• Why create a static entry in the Arp table?

    0 Votes
    13 Posts
    32k Views

    @johnpoz
    Yes, it's been a quiet 5 years since I signed up for this forum, ;-)
    My usual signature is:
    "I'm not a complete idiot. There's still a few pieces missing."
    TIA's

  • DNS stopped working completely

    0 Votes
    3 Posts
    455 Views

    @Gertjan thanks for the response. I do not have any packages installed as I have reset to default settings. I took pfsense out altogether and I seem to get a connection through a store-bought router. When I go through pfsense though, the connection goes in and out constantly, but network connectivity and the WAN IP stay good.

  • Domain name doesn't get resolved with local dns resolver

    0 Votes
    10 Posts
    2k Views
    Gertjan

    @ryaoi42 said in Domain name doesn't get resolved with local dns resolver:

    Wait so I should reset pfsense and start over?

    This will take 5 minutes or so. Do what I said above.

  • 0 Votes
    2 Posts
    548 Views

    The resolution is to not leave the TTL field blank. A value must be entered or this error will occur.

  • DHCP leases are not automatically released

    0 Votes
    20 Posts
    5k Views

    I have been having exactly the same problem today as the OP: first a laptop getting a weird IP in the 169 range, then a desktop also in the 169 range, then my daughter's phone wouldn't connect to the wi-fi when she came home; it seemed to be having issues getting an IP address. In all three cases, if I set the device to a static IP it would work.

    Digging around in PfSense showed all of my pool in use, but I noticed that there seemed to be the same device associated with lots of different IP addresses. Fortunately there was a clue in its name, which started with Amazon. So I went and turned off the Amazon Echo and two Fire TV boxes, the last one of which was extremely hot.

    Seems that last Fire TV must have had some sort of issue and was using up all the leases before they had a chance to expire, and thus PfSense was running out of leases.

    During testing I was turning the wi-fi on my phone off and on and every time it was fine, and I now realise it was getting issued the same IP address, whereas my daughter had been at work all morning and the laptop and PC had been off overnight.

    Shame I rebooted Pfsense for this, it was up to 180 days uptime.

    Anyway, just posted this as info in case anybody else had a similar issue.

  • changed vlan range. DHCP leases still list old devices online

    0 Votes
    5 Posts
    358 Views

    I requested the image file for my new SG-3100. Redid my entire firewall from scratch, restoring no backup, and this is no longer an issue.

    I learned it's one of two things:

    Changing your vlan range breaks something and it never clears up

    Restoring just the alias page from a previous working pfsense firewall causes this

    This is no longer an issue

  • DNS can't resolve

    0 Votes
    6 Posts
    646 Views
    johnpoz

    You still have a MESS!!! And your forwarding in unbound is wrong... Because I can pretty much promise you your 10.10.100.5 box is sure not doing DoT over port 53..

    So while your 10.10.100 box can resolve PTR, I take it, your whole unbound setup is just borked! If you tell pfsense that it can use 10.10.100.5 as NS in general, it's not going to be doing DoT, just normal DNS queries, etc.

    I would highly suggest you fix your setup to make some sense..

    If you're going to point pfsense direct to your 10 box, it seems you have zero use for unbound and might as well just disable it.

  • DDNS setup for cloudflare

    0 Votes
    1 Posts
    323 Views
    No one has replied

  • Confused about DNS forwarding and local domains

    0 Votes
    20 Posts
    5k Views

    @ahking19 Thank you. Sounds interesting, especially the Encrypted SNI together with DoT. The problem with DoH is that it uses port 443. And obviously you cannot block port 443 at firewall level. Therefore any device or software with hardcoded DNS over HTTPS settings can bypass your DNS Resolver/Forwarder.

  • DNS authoritative zone

    0 Votes
    4 Posts
    481 Views
    johnpoz

    Bind is designed to be an authoritative NS, unbound is not..

    There are plenty of places to get FREE DNS services.. Hurricane Electric is one of them, Cloudflare is another.. Pretty much every registrar will provide you with free DNS as well. Depends on what features are needed, etc. Maybe they don't support CAA records or something, or DNSSEC (even though it's a requirement to be an accredited registrar)..

  • How to use mDNS (via Avahi) with VPN interface

    0 Votes
    16 Posts
    7k Views

    @Gertjan said in How to use mDNS (via Avahi) with VPN interface:

    nan, that's just you not locking down the DHCP client of your camera with a static MAC-to-IPv4 mapping in your DHCP server. And while you're at it, give it a host name defined by YOU (rather than by the cam, which will probably propose something like KLHG6545ARd).
    Now you can use a URL like CAM1 in your web browser - Windows and/or pfSense will add local.net (if that is your network name), so your browser will hit cam1.local.net, which will resolve just fine in the classic DNS to the LAN - or other network - IP of your device.

    No, actually I do have reserved IPs and hostnames for those cameras. That is not enough to make the app auto-discover them. mDNS does more than that. It has a service discovery mechanism.

  • DNS resolver fails to work when pfSense has an IPv6 address

    0 Votes
    14 Posts
    5k Views
    JKnott

    @septer012 said in DNS resolver fails to work when pfSense has an IPv6 address:

    It is again working. I am not sure if it is related to that IPv6 DNS entry or simply that I disabled the WAN IPv6. I was initially just going to try to downgrade to the latest stable version (2.4.x), but I could not figure out how to through the GUI. Perhaps it's not something you can do.

    It should make no difference whether IPv4 or IPv6 is used for DNS. You get the same info no matter which is used. I use resolver here and it works fine. On my LAN both IPv4 & IPv6 DNS are available and either may be used, depending on the device. If you suspect a DNS problem then try pinging the problem address. You can ping with both IPv4 and IPv6. If there are only one or a few bad addresses, then it's a problem at the original DNS.

  • How to get pfsense to push DNS with OpenVPN / tunnelblick

    0 Votes
    2 Posts
    6k Views

    I figured it out. It is working now.

    OpenVPN -> Servers -> Advanced Client Settings -> DNS Server enable: Provide a DNS server list to clients -> Specify list of hardcoded DNS servers

    Not sure why that is an "Advanced" setting or why the IP needs to be hardcoded. I would think you would want it to push the DNS Resolver IP by default.

  • Synology Letsencrypt Renewal and Unifi Firmware Update Fail

    1 Votes
    6 Posts
    759 Views
    Gertjan

    Yes.

    You have to click on these icons [image] to export the certs - P12 and PEM format.

    The certs are also available here: [image]

    You'll have to write a script to send it over to other devices. But as you might have guessed: the Synology DSM GUI uses a ... GUI to install the certs. Maybe it can be done using scripts on the Synology; an SSH interface exists, but you have to discover that yourself.

  • DNS Query Forwarding setting problem

    0 Votes
    7 Posts
    578 Views

    The website might just not work correctly - I tried a few others and those do report secure DNS, so I guess it's fine after all.

  • Help needed with website on pfsense network

    0 Votes
    5 Posts
    192 Views

    I figured it out, okay, sorry for this. I changed my GUI port to 8080, works fine. My problem was my RHEL server didn't have a firewall rule allowing port 443. As soon as I added a rule on the box itself, the port opened. Thank you so much for your time, sorry for the stupid question. I appreciate your time, I'm sure I'll be back eventually with another stupid question.

  • 0 Votes
    10 Posts
    700 Views

    @akuma1x
    I am having some issues with a legacy domain controller (Samba 3) when a Windows client connects via WiFi (WiFi is a different subnet and a different network interface).

    LAN 192.168.0.0/24 (wired clients and domain controller are in here)
    WiFi 192.168.1.0/24 (WiFi AP connecting to this interface to serve wireless users)
    DMZ 192.168.2.0/24

    Tested with the WiFi AP connecting to the LAN switch, so that WiFi clients get 192.168.0.x: no problem at all with the domain controller, e.g. change password, join domain etc.

    So I am thinking to expand the range by switching to /23 so that wired and wireless clients are all within the same subnet and "probably" solve the domain controller issues.

    Thinking that this is the easier way instead of trying to fix the domain controller issues.

  • DNS Doctoring in pfsense

    0 Votes
    24 Posts
    4k Views

    @yakatz said in DNS Doctoring in pfsense:

    @sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.

    What about a 'Proxy ARP' VIP under Firewall for each host? Wikipedia page for reference: Proxy ARP

    This and (maybe needed, not quite sure, but you did say 'dnsmasq') having the forwarder (I see it say dnsmasq a lot on there, I just don't use it) on the WAN.

  • Register a local computer name to DNS server

    0 Votes
    6 Posts
    3k Views

    I figured out what happened to it: all of my servers are using static IP addresses and I haven't put the static IP addresses under the DHCP static mapping on the DHCP Server page. [screenshot]
    After I typed in all the static IP addresses on the DHCP server and defined the hostname for each, I am able to access the shared folder using the hostname I defined.

  • 0 Votes
    6 Posts
    519 Views
    kiokoman

    Domain override forwards all queries for that domain to the specified IP (it's already written in the description, I don't know what else can be added):
    The IP address is treated as the authoritative lookup server for the domain (including all of its subdomains), and other lookup servers will not be queried.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.