• DNS hijacked messages shown in results after running namebench

    1
    0 Votes
    1 Posts
    286 Views
    No one has replied
  • 0 Votes
    2 Posts
    382 Views
    RangoR

    So I did a DNS lookup on pfSense directly and it shows the correct DNS server, OpenDNS.

    However, from a PC connected to my Asus in access point mode, which doesn't have DNS running, it still shows Comcast DNS 73.xx.etc.

    I did ipconfig /flushdns and went to the Asus AP and did root# killall -1 dnsmasq to flush DNS from the AP, but the shell returned nothing to kill, as the service is rightfully not running: the Asus AP is in AP mode only, so no DNS or DHCP is running. But both my PC and laptop show Comcast DNS on whoer.net and ipleak.com. What gives, guys?

  • Looking for multi scope dhcp and dns resolver solution

    1
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • New device doesnt get a DHCP offer

    3
    0 Votes
    3 Posts
    311 Views
    P

    I finally figured it out. The VLAN tagging on my switch was pushing this device to the External interface, which didn't have a DHCP server configured. When I changed the switch to the internal VLAN it all worked. vlans=magic  :)

  • Problem with DNS Resolver and pfBlockerNG [SOLVED]

    8
    0 Votes
    8 Posts
    4k Views
    F

    @RonpfS:

      Bail obtenu. . . . . . . . . . . . . . : vendredi 2 mars 2018 17:32:11   Bail expirant. . . . . . . . . . . . . : vendredi 2 mars 2018 17:36:51

    Check the DHCP log and you will notice that unbound restarts every time a new lease is issued.

    The 'Unbound Resolver Reloads' can take several seconds or more to complete and may temporarily interrupt DNS Resolution until the Resolver has been fully Reloaded with the updated Domain changes. Consider updating the DNSBL Feeds 'Once per Day', if network issues arise.

    So you need to disable Register DHCP leases in the DNS Resolver under Services / DNS Resolver / General Settings. I use Static Mappings.

    Thank you very much, problem solved.

  • DHCP Static assignment problem

    4
    0 Votes
    4 Posts
    2k Views
    T

    Would this happen if DHCP has already assigned IPs to these MAC addresses? Check Status > DHCP Leases. If so, try deleting the entries automatically created by DHCP with the same MAC addresses.

    Make sure you are assigning static IPs outside of the DHCP IP range.

  • Flood DHCP V6 on esxi

    23
    0 Votes
    23 Posts
    2k Views
    johnpozJ

    Is what normal - yes esxi has ipv6 support.. But it wouldn't be coming from the mac of your VM virtual nic..

    Yes suse most likely out of the box would try and configure IPv6.. Did you tell SUSE not to do ipv6?

    Pretty much every single current OS on the planet will use IPv6 - unless you specifically, and sometimes with quite some difficulty, turn it off..  Windows for example you can even disable it with a reg key… But it's still there in the core, just doesn't do anything with it..  But if you look you will still see ipv6 loopback, etc.

    Same with linux to rip it out of the kernel you would have to compile your own, etc.

  • Default pfSense hostname is external IP?

    4
    0 Votes
    4 Posts
    2k Views
    X

    Sorry,

    I did not find the setting for this in pfSense. I think that when installing, pfSense automatically put the second interface's address in the /etc/hosts file. (My second interface is WAN_2.) Unbound (DNS Resolver) reads the data from this file and writes this information into /etc/unbound/host_entries.conf.

    I checked the DNS Resolver -> Advanced Settings -> Disable Auto-added Host Entries, and the host_entries.conf file does not contain this information now. I have manually entered these in the DNS Resolver -> Custom options:

    server:
    local-zone: "local.lan." transparent
    ...
    local-data-ptr: "192.168.0.1 pfsense.local.lan"  #  CHANGED IP MY LAN_1 ADDRESS
    local-data: "pfsense.local.lan. A 192.168.0.1"    #  A record; unbound requires the record type

    The ARP table now shows:

    interface    IP address     Hostname
    WAN_2        11.22.33.44    router.example.com    # external ip, my external domain
    LAN_1        192.168.0.1    pfsense.lan.home      # internal ip, domain

    This is working  ;)
  • Internal DNS not working, setting DNS manually on host works. [SOLVED]

    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • DNS Resolution

    6
    0 Votes
    6 Posts
    882 Views
    R

    Though I am finding it probably wasn't necessary, I like the idea of the pfSense being able to resolve machines on my domain.

    AD DNS servers auto-forward to the root servers when you try to resolve a TLD.

    I got LDAP integration working by using creds to authenticate; for some reason I couldn't get anonymous binding to work. Any light you could shed on that would help, as I would prefer that method.

  • Issues with DNS resolution for PFSense host entry

    1
    0 Votes
    1 Posts
    285 Views
    No one has replied
  • DNS Server Domain Override Over IPSec VPN not working

    8
    0 Votes
    8 Posts
    12k Views
    W

    I am so glad I finally found this thread. I was using pfBlockerNG before, but just for country blocking. I decided to start using DNSBL, but that required my remote sites to switch from DNS Forwarder to DNS resolver, but when I did that the internal DNS broke. I had searched with the wrong keywords I guess before, but this one was a lifesaver! Thanks for these suggestions that fixed my DNS problems!

  • Hosts with DHCP address cannot ping each other but static entries can…

    14
    0 Votes
    14 Posts
    1k Views
    JKnottJ

    I have never seen anything treat DHCP addressed devices differently (in this way) than statically addressed devices.

    If all the devices have a valid IP address, it's not a DHCP issue.  The only relevant DHCP info, for communicating over the local network, would be IP address and subnet mask.  On computers, you can check the ARP cache to see if a device you're trying to contact is in it.  As I've mentioned many times in these forums, capturing traffic can help understand the problem.  Packet Capture on pfSense will only capture traffic that is for or passes through pfSense, as well as broadcasts.  So, to capture traffic you'd need Wireshark and a means, such as port mirroring with a managed switch, to capture the traffic.  You can also run Wireshark on any computer that's involved in the problem.  Without knowing what's on the wire, we're largely guessing, in the absence of other information.

  • DNS resolution fails

    15
    0 Votes
    15 Posts
    2k Views
    M

    Puma 6 Test
    21ms : x
    24ms : x
    25ms : xx
    27ms : xxx
    28ms : xx
    31ms : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx»
    32ms : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    33ms : xxx
    34ms : xxxx
    35ms : x
    36ms : xxxxx
    37ms : xxxxxxxx
    38ms : xxxxxxxxxxx
    39ms : xxxxxxxxxxxxx
    40ms : xxxxxxxx
    41ms : xx
    42ms : x
    43ms : xxx
    45ms : x
    46ms : x
    47ms : xxx
    52ms : x
    54ms : x
    62ms : x
    63ms : xxx
    64ms : x
    75ms : x
    78ms : xx
    79ms : xx
    150 - 199ms :xx
    250 - 299ms :x
    350 - 399ms :x

    I think that passes.  I will try the other test and post results. Thanks!

  • DNS Stalling?

    16
    0 Votes
    16 Posts
    1k Views
    johnpozJ

    So here look set to static I ask for something.local.lan, which there is no record of that I get back this..

    dig something.local.lan

    ; <<>> DiG 9.11.2-P1 <<>> something.local.lan                         
    ;; global options: +cmd                                               
    ;; Got answer:                                                         
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21582             
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:                                                 
    ; EDNS: version: 0, flags:; udp: 4096                                 
    ;; QUESTION SECTION:                                                   
    ;something.local.lan.          IN      A

    ;; Query time: 0 msec                                                 
    ;; SERVER: 192.168.9.253#53(192.168.9.253)                             
    ;; WHEN: Sat Feb 24 03:18:29 Central Standard Time 2018               
    ;; MSG SIZE  rcvd: 48

    It sends the NX… And nothing else happens... Now if you change the zone to transparent, which is the default..  You get this instead..

    dig something.local.lan

    ; <<>> DiG 9.11.2-P1 <<>> something.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37322
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;something.local.lan.          IN      A

    ;; AUTHORITY SECTION:
    .                      3600    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2018022400 1800 900 604800 86400

    ;; Query time: 179 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Feb 24 03:19:44 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 123

    It tried to find that by normal resolve.. You can see roots sent back hey buddy sorry no .lan network… If you would sniff on wan you would see it asking for that.. I did query for othersomething since something was cached as neg and wouldn't go ask again until that neg ttl expired..

  • DHCP client failure to obtain address

    4
    0 Votes
    4 Posts
    349 Views
    GertjanG

    Yes, one word : realtek

  • PfSense can DNS-resolve all domains but "pfsense.org" itself!

    2
    0 Votes
    2 Posts
    644 Views
    GertjanG

    Hi,

    Instead of explaining what might have happened, I'll propose the easy one :
    Use default settings and you'll be fine.
    Not using default settings is fine too, but there are consequences. One of them is : pfsense itself can't resolve anymore. After that, pfsense can't find any upgrade anymore (and packages).

    edit: sorry, forgot to say this : the default setting is : use Resolver.

    edit : like this : https://forum.pfsense.org/index.php?topic=144363.0 - happens all the time.

  • PfSense as DNS server for external (over vpn) clients, not working

    1
    0 Votes
    1 Posts
    264 Views
    No one has replied
  • DNS Forwarder Host Overrides

    12
    0 Votes
    12 Posts
    2k Views
    johnpozJ

    Do you need it? No you don't there is zero resources that I am aware of that are only available via ipv6 other than maybe some darkweb or p0rn sites..

    As you saw my windows box is clean - but I can click 1 button and then it has IPv6 and I can test stuff via IPv6 if I want, etc..

    Here I enabled ipv6 on its lan and bing bang zoom I can talk IPv6 to internet, etc..

  • One pfsense DNS resolver to use another pfsense as DNS server???

    6
    0 Votes
    6 Posts
    717 Views
    johnpozJ

    Yes out of the box pfsense uses rebinding protection

    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.