@Gertjan OK, I cleaned it up, no errors found. I rebooted and didnt see anything in the logs that jumped out at me. Working so far!

Similar issue over here, 2.4.5-RELEASE-p1 having LAN, VLAN and WAN1, WAN2 (LoadBalancing&Failover) and IPv4, IPv6 and pfb_dnsbl (stable) and snort (stable). Unbound was starting before 2.4.5 without any issues.

see also similar on pfsense.org:
Bug #9567
Bug #7455
Bug #7096

@johnpoz dnsleaktest.com shows the IP address of my vpn provider.
whether you select standard or extended, it then shows results in the IP of my ISP connection.

my config is as follows
System DNS Servers
DNS Servers 1.1.1.1 firewall WAN
DNS Server Override unchecked
Disable DNS Forwarder checked

DNS Resolver
enable checked
Network Interfaces LAN / VLAN
Outgoing Interfaces Localhost
system transparent
DNSSEC checked
Use SSL/TLS outgoing checked
DHCP Register checked
Static DHCP checked

Advanced Privacy
Hide ID checked
Hide Version checked
Query Name checked
Prefetch Support checked
prefetch DNS key checked
harden DNSSEC checked
Experimental Bit 0x20 checked

Routing
WAN Default Route

Rules
TCP/UDP * * LAN Address DNS allow
TCP/UDP * * !Firewall DNS block

TCP/UDP * * VPNBYPASS * WAN none
TCP/UDP * * !LAN * ExpressVPN none

NAT
LAN TCP/UDP * * !LAN Address DNS LAN Addr (i found using 127.0.0.1 didn't work, but it did with LAN addr)

** PS it is not a tin foil hat, when you live in a country where big law firms criminally intimidate and extort (for 3yrs relentlessly) exorbitant amounts of money because you play 50sec of a movie - consider yourself lucky your lawyers haven't woken up to that scam **

@2malH said in DNS Resolver/Unbound is not resolving:

So unfortunately no one has an idea on how to fix this or what I'm missing/overseeing in the configuration?

Can't really see why unbound refuses to work ....

For testes, use the SSH (or console) access, it far more easier to work with.
Like :

dig @127.0.0.1 google.com ANY

This :

07b5db2b-30db-4f15-8cb9-fed61da9d83d-image.png

both are set to "All", right ?

Like ae34bc35-69c8-48d3-8657-db0f38d5b875-image.png

218d37dc-37de-4cf2-8efe-7947f12097df-image.png

Your unbound.conf mentions that you included other lines, like

forward-zone: name: "." forward-ssl-upstream: yes forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853

What happens if you back your settings, and reset your settings, make you WAN work (and do nothing more) : does unbound work now ?
If so, compare actual, resetted settings with your back up settings.

Btw : you do not block TCP port 53 traffic with a floating firewall rule, right ? (DNS can also be TCP, not only UDP, especially if you ask DNSSEC info)

These :

log-queries: yes log-replies: yes

will 'explode' your logs as there will be a huge number of log lines.
Remember : to much info kills the info.

OK, problem solved! I noticed that the disk was at 100% It seems the Suricata logs had filled the drive, so I enabled the hard limit for their log size, disk usage dropped to 56% and DNS now starts :o)

Maybe a more obvious warning if the disk fills up or more useful logging for the DNS service would be a useful addition in the future?

@DaddyGo Agreed it is not a good solution. I did not have any other viable ones at the time as I did not have a system that I could use to get console access. I lacked a portable device that had the appropriate drivers for USB to serial. I have rectified the situation so I will not run into that problem in the future. I am now able to get console access to the system in the case it is needed in the future.

Thank you for letting me know what needs to be done in the future.

@gwaitsi said in DNS Leak Issues:

I followed the below

this is an older description, but good with the difference that there is already a GUI option since 2.4.4

5335809c-bdb3-484a-8926-5e04c9b0b0ea-image.png

this will be the result:

69d167f0-6218-4143-ba30-6895f400bfb1-image.png

DNS leakage does not come from here,....or is it not so clear.....

all hosts must obtain DNS from pfSense!!!
(it may leak next to it anyway)

and

955e2790-2105-44c7-a3d9-801cb7413564-image.png

btw:
by no means allow ISP DNS
4b1d7f08-deda-464b-8c6e-e62dee5e934c-image.png

@max-pfsense said in pfSense as DHCP server without interface for each subnet:

100Mb interface,

Hi,

Most L3 Cisco switches include a built-in DHCP server that you can configure for any of the configured VLANs...

f00274f9-58dd-48c2-91b7-828f4d0c0657-image.png

pfSense can only assign a DHCP server to an interface, just like any other tool..

which I don't recommend because of port 100 (fast ethernet), but it can be a solution ...
create VLANs in pfSense and assign a DHCP server

Feature request: https://redmine.pfsense.org/issues/10896

Sep 11 04:39:53 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net
Sep 11 04:39:53 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net
Sep 11 04:42:07 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net
Sep 11 04:42:07 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net
Sep 11 04:43:49 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net
Sep 11 04:43:49 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net
Sep 11 04:43:49 10.10.3.1 dhcpleases: Other suffix in DHCP lease for hpprinter.domain.net

Thats what it was looking like.
I've power cycled the hp printer and it appears the logs have stopped for now.

And of course, if your ISP provides IPv6 connectivity, make sure to evaluate that as well. The [interface] address and This Firewall entries will incorporate IPv6 addresses as well, if they're present. Just make sure to set the protocol to IPv4+v6. If none of your earlier entries allow/block IPv6, but the last "Allow any" rule does, then someone on your guest network could access your other network(s) through IPv6 if they knew enough.

So this is just one big flat network with multiple layer 3 networks on it.. OMG.. what a cluster..

Do you have switches that support vlans? Do you have multiple switches?

If all you want is 1 big network, then do that - there is no reason to run multiple layer 3 networks if all you have is one L2.. You are not actually isolating anything from talking to each other if al your doing is using different IP schemes for different clients. So you might as well just put them on 1 network.

To properly segment clients, you need to do it at layer 2 first..

@benrichardson_insync said in VLAN not showing up in DHCP:

192.168.120.252/32

The problem is right there :) You seem to have accidentally configured the interface with a /32 subnet mask. DHCP can not be configured when there's no address space to use ;) As you wrote about primary and secondary: did you check BOTH nodes, that both have e.g. a /24 subnet selection in their VLAN20 interface config?

@virgiliomi said in Understanding how to get hostnames in IPv6 leases:

Unfortunately the ISC DHCPv6 server (used by FreeBSD, and thus pfSense) does not track hostnames for IPv6 leases, like it does for IPv4.

At least Static DHCP > Register DHCP static mappings in the DNS Resolver in Unbound does work for the DHCPv6 Server & RA too, for Static Mappings and the Hostname defined there. But often it takes a little bit longer.

Ok, thanks! Just done a check.
Is there anywhere I can look for the results?

@Gertjan said in DNS unavailable during configuration apply:

Unbound, far more capable as dnsmasq (the forwarder) is still a light weight process.
Using some low-bud arm processor, a second or so to have it restarted.
That is, if it reads the config, the hosts file and some other very small config files.

My pfSenses are on two virtual machines, the host has 1 Intel Core i9-9900K CPU @ 3.60GHz and the pfSenses have 2 vCore each.

An interface goes up or down ? unbound restarts.
A VPN connection is made ? Same thing.
Check the logs for the how often it restarts, and check for every occasion : is it needed ? You can't stop some of them to happen. For for some of them, you have a choice.

Btw : same thing for any mail server, or web server, or any server : while they restart, they can't (don't) 'serve' ;)

I understand that it should restart when it has to bind a new interface, but why cannot it be reloaded and not restarted when a new host is added?

I understand what you are telling, but it's very dangerous that an entire network cannot resolve when applying a new host. Reloads were invented to avoid this :-)

As a quick update: I now have unbound running as expected, with the PFSense sitting (via the LAN port) on my local network.

Thanks again for all the help. Now I need to decide whether I tackle VPN configuration, or work on PFSense as firewall. :-)