@dennypage Thought I would share... I was able to track this down via packet inspection. Turns out, these errors are the result of prefix delegation requests. pfSense does not yet have support for delegation when using Kea.

FWIW, the prefix delegation requests are coming from Apple devices in the role of Matter hubs. There does not appear to be a way to turn it off.

@Gertjan "in the resolver log" found at:
Status/ System Logs / System / DNS Resolver in the GUI

@IonutIT

I re edit my post above.
kea2unbound is innocent 👍
The issue is deep in the GUI, and identical to my initial pfBlockerng issue.

I'll have a patch some where next week.

@beluclark said in DNS Resolver fails after enabling pfBlockerNG (DNSBL):

Unfortunately

Is it ? The image you've shown is like mine : the unbound answer is correct, The host couldn't be resolved.

Way better as the GUI : the command line (not the GUI command line of course).
SSH will do just fine, menu option 8.

Ask unbound to resolve "google.com", using 127.0.0.1, as unbound listens on 127.0.0.1 :

dig @127.0.0.1 google.com

or even

dig @127.0.0.1 google.com +trace

@cmcdonald Thanks.

Thanks for post. I have similar network as @tlg and was preparing to switch to KEA. Guess I'll keep waiting.

@UClinux said in DNS Forwarder question:

Now I understand that this is a hard rule

Not a hard rule.
A logic rule.

DNS mostly used to find IP addresses if host names are known.
For those who, used a phone back in the days : like looking up the number if you have the name.

If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, ......

You see the problem ?
Not a hard, but a golden rule : for DNS servers, you use IP's 😊

@viragomann Thank you but I figured out the issue. I couldn't disable DHCP on the LAN or I lost GUI. Solution was to make the change shown below:

44f4e9f4-7486-4fe9-a31f-24f34285fbe1-image.png

Default is /32. I reset it to 24. Then under Services==>DHCP Server an additional tab showed up for Bro. Enable DHCP on that one. Go back to Lan tab and disable DHCP. Done

@tinfoilmatt said in DNS Resolver Infrastructure Cache Stats:

In fact, if you were really paranoid, you could encapsulate DoT queries within the tunnel to keep them hidden from even your VPN provider

Please, if possible, show example?

@JKnott I hear yeah.. it should be really rare I would agree. The only time I have had to manually release and renew my wan lease was when the isp merged with another and they redid a lot of their IP scheme and moved IPs around, etc.

And that was years ago, had my current IP for easy before covid, etc.

One of my favorite pages on the Netgate Docs-
https://docs.netgate.com/pfsense/en/latest/recipes/index.html
Scroll down to DNS then click on redirecting client Dns.

@Modesty said in Bizarre IP in my LAN:

now they behave like kids ;-)

hahah - not sure how to take that, you mean they are working correctly or are they still acting up - hahah ;)

make that a not...

if i nslookup k8s-prd-1 i get nothing, it seem to go out to internet directly...

I've added the name to local dns resolver and the 3 applicable up addresses of my k8s master nodes that i want to resolved to.

G

@georgelza how I would do it is include some text file that contains your entries

Example

[24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: cat newhosts.conf local-data: "newhost.newdomain.tld. A 10.11.12.13" local-data: "otherhost.otherdomain.tld. A 10.11.12.14" [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound:

So you could script adding whatever records you want in there like the above.. you can create ptr records as well with local-data-ptr:

And then have your script restart unbound so those are loaded..

unbound.jpg

edit: btw, not really sure what might happen to that text file you create with your records on an update to pfsense or even the unbound package.. So you might want to keep a copy handy of what you put in there.

Another way would be directly editing the xml to put your hosts in there as overrides - but that seems more complex and possible corruption of your configuration of pfsenses overall xml.. The loading of text file seems way less intrusive and easier to accomplish with simple script and less risk of borking something up.