Thanks for post. I have similar network as @tlg and was preparing to switch to KEA. Guess I'll keep waiting.

@UClinux said in DNS Forwarder question: Now I understand that this is a hard rule Not a hard rule. A logic rule. DNS mostly used to find IP addresses if host names are known. For those who, used a phone back in the days : like looking up the number if you have the name. If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, If you want to use "w1.aaa.com" as a DNQS, well, ok, fine. What needs to happen first, is resolving "w1.aaa.com" into the IP of "w1.aaa.com", so, ...... You see the problem ? Not a hard, but a golden rule : for DNS servers, you use IP's

@viragomann Thank you but I figured out the issue. I couldn't disable DHCP on the LAN or I lost GUI. Solution was to make the change shown below: [image: 1732407371559-44f4e9f4-7486-4fe9-a31f-24f34285fbe1-image.png] Default is /32. I reset it to 24. Then under Services==>DHCP Server an additional tab showed up for Bro. Enable DHCP on that one. Go back to Lan tab and disable DHCP. Done

@tinfoilmatt said in DNS Resolver Infrastructure Cache Stats: In fact, if you were really paranoid, you could encapsulate DoT queries within the tunnel to keep them hidden from even your VPN provider Please, if possible, show example?

@JKnott I hear yeah.. it should be really rare I would agree. The only time I have had to manually release and renew my wan lease was when the isp merged with another and they redid a lot of their IP scheme and moved IPs around, etc. And that was years ago, had my current IP for easy before covid, etc.

One of my favorite pages on the Netgate Docs- https://docs.netgate.com/pfsense/en/latest/recipes/index.html Scroll down to DNS then click on redirecting client Dns.

@Modesty said in Bizarre IP in my LAN: now they behave like kids ;-) hahah - not sure how to take that, you mean they are working correctly or are they still acting up - hahah ;)

make that a not... if i nslookup k8s-prd-1 i get nothing, it seem to go out to internet directly... I've added the name to local dns resolver and the 3 applicable up addresses of my k8s master nodes that i want to resolved to. G

@georgelza how I would do it is include some text file that contains your entries Example [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: cat newhosts.conf local-data: "newhost.newdomain.tld. A 10.11.12.13" local-data: "otherhost.otherdomain.tld. A 10.11.12.14" [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: So you could script adding whatever records you want in there like the above.. you can create ptr records as well with local-data-ptr: And then have your script restart unbound so those are loaded.. [image: 1731679176800-unbound.jpg] edit: btw, not really sure what might happen to that text file you create with your records on an update to pfsense or even the unbound package.. So you might want to keep a copy handy of what you put in there. Another way would be directly editing the xml to put your hosts in there as overrides - but that seems more complex and possible corruption of your configuration of pfsenses overall xml.. The loading of text file seems way less intrusive and easier to accomplish with simple script and less risk of borking something up.

Root problem was I was running the command as a user, not as root. Shouldn't do things early in the morning! All cron'd up and working as expected now!

@Laxarus said in pfsense, windows server active directory, dhcp and dns: did you ever try windows admin center? No, I've just used the direct snapin plugin managment tool in Windows Server itself via RDP. I really don't do very much to my AD configuration these days. It just runs very well all by itself. I very rarely need to change anything, and thus it is not that big of a deal to use the MMC on the rare chance when I need to look at something or make a change.

@johnpoz Na, I'm on 2.7.1 for now. I've looked over the release notes for 2.7.2 and didn't see any updates or changes to KEA so I haven't ugpraded to it yet. Probably will this weekend or next when things are quiet. Maybe I'll hold off until 2.8 releases and check the notes to see if those KEA improvements fixes the DHCP registrations into DNS.

@user-853 said in LAN Configuration Problems: If I ping LAN it is 100% packet loss. You mean pfsense can not even ping its own lan IP? How are you accessing pfsense web gui if the lan is not working? But yeah pfsense can not even ping its own IP there is something for sure not right and no you prob not going to work.. Nor do you get an IP from dhcp

@AutorouteEnSable by what design.. What your asking for is not really a basic dns design.. Providing different responses based upon source IP of the query is bit more complex than you might think I having a hard time working out an actual need as well.. What exactly what you be accessing by the fqdn on pfsense anyway, other than the gui.. If you want to resolve interface X IP to a fqdn, then create one.. For example I setup my other interfaces to reflect the vlan I have them in.. Really no need for it - but if I am on the 192.168.x network and don't recall exactly what vlan I called that, etc. I can just do a ptr to pfsense IP on that network.. Even if I forget what IP pfsense is on network x, simple look to what gateway the client has set would tell me that. But all of my pfsense IPs other than wan end in .253 $ dig -x 192.168.3.253 +short sg4860.dmz.home.arpa. If for some odd ball reason I would want to talk to pfsense gui, sure I could use that different fqdn but quite possible the browser would complain that the fqdn is not listed in the san of the cert, unless you did that. Other than firewall rules, you can talk to the gui on any IP of pfsense sure. But why do you need to, if your on your local network you can for sure just talk to the lan IP, or you can if you allow it. There is no difference really in if client on some vlan access via that vlan IP or the lan IP on pfsense.. While you can for sure do what you want with views, seems like a lot of effort for not much reason behind it.