ok quick update. I think I have figured out that the problem isn't with the pfsense box but rather with the modem in front of it. I don't know what would be causing the problem in the modem though. The firewall is turned off and I'm pretty sure the NAT is also turned off.

As mentioned your static or dhcp reservations are outside the pool, if you need more statics then shrink the pool to leave more IPs in the network for static reservation vs being held by the pool to hand to to just dhcp clients.

Why would you think you need to open ports on wan?? So you have a router/firewall in front of pfsense?  What is the point of pfsense then??

Sure I use save all right. You are missing what I am saying. It only works after I make a change to that particular setting. After I reboot the setting is still there an indication that the save worked. But the forwarder does not work for the list of predefined custom FQDNs unless I make a change. Once the setting has changed it works. It does not matter if the box is checked or unchecked. – Wil

I you have 192.168.10/24 on one interface of pfsense, and 10.0.0/22 on another any need them to talk - then create the firewall rules to allow them to talk.. Simple as that.

there is something easier also. go to https://freedns.afraid.org/dynamic/v2/ You'll see a url there copy that url. Make a custom entry. Fill in the url at update url and click save. No need for username or password or resulting match. Not sure how often its updated this way. but it works.

Currently your pfSense is waiting to see packets without tags (default LAN interface), and packets with tags that identify themselves as belonging to VLAN10 (LAN_VLAN10 interface). Typically, endpoints (such as computers) do not tag packets themselves. That is the job of the smart-switch/managed-switch/wireless-AP that they connect to. If you are not using a smart/managed switch to tag packets, or your AP is not tagging packets, then it'll be unusually difficult to tag your own packets. Once the packets are tagged (and are allowed/able to access pfSense), then pfSense will see the VLAN-tagged packets and respond to your DHCP requests.

Any time you have some question of your rules - post them.. As to dns open to any.. My lan is any any to all.. I have no specific rules.  Your rules are what you want them to be.. Do you want all your devices on lan to be able to query any dns anywhere?  Or just ask pfsense for dns? "when I change the destination to the active directory IP" What?

I have the same problem, anyone have experience with this?  I have installed BIND and configured a slave zone to sync with the master, but it's not syncing.  Firewall is open on the LAN side so that shouldn't be an issue.

ok solved it, I have set the outgoing interface to WAN only, whops.

Ah. I have DNS resolver/forwarder disabled though. Could it possibly be a phantom BIND instance of a sort? Will do more tests later.

OK.  That looks more readable.  So, the first clump is querying the root server, the second clump handles the .com suffix, and the final clump actually resolves the address.  Thanks.

The patched worked for pfsense 2.3.3 but I would like to update all the subdomains and root domain of a zone with the same ip, how can I do that? The wild card thing doesn't seem to work nor can I use the asterisk for the host name.

@johnpoz: A resolver is always going to be a better choice vs forwarding from a security point of view, and once you have cached an entry and you use prepop, and let your resolver look up a record when it has 10% of the ttl left your clients queries for common stuff you look up should always be only 1 or 2 ms away.. vs having to go ask googledns again which is prob 30+ ms away anyway every time the ttl expires for something. You've made a convincing argument, I'll stick with the Resolver. I do have a few more questions: I'm nearly certain, 11 days ago when this became an issue for me, I found both the Resolver and Forwarder disabled (unchecked).  Everything was working.  Was DNS working solely from the settings on pfSense's System / General Setup page? If I'm right that the Resolver was unchecked…I wonder why.  I don't remember making any changes in this area. Is the Forwarder going to be removed from the next major release of pfSense?  Just curious, I think I read this somewhere. Finally, thanks again for your help.  Much appreciated!

@johnpoz: There are many devices that will not pull the search suffix from dhcp.. You should set it on the machine - or just use the fqdn when your looking for something vs having to hope it gets added when you just type host.. I mean really how lazy are you? ;) Personally, I am dangerously lazy which, mixed with my networking ignorance, makes simple networking changes occasionally catastrophic. Learning by necessity is more efficient. Wait… no it isn't.