• dlinkddns (Dyndns dynamic) discontinued

    1
    2 Votes
    1 Posts
    640 Views
    No one has replied
  • Issues with DNS resolving on VPN VLAN

    1
    0 Votes
    1 Posts
    87 Views
    No one has replied
  • dhcpd timezone

    1
    0 Votes
    1 Posts
    145 Views
    No one has replied
  • DNS have to create port forward to work

    2
    0 Votes
    2 Posts
    188 Views
    GertjanG

    @amrogers3 said in DNS have to create port forward to work:

    I have to create NAT port forward for 53 --> 853

    If DNS clients actually send TLS DNS traffic to port 53 instead of 853, then yes, port forwarding would be needed.
    Although these clients can be considered as broken.

    @amrogers3 said in DNS have to create port forward to work:

    getting DNS DoT to work

    On the WAN - upstream side ?
    Locally ?
    Describe your setup / needs.

    Back then, things were presented as https://www.netgate.com/blog/dns-over-tls-with-pfsense.html - and totally simplified afterwards : https://www.netgate.com/blog/pfsense-2-4-4-release-now-available.html

  • Pfsense WireGuard Client Working ( With Catch 22 )

    13
    1 Votes
    13 Posts
    5k Views
    U

    @ravenium
    Dear ravenium,
    My man - I hope that you are well and safe in these days and times. Thanks for your thoughtful and measured contribution and observations regarding the specific issue here and your philosophy about " hacking " pfSense in general. I am the OP ( in case you don't know ) - and you are obviously an erudite thinker - and once again - I for one greatly appreciated your .02 as a person
    Later my brother - Peace and God Bless You and Yours Always in God's Grace

    PS - I will try your proposed solution as stated here in # 1 of your reply ( just for sh*t and giggles ) - and thanks for that one more again

  • 0 Votes
    40 Posts
    8k Views
    J

    Hey all.

    I hate to dig up a long dead thread, but I was wondering if this ever got resolved (other than reinstalling Pfsense and restoring from a working config).

    Having a similar issue actually on my machine.
    Little more background: these issues started with an attempted install of a freeRadius package. It was having trouble, giving similar "assigning address" errors (didn't screenshot at the time. apologies). I gave up, thought nothing of it, and removed the freeradius package and then my pfblockerng dns blacklist started giving me trouble. I restored to a config that I knew was working, but that also did not solve the problem. I've tried reinstalling pfblocker, totally deleting the config, and resetting it up, rebooting the whole pfsense box, and continue to get the same error.

    I still could reinstall pfsense from scratch, and then restore that config file, but have there been any updates?

  • DNS resolver not resolving hosts in alias

    4
    0 Votes
    4 Posts
    597 Views
    4

    I can confirm, I did have the same problem as in the bug report. Disabling the DHCP lease registration worked for me as a workaround too.

  • pfSense self hostname on different interfaces

    2
    2 Votes
    2 Posts
    317 Views
    IsaacFLI

    @fedesoundsystem
    I would like to know this too. It is even more an issue with IPv6 since these are more dynamic.

  • Random DNS Resolver Issues

    1
    0 Votes
    1 Posts
    125 Views
    No one has replied
  • Synology DDNS not work

    15
    0 Votes
    15 Posts
    3k Views
    DaddyGoD

    For security reasons only, external HTTP (80) connections are not appropriate, especially for a NAS; use HTTPS if you want to access the NAS remotely.
    Or use Syno's built-in OpenVPN package for external access.

  • How Setup Dynamically Updating Gateway IP DNS Alias?

    3
    0 Votes
    3 Posts
    361 Views
    S

    If you’re just looking for ideas, here’s what I came up with a few years ago and it’s still working fine. I have a lab domain (one that I just fool around with various web projects, DBs, PHP applications). My Spectrum home IP address rarely changes but like you said, it does change. So, I wrote a CRON job from my pfSense router to ping out every few minutes to a web page I wrote. The web page sees what the calling IP address is and compares it to the current IP stored in its DB. If it’s the same, nothing happens. If it is different then it stores the new address, sends me a text message, and activates my NameCheap APIs to change the IP address and DNS Records for all my subdomain.domain.com URLs which target various servers and devices at home via a reverse proxy. That way the links are always up to date and I can access PLEX, NAS drives and my home automation server without any problems.
    The web app also monitors the time between pings (10mins for example) and if the time exceeds specified limits then it assumes there was an internet outage and alerts me with the approximate time and outage duration. Sometimes you can lose internet service and not know it real time but you still want to know it happened.

  • 0 Votes
    3 Posts
    1k Views
    D

    And another update in my "blog".
    In Pihole you can set "Use Conditional forwarding" and list your domain and pfsense ip.
    That way I can resolve my own internal domain and at the same time use 1.0.0.3 and 1.1.1.3 for dns lookup without going to pfsense. No need to copy over the hosts file.

    I ended up not launching the resolver and forwarder in parallel.

    My setup now is that I port forward all DNS requests on all interfaces except the kids-vlan to my pihole-1. I then port forward requests coming on my kids vlan to 53 to pihole-2. I allow outgoing requests from my pihole-1 and pihole-2.

    Regards. D

  • DHCP Static mappings seem to be used by all DHCP scopes on all interfaces

    8
    0 Votes
    8 Posts
    287 Views
    C

    Well that is officially very odd... After much fiddling.. enabling static ARP, disabling static ARP, restarting the service and so on... I discovered that our WiFi voucher system had also stopped working. The solution to that was to uncheck the only allow users listed below access.. which would sort of indicate that the option was now working.... I think an upgrade to 2.5 when it's officially stable might be a good idea in any case... thanks for your help.

  • Windows DHCP not working for vlan2 Scope.

    2
    0 Votes
    2 Posts
    184 Views
    F

    YES...got it working. To help those that may be running into this:
    Step1: Create DHCP Scope on your Windows server.
    Step2: Create vlan in pfSense
    Step3: Assign new VLAN interface to your LAN trunk from pfSense
    Step4: Create Rule to allow new vlan to access other networks as desired. (in my case default vlan as my DHCP server is also DNS)
    Step5: pfSense DHCP relay select the new vlan (make sure your LAN and VLANs are all selected)
    Step6: Unifi Controller Create new Network with vlan ONLY with your new vlan.
    Step7: Create new SSID using new vlan
    DONE!

  • DNS Resolver with WAN failover

    7
    0 Votes
    7 Posts
    681 Views
    4

    @johnpoz but i am noticing another problem. Summary config

    unresolve outgoing only on wan
    nat rule point to localhost for dns on each interface
    rule on each interface to pass dns to localhost
    block rule on each interface to block dns not for pfsense
    gateway pool as default route for 2x vpn
    alias defining list of hosts to bypass vpn
    rule to pass alias to wan

    i am seeing every 20sec in the log
    check_reload_status Updating static routes based on hostnames

    on the dns resolver, i see loads of
    Adding Action: pf table: BYPASS_VPN_HOSTS host: forum.netgate.com
    filterdns failed to resolve forum.netgate.com will retry later again.

    these are very frequent and seem to coincide with my intermittent loss of DNS

  • unbound and localhost

    14
    0 Votes
    14 Posts
    1k Views
    G

    Anyway... a great Merci :-)

  • Unbound.conf stats_noreset use 20-28%

    10
    0 Votes
    10 Posts
    944 Views
    M

    Hi, I return to this topic after installing grafana and also after changing the value to 30 the use of nice cpu by dnsbl remains high, with peaks at 50% and beyond every 30 seconds as per the set value.
    With 1,700,000 records in dnsbl is this normal?
    @BBcan177


  • unbound fatal error

    3
    0 Votes
    3 Posts
    498 Views
    R

    Thanks!

    To be clear, manually restarting unbound in the pfSense webGUI seems to resolve the problem when this occurs. I looked at the contents of unbound.conf. It seems to be fine.

    Outside the workday I'll try stopping and manually starting unbound with the command above. However, I fully expect it will start up fine with no obvious errors, since that's what usually happens.

    This problem only pops up every week or so. Given that I've had DHCP registration turned on, that means unbound restarts several times per day, almost always successfully. I don't know what's going on in these rare cases where it doesn't.

  • Howto use Cloudflare DNS ?

    2
    0 Votes
    2 Posts
    405 Views
    GertjanG

    Hi,

    The tip from 2 days ago was :

    84c0d552-fd3d-40ce-8a14-6e81064b9137-image.png

    (click to see the blog, and Q&A)

    So I guess DOT is still in the works.

    Btw : the reverse of 1.1.1.3 doesn't even exist yet - neither for 1.0.0.3.
    Take note that the tld '.three' doesn't exist.

    The blog you mentioned is old : DOT is TLS based, so it needs a valid host name - the one that is also embedded into the cert they present to you.

    So, when you use 1.1.1.1 it would be set up as

    ba56f67a-c0e0-485b-a97f-4cf9bcd0068a-image.png

    edit : I guess 1.1.1.3 etc can be used, just not yet using TLS.

    edit again :

    @bgroper said in Howto use Cloudflare DNS ?:

    Is there some way to check whether this is working as intended ?

    Yep, I understand that you didn't like this :

    c3860986-36f5-4d1f-98fd-58455cfe1e6b-image.png

  • DNS Resolver "forgets" Domain Overrides from time to time

    12
    0 Votes
    12 Posts
    828 Views
    jimpJ

    RFC 8375 sets aside .home.arpa for this kind of use, which is what everyone should be migrating to eventually (unless you have a real domain)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.