@steveits Not sure if I resolved it yet, as I had memory issues that had to be fixed. I did start adding sites manually to a whitelist, which seems to solve some problems but not yet all. I am going to swing back around and see if I can get more info to share and hopefully resolve it.
reuse_lease: lease age 1217 (secs) under 25% threshold, reply with unaltered, existing lease "
Those are common - leases normally don't start to renew until 50% done. But as the client gets closer and closer to lease expiry, it should start screaming for a renew, sending them more and more often.
Once a renew fails, it should send a discover.
I would watch your logs the next time it happens and look right away; set your log to keep more in the GUI. I think it defaults to only the last 50 entries. I have mine set at 2000. This should allow you to see more entries.
@johnpoz 👍 No problem, all water under the bridge. Maybe this lengthy thread will be helpful to someone in the future running in regular Resolver mode.
I should have been more clear in my post too. I knew the DNS Forwarder was dnsmasq and wanted to make sure someone knew it was unbound instead. Next time I'll state it upfront which mode I'm running in.
I learned more about unbound and some dig queries along the way, which is always helpful. Thanks again!
@johnpoz The constraint is a solid brick house. I had Cat 7 cables run throughout the house to the boiler room, so for the small environment I have, it is easier in this case to work with s/w configs than to physically run new cables, etc.
One issue you will face if you use the DHCP server on pfSense is that hostnames of local clients will not be registered in DNS in AD. That may or may not be of concern for your setup.
And you don't want to turn on DHCP DNS updates within pfSense as that will cause the unbound daemon to be restarted each time a client renews its lease. There are many posts on the forum about that little gotcha. DNS can be dead for many seconds during that restart, and the dead time is greatly expanded when you use tools such as pfBlockerNG-devel and DNSBL.
In my opinion, if you have an Active Directory shop, you really should let most of the DNS and DHCP infrastructure be hosted within AD. And in Windows 2016 and up, AD supports DHCP failover if you install the service on multiple hosts.
@brian-smit So they are still on their normal address, i.e. some RFC1918 address, not the APIPA 169.254 address?
Are you sure it's not just an issue with your unbound restarting with DHCP reservations? It has been a long-time issue that when a lease is issued or renewed, etc., unbound restarts, and if you're using pfBlocker that can cause startup delays, etc. This can present itself as DNS not working, but it's just DNS restarting.
One solution to that is to not register DHCP leases in the unbound settings.
If you have a Windows AD you need to configure only the IPs of the DCs on clients.
Windows with a domain could have weird behavior if clients use a non-DC DNS server.
You have to configure the DCs to forward to the other DNS servers.
The best approach is having at least 2 DCs for some redundancy, and configuring both IPs on clients.
Remember to add the OpenVPN "Client network" to the unbound resolver ACLs, else unbound will reject the lookup.
And I assume you have permitted TCP/UDP 53 from OpenVPN clients to the pfSense interface you announce as the OpenVPN DNS server IP.
I think there's a "feature" in unbound where it would reject RFC1918 DNS answers (from the Asus) unless being told to accept them.
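As an added example (not from any post in this thread), the three settings the post above refers to, written as the unbound.conf fragment that pfSense's DNS Resolver "Access Lists", "Custom options" and "Domain Overrides" pages produce; the 10.8.0.0/24 VPN subnet, the home.lan domain and the 192.168.1.1 router address are assumed placeholders:

```conf
# unbound.conf fragment (added example, not from the thread).
# Values below are assumed placeholders; substitute your own.
server:
    # 1. ACL: allow queries from the OpenVPN client network (assumed
    #    10.8.0.0/24). Without this entry unbound answers REFUSED to
    #    VPN clients even though the firewall lets port 53 through.
    access-control: 10.8.0.0/24 allow

    # 2. Rebinding protection: pfSense already lists the RFC1918 ranges
    #    as private-address, so unbound strips any 192.168.x.x / 10.x.x.x
    #    record that comes back from an upstream server (here: the Asus).
    #    Allow private answers only for the one domain that is expected
    #    to return them (assumed "home.lan").
    private-domain: "home.lan"

    # If DNSSEC validation is enabled, an unsigned private zone must also
    # be marked insecure, otherwise validation fails for it.
    domain-insecure: "home.lan"

# 3. Send lookups for that domain to the Asus router (assumed
#    192.168.1.1); this is what a pfSense "Domain Override" generates.
forward-zone:
    name: "home.lan"
    forward-addr: 192.168.1.1
```

Run unbound-checkconf against the generated file before applying, since a syntax error in the custom options keeps unbound from starting at all.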
For future reference, the problem was caused by a misconfigured setting in General Setup -> DNS Server Settings -> DNS Resolution Behaviour.
Setting changed to "Use local DNS, fall back to remote DNS servers".