@Gertjan: Remember : do not edit the zone file db.my-domaine.tld without using the "rndc freeze / reload / thaw", or you will be struck by the DNS gods. Boy Howdy that's the truth! That's perfect, I appreciate it! –jason

Dude how many dns entries do your clients have?  If they have both internal and pfsense then is borked.. Your dns clients should only point to the nethserver for dns.

1)  What interfaces do you want it to listen on… I am never a fan of ALL for something that listens.  I have it set to my local interfaces using it on and my wan for outbound. yes the online docs from unbound. https://www.unbound.net/documentation/unbound.html 3)  Turn off the automatic and then create the ones you want in the ACL tab.. When set to automatic I do not believe they show up in the ACL tab.. 4)  Not unless you have specific needs, like a plex server?  Or you want to load a bunch of domains your redirecting, etc. Kind of like a manual version of pfblocker can be done by loading wildcard domains for a redirect to say loopback.

Hello Gertjan, I love your personality :P .  I am running the latest firmware; however, I agree that a reinstall will be necessary.  Throughout the day I've been losing my configuration across the whole firewall.  I found the issue- du -sh /var/log/* Revealed that Surricata log was taking 5.6G of the 7G drive.  LOL!  Now I looked at the config, and I think the logs should have rotated…perhaps logging TLS certs was a bad idea. I'll reinstall, that's something I'm very familiar doing (too many times). Thanks!!

Yeah. You might get the ISP DNS server dynamically but I would bet if you CALLED THEM AND ASKED they could give you a list of addresses to use.

They have 2 methods, pfSense is aware of the old method only. Old method - use "freeDNS" in pfSense GUI New method - version 2 as they call it - use "Custom" in pfSense GUI and put something like this in Update URL: https://sync.afraid.org/u/YourCodeHere/

You are right,i had /32 i changed now to /24 thanks.

In case anyone else comes across this query I thought I would post an update. Since posting my original message I have continued to experience intermittent key errors lasting for minutes at a time (with consequent loss of DNS resolution). Now it may be mere coincidence, but since I enabled Pre-fetch DSN Key Support (Services/DNS Resolver/Advanced Settings I have not experience a repetition of these key error message. I don't profess to know the reason why this might have resolved my issue.

OpenDNS is set as the default DNS in General. It seems as if new IP’s that come on to the network use that OpenDNS unless specifically set to use a different DNS in the Static IP mapping. Is that not how it works? Any help is appreciated.  ;D my noob status is confirmed.

This is an old post, but I just resolved this exact issue, which in my case turned out to be having DNSSEC enabled. Try disabling DNSSEC to see if your clients can then resolve names.

"This train of logic actually suggests that it is the client (Windows 10) not OpenDNS which can't do DNSSEC" Sorry but that is not what that train of non logic suggests at all…  Suggest you research how dnssec works, and why asking opendns for dnssec is not going to work..  But why it does work when you acktually resolve, etc.

@jimp: Additionally, DHCP does not work that way. The second device will be given a random address from the pool since the first is in use. Not just while the first device is in use.  DHCP uses leases and until the lease expires, the device the IP address is assigned to "owns" that address until the lease expires.  This means that even if that first device is shut off, the IP address will not be available to any other device, until the lease expires.

Many thanks for that, johnpoz! Actually the rule was configured initially but with mistake. Once I figured that out this split dns idea came to my mind. In a mean time I just manually configured NTP server IP (from the same subnet) instead of the hostname for a few devices. Will do something nicer later on. Thanks again!

Do you maybe have a link with a proper tutorial on configuring this? Not specifically.  There are a million of them online.  Start with squid.  Get it working either transparently or explicitly.  Then add squidguard and get it working.  Ask for help if/when you get stuck.  That's how the rest of us learned. That said, the OpenDNS solution using their child-friendly DNS feature may be the quicker & easier solution for you, but less flexible.