• Multiple DNS suffixes to search

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • Android private dns

    4
    0 Votes
    4 Posts
    774 Views

    Opening new topic, about redirecting DNS over TLS to pfSense, this can be closed/deleted

  • Serve Expired - Clearification :)

    5
    0 Votes
    5 Posts
    3k Views

    Since I cannot edit (I cannot fix the typos sorry).

    But also to clarify, there is a reason this is off by default: as you can imagine, it is down to the admin if they are OK with records being served from a cache after they expired upstream :)

    The description in pfSense I tried to make as understandable as possible whilst as short as possible so it wasn't bloating the interface.

  • Setting up PfSense with OpenDNS and Windows server

    9
    0 Votes
    9 Posts
    918 Views

    Thank you bmeeks!

    Regards,

    Manny G.

  • DKIM record problem

    3
    0 Votes
    3 Posts
    462 Views

    @johnpoz said in DKIM record problem:

    My guess would be this

    the use of double quotes to shorten the key parts to lengths which Unbound will accept. You may need to play with the placement of these quotes.

    Yes, I played with quotes and now working....

  • Should unbound-control work by default?

    15
    0 Votes
    15 Posts
    6k Views

    @tman222 said in Should unbound-control work by default?:

    @Taz79 said in Should unbound-control work by default?:

    @jimp can i ask you about the feature "Serve Expired"?


    I'm wondering, when a record reaches a TTL of 0, how long will it stay in the cache before it gets deleted? I mean, how much good does this setting do? It seems like a good thing and does not take up any extra DNS traffic.

    I have had this enabled for some time with no ill effects that I can see. It seems that DNS TTL's are pretty short on major sites these days (I assume for load balancing purposes or because of the usage of CDN's?) so I find that this does speed things up a bit on my own network where there are just a handful of users. If there were a large number of users it might be less useful as the DNS cache would generally be kept hot otherwise (i.e. records would likely not expire before being requested again). Hope this helps.

    Seems like I have to create a separate thread for this to get it sorted out :) .. It definitely helps me though, looking at the statistics. Thanks for your reply!

  • Local DNS on Android

    1
    0 Votes
    1 Posts
    143 Views
    No one has replied
  • No answer on global domain names queries

    1
    0 Votes
    1 Posts
    91 Views
    No one has replied
  • pfsenseVLAN + openwrt (vlan_WAN)to be smart switch possible ?

    3
    0 Votes
    3 Posts
    169 Views

    Not sure I fully understand the question, but yes, it is possible to run a configuration like this:
    LAN--pfSense--[trunk]--switch--[trunk]--OpenWRT--Internet

    In my case the OpenWRT router was configured to bridge its WWAN port with a VLAN on its LAN port.
    pfSense was configured with just DHCP on top of a VLAN.

  • unbound not resolving - dig on ssh session works

    3
    0 Votes
    3 Posts
    864 Views

    Hi,

    thanks for your feedback!

    OK, did not look closely enough at the advanced tab - log level is easy to overlook :)

    Fortunately I was able to resolve my issue, though I still don't know what happened exactly.

    I tried to take as much out of the equation as possible - my last try was to take even pfSense out...
    So I started unbound as a Docker container on one of my machines (pfSense still in use as internet gateway, though)...
    That showed the exact same symptoms.

    That was a serious WTF moment :|

    I then googled for a long time, and tried to debug that single docker unbound instance - without success. It seemed as if something dropped packets, but I did not know what.

    I eventually found a promising thread:
    https://forums.freebsd.org/threads/unbound-very-slow-and-or-dns-address-could-not-be-found.57493/

    That setup seemed to be similar. I as well use a Fritzbox that is tricked into working only as a DSL modem.
    I tried to change the DSL protocol version as suggested in the thread - without success.

    I then took a deeper look at the Fritzbox again. There are various modes in which the Fritzbox can be turned into a DSL modem.
    I used the variant where the Fritzbox itself handles VLAN tag 7 for VDSL.
    I found various threads saying that this bridge mode suffers from a drop-some-PPPoE-packets problem.

    I then switched the box to full_bridge - of course I had to adjust pfSense to do the VLAN tagging itself on the WAN interface.
    And guess what: it worked.

    Unbound now works fine. Why the bridge mode of the Fritzbox dropped just these specific DNS packets - I have absolutely no idea. Of course, I mustn't complain, since I use the box in a way it was not designed for (at least not officially) :)

    So basically everything was set up correctly and I was looking at the wrong end...

  • Slow DNS Resolutions, actually slow everything

    2
    0 Votes
    2 Posts
    281 Views

    Also, if I disable unbound, everything works fine. With unbound on I have 100% CPU utilization all the time.

  • Dynamic DNS resolved to wrong IP

    4
    0 Votes
    4 Posts
    4k Views

    @Gertjan said in Dynamic DNS resolved to wrong IP:

    Activate "Verbose logging" so you can see when the wrong IP is set - this will be shown in the logs.

    You mean activate it in the DDNS client, right? There it resolves to the right IP. Only not in the VPN-client on my smartphone.

  • Can't get ip from pfsense dhcp

    2
    0 Votes
    2 Posts
    283 Views
    NogBadTheBad

    You don't get an IP address from VLAN 10 and VLAN 30?

    What happens if you plug a PC directly into the LAN port the AP is connected to?

    BTW Realtek LAN ports aren't the most reliable.

    https://forum.netgate.com/topic/89171/realtek-nic-not-working-with-vlan

  • DNS Resolver does stops resolving some domains.

    13
    0 Votes
    13 Posts
    838 Views
    johnpoz

    @vjizzle said in DNS Resolver does stops resolving some domains.:

    redirecting all DNS requests in the tunnel and they acknowledged that.

    WTF?? They say they are doing that for your privacy? That is just pure utter nonsense!!!

  • DynDNS and Dual-wan problem with CloudFlare (works with No-Ip)

    3
    0 Votes
    3 Posts
    606 Views

    A DNS server is a computer server that contains a database of public IP addresses and their associated hostnames, and in most cases serves to resolve, or translate error, those names to IP addresses as requested. DNS server not responding run special software and communicate with each other using special protocols.

  • Configuring external DNS requests

    2
    0 Votes
    2 Posts
    332 Views
    KOM

    Method 1 is useful if specific LAN clients need to use a specific 3rd-party DNS for whatever reason. You block all external DNS and then create rules to let some LAN clients reach out to some other DNS.

    Method 2 is more generic and less flexible. It redirects all DNS requests to pfSense. For most LANs, this is what you want.

  • Cannot use Cloudflare DNS without enabling DNS Server Override

    7
    0 Votes
    7 Posts
    766 Views
    provels

    @drzoidberg33 Have you tried using Resolver without using forwarding? That way DNS reqs just go to the root servers. That way, you don't need overrides or any servers at all listed in General Setup. All that will show on the Dashboard will be 127.0.0.1. But no TLS AFAIK.

  • Dynamic DNS setting failed

    1
    0 Votes
    1 Posts
    115 Views
    No one has replied
  • IPv4 Clients Getting a IPv6 DNS Server

    4
    0 Votes
    4 Posts
    156 Views

    Yeah, I was thinking all the things you're saying. All clients have had these IPv6 DNS addresses for months. Really hasn't caused any issues other than annoying me because I didn't know where clients were getting it from. I think Windows has some automatic thing where it establishes an IPv6 Teredo connection. Found some KB articles online that show how to disable it in the registry. Adding rules to block it on pfSense made the addresses disappear as soon as I did a lease renew on the clients, which is cool, so now I don't have to push out registry changes.

    I'll leave this post here so it might help someone else.

  • ping LAN device by hostname with domain name vs without

    1
    0 Votes
    1 Posts
    268 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.