• [Solved] DNS Resolver SERVFAIL

    6
    0 Votes
    6 Posts
    2k Views
    S
    @johnpoz said in DNS Resolver SERVFAIL: What specific machine was that done on? Do you mean what hardware? It is not a Netgate device, it is an HP T620 Plus thin client.
    unbound-control -c /var/unbound/unbound.conf lookup .
    The following name servers are used for lookup of .
    Delegation with 13 names, of which 0 can be examined to query further addresses. It provides 26 IP addresses.
    IPv6 is disabled on my machine, I don't know if it is relevant or not, just mentioning because I see that your dig +trace used IPv6.
  • No WAN IP since 2.4

    20
    0 Votes
    20 Posts
    4k Views
    S
    @quadrinary I had the same issue... DHCPDISCOVER was going over the line just fine, but I was getting no DHCPOFFER from the modem. This is also on a pfsense VM on vSphere 6.7. Plugging my laptop directly into the cable modem was working just fine, getting an IP from the modem within a second. Disabling CDP on the vSwitch and rebooting modem and pfsense VM solved the problem. Thanks to this post, because I would have NEVER found the solution to the problem otherwise. So thanks! :)
  • 2 Votes
    1 Posts
    618 Views
    No one has replied
  • Using OpenDNS with pfSense needs updating

    5
    0 Votes
    5 Posts
    1k Views
    C
    @johnpoz Thanks. That is what I typed in initially but then decided to go and look to make sure I was doing it correctly before actually enabling it. That's when I found the information I mentioned in my first post, but pfSense wouldn't accept the input recommended by OpenDNS. Since this just appears to be a text field for data that is passed to the service, I didn't understand why it was being parsed for invalid characters in the first place. However, I can go back to just trying the network name (NetworkLabel) in the box and see what happens.
  • Dynamic DNS with dns.com ip 4/6 dual stack

    1
    0 Votes
    1 Posts
    124 Views
    No one has replied
  • DNS sometimes go down...

    8
    0 Votes
    8 Posts
    1k Views
    R
    Thank you very much for this else suggestion.. I will try to turn off DNSSEC too.
  • DHCP, multiple Access Points

    2
    0 Votes
    2 Posts
    424 Views
    johnpoz
    @AWeidner said in DHCP, multiple Access Points: But it looks like pfSense and the client device cannot agree to an address a lot of the time. If a client requests IP address 1.2.3.4, and gets told NO.. via nak.. then it should send out a new discover. Can you post up this pcap you took so we can take a look see to what could be going on. I don't have a lot of android devices to play with - but guests are on my guest vlan, and never have any problems. My son's android phone is on the network all the time, and he doesn't seem to have any issues. I have multiple devices that move about different SSIDS to new vlans and new IP ranges - without any issues switching to the new IP scheme on the different vlan, etc..
  • Use Pfsense as PXE boot server

    3
    2
    0 Votes
    3 Posts
    2k Views
    B
    The vm is ok. Gets an ipv4 address in the normal scope. Removed the tftp:// but still the same. [image: 1571258622207-virtualbox.png]
  • Assigning Client IP to a different DNS server in DNS Resolver

    6
    0 Votes
    6 Posts
    715 Views
    K
    @johnpoz Thank you for the insights..
  • Dynamic DNS missing Hostname in Custom DNS.

    1
    0 Votes
    1 Posts
    96 Views
    No one has replied
  • 0 Votes
    1 Posts
    566 Views
    No one has replied
  • Error in DHCP logs

    dhcp
    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • Static DHCPv6 leases not getting registered with DDNS

    9
    0 Votes
    9 Posts
    1k Views
    M
    Patching the script generating the config to include "update-static-leases on" in dhcpdv6.conf doesn't seem to help. The man page says that this isn't recommended anyway, so maybe I should add the records manually after all, but then update-static-leases shouldn't be switched on for IPv4 either.
  • DNS not resolving

    6
    0 Votes
    6 Posts
    746 Views
    W
    So I came in this morning and I can no longer get DNS resolution again...
  • CNAMEs from another server to pfSense not working

    8
    0 Votes
    8 Posts
    1k Views
    johnpoz
    I mean to the authoritative ns(ers) for your name space. If you want to point your client to pfsense that sure have at it... But what you can not do is point the client to pfsense and then some public ns.. Since you never know where the client will query. But if pointed to pfsense, and pfsense has an override to resolve domain.tld that points to where they can resolve that - that works too. You just need to make sure that when you forward to something that is going to return rfc1918 space that you correctly allow for rebind protection.
  • running a main forwarder behind pfsense.

    2
    0 Votes
    2 Posts
    129 Views
    V
    So you have to have a static public IP which is used for sending out mails and you need a public domain, where you assign a hostname to that public IP. You may also need a PTR Resource Record which points to that hostname. This can be set by your ISP. Usually a smart host should rather use an authentication method than require all that.
  • Host override based on record IP with DNS Resolver

    1
    0 Votes
    1 Posts
    98 Views
    No one has replied
  • Can pfsense run the OpenDNS Updater?

    4
    0 Votes
    4 Posts
    2k Views
    Gertjan
    @astph said in Can pfsense run the OpenDNS Updater?: As mine is having 0.0.0.0 on the cached ip.
    As long as the updating didn't work, you wind up having 0.0.0.0. That's normal. I have: [image: 1570542049129-737de201-72fe-4c54-9626-62e3b2825a0d-image.png] Notice: the hostname isn't a hostname here, but your "account ID" created with OpenDNS. Use the "Verbose logging" option. When activated, you should check the logs, they will tell you everything ...
    Edit: extra checks: See [image: 1570542385287-6734e3ba-9f1c-4a64-8647-98f1413a86bc-image.png]
    Question: pfSense uses this URL to get your 'real' WAN IP. Does it really work for you?
    Answer: go to Console (SSH!) and use option 8. Type:
    curl http://checkip.dyndns.org
    It should answer with something like this:
    <html><head><title>Current IP Check</title></head><body>Current IP Address: 82.127.34.254</body></html>
    and yes, 82.127.34.254 is my WAN IP.
  • Different DNS Servers per subnet

    7
    0 Votes
    7 Posts
    2k Views
    stephenw10
    I shudder to suggest this but.... You can do this by running both the DNS forwarder and the DNS resolver (in forwarding mode). Obviously one has to run on a different port but you can use a port forward on whichever LAN is using it so clients still use port 53. You can a domain override on one pointing at the other one for your local hosts so you only need to maintain one host list. It's ugly. It will probably come back to bite you at some point. It doesn't scale beyond 2. But it doesn't require any packages or custom config, everything is in the GUI and hence backed up. Steve
  • This topic is deleted!

    1
    0 Votes
    1 Posts
    4 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.