• dns resolver

    8
    0 Votes
    8 Posts
    769 Views
    johnpozJ

    So you enabled forwarder mode in unbound... When you ask unbound, if it has it locally or cached it's not going to go ask anything, be it forward or resolve.

    So if you create a host override - that will be returned when that is asked for.. It's the whole point of "override".. You could return 10.10.10.10 for www.google.com if you wanted to.

  • 0 Votes
    4 Posts
    1k Views
    johnpozJ

    Yeah if you're an MS shop.. You should really just be running dhcp/dns on your AD in the first place.

    So you want pfsense to be dhcp.. And you want to setup a static reservation.. And now you want dhcpd to register what it registers in unbound on pfsense, to your AD dns?

    Seems like duplication of effort here - when all could just be handled by your AD dhcp and dns.

    But if you really want to do this - then read up on rfc 2136 and how you use that in windows dns.

  • DNS over TLS

    12
    0 Votes
    12 Posts
    2k Views
    johnpozJ

    Well it's click click... You actually sure unbound restarted? I just showed you how easy it is to turn on and off... I personally don't do it - because it's just stupid.. It's like how can I slow down my dns.. OH yeah - let me throw it inside a tls tunnel and hand all my dns queries to company X, etc.

    You sure unbound is even running and you're not running the forwarder, etc.

    Unbound will show you what it's doing, set the log to level 2 in the advanced tab

    Mar 17 14:22:46 unbound 60954:0 info: reply from <.> 9.9.9.9#853

    Look in your conf... Do you see the forwarding section in there

    2.4.4-RELEASE][admin@sg4860.local.lan]/: cat /var/unbound/unbound.conf

    # Forwarding
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 9.9.9.9@853

    Now clicky clicky back to resolving like any sane human would want to do ;)

    You sure you're not redirecting to 9.9.9.9 directly? Let's see your redirect rule, etc.

  • Guest / Non-Guest Network with Separate DHCP and Firewall Rules?

    8
    0 Votes
    8 Posts
    2k Views
    JKnottJ

    @fvultee said in Guest / Non-Guest Network with Separate DHCP and Firewall Rules?:

    Nope, my Netgear Orbi mesh WiFi system does not support VLANs natively, that's why I've been trying to figure out a workaround with the pfSense. I was thinking that I could also just block the guest dhcp IPs from being able to talk to my other devices by making a block rule but that didn't work either.

    I just noticed something I missed before:

    (IE no contact with the MAC authorized devices)

    PfSense cannot do that, as it has absolutely no effect on traffic between devices on the same subnet. PfSense is a router which means it only affects traffic that passes through it. The only way to prevent guest devices from contacting "authorized" devices is with separate SSID and VLAN.

  • (Solved) Can't make config changes to Unbound

    6
    0 Votes
    6 Posts
    567 Views
    RonpfSR

    When you save DNS Resolver Settings, it runs unbound-checkconf before returning with the Apply Settings button.

    When you have too many DNSBL tables, unbound will grab all memory and won't stop until you kill -9 unbound. Rebooting will do the same.

    Remove big DNSBL URLs (on my 8GB box, I have around 1.1-1.2 million DNSBL entries), monitor memory usage with Status Monitoring. TLD is intended to remove DNSBL entries with wildcard domains, but that also taxes the memory system.

  • DNS Resolver Status, no data?

    57
    0 Votes
    57 Posts
    10k Views
    provelsP

    @ciscox That's what I see when I use the Resolver as Forwarder.

  • Switched back to Unbound, External DNS Servers Still Used?

    5
    0 Votes
    5 Posts
    1k Views
    I

    Thanks, but I'm still confused about what to do here. From what you said, it seems as if I have the choice of choosing to let pfSense Unbound use either the "root" external DNS servers, that of which it chooses, or I can choose. Is that right?

    In addition, if I choose, I can encrypt the DNS connection. If I let it just use whatever root servers, is that then unencrypted? Is there a way to encrypt the root servers?

    Between choosing my own DNS servers without encryption vs letting it use the root servers (assuming that's unencrypted), is there an advantage to just letting it use the root servers?

    Last question. Even if I choose my own DNS servers, it only actually contacts them if the result is not cached? I ask because even though that seems like the case, OpenDNS handled every query, many of which were cached.

  • DHCP Leases List Not Showing Hostname in Some Cases

    2
    0 Votes
    2 Posts
    690 Views
    C

    @gjaltemba I also have the same problem, not a big issue, they show up in the arp table. But wondering what it could be.

    Let me know if you have found the solution

  • DNS forwarder between VLANs

    3
    0 Votes
    3 Posts
    523 Views
    P

    @jimp said in DNS forwarder between VLANs:

    You can setup search domains on the clients to try the other domains. That's all up to the client, though. You can add search domains in the DHCP server settings but not all clients respect that. For example, Windows clients won't honor the search domain list from DHCP.

    Ah, nice. Didn't think of that. I think there's a way to get Win clients to listen to search domains through the domain controller, I have a faint memory of doing that in the past. Cheers mate!

  • Noob question Regarding DNS Resolver

    3
    0 Votes
    3 Posts
    492 Views
    K

    @johnpoz said in Noob question Regarding DNS Resolver:

    No that is not how a resolver works.. It walks down from roots to get to the authoritative NS for the domain you're wanting to find a FQDN in

    Yes it is normal for your wan IP to be listed - since that is what will query the NS.

    If you want a client to query dns 1.2.3.4, then you would set the client to query that dns.. How you do that is up to you, be it your default dhcp setting, or specific in a dhcp reservation, or static on the device itself.

    Awesome, just wanted to clarify those questions. Thanks for your quick reply!

  • 0 Votes
    2 Posts
    156 Views
    M

    I removed the openVPN server and it started working. Something must have happened after the last upgrade

  • How to resolve DNS to a second gateway?

    1
    0 Votes
    1 Posts
    109 Views
    No one has replied
  • Multi-instance Resolver OR Conditional DNS Queries

    2
    0 Votes
    2 Posts
    207 Views
    GrimsonG

    https://nlnetlabs.nl/documentation/unbound/unbound.conf/ RTFM and look at the "View Options".

  • DNS leak - dns and secure connection

    3
    0 Votes
    3 Posts
    300 Views
    B

    Screen shot of results

  • WAN and DHCP on XG-7100

    10
    0 Votes
    10 Posts
    1k Views
    B

    I ran across this post when trying to figure out why a new WAN interface on my XG-7100 was not getting a DHCP address from my internet provider's router/modem. I was experiencing the same symptom, a laptop would be able to obtain an IP, but the XG-7100 would not.

    The issue was that the new VLAN group I setup (under Interfaces -> Switch -> VLAN) did not have the ports 9 and 10 added as tagged members to the new group. Once I added the tagged ports 9 and 10, the new WAN was able to obtain an IP.

    My headache really boils down to a case of RTFM. The online document: https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100/switch-overview.html was really helpful in my case.

    I hope this helps someone else avoid hours of head scratching.

  • DNS related

    16
    0 Votes
    16 Posts
    1k Views
    johnpozJ

    @mohitsofat said in DNS related:

    pfsense will transfer the ip of my client to the DNS server.

    And why would you think it would do this?? You want to write a dns filtering app - but don't know how dns works??

  • Strip subdomains with DNS resolver or forwarder

    2
    0 Votes
    2 Posts
    157 Views
    jimpJ

    That's up to your Dynamic DNS provider. Many of them offer an option to do that, it's something you'd have to enable on their side, or in the Dynamic DNS client options.

  • 0 Votes
    4 Posts
    834 Views
    jimpJ

    Meant to tack this onto my earlier reply. Here is a screenshot of how you set the hostname for DNS over TLS verification on 2.5.0:


  • Unbound Fails After Changes Applied

    10
    0 Votes
    10 Posts
    917 Views
    T

    I supplied no DNS servers, as I want to use root servers for resolution.

    I'll increase the log level and reproduce issue and post the results either tonight or tomorrow night.

  • Non-forwarding Resolver returns NS records only for some domains

    9
    0 Votes
    9 Posts
    820 Views
    johnpozJ

    If you need your vpn clients to resolve something that is rfc1918 that is fine.. Sure all day long... But you don't allow for public DNS to resolve rfc1918.. it's borked ;)

    Why these dns resolvers hand it back is beyond me.. They say they are wanting to protect clients against bad shit.. at least quad9 says it does.. So why would it allow for something as basic as a rebind?

    Maybe they think your local forwarder should be the one to protect you? Not sure.. But if you're working with that company in any way - I would suggest you let them know it's not a good idea to have public resolve rfc1918.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.