemba  

  2
  0
  Votes
  2
  Posts
  322
  Views

  C

  @gjaltemba I also have the same problem, not a big issue they show up in arp table. But wondering what could it be. Let me know if you have found the solution
• P

  DNS forwarder between VLANs
  • Phatsta  

  3
  0
  Votes
  3
  Posts
  39
  Views

  P

  @jimp said in DNS forwarder between VLANs: You can setup search domains on the clients to try the other domains. That's all up to the client, though. You can add search domains in the DHCP server settings but not all clients respect that. For example, Windows clients won't honor the search domain list from DHCP. Ah, nice. Didn't think of that. I think there's a way to get Win clients to listen to search domains through the domain controller, I have a faint memory of doing that in the past. Cheers mate!
• K

  Noob question Regarding DNS Resolver
  • KingCollins  

  3
  0
  Votes
  3
  Posts
  52
  Views

  K

  @johnpoz said in Noob question Regarding DNS Resolver: No that is not how a resolver works.. It walks down from roots to get to the authoritative NS for the domain your wanting find a FQDN in Yes it is normal for your wan IP to be listed - since that is what will query the NS. If you want a client to query dns 1.2.3.4, then you would set the client to query that dns.. How you do that is up to you, be it your default dhcp setting, or specific in a dhcp reservation, or static on the device itself. Awesome, just wanted to clarify those questions.Thanks for your quick reply!
• M

  Strage behavior my DHCP seems to be working fine but none of the static IPs do
  • mke  

  2
  0
  Votes
  2
  Posts
  26
  Views

  M

  I removed openVPN server and it started working. Sth must have happened after last upgrade
• J

  How to resolve DNS to a second gateway?
  • JEdgerly  

  1
  0
  Votes
  1
  Posts
  40
  Views

  No one has replied

• E

  Auto-renew DHCP after outage
  • e4ch  

  23
  0
  Votes
  23
  Posts
  2238
  Views

  E

  Ok, I've now also created a script. Instead of using external sites, I'm now just checking if the WAN adapter (igb1) has an IPv4 address. If not, it waits 2 minutes and tries again. If it still has no IPv4 address, it issues the same commands as the other scripts: ifconfig down, ifconfig up, dhclient (not sure if the last one is necessary). It does not include rebooting the firewall, because I think this is overkill. Actually I just wanted to force-renew the DHCP client lease, but I couldn't get that to work, although I looked at what the PHP source is doing. I'm using this script now: #!/bin/sh wan="igb1" LOGFILE=/var/log/pingtest.log currip=$(ifconfig $wan | grep "inet " | cut -d " " -f 2) if test -z "$currip"; then echo `date +%Y%m%d.%H%M%S` "Detected empty IP on $wan! Will try again in 120 seconds." >> $LOGFILE sleep 120 currip=$(ifconfig $wan | grep "inet " | cut -d " " -f 2) if test -z "$currip"; then echo `date +%Y%m%d.%H%M%S` "2nd try: Still empty IP on $wan! Will fix now." >> $LOGFILE ifconfig $wan down sleep 10 ifconfig $wan up sleep 20 dhclient $wan echo `date +%Y%m%d.%H%M%S` "Fixing done!" >> $LOGFILE else echo `date +%Y%m%d.%H%M%S` "2nd try: $wan has IP $currip; ok" >> $LOGFILE fi else echo `date +%Y%m%d.%H%M%S` "$wan has IP $currip; ok" >> $LOGFILE fi If you want to use it, you would have to do the following: Diagnostics / Edit File: Enter file name /usr/local/bin/pingtest.sh and paste the file from above in there and click Save. Update igb1 with the name of your WAN interface. That name is visible in Status / Interfaces in the title. For me it says there: "WAN Interface (wan, igb1)" Diagnostics / Command: "chmod +x /usr/local/bin/pingtest.sh" (without quotes) and click Execute. This makes the file runnable. System / Package Manager / Available Packages: Install Cron. To my understanding, this is just the user interface for Cron. Services / Cron / Settings: Leave the existing packages there and add a new one. Minute: "/10" (without quotes) or just "" for every minute, but every 10 minutes should be fine and avoids filling up the log. Other values: "*", User: "root", Command: "/usr/local/bin/pingtest.sh" From time to time you can take a look at the log file "/var/log/pingtest.log" and maybe delete it to avoid that it's getting too big. For me this works now if I restart the modem. If even works if I schedule it to every minute; then two scripts will be running at the same time, but due to the 2 minute delay and retest, it works fine too. Without the second test it also worked, but then it already issues a fix while starting up, so it tries to fix it twice. I wanted to avoid that. We'll see how this works in the coming months/years. For me this is a clear bug in pfSense, as this happens with many different modems and searching through the forum shows that many people have this problem. Even if the modem is the culprit, I still think pfSense should be able to recover, because with other clients it works fine.
• R

  Multi-instance Resolver OR Conditional DNS Queries
  • rsaanon  

  2
  0
  Votes
  2
  Posts
  44
  Views

  

  https://nlnetlabs.nl/documentation/unbound/unbound.conf/ RTFM and look at the "View Options".
• M

  DHCP client unable to get lease from cable provider [solved]
  • melslenstra  

  1
  0
  Votes
  1
  Posts
  60
  Views

  No one has replied

• P

  DNS leak - dns and secure connection
  • paoloest  

  2
  0
  Votes
  2
  Posts
  105
  Views

  B

  Screen shot of results ?
• S

  WAN and DHCP on XG-7100
  • senobogos  

  10
  0
  Votes
  10
  Posts
  347
  Views

  B

  I ran across this post when trying to figure out why a new WAN interface on my XG-7100 was not getting a DHCP address from my internet provider's router/modem. I was experiencing the same symptom, a laptop would be able to obtain an IP, but the XG-7100 would not. The issue was that the new VLAN group I setup (under Interfaces -> Switch -> VLAN) did not have the ports 9 and 10 added as tagged members to the new group. Once I added the tagged ports 9 and 10, the new WAN was able to obtain an IP. My headache really boils down to a case of RTFM. The online document: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100/switch-overview.html was really helpful in my case. I hope this helps someone else avoid hours of head scratching.
• M

  DNS releated
  • mohitsofat  

  16
  0
  Votes
  16
  Posts
  234
  Views

  

  @mohitsofat said in DNS releated: pfsense will transfer the ip of my client to the DNS server. And Why would you think it would do this?? You want to write a dns filtering app - but don't know how dns works??
• E

  Strip subdomains with DNS resolver or forwarder
  • ebsense  

  2
  0
  Votes
  2
  Posts
  73
  Views

  

  That's up to your Dynamic DNS provider. Many of them offer an option to do that, it's something you'd have to enable on their side, or in the Dynamic DNS client options.
• F

  Default unbound DNS-over-TLS - Potential MITM Issue By Not Verifying Certificate?
  • Finger79  

  4
  0
  Votes
  4
  Posts
  115
  Views

  

  Meant to tack this onto my earlier reply. Here is a screenshot of how you set the hostname for DNS over TLS verification on 2.5.0:
• T

  Unbound Fails After Changes Applied
  • trippsc2  

  10
  0
  Votes
  10
  Posts
  136
  Views

  T

  I supplied no DNS servers, as I want to use root servers for resolution. I'll increase the log level and reproduce issue and post the results either tonight or tomorrow night.
• B

  Non-forwarding Resolver returns NS records only for some domains
  • bldnightowl  

  9
  0
  Votes
  9
  Posts
  193
  Views

  

  If you you need your vpn clients to resolve something that is rfc1918 that is fine.. Sure all day long... But you don't allow for public DNS to resolve rfc1918.. its Borked ;) Why these be dns resolvers hand it back is beyond me.. They say they are wanting to protect clients against bad shit.. atleast quad9 says it does.. So why would it allow for something as basic as a rebind? Maybe they think your local forwarder should be the one to protect you? Not sure.. But if your working with that company in any way - I would suggest you let them know its not good idea to have public resolve rfc1918.
• S

  DNS resolving only some domains on clients?
  • Sim0cYz  

  2
  0
  Votes
  2
  Posts
  90
  Views

  G

  @sim0cyz i had the same problem. I enabled DNS Forwarding option in DNS Resolver, and all the resolution problems disappeared
• 

  Guide to force your clients to use Youtube in Restricted mode
  • dennis_s  

  3
  0
  Votes
  3
  Posts
  138
  Views

  

  @kom Good catch, the image has been corrected. Thanks!
• P

  WiFi -> Pf -> Router -> WAN problem
  nat dhcp configuration • • p0p0  

  1
  0
  Votes
  1
  Posts
  62
  Views

  No one has replied

• S

  Intermittent Changes of IP Address and WAN not pulling IP from Modem
  dhcp ipv4 • • skullabyss  

  9
  0
  Votes
  9
  Posts
  183
  Views

  

  If you're on a UNIX-like system you can use this to capture remotely from a UniFi AP and from pfSense -- I found this somewhere and noted it down. Change X.X.X.X for the correct address. UniFi AP ssh ubnt@X.X.X.X 'tcpdump -f -i br0 -w - not port 22' | wireshark -k -i - You need Wireshark installed, obviously--works on Macs too and it won't get super hot like when you capture directly on it. pfSense ssh root@X.X.X.X 'tcpdump -f -i em0_vlan100 -w - not port 22' | wireshark -k -i - Here you'll need to change em0_vlan100 for the correct interface, but you can SSH in and get them with ifconfig. :) Good luck!
• J

  DNS working but Error Timeout
  • Jules13  

  1
  0
  Votes
  1
  Posts
  61
  Views

  No one has replied

• W

  DDNS upadate to Cloudflare DNS will fail using: Enable Proxy (Cloudflare)
  • Wepee  

  8
  1
  Votes
  8
  Posts
  183
  Views

  W

  Thanks for your info. I did open an account with Pfsense Bugtracker, but I did not how to create a report, let alone finding the php code, which is responsible for doing DDNS update. Well...at least someone has finally report this issue to the Pfsense development team, and see whether they look in to it. A big thank you to: Nico Schneider for lodging this issue.