• status dns resolver

    4
    0 Votes
    4 Posts
    627 Views
    GertjanG

    Dunno about your thread - found it here as is.

    About the Resolver : I'm using plain vanilla settings, this is : unbound as Resolver. I activated DNSSEC.
    Never saw any problems.

    Btw : my advice :

    Quad9 - Cloudflare : why should you use these ?

  • Unbound notice: sendto failed: Permission denied

    7
    0 Votes
    7 Posts
    8k Views
    DerelictD

    You'll have to see what suricata complained about and make it not do that. It's likely only doing what it was told to do.

  • 0 Votes
    3 Posts
    1k Views
    Michel-angeloM

    Thanks Gertjan. That was it... I checked my account on the DNS-O-Matic website, clicked the link to 'documentation' and found:

    "An HTTP request to http://myip.dnsomatic.com/ will return the public IP of the client."

    The whole process seems to be automated, so my setting works. No need for any change or update. This is great. Thanks Gertjan.

  • Forward "domain.com" requests from Public interface to external DNS

    10
    0 Votes
    10 Posts
    882 Views
    C

    This is a mad idea but how about using DNS Forwarder and DNS Resolver, one for each subnet, make sure they are both running on different port numbers and set up a port forward on the guest wifi interface from port 53 to the correct port. Haven't tested it, but my understanding is DNS forwarder is DNSMASQ and Resolver is Bind. Might be worth a try. You'll need to have strict interface bindings though.


  • DNS Resolver Host Override not working in Windows

    28
    0 Votes
    28 Posts
    3k Views
    KOMK

    @shawn8888 said in DNS Resolver Host Override not working in Windows:

    I installed BIND from package.

    This would have been a good nugget to know right from the start. At least it's working now.

  • DNS Resolver speed query

    1
    0 Votes
    1 Posts
    228 Views
    No one has replied
  • DNS Resolver (+Forwarding) SERVFAIL For LAN Clients

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ

    No that is not what it means, it means pfsense will ask itself (default resolve) and maybe 192.168.1.1 - but that is not where unbound will forward to, unless actually set to forward.

    So yeah that would explain why pfsense can resolve, but when a client asks it does not.

    Depending on what unbound sends back, nx or servfail when it resolves would determine if 192.168.1.1 is even asked, etc..

    If he wants pfsense to ask dd-wrt for dns, then he should setup unbound to forward to that.. Then that should either forward for public stuff or resolve on dd-wrt, etc.

    If he just wants pfsense to be able to resolve whatever entries he puts on dd-wrt for specific domains, then he could just set up domain overrides for those domains to point to dd-wrt as the ns for those domains.

  • DNS Resolver/Open VPN issues

    1
    0 Votes
    1 Posts
    111 Views
    No one has replied
  • register dhcp leases - dns issue

    8
    0 Votes
    8 Posts
    3k Views
    G

    @Gertjan

    Thanks for the info/advice. As far as what you were saying about the clients providing their own FQDN, it's not the norm in most environments, but it is a standard option as part of the IANA definitions of DHCP functionality:

    https://tools.ietf.org/html/rfc4702

    https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml

    I think it would be interesting to get this working at some point but for now I will simply adjust my automation for spinning up VMs and containers to utilize hostname only. There are too many transient nodes on my network all the time for static mappings to make sense from a management perspective.

  • Hawaii DNS setup - Quad9

    1
    0 Votes
    1 Posts
    318 Views
    No one has replied
  • No Answer when querying public servers and answer is a private IP

    3
    0 Votes
    3 Posts
    165 Views
    P

    @Derelict Thanks a lot. The custom options enabled the responses. Thanks again.

  • DNS Lookup wrong

    21
    0 Votes
    21 Posts
    2k Views
    ?

    @johnpoz said in DNS Lookup wrong:

    It shouldn't be if you ask me... I will bring it up... Prob never thought to put in a check for such nonsense, since thought who would be so stupid to do such a thing ;)

    They probably never thought someone would be stupid enough to assume they didn't put that check in purely as a lack of thought but validated the very next field and made sure the firewall knew what to do with those requests.

  • Setting up DNS *correctly*

    20
    0 Votes
    20 Posts
    6k Views
    bwalkcoB

    @KOM said in Setting up DNS *correctly*:

    enable resolver, disable forwarder, check DNS Query Forwarding and put 1.1.1.1 under System - General Setup - DNS Servers.

    This is the exact configuration I went with. Thank you very much for the help!

  • DHCP static mapped hostname to DNS resolver, without specifying IP

    11
    0 Votes
    11 Posts
    7k Views
    johnpozJ

    So you're using RFC 2136, with bind right? I do not believe unbound supports that method of update.. So yeah there are some differences and depending on what you're wanting to do unbound is not the best choice.

    If what you're wanting to do isn't supported by unbound - then yeah I would concur setting up bind is a good choice.. unbound not really meant as authoritative ns anyway. If what you're wanting is authoritative name services on your local lan - bind is going to be the best choice again..

    Also the dhcpd gui config in pfsense does not expose every possible config scenario either. So yeah when you want to do more fancy stuff with dhcpd - run it on another box is always great idea.

    I think there is a bit of misconception in some of these services that pfsense provides that are really outside the scope of a firewall/router... While sure it's nice to provide features like dhcp and name services - makes it really easy for small shops and less experienced admins... But in the big picture as the size of the network grows - such services are almost always hosted elsewhere in the network..

    I do not believe the end goal of pfsense is to be the end all get all do it all box for all network services a network might need.. with every possible configuration of dhcpd or dns to be exposed via a simple gui.

    And since the configurations are started in the xml, and specific things to provide good setups while it's possible to adjust the scripts that set up the configs, etc. to do uncommon things - if what you're wanting to do is outside the scope of the gui interface to these services provided by pfsense.. Yup run them full on some other box in your network..

    If not too crazy of a thing - you could always put in a feature request or bounty to get some feature or configuration functionality exposed in the pfsense gui for that service.

    In unbound you can do good stuff in the custom options box - but depending on what you're doing that could become cumbersome.

  • 0 Votes
    19 Posts
    1k Views
    johnpozJ

    To finish this off how bat shit insane these rules are in blocking mode.. Some AD could be hosted off a .top site - so now user minding their own business not doing anything other than reading the news on bbc or cnn.com and ad pops up for something.top and next thing you know their whole internet is broken because access to their dns server is blocked.

  • Unbound stopped working

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ

    My BAD!!! on that - not sure how I didn't see the log.. But I have unbound logging all queries so log fills up quick on the gui..

    I just did another test.. Where I looked at uptime and pid of pfsense, then pulled the wan connection and put it back... And yes clearly it restarts.

    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf status
    version: 1.8.1
    verbosity: 3
    threads: 4
    modules: 2 [ validator iterator ]
    uptime: 729 seconds
    options: control(ssl)
    unbound (pid 6774) is running...
    [2.4.4-RELEASE][admin@sg4860.local.lan]/root: /usr/local/sbin/unbound-control -c /var/unbound/unbound.conf status
    version: 1.8.1
    verbosity: 3
    threads: 4
    modules: 2 [ validator iterator ]
    uptime: 7 seconds
    options: control(ssl)
    unbound (pid 97634) is running...
    [2.4.4-RELEASE][admin@sg4860.local.lan]/root:

    You can see the uptime reset, and the pid changed.

  • DHCPv6 Server not working

    2
    0 Votes
    2 Posts
    477 Views
    C

    On the second screenshot change that prefix delegation size from 61 to 64.

    That isn't the issue at hand tho.

    You need to enable tracking.

    So on LAN interface set the following.

    IPv6 configuration type - tracking
    Then in track IPv6 interface box configure IPv6 interface to WAN.
    In IPv6 prefix id can leave at 0 or change to another value of your choosing if don't want to use first usable prefix.
    Apply

    This should then populate the IPv6 range in the dhcpv6 server page which for you is currently blank as you have no lan side IPv6 subnet.

  • lovely but strange behavior of DNS resolving on pfSense

    4
    0 Votes
    4 Posts
    571 Views
    S

    thanks for your reply
    @chrcoluk

    First what I would do is reconfigure so pfsense is the dns server for internet lookups. Then from there just forward queries to your local domains to your separate dns server. That should be more efficient/performant.

    In what way are you forwarding the queries?

    Pfsense is not the only server for providing internet access to users, we have 3 other mikrotik devices that are used like hotspots so installing a windows server in core mode is the best plan for us.

    nice behavior thanks
    @johnpoz

    By either disabling rebind protection or setting your domain as private.
    https://docs.netgate.com/pfsense/en/latest/dns/dns-rebinding-protections.html

  • Disable DNS Forwarder

    4
    0 Votes
    4 Posts
    2k Views
    P

    thanks.
    Leaving it unchecked....

  • [SOLVED] BIND setup. How?

    14
    0 Votes
    14 Posts
    1k Views
    johnpozJ

    Views have been around a REALLY Long time!! Pretty sure views have been available since the release of 9, like 2000 was it?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.