THe VPN server (pfSense ?) could push the DNS to the client.

@gsiemon said in WARNING: Don't enable TLS to upstream DNS servers in pfSense 2.4.4: The official place to report bugs is here: https://redmine.pfsense.org/projects/pfsense/issues. Reporting of bugs in the forum isn't a guaranteed way of getting them addressed. I'm well aware of the bug tracker. I specifically posted in the forum in response to a reply from Netgate staff saying that Unbound could be upgraded to 1.8.1. My thought was that since there is already a discussion going on regarding the issue I'd continue the conversation in the forum rather than add to the bug report for something that may or may not be related. I did finally end up reporting the issue to the bug tracker after getting no response from Netgate in the forum thread they were a part of.

@gsiemon My bad. I saw Unbound TLS and jumped the gun.

I have already found out what was happening. The name of the windows server did not have the correct name, that is, the same name that appears in the dns resolver of the pfsense. Thank you.

@jimp said in Unbound DNS Over TLS Memory Leak: I'd test it out first on something non-production just in case, but I haven't had any problems here in my tests. Unbound is only serving requests from a single thread after I updated to Unbound to 1.8.1: https://forum.netgate.com/topic/138274/unbound-1-8-1-only-single-thread-processing-dns-requests

@ronpfs Thanks! I restarted Unbound and logging started working again. Thanks for the quick reply and suggestion!

Thanks alot @johnpoz for ur reply. i will definitely do the backup and move forward to 64 bit 2.4.4. after that i will get back here.

@johnpoz said in Unbound not resolving delegated NS record: He has a delegated sub to a NS on his internal network and he wants outside and inside to resolve this? Is that the actual problem? Is this internal NS running unbound - if so that is wrong choice, unbound is not meant to be an authoritative NS.. etc.. There are many reasons, other than the reason you have concern about, why you might want to delegate a NS to another nameserver. What it serves (private vs external IP) isn't really the point of the question. That nameserver is running on a machine behind a firewall/NAT, and so pfSense's job is to forward the DNS request to the DNS server. This works for external DNS servers to look up IPs, but doesn't work for pfSense or anything that uses the pfSense DNS server without overriding the host of the internal nameserver manually for each domain this happens on.

this is a guaranteed fix for me. with 3 different providers. since can't get the resolver to do what i want it to either. services > dhcp server = assign static addresses to the devices you want to resolve through the personal VPN. once static is set edit the mapping and under DNS servers. plugin the vpn providers static DNS servers. reboot the computer and it will pass your leak test. i don't use express. but i am interested in any reading as well. i may be able to test/ apply it to my service? thank you

@johnpoz You are awesome, thanks a lot for all your help, greatly appreciated. I probably could reinstall it, but as you said, no need since I'm not using it. I've definitely learned a couple of things along the way.

This made me think of some reference material I read on Oracle. Your default BIOS file name shows gpxelinux.0 . According to the following link gpxelinux.0 can be used with BIOS based PXE clients and UEFI clients in Legacy Mode. Not in UEFI mode. Read the top part of the page from the link. https://docs.oracle.com/cd/E92593_01/E71078/html/swk24-rml_psn_3s.html A quick look on Google I found this for someone setting up a FOG server on pfsense. It appears to be supporting UEFI. There are two articles here: https://vworld.nl/?s=pfsense+pxe I have never tried doing this via pfsense myself. I am using Windows Server WDS. I have successfully been able to PXE boot all four conditions (Legacy BIOS, UEFI w/Legacy, UEFI wo/Legacy and UEFI Secure Boot). There was a hiccup/bug with WDS I had to address first but the fix was simple. I'd love to know how this worked for you. I may try this in the future.

Not the advanced options tab, but here: [image: 1543326633284-selection_107-resized.jpg] That's on the main DNS Resolver tab

@gertjan Thanks good to know about the example sites. Bookmarked. I loaded the real deal a good 50 times during testing. Content filtering working great now. Added a firewall rule to only allow port 53 DNS traffic through Pi-Hole. My Roku TVs decided to hardcode their own own 8.8.8.8 DNS setting , which now redirects to Pi-Hole. Too cool. I blackhole a ton of call home traffic across the network and it causes some devices to freak out with log writing.

What option changes did you make that caused it to fail? How many interfaces do you have on this firewall? How many VLANs?

Do you have your LAN interface already configured to track WAN and use that /64 from your ISP? If so, not sure what the issue might be... might need someone with more DHCP6 knowledge to respond.

Points to what if its not assigned? LAN would be assigned to your vlan then and that is what it would respond with for IP.. [image: 1543057333290-lanonvlan-resized.png] ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;pfsense.localdomain. IN A ;; ANSWER SECTION: pfsense.localdomain. 3600 IN A 192.168.3.45 Yes the system name is going to point to the ip assigned to the LAN interface... If your not wanting to use the untagged network of the physical interface of LAN and want vlan 20 to be your lan - then setup the lan interface to use vlan 20 as like my above pic and set the name of pfsense to whatever it is you want. Now that name will return the IP of vlan 20. In other words LAN...

@thefuzz4 said in Moving routing off to a switch but still need DHCP: Then I have to go down to the crawlspace and plug in directly to a port on the switch in order to access my management vlan :). What's your switch doing down there?

any help? :S

So far so good, I manually configured the interface and I think it has been fixed.

@aslatius said in DNS Resolver Infrastructure Cache Speed: The reference to the DHCP registration It works like this : every time a DHCP lease comes in, unbound is restarted.