@JonathanLee said in DoH list: There is something we can use to detect DoH use DoH is a TLS data stream going a some destination IP using port 443. Just by looking at the random bit stream, the size of entire stream open - data exchange and stream end, you might be able to say : hey, that's not a classic web page, but something way smaller like a DNS request. But how to be sure ? DoH server are special, and by nature their IP addresses are semi static or 'always the same', so they can't hide for long time, they will get known. If you're not sure, throw a DoH DNS request on it, and you'll be sure its a DNS server, as a web server will say 'sorry, error'. To block DoH the explicit way, there is only one solution : go MITM.

@frater Unbound does seem to need a restart to see new interfaces. In many places pfSense will overwrite files based on the pfSense config file. Best to make changes in the pfSense GUI.

@ojosaghae said in Connection Problem for some devices: It pops up a Screenshot 2024-08-15 at 10.31.17.png from time to time. That's nasty and probably means : radio wave issue. As we humans can see these waves, we can't see interference, collisions, leaking micro waves and things like that. And its not because we can't see it, it isn't there. The logs that follow is normal and correct : as soon as the connection comes back up, the wifi device starts with negotiating a DHCP lease. The same thing happens when you disconnect a wired device : when putting the cable back in place, DHCP kicks in first. Do this ten times a minute, and this will happen ten times a minute. The thing is : this could have a lot of causes ... If your AP has a 'scan' mode, use it to see if there are other SSID's around using the same frequency. Or de activate all your wifi stuff, and activate them one by one. In between, test for a while. As soon as things go down hill, you've found the device acting bad : remove it permanently. Or look a the zillion "My wifi is bad, what can I do ?" youtube videos

@Gertjan talked to my isp, they just replaced all of my coax lines since they were bad and they wouldn't let me talk to them about the dns problem. This was in fact not my current problem, it did improve my upload and download speeds but thats about it. very unexpected. Tomorrow ill call again since they are closed now.

@viragomann Thanks for asking question, problem solved.... Some information : The interval between the 2 parts of log where only 3 seconds no gateway display in the pfsense... But in System->Routing menu, the default gateway IPV4 was in "automatic" If I set it to WAN_DHCP it works!!!

@AndyRH I made a local A DNS record for every IP Adress :) This also worked for me since I dont have that many devices :)

I have this problem also. Way havednt they manage to fix this when they have added the new DHCP server version, it most get this working fast as its a verry important thing.

@Uglybrian Thanks. There are no settings relating to handoff in the WiFi setup. I will open a case with NetGear support.

Turns out it wasn't too difficult to do myself. PR: https://github.com/pfsense/pfsense/pull/4693

@Uglybrian You'd need two NAT rules for IPv4 and IPv6 anyway, they can't be combined.

@NickJH well register static, is what you have made a reservation for, that is loaded when unbound loads, so yeah changing the config would be instant because unbound restarted and loaded in all your dhcp reservations.

@mcury that is what I was looking for thank you.

@McMurphy keep in mind whenever you forward, ie your domain override is a forward, if the answer is rfc1918 it would be a rebind. So where your creating the domain override you would also need to set the domain as private. https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections You also need to make sure where your sending the query that the ACL on unbound allows for the query. I would do a directed query to the unbound on the far side of the vpn and make sure you actually get an answer, this would not take into account any rebind, but would validate your firewall rules and unbound acls allow for the query.

@McMurphy yes you’d have exclude the AD DNS IPs, perhaps an alias that contains only other IPs. See the tip there; “With this port forward in place, DNS requests from local clients to any external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible. Tip This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The Invert match box should remain checked.”

@johnpoz I tried following this guys video https://www.youtube.com/watch?v=ReSE3Bn5dFQ&t=11s. Like i said before just wanted to see if i can put all this stuff in pfsense but you are right. I decided to put it in a rasberry pi seperately. Works like a charm to be honest and less hassle. I didnt want to put it into another VM as I am running a few already in UNRAID so didnt want to stress it but this was interesting. I still would like to know how this guy made it to work in pfsense to be honest but I will do that when I have more time.

@conover yes is the default, you can see it in the conf if you look in the conf right at the top [24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: cat unbound.conf ########################## # Unbound Configuration ########################## ## # Server configuration ## server: local-zone: "0.168.192.in-addr.arpa" typetransparent chroot: /var/unbound username: "unbound" directory: "/var/unbound" pidfile: "/var/run/unbound.pid" use-syslog: yes port: 53 verbosity: 2 hide-identity: no hide-version: no harden-glue: yes do-ip4: yes do-ip6: yes do-udp: yes do-tcp: yes do-daemonize: yes If you set no in the options box it will be lower in the conf # Unbound custom options server: do-ip6: no ede: yes

@agmc tem algum switch no meio do caminho ?

@Gertjan yeah i was aware of that Problem. But since Everything worked so far, i didnt put changing my Home Domain to anything else aside. It is interesting though, that dnsmasq does Not have this Problem but unbound does