• DNS issue on Dual Wan 2.4.4

    2
    0 Votes
    2 Posts
    99 Views
    J

    I originally asked this in "routing and multi-wan" but received no reply; the more I dug, the more this seemed like a multi-WAN over DNS issue... and I finally received a response there.
    I don't have the privileges to delete this post, but just be aware that it is being followed up:
    In this thread

  • 1 Votes
    6 Posts
    546 Views
    P

    Thanks folks, that was exactly what I was looking for. Much obliged!

  • Splitting VLAN in 3

    4
    0 Votes
    4 Posts
    395 Views
    JKnott

    @cre8toruk

    Then you don't need VLANs. If you only have 1 SSID then you can use the native LAN. Perhaps the 3 methods put the various users into 3 address groups. If so, it would be possible to filter on IP address.

  • Quad9 and DNS Resolver

    28
    0 Votes
    28 Posts
    7k Views
    DaddyGo

    @cburbs said in Quad9 and DNS Resolver:

    Yeah snort and pfblocker are on my list. I played with these a while back but it broke many things and haven't got back to them.

    Before you jump into these IPS / IDS, DNSBL, etc. things, I highly recommend Bill Meeks' (alias: bmeeks) posts on Snort / Suricata and BBcan177's on the topic of pfBlockerNG.

  • DHCP minimum and maximum lease problem

    2
    0 Votes
    2 Posts
    325 Views
    Gertjan

    To release the lease for a device, use the release command.
    For Windows, that will be

    ipconfig /release

    Then renew.

    Also, packet-capture the whole DHCP communication. Use Wireshark and friends to detail all the info.
    You'll see what is being asked for, and what the DHCP server (pfSense) is handing out.

    Another test :
    Disconnect all devices - rip out cables, shut down radio devices.
    Stop the DHCP server - all LAN type interfaces.
    Delete all the DHCP lease cache files : /var/dhcpd/var/db/
    Start DHCP server(s)
    And check.

    edit : and what devices ?
    Some just don't implement the DHCP protocol 'by the book'.

    What LAN? Settings for the LAN DHCP server do not affect the settings of another LAN-type (OPTx) interface.

  • Query Root DNS Servers on Alternate port

    2
    0 Votes
    2 Posts
    119 Views
    Gertjan

    Yep.

    Here is the list https://www.iana.org/domains/root/servers - contact them, and ask them if they could open another port.
    Please, let them keep port 53 in parallel, otherwise the Internet will stop working for all of us.

    More seriously:
    The root guys don't support DoT.
    Keep in mind: activating DoT for the entire chain will multiply the load on every involved server by a huge factor.
    See, for example, https://www.reddit.com/r/sysadmin/comments/caf8se/dns_over_tls_with_root_name_servers_clarification/

    If you want a sure answer: use DNSSEC.
    If you want to hide your traffic from your ISP: forward to, for example, one.one.one.one (that is 1.1.1.1, but don't use the numbers, use the host name).
    As of today, you can't have both.

    Or, why not: push everything over a VPN with an endpoint very near one of the x.root-servers.net guys.

  • Restart DHCP Relay after OpenVPN Tunnel comes up

    1
    0 Votes
    1 Posts
    72 Views
    No one has replied
  • DHCP from gateway

    4
    0 Votes
    4 Posts
    421 Views
    JKnott

    @Bulldogg

    Then you don't want to use the Wifi on the modem. You cannot have the same subnet on both sides of pfSense, unless you configure it to be a pass through firewall.

  • Help with transferring working Bind configuration to pfSense deployment

    3
    0 Votes
    3 Posts
    423 Views
    v1k0d3n

    never mind. that didn't seem to do the trick. the ubuntu host that I was testing with rolled back to DHCP DNS servers, and I didn't realize it. the issue still exists...

    this is a real tough one for me to figure out, and it's frustrating...because from a bind perspective I know exactly what needs to be done. but how to do it in pfSense and working with the GUI...it's not quite clicking for me yet. if anyone has suggestions, I really could use a lifeline. 😕

  • DNS Resolver validation (internal or external firewall)

    4
    0 Votes
    4 Posts
    402 Views
    Gertjan

    I saw this once or twice:

    @MilesMorales said in DNS Resolver validation (internal or external firewall):

    dig +trace pfsense.org

    ; <<>> DiG 9.10.6 <<>> +trace pfsense.org
    ;; global options: +cmd
    ;; Received 28 bytes from 172.16.0.1#53(172.16.0.1) in 33 ms

    "dig" worked, but adding the +trace option silenced it completely, there were no results except for these 3 lines.

    @MilesMorales said in DNS Resolver validation (internal or external firewall):

    installing bind fixed the issues

    Did you also use bind to resolve? Or just install it without activating it?

    This is one of the rare situations where a reboot of pfSense restored the dig +trace functionality. I never investigated the reason; I still have a note for myself to find out what happened.

    Btw: System > General Setup > DNS Server Override isn't set, right?

  • Can I intercept DNS?

    19
    0 Votes
    19 Posts
    1k Views
    S

    Nothing public resolves to a 10 address. My domain exists on both the internal DNS server and the public DNS server. The internal forwards requests it doesn't have local to my ISP DNS. So for computers with 10.0.0.3 DNS, a request for www.google.com hits 10.0.0.3 then gets forwarded to 75.75.75.75 since that isn't authoritative for that domain. A request for www.mydomain.com though gets served from 10.0.0.3 since mydomain.com is local to that server thus it gives 10.0.0.100. A person outside my LAN requests www.mydomain.com and gets my record from ClouDNS where I have my public records hosted and that resolves to a 50.77 address.

    It's worked fine for years this way, and it's the same way our DNS is setup at work (a major municipal government entity). It's only a problem because this blasted Fire HD tablet is apparently asking 8.8.8.8 first. I tried blocking 8.8.8.8 all together and then name resolution totally fails on the tablet, which is why I think it's ignoring the 10.0.0.3 DNS server DHCP is giving out.

  • Static IP keeping .local domain mapping

    2
    0 Votes
    2 Posts
    155 Views
    Soloam

    Ok I found the solution on Debian! I should edit the /etc/nsswitch.conf file! But can anyone explain to me why, if DHCP assigns an IP, the .local domain keeps working, but if the IP is static in pfSense it can't!?

  • DynDNS for IPv4 and IPv6

    8
    1 Votes
    8 Posts
    1k Views
    Gertjan

    @no said in DynDNS for IPv4 and IPv6:

    routing 100 MBit/s and above(?) and if so not with the latency(?)

    Can't tell. It maxes out for me, but my ISP gives me 22 Mbits/sec down, 2,2 Mbits up ....
    It's free to try, though.

  • Unbound DNS resolver Issue!!!

    3
    0 Votes
    3 Posts
    477 Views
    T

    Check to see if your unbound_server.pem cert file length is 0 bytes.

    ls -l /var/unbound_server.pem

    If it is size 0, chances are your /var may have filled up.

    See my last post here for an explanation.

    https://forum.netgate.com/topic/151361/unbound-broken/4

    See unbound-control-setup(8) to remedy.

  • 0 Votes
    1 Posts
    100 Views
    No one has replied
  • Dhcpd refuses to start after upgrade from pf 2.4.4 to 2.4.5. Help Please!

    5
    0 Votes
    5 Posts
    559 Views
    W

    To fix this problem of mine....

    Since pf had already updated to 2.4.5, with the packages installed and running fine, except that dhcpd
    was not running, I did a backup of the configuration xml file. This configuration xml file will have
    all my settings incl. pf and its packages.

    I did a refresh install, and then got my PPPOE working first.

    I did a refresh install on my packages all of them, 1 by 1 installed them. Note that if PPPOE is not working,
    then needless to say, downloading and installing packages would not work at all.

    After installing the packages, reboot the system, now grab the configuration xml file and restore it.

    Once finished restoring the xml file, the system will automatically reboot itself.

    Log into pf, and you see a big message: pfSense is reinstalling the packages in the background.

    I left the system to do its work. I went away and did something else while waiting for the system
    to complete its task of reinstalling the settings. It took about 2 hours.

    After 2 hours of waiting, my log in screen did not display the message. Meaning pf had finished
    installing.

    DONE.

  • Per interface DNS Forwarder configuration

    22
    0 Votes
    22 Posts
    931 Views
    G

    Hi guys,

    thanks for your interest in my question and I'm really sorry if I haven't used the terminology in a correct way (also sorry for my bad English).
    First of all, I'm running pfSense 2.4.2-RELEASE-p1.
    As previously said, the goal is that clients from different OpenVPN connection will be able to resolve internal root domain, subdomains and hosts or part of them; currently, to achieve that goal (only on one OpenVPN connection, that's the reason of this post), I'm using DNS Forwarder and Host/Domains overrides in this way:

    DNS Query Forwarding - Query DNS servers sequentially -> flagged, in order to forward every query to internal DNS servers (they all are authoritative ones for internal domains/subdomains) for hosts and subdomains that clients are allowed to resolve.
    No override is configured for subdomains and their "children" hosts that clients are NOT allowed to resolve.
    Domain override is in place for subdomain only, and destination ip is set to "!" for hosts that clients are allowed to resolve even when a domain override is in place for their "parent" subdomains.
    Host override is in place with local data (manually "mirroring" internal DNS data) -> this is a very special configuration and I'm going to configure it only for a few hosts.

    Why do I need this configuration? Because most of the OpenVPN clients are not "people" but "machines" and I need to ensure as little data exfiltration as possible in case of their compromise.

    I can consider using DNS Resolver if the final scenario is not supported by DNS Forwarder or if it will do a better job.

    Thanks again!

  • Dhcp using carp, host has different traceroute path

    3
    0 Votes
    3 Posts
    406 Views
    K

    I have another issue: when I clone another server, the same problem arises as above. The worst thing is, even if I delete the lease, the route does not pass through the interface IP, which is x.x.201.2.

    Here's the snippet from above, where interface IP x.x.201.2 is not even visible anymore. The other DHCP clients are complete, showing x.x.201.2 on the traceroute.
    [screenshot: f68e9537-2d77-482a-babf-240a49f1cd88-image.png]

    Below is the correct one:
    [screenshot: 875b21a1-ffa0-4bec-aa61-bf2c9d531e55-image.png]

    So now, whatever I do, disable/enable NAT, nothing works!

    Does anybody experience the same as me? Or is this a bug???

  • Configure DHCP Server on the LAGG interface

    5
    0 Votes
    5 Posts
    940 Views
    thienthienan

    Thanks for @dotdash's support.

    Best regards !

  • Moved to correct sub-section.

    2
    0 Votes
    2 Posts
    162 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.