• DNS over TLS forwarding howto

    0 Votes | 57 Posts | 21k Views | N

    Hi All

    New member to the forum but not a newbie to IT, Networking and Firewalls  :P

    Has anyone else noticed an issue with the following when using DNS over TLS?

    If you have a DynDNS service configured in the Dynamic DNS service of pfSense AND you have DNS over TLS configured, your DynDNS service DOES NOT update itself with IP address changes?

    This sort of makes sense to me, that it would not work, as it sort of breaks the whole DNS over TLS reasoning, but I just wondered if anyone else was having these issues.

    Cheers

    Northy

  • OpenDNS with pfSense: Web filtering by private static IP

    0 Votes | 4 Posts | 534 Views | KOM

    If you want to filter based only on DNS with different resolutions based on user/group, then you would need something like Bind.

  • Unbound Error: Address already in use…when using Cloudflare config

    0 Votes | 7 Posts | 2k Views | jimp

    That's apparently a side effect of Unbound re-using a source port for a different destination, and can safely be ignored.

    https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3582

    The message is suppressed for these cases in Unbound 1.7, which is already in pfSense 2.4.4 snapshots.

  • Delete DHCP.leases expired leases?

    0 Votes | 7 Posts | 6k Views | R

    Gertjan, thank you very much for your support.

  • DHCP leases out of WAN interface?

    0 Votes | 7 Posts | 2k Views | Derelict

    It is obvious to me that the pfSense LAN device can "see" the DHCP requests from the network you think is in front of the firewall.

    It obviously is misconfigured.

    I would packet capture on the SWITCH that is on the 192.168.20.0/24 network. If you can see the MAC addresses of the devices that are supposed to be on 192.168.0.0/24 network you have somehow crossed the streams.

  • Default server but no internet on LAN

    0 Votes | 13 Posts | 877 Views | J

    OK, I have a question. Everything works going to Google and all, and working with CloudLinux, but I can't go to pfsense.org; it will not load any way, not the main site or the forums. Is there a port or certificate I should install or something? Thanks.

    [attachment: 20180429_122447.jpg]

  • (SOLVED) DNS not working with FailOver

    0 Votes | 10 Posts | 2k Views | R

    I was having a similar problem. I'm running two WAN connections load balanced, but if I disable my original WAN connection then DNS stops working.

    I found that you have to have a DNS server set for each gateway under System / General Setup / DNS Server Settings.

    Thought I'd just add this here in case someone else finds it useful.

  • Need help for config DNS Resolver with VPN Client

    0 Votes | 7 Posts | 4k Views | P

    @TheNarc:

    That's a good point.  If you're using the DNSBL functionality of pfBlockerNG, and you want both VPN and non-VPN hosts to benefit from that, then both VPN and non-VPN hosts must use the resolver.  But I'm not aware, then, of any way to say "non-VPN hosts use the resolver via non-VPN interfaces and VPN hosts use the resolver via VPN interfaces."  Does PureVPN allow you to have multiple concurrent connections?  Because you could set up a few client connections and allow the resolver to use any of those client connections.  Then all of your VPN client connections would have to go down before you lose DNS, so it would be safer to take the approach of "whether a host uses VPN or not for normal traffic, just make all hosts do DNS via the VPN."  This wouldn't suffice for mission critical systems requiring uptime arbitrarily close to 100%, but for a home network I expect it would be fine.

    Yes, PureVPN does allow multiple concurrent connections.

  • Possible bug when configuring multiple DNS servers with same IP address

    0 Votes | 2 Posts | 398 Views | johnpoz

    You only need to call out a specific DNS if that DNS is only available via that IP… say an ISP DNS that is only available when you're connected to that ISP network, or a VPN DNS that is only available via the VPN connection.

    Just using public DNS, there is no reason to call out a specific interface that needs to be used. pfSense will use the connection it has that is working to get there, based upon your setup of which gateways to use depending on failure, etc.

  • Use different DNS providers for both DNS forwarder and DNS Resolver

    0 Votes | 8 Posts | 645 Views | KOM

    But that would not allow me to use host overrides…
    Not an option for me.

    You didn't mention anything about that requirement.  Glad to see you got something figured out and working.

  • Custom Dynamic DNS - False notifications

    0 Votes | 2 Posts | 339 Views | V

    Your log shows 2 DynDNS updates of the custom entries; the other one was not changed, though.
    The DynDNS updates seem to be triggered by the scheduled DynDNS check, not by an IP change.

    That seems to me like the GoDaddy entry was updated before, when the IP changed, but the custom ones were not.
    Are all the entries set on the same interface?

    I'm looking for a way to disable the notification on DynDNS update. Do you incidentally know how to?

  • Web browsing using Unbound a lot slower than using Forwarder

    0 Votes | 8 Posts | 2k Views | P

    Well yeah, I'm happy it works again… With all the IPs and domains I blacklist, one would not think it would be possible to have a nice and fast browsing experience like this. On my system it only hurts performance very slightly, which I think Squid makes up for. I'm still deciding if I should set up HTTPS proxying.
    Whatever my latency is, I don't think I can contribute to that a lot anymore. I'm pretty sure I've done everything on my end to minimize latency (except for the traffic shaper, which I still can't get to work again). I think my internet latency will only improve when I get a fiber connection straight into my pfSense box, which is probably years away unless I move out, lol.

  • DHCP netmask 0.0.0.0

    0 Votes | 3 Posts | 449 Views | johnpoz

    Post up a sniff of this traffic. If your Windows client took the correct mask, then the mask is there and the Android client is borked… Easy enough to see in a packet capture of the actual offer dhcpd sends.

  • Maximum lease duration not taking effect

    0 Votes | 1 Post | 644 Views | No one has replied
  • MOVED: pfSense transparent mode only works with DHCP enabled.

    Locked | 0 Votes | 1 Post | 231 Views | No one has replied
  • pfSense UniFi switch DHCP

    0 Votes | 4 Posts | 1k Views | johnpoz

    Sorry, but your switch config has zero to do with pfSense. Your thread should really be in General help.

    What specific switch do you have from UniFi? Are you using the controller to manage it? What version of controller, are you on the 5.8 line? I'm currently running 5.8.12. I would assume you're using the controller if you have a USG and AP.

    Once you go with 802.1Q VLANs you no longer have port-based VLANs. It would just be a port in VLAN X untagged. I'd be more than happy to configure your switch, if it was something I had experience with. But I do not have a UniFi switch to play with.

    This might be helpful
    https://community.ubnt.com/t5/UniFi-Routing-Switching/A-non-expert-Guide-to-VLAN-and-Trunks-in-Unifi-Switches/td-p/1804481
    A non-expert Guide to VLAN and Trunks in Unifi Switches

    I would love to help; I just do not use their switches, and if how you configure them is how the USG is, I don't want to either ;) Love their APs, and I want to get some of their cameras.

    I can show you how to do it in Cisco. Simply set the port to access and the untagged VLAN. Takes all of 2 seconds.

    But here is the thing: pfSense is going to either be untagged native on an interface, where pfSense doesn't have a clue what the VLAN is, or it's going to be a tagged VLAN. How your switches or devices deal with that has nothing to do with pfSense.

  • Configuring DNS, DHCP and the network interfaces

    0 Votes | 1 Post | 253 Views | No one has replied
  • Weird DNS / NSLOOKUP Problem

    0 Votes | 4 Posts | 585 Views | johnpoz

    I would guess you set up some form of dynamic DNS.

    If you're saying the client asks your internal DNS, and this forwards to Google for DNS, then that means external DNS is returning your RFC 1918 address. So if you called pfSense site.domain.com and you set up dynamic DNS, this could happen.

    Other than that, you either have this site.domain.com set up in your AD DNS, since pfSense has zero to do with your DNS per your statement of how your network is set up.

  • Clearing DNS

    0 Votes | 5 Posts | 1k Views | B

    Thank you all.

  • Verifying DHCP option 121 is actually being sent

    0 Votes | 6 Posts | 2k Views | KOM

    Bear in mind that your change will likely get overwritten at the next pfSense upgrade.
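    Two of the threads above ("DHCP netmask 0.0.0.0" and this one on option 121) come down to the same check: look at the actual DHCPOFFER dhcpd puts on the wire rather than at what the client reports. The decoder below is an added example, not part of any post and not pfSense's own tooling. It takes the raw DHCP payload (the UDP payload of a port 67/68 packet, e.g. pulled out of a capture taken with tcpdump -w) and reports the subnet mask (option 1), router (option 3) and RFC 3442 classless static routes (option 121) the server actually sent. The sample DHCPOFFER, its addresses and its routes are constructed for the example.

```python
"""Decode a raw DHCP message (the UDP payload of a port 67/68 packet) and report
what the server actually put on the wire: the subnet mask (option 1), the
router (option 3) and the classless static routes (option 121, RFC 3442).
The sample offer below is constructed; its addresses are made up."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value}. Repeated codes are concatenated (RFC 3396)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> list:
    """RFC 3442 encoding: prefix length, ceil(len/8) destination octets, 4-octet router."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        n = (plen + 7) // 8                               # significant destination octets
        dest = value[i + 1:i + 1 + n].ljust(4, b"\x00")   # pad omitted octets with zeros
        router = value[i + 1 + n:i + 5 + n]
        if len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes


def check_offer(payload: bytes) -> dict:
    """Summarise a DHCPOFFER/ACK and flag the problems the two threads describe."""
    opts = parse_options(payload)
    mask = opts.get(1)
    report = {
        "type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "subnet_mask": str(ipaddress.IPv4Address(mask)) if mask and len(mask) == 4 else None,
        "router": str(ipaddress.IPv4Address(opts[3][:4])) if 3 in opts else None,
        "routes": decode_classless_routes(opts[121]) if 121 in opts else [],
        "findings": [],
    }
    if report["subnet_mask"] in (None, "0.0.0.0"):
        report["findings"].append("option 1 missing or 0.0.0.0: the server sends no usable subnet mask")
    if 121 in opts and 3 not in opts:
        report["findings"].append("option 121 without option 3: clients that ignore 121 get no default gateway")
    return report


def build_sample_offer(mask=b"\xff\xff\xff\x00") -> bytes:
    """Constructed DHCPOFFER for 192.168.20.50 with two classless routes (mask=None omits option 1)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                      # BOOTREPLY, Ethernet, hlen 6, hops 0
        0x3903F326, 0, 0x8000,           # xid, secs, flags (broadcast bit)
        b"\x00" * 4,                     # ciaddr
        bytes([192, 168, 20, 50]),       # yiaddr: the offered address
        bytes([192, 168, 20, 1]),        # siaddr
        b"\x00" * 4,                     # giaddr
        bytes.fromhex("001122334455").ljust(16, b"\x00"),   # chaddr (made-up MAC)
        b"\x00" * 64, b"\x00" * 128)     # sname, file
    routes = (bytes([8, 10]) + bytes([192, 168, 20, 254])              # 10.0.0.0/8 via .254
              + bytes([22, 172, 16, 4]) + bytes([192, 168, 20, 253]))  # 172.16.4.0/22 via .253
    options = bytes([53, 1, 2]) + bytes([3, 4, 192, 168, 20, 1])       # DHCPOFFER, router
    if mask is not None:
        options += bytes([1, 4]) + mask                                # subnet mask
    options += bytes([51, 4]) + struct.pack("!I", 7200)                # lease time
    options += bytes([121, len(routes)]) + routes + bytes([255])       # classless routes, end
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    for label, msg in (("good offer", build_sample_offer()),
                       ("mask 0.0.0.0", build_sample_offer(mask=b"\x00" * 4)),
                       ("no mask", build_sample_offer(mask=None))):
        print(label, check_offer(msg))
```

    On a real capture, point check_offer() at the UDP payload of each OFFER/ACK from the pfSense LAN address; if option 1 decodes correctly there, the netmask problem is on the client, and if option 121 decodes to the routes you expect, the server side of the option 121 question is settled regardless of what the client does with it.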

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.