• Split DNS and Port Forwarding to web server on DMZ

    0 Votes
    5 Posts
    1k Views
    I figured out the issue by going to another machine, it was not a pfsense configuration issue but a workstation issue. My workstation had been set to always use Google DNS and wasn't polling the pfsense box at all. So no matter what I changed in pfsense it wouldn't impact my testing machine.
  • Randomly can't ping or visit google addresses

    0 Votes
    2 Posts
    374 Views
    Are you running any IDS, etc.? I have SNORT running and noticed a few months ago that Google IP addresses would somehow get on the block list; don't know what Google has changed. I ended up creating a Google whitelist and placed all Google wildcard domains on it. You can google how to do it; there are heaps.
  • [SOLVED] no vlan nic tab under dhcp server page

    0 Votes
    6 Posts
    725 Views
    johnpoz
    Yes it is for setting an address and the mask of the networks pfsense is in..
  • DNS Resolver stopped working unexpectedly pfsense 2.3.4-RELEASE amd64

    0 Votes
    9 Posts
    3k Views
    chpalmer
    If I choose my interfaces in resolver and include "IPv6 link-local" my resolver will not start when rebooted or updated. This has happened in the past and seems to have regressed. Starting the service manually does work.
  • DHCPDECLINE issues

    0 Votes
    6 Posts
    2k Views
    I'm using a Meraki (Cisco) MR33 AP. Atm, I'm trying to install a different one to sort things out.
  • Two DNS issues

    0 Votes
    6 Posts
    1k Views
    johnpoz
    just aa, so single label.. Yeah bad idea.. Your domain could be thisismydomainanditsverylongsoIhatetotypeit.com and it would still be done auto if you would just setup your clients correctly in the right domain and or use suffix search.. And you have yet really given an example of why you need it… As I went over there are ways resolve the name locally via broadcast LLMR, etc.. that has nothing to do with dns.. So what exactly is not resolver that you need a single label domain that is really short because you're too lazy to type in domain.com etc.. Yes for dns to resolve it needs and should be Fully qualified.. not just hostname..
  • Dhclient: prevent from using recorded lease

    0 Votes
    3 Posts
    1k Views
    I also think it makes no sense to use the 'old' IP but this is standard behavior of dhclient. If you look at the beginning of the log (Aug 16 03:20:38) you will see dhclient: connection closed, exiting. Possibly because the Modem is restarting, I cannot verify this because it happens randomly and mostly at night, every few days. Then about a minute later a new process of dhclient starts PREINIT and requests a lease. After 60 seconds (default setting) of trying it gives up (TIMEOUT), it then uses the recorded lease ending with .25 which is the old lease. I always get the same dynamic IP from the ISP. This would all be fine since the lease seems to still be valid (renewal in 135593 seconds, 37,6h), but in the end the dhclient deletes the 'old routes' taking PFSense offline because it deletes the default route! And then it is offline for the next 37,6 hours until it renews the lease again or I manually renew it. This seems to be a bug that quite a few people are struggling with or at least it seems that way when searching the forum. I think it is a bug because the 'old routes' are not old routes if the same (old) lease is used again! Do you see the problem?
  • Trying to disable DNS Resolver, getting an error

    0 Votes
    3 Posts
    1k Views
    Gertjan
    @sporkme: I know this is old, but it's the most recent topic on this I'm finding. I have the exact same error, and I'm not finding any obvious fixes. I'm on 2.3.4.

    Strange. What hardware? pfSense will not create a sub directory called /test in /var/unbound. I'm using the resolver also on a classic PC configuration, using a normal hard disk, and the config files are present in /var/unbound. There is one sub directory, called /conf.d:

        [2.3.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/var/unbound: ls -al
        total 64
        drwxr-xr-x   3 unbound  unbound   512 Aug 14 07:20 .
        drwxr-xr-x  32 root     wheel     512 Jul 14 21:58 ..
        -rw-r--r--   1 root     unbound   302 Aug 14 07:20 access_lists.conf
        drwxr-xr-x   2 unbound  unbound   512 Jul 14 21:58 conf.d
        -rw-r--r--   1 root     unbound  1676 Aug 14 07:20 dhcpleases_entries.conf
        -rw-r--r--   1 root     unbound  3578 Nov 25  2015 dnsbl_cert.pem
        -rw-r--r--   1 root     unbound     0 Aug 14 07:20 domainoverrides.conf
        -rw-r--r--   1 root     unbound  5590 Aug 14 07:20 host_entries.conf
        -rw-r--r--   1 root     unbound     0 Jun  7  2016 pfb_dnsbl.conf
        -rw-r--r--   1 root     unbound  1216 May 30  2016 pfb_dnsbl_lighty.conf
        -rw-r--r--   1 root     unbound   300 Jan 29  2015 remotecontrol.conf
        -rw-r--r--   1 unbound  unbound  1252 Aug 14 07:20 root.key
        -rw-r--r--   1 root     unbound  1660 Aug 14 07:20 unbound.conf
        -rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_control.key
        -rw-r-----   1 unbound  unbound   802 Jan 29  2015 unbound_control.pem
        -rw-r-----   1 unbound  unbound  1277 Jan 29  2015 unbound_server.key
        -rw-r-----   1 unbound  unbound   790 Jan 29  2015 unbound_server.pem

    If the file system is not writable, start checking for disk error (full, damaged, etc).

    I run the resolver instead of the forwarder so I can have DNSSEC (very nice if you use ssh's sshfp record stuff).

    @sporkme: I also find that when DNS is screwed, the web UI is basically not usable. How does one work around that?

    If unbound can't write to disk, well, the GUI will complain or worse, die. Your entire pfSense will be crippled at best, blow up at worst.
  • Reverse DNS for overriden hosts

    0 Votes
    3 Posts
    534 Views
    jimp
    I pushed a fix for this yesterday: https://redmine.pfsense.org/issues/7771
  • DNS Resolver MX record

    0 Votes
    3 Posts
    746 Views
    Cheers for that, works perfectly.
  • Logging question, see when a client disconnects?

    0 Votes
    11 Posts
    914 Views
    Fixed it for now at least. Turned that port to fixed speed on the switch side (doing it on the router side didn't help) and for whatever reason, it hasn't gone down in days.
  • 0 Votes
    3 Posts
    488 Views
    @johnpoz: "if I hit details it show me the pfsense certificate…" That is not host override or split dns, that is nat reflection issue.  Your iphone is prob not using your local dns..  And getting your public IP vs the local override you setup. lol… You are completely right. I checked the iPhone setting and of course there was a Google DNS entered... After changing to internal DNS it works how it should. Thanks!
  • Dynamic DNS Broken?

    0 Votes
    2 Posts
    2k Views
    Hi, I coincided this issue with updating to 2.3.4_p1, which I found strange, that it worked for so long then suddenly stopped working. At some point, dyn.com implemented Client Updater Key. This is a password only for clients that update your IP, apparently a security measure to separate account login password from update clients. Anyways, check that you're using the client updater key (you can generate new ones too). Just log into dyn.com and go to your account settings. Hope this helps.
  • Open DNS + Gateway Failover + Update Times

    0 Votes
    2 Posts
    412 Views
    I just changed the time in the cron plugin for /usr/bin/nice -n20 /etc/rc.dyndns.update: removed the every 1 hour default and made it more frequent.
  • Local DNS breaks every 5-7 days

    0 Votes
    1 Posts
    375 Views
    No one has replied
  • How to use DNS Resolver UNBOUND to do Internal resolution?

    0 Votes
    3 Posts
    598 Views
    Thank you.
  • DHCP Leases in UTC

    0 Votes
    4 Posts
    1k Views
    It's easy to miss this. When I originally saw "time format change", I kept looking for time zone. It really should be called time zone, because that's what it is. Time format is something different altogether.
  • Bypassing Host Overrides for certain times and for certain clients

    0 Votes
    6 Posts
    1k Views
    I use OpenDNS. I have used OpenDNS. It is very good at blocking content by category and blocking specific sites. However, when it comes to Google web browser, especially the incognito mode, OpenDNS does not enforce safe search. So they can google any image they want. The same for Youtube. Once they have logged into Google they can access nsfw and porn that Youtube has not removed.
  • [SOLVED] dnsmasq log file equivalent for DNS Resolver

    0 Votes
    2 Posts
    3k Views
    Xentrk
    @Xentrk: I need this information as I want to route certain traffic between two OpenVPN client gateways depending on the domain names the traffic generates. For example, I am able to use this information to identify what domains are being called when I turn on a certain media streaming site. I can then create firewall rules to route this traffic to a VPN server in a large market to have more channels. If anyone needs help in creating policy rules to do the above, let me know. I'll work on the instructions and post in the OpenVPN forum soon.
  • Command to summarise and report DNS requests?

    0 Votes
    1 Posts
    379 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.