  • DNS Local Base Domain

    0 Votes
    5 Posts
    1k Views

    @bahsig

    This was the first thing I tried to do and was stumped cause it wouldn't let me.

    Now it just let me.

    Mind blown.

    Thanks!

  • PXElinux with pfsense

    0 Votes
    3 Posts
    408 Views

    I saw these. But I checked the file after applying one of these options, and the file is not the same as in the Red Hat docs; it is in a different position and I don't see the equal...

  • Domain override broken since 2.4.4 p2

    0 Votes
    16 Posts
    917 Views

    I agree by now that this is not a "domain override" issue, because I stumbled across a different problem these days.
    We use DNSBL, which seems to use its own certificate to break SSL encryption. As far as I can see, this certificate was generated during installation and worked for a couple of weeks, until it was suddenly rejected by browsers ("Certificate could not be verified as the issuer is unknown").
    As a quick solution, I disabled DNSBL and we haven't had domain override issues since then. I'm glad I didn't do a downgrade to 2.4.4 p1 :)

    So, this issue can happily be considered as solved, and I'll open a new request for the DNSBL thing...

  • WAN side DHCP Server and VLANS

    0 Votes
    3 Posts
    180 Views

    VLAN 2 is for public/guest devices.
    VLAN 3 is for wireless staff devices, which I really wanted to be indistinguishable from wired staff devices. However, I bit the bullet and used pfSense as the DHCP server for both VLANs and so far haven't had any issues.

    Thanks for your answer.

  • Bind, resolv.conf, dhcp dns

    0 Votes
    1 Posts
    114 Views
    No one has replied
  • 0 Votes
    7 Posts
    386 Views

    @jimp Thanks for your suggestion. I've fixed it. It was a gateway issue.

    Because I was setting a fixed IP address for the WAN interface of the Netgate rather than a fixed one allocated by an upstream DHCP server, I hadn't explicitly configured an upstream gateway for the WAN interface. Since I wasn't using DHCP, one wasn't automatically set.

    Having set the upstream gateway it now all works fine.

    Presumably the web server was working across the Internet because it was HTTP over TCP rather than the failing DNS over UDP?

  • Resolver forwarding config question

    0 Votes
    10 Posts
    1k Views
    KOM

    I suppose that's why it's always recommended to not use your public domain for AD.

  • DNS Failing through VPN WAN

    0 Votes
    2 Posts
    150 Views

    I think I may have narrowed it down a little, as it does not appear to be an issue with the actual VPN service. If I use dig on a root server:

    dig @a.root-servers.net cnn.com

    I get a valid response.

    However, if I use unbound at its local address:

    dig @192.168.20.1 cnn.com

    I get a SERVFAIL response. Any thoughts?

  • Multiple DNS resolver instances per interface possible?

    0 Votes
    5 Posts
    510 Views
    johnpoz

    @Simont65 said in Multiple DNS resolver instances per interface possible?:

    but professionalism dictates that I make sure the environment can still be maintained

    Not sure I agree with you, you have to assume after you win the lottery or get a better job and move on that the person they hire will not be a complete idiot ;)

    Your views can be clearly called out in the option box and seen from the GUI.. Not like it's hidden in some conf file they would never think to look in.

    Views have been around for a really long time with BIND, and somewhat more recently in unbound. But it's very common practice for what you're asking..

    I would be more worried about not doing some hack job so that when the next guy comes in he doesn't think you were an incompetent buffoon..

    If you don't do it with views either in unbound or BIND - he's probably going to think what an idiot... good thing he won the lottery, since once they figured out he didn't have a clue they would have fired him ;) heheheheh

  • bind and squid transparent mode resolve issues (BUG?)

    0 Votes
    2 Posts
    171 Views
    periko

    I had been checking this issue.

    For some reason once I enable and setup BIND, the file:

    /etc/resolv.conf

    and add the line:

    nameserver 127.0.0.1

    the squid resolver starts working.

    Don't know why that line disappears; I chose LAN+localhost in the BIND GUI.

    The other way is to add localhost in the squid alternate DNS field ("127.0.0.1") and it works too.

    😳

  • DNS Resolver (unbound) with TLS, still utilizing 53 outbound

    0 Votes
    5 Posts
    2k Views

    You could go back to running unbound as a resolver and then send all the queries to the authoritative servers out over a VPN. That involves a few more moving parts and maybe the additional cost of a VPN service. That should give you the same outcome as DNS over TLS in terms of privacy. Of course, you would have to balance how much you trust your ISP vs. some VPN provider. I would ask myself if this is much ado about nothing given how many other ways you're being surveilled. Everyone's needs and concerns are different. I'm not a dissident in some authoritarian place; I will do easy things to stop surveillance capitalism when the opportunity presents itself.

  • DHCP config is apparently not updated in a safe fashion

    0 Votes
    13 Posts
    984 Views

    @KOM Thanks. That's a really great suggestion. We use Zabbix to monitor our infrastructure at my day job, and the infrastructure team seem happy with it. Time to roll it out at home!

  • set two destination servers in DHCP Relay

    0 Votes
    2 Posts
    144 Views

    Sorry - I think I'm blind. There is an "Add" button....

  • DNS Resolver returns SERVFAIL for a valid domain

    0 Votes
    16 Posts
    10k Views
    johnpoz

    Hmmmm, since firewalls don't normally send RST, nor would they normally answer a S with SA if they are blocking, I have to assume you're moving up the stack and something decided not to answer your query and closed the session with R..

    Possible ACL on their NS(s)...

  • dhcp leases not showing up in the list

    0 Votes
    1 Posts
    167 Views
    No one has replied
  • DNS Resolver Domain Overrides not working in one subnet

    0 Votes
    3 Posts
    479 Views
    johnpoz

    You're going to have to actually provide some coherent info if you want any help. And actual details of your setup.

  • 2 wireless APs, 2 physical interfaces, DHCP assignment conflicts

    0 Votes
    4 Posts
    467 Views
    JKnott

    @Ev4nsp479

    Any reason you're hiding the MAC addresses? They're irrelevant beyond the local LAN.

  • Set hostname on DHCP client without adding static mapping?

    0 Votes
    6 Posts
    457 Views
    Gertjan

    @no_jah said in Set hostname on DHCP client without adding static mapping?:

    @JKnott

    Wouldn't it be possible to pair the hostname with the MAC address?

    Yes!
    Answer: You need DHCP static mappings - or a host override, which "hard locks" a host to an IP.

  • DDNS pfSense to Windows AD DNS DHCPv6

    0 Votes
    6 Posts
    2k Views
    bmeeks

    @bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6:

    I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.

    It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.

    Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.

    I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.

    Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL.

    And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners.

    I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.

  • dns resolver

    0 Votes
    8 Posts
    766 Views
    johnpoz

    So you enabled forwarder mode in unbound... When you ask unbound, if it has it locally or cached, it's not going to go ask anything, be it forward or resolve.

    So if you create a host override - that will be returned when that is asked for.. It's the whole point of "override".. You could return 10.10.10.10 for www.google.com if you wanted to.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.