• 1 Votes
    6 Posts
    943 Views
    F

    @jimp -- Thanks for the confirmation on what I'm seeing. I suppose I should follow up with ISC.

    @johnpoz I completely respect that point of view on reservations. It's just not realistic when I have a dozen worker bees setting up/tearing down stuff every day. They need autonomy w/o getting me involved constantly.

    At this point, I'm strongly considering going back to dnsmasq -- it worked flawlessly for this. I may absorb the headache of running BIND, but, I'm not sure it's really worth the HA benefit that prompted the change in the first place. "don't fix what isn't broken" ¯\(ツ)/¯

  • DNS resolver broken again

    2
    0 Votes
    2 Posts
    439 Views
    Derelict

    Sounds like you might have forwarding on and DNSSEC enabled and are forwarding to forwarders that don't properly forward the DNSSEC forwarding.

    This is obsured but it totally resolves correctly from the pfsense box itself. WTF?

    Yes. Unless you set the domain as a private domain in unbound it will not return RFC1918 answers to queries.

  • No WAN IP after power outage

    2
    0 Votes
    2 Posts
    282 Views
    F

    You are expecting the provider/modem to give you a DHCP address? Assuming that's the case, my thoughts would be:

    Validate w/ some other device (laptop) that it is able to acquire DHCP lease
    tcpdump the wan interface to validate DHCP request is getting sent and/or responded to: tcpdump -i xxxx -vvv port 67 or port 68
    if no DHCP request is sent, then, re-configure interface.

  • [SOLVED] - Bind DNS Server - wrong CNAME Records (ending with ".")

    3
    0 Votes
    3 Posts
    830 Views
    L

    @Grimson Thanks a lot for your swift reply.

    Does that mean I have to enter the record in the format "ns2 IN CNAME server2.mydomain.myextension"?

    Cheers

  • 0 Votes
    16 Posts
    2k Views
    H

    @derelict they pre-route traffic. Roku has the Google DNS "hardcoded" and NSTV apparently does it as well. At least Netflix does. Chromecast does it as well, btw.

    But thanks for your help. I will try to get more info before I post here again.

  • DHCP execute script "on demand"

    9
    0 Votes
    9 Posts
    2k Views
    I

    Better?.... Don't know. You'd be the judge. My solution completely cuts any links between gui and dhcpd.conf. You'd have to manually edit the configuration file for every change. Don't forget to back up dhcpd.conf before every pfsense upgrade and remodify services.inc after that.

  • Diagnostics / DNS Lookup, using Resolver, always shows Query time 0 msec

    22
    1 Votes
    22 Posts
    2k Views
    L

    @johnpoz Got it! In that case, I'll enable 'em both. Thanks!

  • Unbound cant resolve domains - which exists correctly

    16
    0 Votes
    16 Posts
    10k Views
    Derelict

    I resolved the problem. I installed a bind 9.11 in a docker container and activated only the resolver for my subnet. And everything works without any problems.

    As I have said multiple times in other threads, this is the way to solve DNS resolution issues when you are policy-routing all over the place.

  • AWS ELBs don't resolve properly with local dns resolver

    1
    0 Votes
    1 Posts
    132 Views
    No one has replied
  • DNS forwarding not working properly

    10
    0 Votes
    10 Posts
    2k Views
    johnpoz

    Yes.. That is what the domain overrides are for..

  • How to use dynamic DNS without external services

    6
    0 Votes
    6 Posts
    1k Views
    johnpoz

    yeah you need to create your key ;)

    Simple google for bind dynamic dns should get you going.

    Have not done it in years... But guess I could fire bind in pfsense and do a walk through... Pretty busy with getting back to work from holiday so not sure be able to get to until later.

  • DHCP Server option 60

    7
    0 Votes
    7 Posts
    3k Views
    F

    Every time the DHCP daemon is restarted, the settings will be created again from scratch. Therefore you will be limited to the options you are able to create on the GUI.

    In my case, I also needed to add some stuff (lines) to dhcpd.conf - I solved the first step by copying the current dhcpd.conf to dhcpd.override, make my manual changes and add some start options to use the dhcpd.override instead.

    Disadvantage: if you want to change something you have to manually edit dhcpd.override each time! Otherwise you may have to use sed or similar stuff to “dynamically inject” additional options?

    If you think this might be useful I can PM the link I used...

  • DDWRT script into Pfsense

    5
    0 Votes
    5 Posts
    609 Views
    Rico

    If you need DNS redirecting, e.g. because the DNS Servers are hardcoded in some application also check out https://www.netgate.com/docs/pfsense/dns/redirecting-all-dns-requests-to-pfsense.html

    -Rico

  • Unbound + DNSSEC + Domain Overrides

    7
    2 Votes
    7 Posts
    5k Views
    Derelict

    Using something like dig or drill can help diagnose this sort of problem. There is far more to diagnosing DNS issues than looking at unbound logs.

  • Azure Dynamic DNS setup help

    3
    1 Votes
    3 Posts
    2k Views
    A

    I spoke too soon: the record that got created is for example.com.example.com. I guess I should be specifying @ or nothing as the hostname so that the correct record gets set, but pfSense just tells me The hostname contains invalid characters. when I try those values.

    EDIT: I was able to work around this by creating an A alias record in the Azure DNS Zone from @ to example.com. This is a dumb workaround though, I'd rather pfSense just updated the correct record in the first place.

  • Help pls - DNS leaks with vpn tunnel.

    5
    0 Votes
    5 Posts
    801 Views
    Gertjan

    @johnpoz said in Help pls - DNS leaks with vpn tunnel.:

    So either just forward to your vpn dns, or resolve through the vpn connection by changing unbound to use your vpn connection for its outbound q

    Exact.
    But keep in mind / check this: if unbound starts before the openvpn tunnel, what will happen?

    Also: keep in mind that if you use the Forwarder, by default it will use all available interfaces to question DNS servers up stream. It should be limited to the OpenVPN tunnel interface.

  • Error starting DNS Forwarder

    6
    0 Votes
    6 Posts
    1k Views
    chudak

    @gertjan

    Thank you, will try and likely take your advice

  • 0 Votes
    25 Posts
    5k Views
    B

    The nic is the built in nic on an old acer pc that looks like it originally came out of a school. I have been running the system with pfsense for about 3 years now and the nic has never caused any issues other than this one. This is only running my home network so nothing critical. If it does ever cause issues I will just throw in a different nic or move it to a different system.

  • log queries to specific TLDs

    7
    0 Votes
    7 Posts
    747 Views
    NogBadTheBad

    Just got a reply from the snort team:-

    “This rule will be updated in the next release as the match currently can false positive.”

  • dhcp status person figure in the online/offline column

    3
    0 Votes
    3 Posts
    339 Views
    J

    Thank you for your quick reply. That is what I was hoping for, a static mapping maps sense.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.