@ssanchez1 Perhaps I'm missing something, but both DHCP and DNS servers are built into pfsense.

@johnpoz Yea - I get it. They don't make much sense -- I've definitely had to either drop some of the NAT and Firewall rules for not making sense. Bottom line was the NAT rules was redirecting all port 53 requests to pfsense which was intercepting all the outgoing traffic. Thanks a lot for your help on this issue.

Glad it was helpful.. And hopefully the next guy that finds this might also find useful info. I'm a huge dig user, and really have zero use for doh or dot.. I block them specifically on my network.. I resolve - have no desire to hand all my dns to some company.. Will just resolve thank you very much. But there are useful tools to test with. But no reason can not help others use - even if I think a horrible idea.. I wouldn't mind it too much if was fully opt in.. But these browsers and apps doing doh in the background, without fully and complete sign off from the user specifically to do it - is just horrible horrible direction.. Understanding how it works, how to validate it works - makes it easier to make sure its not viable on my network.. Its wrong - and just another way for these companies to monetize data, sorry but it has zero to do with user privacy or "security" dot is better, because its easier to block apps and devices from using it.. But sneaking dns queries inside https normal 443 is not direction should be going..

A Netgear doing DNS intercepting ? Google up the firmware, that would be known on the net. The ISP doing intercepting, that would be the next question.

well very strange thing I've seen , when putting static 8.8.8.8 on windows client as secondary DNS and primary DNS of my pfsense IP . it does open youtube , if I remove Secondary DNS 8.8.8.8 it does block youtube and other sites which pfblocker should do . :/ . I do have firewall rule I do I prevent users not use other then firewall IP as primary DNS. Regards

Or just turn off Private Address for that SSID. Just upgraded to 14.2 , and had to disable private address om my iPhone/iPad Nice feature , that you can do it per SSID /Bingo

I have a different view of DHCP DNS registration. When you manage relatively small networks, then static IPs (or MAC reservations) and manual DNS records work okay. But as you scale up to hundreds and then thousands of PCs, that becomes increasingly hard to manage. Especially when those PCs are scattered around geographically. To me, workable automatic DNS registration from the DHCP client is quite useful, and I am sad that functionality is currently not workable in pfSense due to the unbound restart behavior. I worked for years in a Fortune 500 US company with over 25,000 employees and thousands of PCs all running Windows scattered across four states in the south. We had a central internal Help Desk for support. The Help Desk connected to a user's PC via RDP (the company had its own private WAN/LAN arrangement using dedicated infrastructure it owned and some it leased). The connection was made by hostname. When our support folks imaged (installed Windows and corporate apps) a new PC prior to shipping it out, they assigned a hostname using an in-house scheme and put an icon on the desktop with that hostname. Now, no matter what corporate office or field location that PC went to, when it got its DHCP IP address for that office it would dutifully register its hostname in DNS with its IP address. Now the Help Desk could easily locate and connect to the PC by hostname. The hostname was displayed in plain sight on the user's desktop. Can you imagine being on the phone and trying to talk a typical user through finding and then telling you the IP address their workstation has so you could connect to it?

@Mr-Waste said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver: I need to know how to get a response back from the Pfsense being on a different network Huh?? Doesn't even make sense.. Pfsense is connected to both networks or all networks question right?? Do you have drawings of some other downstream routers in your network?? Lets say you have this... [image: 1604524679405-setup.png] Forget the network IPs - there could be 3 there could be 3000 of them... Doesn't matter.. Your devices on each network.. Would point to pfsense IP on that network, in my drawing .1 on each network for DNS. Unless you want to point them direct to DNS like on the 10.10.10 I show.. The only thing that has to be allowed for is that 172.16.0 interface that network can talk 53 udp/tcp on that pfsense interface.. Whatever that vlan is called would be listed as vlanX address, on other network it would be vlanY address. Now all you devices ask pfsense for DNS.. To the respective IPs of pfsense on that network - this is default what is handed out via dhcp.. Pfsense forwards this to your DNS.. To be honest all you have to do for your remote is allow that remote IP to your wan IP on 53 udp/tcp as well.. Unbound listening on your wan address.. Will also forward this traffic to your dns.. The only time you ever have to do any sort of port forwarding is if say a client on vlan X 192.168.0 in my drawing is trying to talk to 8.8.8.8 for dns.. This is when you would do a redirect (port forward).. Anything going to anything other than pfsense IP for dns, port forward it to loopback so unbound will see it and pretend its googledns.. I have no idea what you got into your head... But unless your wanting to intercept dns not set to talk to pfsense (default dhcp settings) then this works out of the box.. Nothing to do for any of it.. Other than set unbound to forward to your pihole/dns.. Do you have more routers in your network other than pfsense? Or is my drawing a representation of what you have? Forget what IP ranges I have on networks, or how many they are even... You could have 2, or 2000 - doesn't matter all works the same!!

@grounddave said in DNS Resolver not responding....: set to “All” Which one : [image: 1604296244616-cb447372-7afa-44c1-b179-5f38573019da-image.png] ? This one is unchecked : [image: 1604296408716-127cabd7-9b18-4181-8b63-0b32ac9a1130-image.png] ? The LAN interface has a default GUI firewall that lets in typical DNS traffic. When you create OPT1, OPT etc there are no rules. What are the firewall rules you've activated for OPT etc ?

@johnpoz said in DNS re-direction for internal & external clients across an isolated VLAN: @memphis2k said in DNS re-direction for internal & external clients across an isolated VLAN: This will all break if my WAN IP changes And why is that? That is the whole point of ddns. [image: 1604184712857-host_overrides.png] I can do DDNS in the Host Overrides?? I am doing DDNS for my domain already and DDNS setup in pfSense. It would be nice if I could do "This Firewall", instread of the IP address. Remember I need to route my local DNS traffic for my domain to the firewall. So far, the Host Overrides are the only thing I found that works.

I wouldn't really say that - your forwarding.. Not a fan ;)

If they were wise, and their API access fits into this one : https://github.com/pfsense/pfsense/blob/master/src/etc/inc/dyndns.class it could be rather easy thing to do. If so, and as soon as some one proposes a pull request, then yeah, why not. That some one needs to have a hetzner account, domain name etc. Hetzner rents servers, right ? A plan B would be : skip their DNS services all together. a copy of 'bind' as a master DNS server, use the never dying RFC 2136 and your good to go. The down side will be : you have to handle your own DNS ...

@brad-edmondson said in Unbound stops resolving intermittently: have short DHCP leases I did disable the DHCP registration and also the OpenVPN clients checkboxes as suggested by @Gertjan . In addition to that, I also updated my VPN client settings to add multiple servers -- in case my VPN provider decides to change IP addresses or if they simply decommission the server that I am connecting to. I haven't seen any issues since then. So it was a combination of those two things that fixed it for me. Obviously if you don't use a VPN provider, then the second part wouldn't apply to you.

@chrcoluk said in Unbound cache hit rate is anaemic: it used to be to only set that low if you moving content to another ip Yup use to do that all the time back in the day... As you got closer and closer to zero hour for the switch you would lower the in steps.. Lets say you had a ttl of 24 hours... Couple of days before you might change it to 12.. hours, then 6 later and then 3 later, until you were down to say 1 minute.. for a short time before zero hour.. You would then change your IP.. And within 1 minute everyone should be using the new IP.. Then you could ramp it back up.. Again in steps - just in case you find out something not working and you need to change it.. You wouldn't want some clients having grabbed your 24 hour ttl, etc.. You would ramp down vs just jumping down because that could cause a huge spike on your dns traffic, if you moved it down slowly it would prevent a spike in your dns queries so you were sure you could handle the number of queries with the shorter ttl, etc.

I added private-domain: "mydomain.net" to the unbound custom options like in the documentation you have linked. I'm using pfblocker, too. Yeah you are right. I never mentioned that. DNS rebinding protection was the cause of my problems.

@chrcoluk said in Unbound stability is worrying: Obviously the proper fix is to deal with the configuration that is over stressing the memory in the system, but as a quick workaround in the mean time just enable swap. I usually enable swap on all my systems, just to act as a buffer for these types of moments. Not sure if swapping to an 8gb flash drive is the best idea....