• Override website address (DNS lookup)

    0 Votes
    3 Posts
    360 Views
    Gertjan

    @laov said in Override website address (DNS lookup):

    Thus I would like to automatically redirect all website.com lookups to website.net.

    Both have the same IPv4 and/or IPv6?

  • unbound quits resolving, have to restart

    0 Votes
    23 Posts
    1k Views
    HLPPC

    @Gertjan if you are blocking bogons and local addresses on WAN, a double NAT may not be possible with an ISP router.

  • 0 Votes
    8 Posts
    1k Views
    Bob.Dig

    @kevdog A different (sub-)domain, right.

    For WireGuard, it would be better if at least one side has a static IP address. But when both are dynamic, sure, go with DDNS. If it doesn't change regularly, you shouldn't notice any problem.

  • Static Lease in Kea failing

    0 Votes
    5 Posts
    1k Views
    Gertjan

    @NickJH

    Check this one:

    [screenshot]

    and hit the big blue Save button at the bottom of the page.
    Worked for me.

    edit:
    and we never believe a GUI, as its nature is hiding all the info we're looking for: a test!?!

    Because I know I've entered this:

    [screenshot]

    This must work:

        C:\Users\Gauche>nslookup bureau2
        Server:   pfSense.bhf.tld
        Address:  2a01:cb19:beef:a6eb:92ec:77ff:fe29:392c

        Name:       bureau2.bhf.net
        Addresses:  2a01:cb19:beef:a6eb::88
                    192.168.1.2

    and this is correct ...
    I'm also using static "IPv6 leases" because I really don't want to have to deal with IPv6 addresses like '2a01:cb19:beef:a600:46d4:54ff:fe2a:36dc'.

    My LAN IPv6 '2a01:cb19:beef:a6eb:92ec:77ff:fe29:392c' is already a horror. Gone are the days you could 'quickly' ping the LAN using "192.168.1.1" 😵

  • View DNS Registrations

    0 Votes
    10 Posts
    621 Views
    B

    It is switched back to ISC, and I thought I was sure it was set to register dynamic and static leases (I mean, it worked before, so it had to be set at some point). However, I realized I didn't do a full reboot since switching back to ISC, and after doing that, those were both unchecked... Either I'm crazy or it was a GUI glitch resolved by the reboot.

    Thank you very much for your time

  • DNS request timed out., then works

    0 Votes
    8 Posts
    988 Views
    Gertjan

    @RyanM said in DNS request timed out., then works:

    It doesn't provide a work-around for the lack of DNS registration of static DHCP leases. Is this capability on the roadmap?

    As has been said here on the forum: this is the initial pre-release of Kea.
    It's being worked on right now.
    "The next pfSense version is always better".

  • Split DNS but with specific MX

    0 Votes
    15 Posts
    640 Views
    johnpoz

    @MatDepInfo well that isn't sending it to your local anything - yourdomain.outlook points to public IPs owned by MS.. So you're sending the email there, and then it forwards that to you, I take it.

  • DNS Failing every hour?

    0 Votes
    2 Posts
    205 Views
    Gertjan

    @BCMguy

    Time to activate the 'show me the answers' mode.
    You have a console, or better, easier, SSH. Use it.
    Go for option 8.

    If this happens :

    @BCMguy said in DNS Failing every hour?:

    I lose all internet connectivity for about 3-4 minute

    everything that is WAN related will not work anymore.
    This :

    @BCMguy said in DNS Failing every hour?:

    Clients cannot resolve internet addresses

    would be true if, at that moment, one of your clients was asking for an unknown - not cached at pfSense - host name. Resolving can't happen without a working connection.
    But is it unbound that can't answer, as it can't resolve,
    or is it unbound that is not running (= restarting) at that moment?

    @BCMguy said in DNS Failing every hour?:

    including from the pfSense ping tool

    Yeah, normal. If your uplink (WAN) is down, pings won't pass either.
    Nothing will pass.

    @BCMguy said in DNS Failing every hour?:

    WiFi connectivity remains functional (Unifi equipment) and I'm able to log into local resources like pfSense and my media servers

    Normal. It's only the WAN link that is down, not your other interfaces.

    What does the system log tell you about what happens at xxh02?

    Use the console or SSH with menu option 8:

    tail -f /var/log/system.log

    to see the same system log, but way faster.
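An added example, not code from Gertjan's post or from pfSense: instead of watching `tail -f` for an hour, pull out the system-log lines that fall in the same minutes of every hour, so a failure that recurs "at xxh02" can be read across several hours side by side, and count in how many of those hours unbound itself logged a stop (a restarting resolver versus one that merely cannot resolve, the distinction the post asks about). It assumes the default BSD-style syslog timestamp pfSense writes ("Jun 12 14:02:03"); the embedded log lines are constructed samples and the specific messages in them are illustrative, not a captured log.

```shell
#!/bin/sh
# Added example (not code from the thread or from pfSense): select the
# system-log lines that fall in the same minutes of every hour, so a failure
# that recurs "at xxh02" can be read across several hours at once.
# Assumes the default BSD syslog timestamp pfSense writes ("Jun 12 14:02:03");
# with the RFC 5424 log-format option enabled the timestamp field differs.

# Constructed sample log, not a real capture; the messages are illustrative.
SAMPLE_LOG='Jun 12 13:59:40 pfSense unbound[4321]: [4321:0] info: start of service (unbound 1.19.3).
Jun 12 14:02:03 pfSense php-fpm[380]: /rc.newwanip: rc.newwanip: Info: starting on igb0.
Jun 12 14:02:04 pfSense check_reload_status[420]: Reloading filter
Jun 12 14:02:06 pfSense unbound[4321]: [4321:0] info: service stopped (unbound 1.19.3).
Jun 12 14:05:31 pfSense unbound[4987]: [4987:0] info: start of service (unbound 1.19.3).
Jun 12 14:30:00 pfSense sshd[5000]: Accepted publickey for admin from 192.168.1.50 port 51234
Jun 12 15:02:02 pfSense php-fpm[380]: /rc.newwanip: rc.newwanip: Info: starting on igb0.
Jun 12 15:02:05 pfSense unbound[4987]: [4987:0] info: service stopped (unbound 1.19.3).'

# log_minute_window FROM TO  (stdin: log) -> lines whose minute is in [FROM,TO]
# Field 3 is HH:MM:SS; awk's default field splitting absorbs the double
# space syslog puts before single-digit days.
log_minute_window() {
    awk -v from="$1" -v to="$2" '
        BEGIN { from = from + 0; to = to + 0 }
        {
            split($3, t, ":")
            m = t[2] + 0
            if (m >= from && m <= to) print
        }'
}

# count_unbound_stops FROM TO (stdin: log) -> number of distinct hours in
# which unbound logged "service stopped" inside the window. A value close
# to the number of hours the log covers means the resolver is being
# restarted on a schedule, not merely unable to resolve.
count_unbound_stops() {
    log_minute_window "$1" "$2" |
    awk '/unbound\[[0-9]+\]: .*service stopped/ { split($3, t, ":"); hours[t[1]] = 1 }
         END { n = 0; for (h in hours) n++; print n }'
}

# Stand-alone run on the sample; on pfSense, feed the real file instead:
#   log_minute_window 0 5 < /var/log/system.log
#   count_unbound_stops 0 5 < /var/log/system.log
printf '%s\n' "$SAMPLE_LOG" | log_minute_window 0 5
```

On the sample, the window 00..05 shows a WAN re-address (rc.newwanip) followed by an unbound stop in both hours, which is the "restarting" case; a log with only client timeouts and no unbound stop in that window points instead at the uplink.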

  • DNS resolver page not showing DHCP options pfsense 24.03

    0 Votes
    5 Posts
    271 Views
    R

    @Gertjan

    Did not mean to imply the problem was with KEA as much as pfSense configuration options.

    Looking forward to the next release of pfSense, but not enough to start playing with pre-production releases on my production network.

  • Internal DNS server not working

    0 Votes
    14 Posts
    2k Views
    N

    The thread is a bit old, but since June 2024 the latest FRITZ!OS addresses this issue: "In the FRITZ!Box's PPPoE passthrough mode, DNS 'root queries' over UDP are no longer filtered" (original German: ‘Im PPPoE-Passthrough-Betrieb der FRITZ!Box werden DNS-"Root Queries" über UDP nicht mehr gefiltert’).

    When I reported the issue, AVM found the culprit, a firewall rule. Furthermore, only UDP/IPv4 was affected; TCP or IPv6 worked for DNS root queries.

    Consequently, with the upcoming FRITZ!OS 8, this should be fixed for everyone. Not sure if @mk873425 @float (or someone registered for notifications to this thread) still uses a FRITZ!Box as DSL modem; anyway, please give it a try. @mk873425 I think you had a Reddit thread about this as well; please update there if still possible.

  • DHCP host status update time

    0 Votes
    11 Posts
    468 Views
    C

    @johnpoz ah man, I thought from your first post that the arp cache cycle was for all devices and if one is offline during the next cycle it will perform an update and show the actual device status.

    Per-device cycle will be 100% fine for me with a script pull every 5 to 8 mins. (Most likely will stick to 5 mins)

  • DHCP server not showing for my VLAN

    0 Votes
    3 Posts
    185 Views
    H

    @Gertjan Thanks a lot, I thought the whole time I had a /24 but I had a /32. Now it appears in the DHCP Server

  • DNS on DHCP slow first page loading

    0 Votes
    11 Posts
    488 Views
    Gertjan

    @Davide-gdl said in DNS on DHCP slow first page loading:

    Are you that expert that uses dnsmasq and unbound at the same time?

    Noop.
    It is possible though. It's important to choose, for example, LAN and OPT2 as the interfaces to be served by unbound and OPT2 and OPT3 by dnsmasq.
    But I never found a use case where this was needed (for me).

  • Uid lease for client is duplicated

    0 Votes
    12 Posts
    11k Views
    johnpoz

    @slu said in Uid lease for client is duplicated:

    Is there a (safe) way to clean up these old leases?

    If the lease is old, from before you went to static - you can just hit the trashcan to delete the old lease

    [image: oldlease.jpg]

    I have never run into a problem with an old lease; normally I let a client just get a lease - then I change it to a reservation and renew the lease on the client and it gets the new reservation.

    But if it's problematic - then clear the old lease.. If the device is still using the old one and it's actively up, it won't present the trashcan.. If that is the case you could either maybe clear the pfSense ARP cache so it doesn't think the device is online and delete the old lease in the GUI.. Or worst case manually edit the lease file.

    If you want an option to delete all expired leases en masse you could prob put in a feature request.

    edit: btw the leases page doesn't show you expired leases unless you click "show all configured leases" at the bottom of the page

  • 0 Votes
    9 Posts
    1k Views
    johnpoz

    @walkingwounded Kea does have lots of things to look forward to.. And ISC was getting a bit long in the tooth.. With new you will have developers that are excited, etc.

    The logging looks way more intense - but also looks like you can do filtering of what is logged, etc.

    Don't feel bad - lots and lots of people have failed to grasp the "preview" of the current implementation.. But it is getting old kicking this dead horse ;)

    Only thing one can hope for is next time maybe they rethink the wording a bit when they make such an announcement actually on a page in the software. But I can fully understand it.. Hey, our users are techy.. They read the release notes, etc. They will check what ISC says about the EOL of their product and how it's not really going anywhere.. Just no longer being developed actively, etc.

    So just keep it sweet and to the point.. Which hasn't gone over how they planned, I don't think..

    Also I don't even know - is register dynamic and static even default? For all we know we have like 2 million users that have switched over to Kea without incident because all they do is hand out IPs.. Which works just fine..

  • DNS Resolver failing after 23.x to 24.03 upgrade

    0 Votes
    6 Posts
    354 Views
    johnpoz

    @bchipman well then your auto ACLs should work unless this network your clients are on is not directly attached.

    Here I fired up one of my VMs.. You can see the auto ACLs in the config.

    [image: acl.jpg]

    Then I added a new network via a VLAN, enabled it, gave it an IP 192.168.42.1/24

    Restarted unbound and you see it updated the access list to include my new 192.168.42 network

  • No external DNS SOLVED

    0 Votes
    1 Posts
    149 Views
    No one has replied
  • Domain Overrides not working

    0 Votes
    6 Posts
    273 Views
    johnpoz

    @danielatblueskyit said in Domain Overrides not working:

    mcm.arpa is having a detrimental effect on domain override?

    No not really - but it's just a bad choice.. home.arpa is specific for this sort of use.. so using, say, mcm.home.arpa would be fine.

    sitex.home.arpa, sitey.home.arpa, sitez.home.arpa would be fine to use..

    .internal is supposed to be the new TLD for local use, so mcm.internal, cakora.internal would be good choices, etc..

    Do you have DNSSEC enabled? .arpa I believe is DNSSEC enabled - this could cause some issues. .local could be problematic with how the client might handle it, etc.

    I would prob set private and non-secure settings for the domains you're using that you set a domain override for.

    If you're using it as the default domain in pfSense, prob wouldn't have the zone type set to transparent either.

    If you have site A with a domain override to B.. If you're going to have RFC1918 as an answer, you need to set up private in site A.

    To validate your domain override is working, validate you can actually query it directly from pfSense A, to IP address B. This would also validate that ACLs at site B allow for pfSense A's IP address to query it.

    Set it as private and non-secure if you're using a TLD that is DNSSEC.

    Also, are you using pfBlocker on any of these sites - those TLDs could be problematic with it.

  • Alert when new device gets IP

    0 Votes
    14 Posts
    564 Views
    johnpoz

    @CloudNode here is what the box used to look like

    [image: fingbox.jpg]

  • DNS & reverse proxy problem - DNS lookup fails sometimes

    0 Votes
    6 Posts
    3k Views
    C

    OK - so I celebrated too soon. There are weird, sporadic dropouts of the DNS resolution of duckdns.org. Why this would be special to this site, I have no idea; as far as I can think there is no special handling of this site in particular, beyond the mydomain.duckdns.org custom option listed above. All other sites seem to work just fine.

    Between each nslookup is about 20 seconds...

        ~ nslookup duckdns.org
        Server:     10.0.0.1
        Address:    10.0.0.1#53

        Non-authoritative answer:
        Name:    duckdns.org
        Address: 15.156.222.126

        ➜ ~ nslookup duckdns.org
        Server:     2a00:6020:... ipv6 address
        Address:    2a00:6020:... ipv6 address#53

        Non-authoritative answer:
        Name:    duckdns.org
        Address: 15.156.222.126

    repeated 3x in a couple of minutes, and then for no apparent reason...

        ➜ ~ nslookup duckdns.org
        ;; connection timed out; no servers could be reached
        ➜ ~ nslookup duckdns.org
        ;; connection timed out; no servers could be reached
        ➜ ~ nslookup duckdns.org
        ;; connection timed out; no servers could be reached

    As a workaround I will try HAProxy as @johnpoz suggests, but I am quite unhappy to leave something like this unresolved. Any ideas?
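An added example, not code from this thread or from pfSense, serving two of the threads above: the "Domain Overrides not working" advice to query the override target directly from site A to site B's address (which also exercises site B's access list), and the sporadic duckdns.org timeouts here, where a time-stamped probe log is what lets a failure be matched against the resolver's own log. It assumes `dig` (bind-tools) is installed on the host it runs from; the DNS_PROBE_* variable names, the 2-second timeout and the file name dns_probe.sh are this example's own choices, and the dig outputs embedded in it are constructed (abridged) samples used only for the offline checks.

```shell
#!/bin/sh
# Added example (not code from the thread): time-stamped DNS probes with dig,
# to (1) query a domain override target directly and see whether it answers,
# refuses (its access list) or times out, and (2) loop against the local
# resolver to pin down when sporadic lookups of a name fail.
# Assumes `dig` (bind-tools) on the host running it; the DNS_PROBE_* names
# and the timeout values are this example's own choices.

# classify_dig_output OUTPUT -> timeout | answer | nxdomain | refused | ... | unknown
# Works on the text dig printed, so it can be exercised without a network.
classify_dig_output() {
    case "$1" in
        *"connection timed out"*) echo timeout ;;
        *"status: NOERROR"*)      echo answer ;;
        *"status: "*)             printf '%s\n' "$1" |
                                  sed -n 's/.*status: \([A-Z]*\).*/\1/p' |
                                  head -n 1 | tr 'A-Z' 'a-z' ;;
        *)                        echo unknown ;;
    esac
}

# dig_answers OUTPUT -> the A/AAAA records from dig's ANSWER SECTION, one per line
dig_answers() {
    printf '%s\n' "$1" | awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") { print $5 }'
}

# dns_probe SERVER NAME [TYPE] -> one line: time server name verdict [addresses]
dns_probe() {
    out=$(dig @"$1" "$2" "${3:-A}" +time=2 +tries=1 2>&1) || true
    verdict=$(classify_dig_output "$out")
    printf '%s %s %s %s' "$(date +%H:%M:%S)" "$1" "$2" "$verdict"
    if [ "$verdict" = answer ]; then
        printf ' %s' $(dig_answers "$out")   # unquoted on purpose: one word per record
    fi
    printf '\n'
}

# dns_probe_loop SERVER NAME INTERVAL COUNT -> COUNT probes, INTERVAL seconds apart
dns_probe_loop() {
    i=0
    while [ "$i" -lt "$4" ]; do
        dns_probe "$1" "$2"
        i=$((i + 1))
        if [ "$i" -lt "$4" ]; then sleep "$3"; fi
    done
}

# Constructed dig outputs (abridged), used for the offline checks.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; ANSWER SECTION:
duckdns.org.        300     IN      A       15.156.222.126'
SAMPLE_TIMEOUT=';; communications error to 10.0.0.1#53: timed out
;; connection timed out; no servers could be reached'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712'

# Stand-alone use, e.g. every 20 s for ten minutes against the local resolver:
#   DNS_PROBE_SERVER=10.0.0.1 DNS_PROBE_NAME=duckdns.org sh dns_probe.sh
# or one direct check of a domain override target (site B) from site A:
#   DNS_PROBE_SERVER=<site-B-IP> DNS_PROBE_NAME=host.siteb.home.arpa DNS_PROBE_COUNT=1 sh dns_probe.sh
if [ -n "${DNS_PROBE_SERVER:-}" ] && [ -n "${DNS_PROBE_NAME:-}" ]; then
    dns_probe_loop "$DNS_PROBE_SERVER" "$DNS_PROBE_NAME" \
                   "${DNS_PROBE_INTERVAL:-20}" "${DNS_PROBE_COUNT:-30}"
fi
```

Read the verdicts this way: `refused` from a direct query to site B is the access-list case johnpoz describes (site B's resolver saw the query and declined it), `timeout` from site B means the query never got an answer at all (path or firewall), and in the duckdns.org case a `timeout` against 10.0.0.1 at the same moment that a direct query to an upstream still returns `answer` puts the problem in the local resolver rather than in the uplink.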

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.