Can't go a day without someone bringing up I have a dns leak ;)  Freaking sky is falling ;) Oh my gawd, the authoritative servers for domain.com will have my IP that I looked up www.domain.com - oh my gawd.. They are going to hack me or sell my info.. That this IP looked up the record they are authoritative for ;) If so worried just use the resolver via vpn connection…

And you still have it checked to let dhcp override your settings!!  So pfsense is asking who exactly for its own name?

Never. How exactly you imagine this to work? You can either relay the requests or handle them yourself on DHCP server, not both.

That did it. Thanks Dok. Unbound's working (and I noticed that bug is still present that causes unbound to bounce upon every DHCP request due to enabling the resolver). All good!

THANKS guys for the prompt responses. Sorted! BBcan177  - full marks for spotting the typo which, despite me thinking I had checked for obvious things like that, passed me by. Should I flag that on the guide post I referred to (which is where the error came from), or would that be considered necroposting?

Suggest you Wireshark DNS of an actually http://pfSense.org/ browsing session after the TTL has expired. The attached Wireshark screen capture is of browsing to http://pfSense.org/ (in a new browser session with the sites cache and cookies cleared; not that that should matter) after having been there several times already within the past hour and the DNS TTL had expired. Up the chain it goes to: Name:    a0.org.afilias-nst.info Address:  199.19.56.1  

@TS_b: https://calomel.org/unbound_dns.html Thank you!

What is at  System: General Setup?

Thanks John - so in a nutshell, the resolver should be good for almost all circumstances, but selecting ISP DNS might improving CDN/akamai caching then? I'm going to experiment with both - at the moment I'm just noticing (rarely) buffering of Facebook content for example, which might be a CDN/akamai based issue. Cheers

Thank you for clarifying that for me! Yes the loop back addresses are something different than link locale addresses. Thank you for your response and the tutelage!!

This happens over IPsec VPN.  I'm not sure if its the same problem over OpenVPN.  But you can try… See the explanation here: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN In DNS Resolver settings, you can set the "Outgoing Network Interfaces" to LAN and Localhost, instead of All. However, if you want other services to be able to work from the router over the VPN, you could add a route instead: To add this route to pfSense, perform the following configuration: Navigate to System > Routing on the Gateways tab Click + to add a gateway Select LAN for the Interface Enter the Local LAN IP address in the Gateway (e.g. 192.168.0.1) Check Disable Gateway Monitoring Click Save Click Apply Changes Navigate to the Static Routes tab Click + Enter the remote VPN network in the Destination Network box (e.g. 192.168.1.0/24) Select the LAN IP Gateway that was created before Add a Description if desired Click Save Click Apply Changes

Doesn't seem like it should be too difficult to update the dyndns.class _checkip() function to utilize the services.inc dyndnsCheckIP($int) function. At first glance maybe something like replacing this. $ip_ch = curl_init("http://{$checkip}"); curl_setopt($ip_ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ip_ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ip_ch, CURLOPT_INTERFACE, 'host!' . $ip_address); curl_setopt($ip_ch, CURLOPT_CONNECTTIMEOUT, '30'); curl_setopt($ip_ch, CURLOPT_TIMEOUT, 120); if ($this->_useIPv6 == false) { curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); } $ip_result_page = curl_exec($ip_ch); curl_close($ip_ch); $ip_result_decoded = urldecode($ip_result_page); preg_match('/Current IP Address: (.*)<\/body>/', $ip_result_decoded, $matches); $ip_address = trim($matches[1]); With this. $ip_address = dyndnsCheckIP($this->_if); And don't let that _useIPv6 test confuse you. if ($this->_useIPv6 == false) { curl_setopt($ip_ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4); } That test is redundant and should be removed anyway.  It is already included by the parent if test at line 1726. if ($this->_useIPv6 == false && is_private_ip($ip_address)) { So if _useIPv6 is not false none of that code is executed anyway.

If your familiar with bind then sure that is good option.. But the unbound method is pretty simple to do, especially if you only have a handful of fqdn to worry about.

I would hope so farfar - this post is from 2014 ;) If you need help I would suggest you start your own thread.

I'we found a way to make this decision work. For me it work with only Custom (v6) Profile, configured like pictures in this post. Link I used for DDNS looks like: https://ipv6.duiadns.net/dynamic.duia?host=yours-v6.duia.eu&password=from_link_below https://www.duiadns.net/account/update-url.html [image: 02.jpg] [image: 02.jpg_thumb] [image: 01.jpg_thumb] [image: 01.jpg]

Ah, thanks!  I looked everywhere under 'advanced settings' per the doc, but didn't think to poke around the other tab. :)