  • Split DNS and wildcard issue - some are local some are remote

    0 Votes
    23 Posts
    1k Views
    johnpozJ

    @Draghmar said in Split DNS and wildcard issue - some are local some are remote:

    Simply it's how it works so unfortunately I still need NAT Reflection for my setup...

    Split dns doesn't work if you're not using your own dns.. To resolve the local -

    Have to wonder why you would need to access your own local webserver while your "working" ;)

    Just access it via IP if you do.. no dns involved. Or just create a host entry on the machine - so it knows fqdn points to local IP, and doesn't even need to ask work dns for it..

    Other solution would be to run a conditional forwarder on your machine, say dnsmasq and not point your client to work dns, but your conditional forwarder that only asks your work dns for work related domains.

    Or depending on your work dns - you could setup pfsense to be the vpn client, and do policy routing with conditional forwarding for dns.

    There are always many ways to skin the cat, in your case the simple solution would be yeah to use nat reflection. For this specific client.

  • Setup DNS over TLS on pfSense 2.4.5

    0 Votes
    16 Posts
    2k Views
    P

    I better understand with this example the use of "invert match"
    In my case, I just followed the doc guide to create the redirect rule.
    I do prefer explicit rules since I am not used at all to the firewall modifications

    Thank you

  • Subdomain Woes

    0 Votes
    2 Posts
    223 Views
    L

    I figured it out. Pfsense was caching DNS queries. I restarted the dnsmasq service, and I'm good to go. Thanks!

  • Wildcard DYN DNS with Godaddy DNS

    0 Votes
    1 Posts
    141 Views
    No one has replied
  • DNS Resolver with DNS forwarding x2 slower than DNS Forwarder

    0 Votes
    4 Posts
    553 Views
    GertjanG

    @dkyarnogarn said in DNS Resolver with DNS forwarding x2 slower than DNS Forwarder:

    We are having issues with DNS in https://www.yar....

    Like no SOA. That's bad.
    DNS forwarding, Resolving, whatever, if your DNS zone is bad things become messy.
    edit : correction :
    There it is :
    dig yar??.dk SOA +short
    logan.ns.cloudflare.com. dns.cloudflare.com. 2034779557 10000 2400 604800 3600

    No DNSSEC either ? I thought that in the north things were done seriously these days ;)

  • DHCP Leases - For faster reading

    0 Votes
    4 Posts
    416 Views
    jimpJ

    Using colors as an indication isn't good enough on its own, especially Red/Green, as color blind individuals may not be able to distinguish the difference. It's best to use icons instead (or in addition to) color indications.

  • DNS Not resolving on Clients

    0 Votes
    2 Posts
    219 Views
    GertjanG

    @DeclanM25 said in DNS Not resolving on Clients:

    Any suggestions?

    Execute this :

    grep "Restart" /var/log/resolver.log

    on the console or SSH access.

    You see many restarts ?
    Your mission is : compare logs, and figure out why Unbound is restarted.

    A known possibility :
    You removed the check from :

    [image attachment]

    Other possible reasons :
    Interfaces that become disconnected, and come up again.
    pfBlockerNG-devel,
    Any other process that restarts, and asks other system processes like unbound to do the same.
    Etc.

    edit : you don't need 1111 and 8888 : out of the box, pfSense works fine.

  • DNS Forwarder - Host Override

    0 Votes
    5 Posts
    566 Views
    K

    @JKnott It works with the single IP address, but I have the alias setup so that it points to the "web_server" through the firewall via the alias.
    [image attachment]

    but when I try to use the same alias in the Forwarder

    [image attachment]

  • 0 Votes
    10 Posts
    2k Views
    johnpozJ

    Your rules force all traffic out the gateway.

    [image: rules.png]

    And the rules below that make no sense, because rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

    So your rule sending traffic out your gateway is any any.. When would there be traffic that does trigger that rule?

    When would there be traffic to ! private, that does not match the rule above it any any?

    If you want your clients to talk to pfsense IP.. Where do you allow that? You block talking to pfsense on 443, then your next rule says go out the vpn.. How does vpn have access to pfsense vlan30 interface for example?

  • Setup DNS over TLS on pfSense 2.4.4 p2 - Guide

    Locked
    5 Votes
    67 Posts
    43k Views
    jimpJ

    The most up-to-date info is not in this thread, it's in the docs:

    https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
    https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
    https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html

  • static leases and domain on different interfaces

    0 Votes
    1 Posts
    169 Views
    No one has replied
  • DHCP leases "leak" between interfaces

    0 Votes
    6 Posts
    831 Views
    M

    This happened to me using a TL-SG108E HW2.0 (TP Link cheap switch).

  • DHCP update to external DNS...possible?

    0 Votes
    3 Posts
    312 Views
    G

    I looked at your post, very informative! I am still getting tsig refused error when I run enable ddns in dhcp on pfsense. I have no idea why it's being a pain. I've tried all kinds of config changes for BIND on my DNS server. I'll keep at it. Thanks!

  • unbound Broken Config

    0 Votes
    4 Posts
    700 Views
    johnpozJ

    @james_h said in unbound Broken Config:

    I added some custom config into DNS Resolver using the webgui.

    At a loss to what you could have done with resolver that would have broken ssh or the gui? I could see the gui being slower if dns was not working..

    Was it that you just couldn't resolve your pfsense name to access ssh or gui? You can always just access via IP.

  • Why is pfSense showing an unspecified DHCP assignment range?

    0 Votes
    7 Posts
    681 Views
    B

    @kiokoman Of course, that makes more sense. I had commented it out and restarted the DHCP service and it seemed to clean it up. I went ahead and followed your recommendation and it still seems to be good. I'll update here if it changes, but it looks like it's good to go now.

    I'd started to change the title to include Solved, but I realized I still don't know why this originally happened to begin with. I don't generally edit things outside of the GUI, so it's not like this is due to something I tweaked in some unusual way.

  • DHCP not working when internet fails

    0 Votes
    1 Posts
    96 Views
    No one has replied
  • DHCP Dynamic DNS updates on specific interfaces

    1 Votes
    1 Posts
    174 Views
    No one has replied
  • Outgoing traffic being blocked to strange dns servers

    0 Votes
    33 Posts
    2k Views
    johnpozJ

    Here is an example of stuff not resolving, but not noticing because I actually want those blocked and it's stuff devices or software are doing that shows some ad or whatever that is blocked.

    Just in the last 24 hours.
    [image: blockedbutnotnoticed.png]

    Would never notice this, since stuff is working.. But whatever it is is still banging its head against the wall trying to resolve that.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.