@steveits Not sure if I resolved yet as had mem issues that had to be fixed, I did start adding sites manually to a white list which seems to solve some problems but not yet all. Am going to swing back around and see if I can get more info to share and hopefully resolve.

@brian-smit said in DHCP 169x IP until i reconnect LAN cable or Turn WIFI on or OFF:

reuse_lease: lease age 1217 (secs) under 25% threshold, reply with unaltered, existing lease "

Those are common - leases normally don't start to renew until 50% done. But as the client gets closer and closer to lease expire, it should start screaming for a renew.. Sending them more and more often.

Once a renew fails - it should send a discover..

I would watch your logs the next time it happens and look right away, set your log to keep more in the gu.. I think it defaults to only the last 50 entries. I have mine set at 2000.. This should allow you to see more entries.

@johnpoz 👍 No problem, all water under the bridge. Maybe this lengthy thread will be help to someone in the future in regular Resolver mode.

I should have been more clear in my post too. I knew the DNS Forwarder was dnsmasq and wanted to make sure someone knew it was unbound instead. Next time I'll state it upfront which mode I'm running in.

I learned more abound unbound and some dig queries along the way which is always helpful. Thanks again!

@randombits said in Local IP's resolved from names ?:

under host overrides ?

yes

@bingo600 said in getting out of IP-addresses:

Offcause i meant DHCP lease

Yeah, right. 😉

@johnpoz constraint is a solid brick house. i had cat 7 cables run throughout the house to the boiler room. so for the small environment i have, it is easier in this case, to work with s/w configs that to physically run new cables, etc;

One issue you will face if you use the DHCP server on pfSense is that hostnames of local clients will not be registered in DNS in AD. That may or may not be of concern for your setup.

And you don't want to turn on DHCP DNS updates within pfSense as that will cause the unbound daemon to be restarted each time a client renews its lease. There are many posts on the forum about that little gotcha. DNS can be dead for many seconds during that restart, and the dead time is greatly expanded when you use tools such as pfBlockerNG-devel and DNSBL.

In my opinion, if you have an Active Directory shop, you really should let most of the DNS and DHCP infrastructure be hosted within AD. And in Windows 2016 and up, AD supports DHCP failover if you install the service on multiple hosts.

@brian-smit so they are still on their normal address is some rfc1918 address, not the APIPA 169.254 address.

You sure just not an issue with your unbound restarting with dhcp reservations.. Has been a long time issue where when a lease is issued or renewed, etc. that unbound restarts and if your using pfblocker that can cause start up delays, etc. this can present itself as dns not working - but its just dns is restarting.

One solution to that is not register dhcp leases in unbound settings.

Hello @viragomann,
The problem is DNSSEC.
Thanks again.

If you have a Windows AD you need to configure only the IP of the DCs on clients.
Windows with domain could have weird behavior if clients use a non DC DNS server.
You have to configure the DCs to forward to the other DNS servers.
The best approach is having at least 2 DC to have some redundancy, and configure both IPs on clients.

@cool_corona

Thank You both !

I indeed going to make sure that nobody can plug things into the switches and i change the 192.168.x.x into something else

There is an open bug for Digital Ocean dynamic DNS logged in Redmine: https://redmine.pfsense.org/issues/13167.

@keyser Ok. But if I disable pfblockerNG (not uninstalling it), it's not significantly faster? I also don't have many subscriptions. Only the basic/default Blacklist is enabled.

@m9x3mos
Remember to add the OpenVPN "Client network" to the "unbound resolver ACL's" , else unbound will reject the lookup.
And i assume you have permitted TCP/UDP 53 from OpenVPN clients to the pfSense interface you announce as openVPN dns server ip.

Edit:
I think there's a "feature" in unbound , where it would reject RFC1918 dns answers (from the asus) unless being told to accept them.

@johnpoz
Could you share a hint here ?

/Bingo

@marama
You are saying all your local name resolving is based on host overrides ?
That could be done with unbound (resolver) too.

I have no experience with the DNS forwarder.

Sorry

/Bingo

@steveits Very helpful thank you. This got me going!

@jimp Thanks. That makes sense. Just seems that it was a change for versions after 2.5. Now I know it's expected behavior going forward and will get sorted when the device is configured.

Solved by watching a video from Christian McDonald. The change was to the settings in the peer (client) app. I set the DNS address to the tunnel address (192.168.85.1) rather than my pfSense address.

Figured it out

server: module-config: "respip validator iterator" rpz: name: adguard-cname-cloak zonefile: zonefiles/adguard-cname-cloak.zone url: https://raw.githubusercontent.com/AdguardTeam/cname-trackers/master/combined_disguised_trackers_rpz.txt rpz-action-override: nxdomain rpz-log: yes rpz-log-name: adguard-cname-cloak

Unbound now logging blocked domains

[34470:3] info: RPZ applied [adguard-cname-cloak] a8.looop-denki.com. nxdomain 10.0.0.2@42033 a8.looop-denki.com. A IN

dig reponse

; <<>> DiG 9.16.25 <<>> a8.looop-denki.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12872 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;a8.looop-denki.com. IN A

@sbwcws Unclear - it's not supported as far as I can tell. I'd open a new topic in what you think might be the most appropriate spot or search the forums for other's past inquiries or attempts.

@toluun

Seems to be an issue with my linux installation. If I specify the dns server it responds as expected.

dig @192.168.20.1 notthere.local.lan

Anyone that has insight to share about Bind DNS PTR record troubleshooting?

Anyone? Please help to solve this very old issue.
Thank you!

@wildfrog What is listed as the router in the DHCP server on LAN?

If you really, really want to see what is going on, packet capture the DHCP traffic on the LAN and post it. Particularly interested in the DHCPOFFER from the server.

For future reference, problem was caused by a misconfigured setting in General Setup -> DNS Server Settings - DNS Resolution Behaviour.
Setting changed to Use Local DNS, Fall back to remote DNS Servers