• Can't add network DNS to General DNS List

    2
    0 Votes
    2 Posts
    463 Views
    johnpozJ
    Back to back?  Like a double NAT setup?  Or is one pfSense just a downstream router in your network.. Out of the box pfSense would be using the resolver and putting an IP in the general setup is going to do nothing.. Drawing of your network would be fantastic.  And what exactly you're doing for DNS on the pfSense boxes.  Resolver, forwarder?  Resolver in forwarder mode?  So this box B pfSense is the DNS for your whole local network? Going to need more details to help.
  • One WAN, Two LANS?

    2
    0 Votes
    2 Posts
    717 Views
    R
    You have not really spent any effort on reading, right? Create a firewall rule to pass traffic to the other network for each interface.  Done. Of course the Orbi has an IP, otherwise you couldn't route it. The first Google result on "orbi network ip" shows how to set it to static. So I don't get what the problem might be?
  • Request: Update alias during a client DNS query

    3
    0 Votes
    3 Posts
    872 Views
    J
    Understood, thank you anyway.
  • Physical Port as Gateway Assigned to DNS Server?

    1
    0 Votes
    1 Posts
    577 Views
    No one has replied
  • OpenDNS and pfBlockerNG DNSBL

    10
    0 Votes
    10 Posts
    5k Views
    S
    I am logging DNSBL query intercepts. pfBlockerNG works in both IPv4 and DNSBL modes with the DNS Resolver in Forwarding Mode.
  • DHCP DNS Redirect/Port Forwarding

    1
    0 Votes
    1 Posts
    401 Views
    No one has replied
  • Dual DNS forwarder/resolver on pfSense

    1
    0 Votes
    1 Posts
    300 Views
    No one has replied
  • Request: DNSCrypt package for pfsense 3.3.3

    Locked
    4
    0 Votes
    4 Posts
    1k Views
    K
    There's already another thread for DNSCrypt so maybe post there instead… Other than that, don't expect the pfSense devs to have any interest in DNSCrypt; they have already stated that they don't think of DNSCrypt as a necessary addon for pfSense. However, a community contributed DNSCrypt package is not outside of possibilities, but someone (you?) has to step up and do the leg work.
  • pfSense BIND and CNAME Quandary

    3
    0 Votes
    3 Posts
    2k Views
    C
    I believe I've found my issue. I think it all boils down to the $ORIGIN option. In standard "master file format" files, if you don't add the trailing '.' then the name is assumed to be relative to the current zone file's $ORIGIN (which is either specified in the zone file, or taken from the zone statement in named.conf otherwise). My pfSense Bind installation is appending a "." after my CNAMEs (in the file, not the web interface).  The '.' makes the name relative to the root; without it, the name will be relative to the current zone. The standard zone format is defined in RFC 1035 and RFC 1034. A workaround?  Use the FQDN for the CNAME. In the very possible scenario I'm missing something, here is my named.conf:

        #Bind pfsense configuration
        #Do not edit this file!!!
        key "rndc-key" {
                algorithm hmac-md5;
                secret "U2pHDolr0KZStIQrFOVPTw==";
        };
        controls {
                inet 127.0.0.1 port 953
                        allow { 127.0.0.1; } keys { "rndc-key"; };
        };
        options {
                directory "/etc/namedb";
                pid-file "/var/run/named/pid";
                statistics-file "/var/log/named.stats";
                max-cache-size 512M;
                listen-on-v6 { ::1;  };
                listen-on { 192.168.0.254; 127.0.0.1;  };
                notify yes;
                allow-query    { any; };
                empty-zones-enable  yes;
        };
        logging {
                channel custom {
                        syslog daemon;
                        print-time no;
                        print-severity yes;
                        print-category yes;
                        severity dynamic;
                        };
                category default { custom; };
        };
        acl "kc.corp" {
                192.168.0.0/24;
        };
        view "LAN" {
                recursion yes;
                match-clients { any; };
                allow-recursion { any; };
        zone "kc.corp" {
                        type master;
                        file "/etc/namedb/master/LAN/kc.corp.DB";
                        allow-query { any; };
                        allow-transfer { kc.corp; };
                        allow-update { kc.corp; };
                };
        zone "0.168.192.in-addr.arpa" {
                        type master;
                        file "/etc/namedb/master/LAN/0.168.192.DB";
                        allow-query { kc.corp; };
                        allow-transfer { kc.corp; };
                        allow-update { kc.corp; };
                };
        zone "." {
                        type hint;
                        file "/etc/namedb/named.root";
                };
        };

    My kc.corp zone file: In it, notice the trailing periods after the CNAME value.  By placing kc.corp after the gw CNAME, it worked as expected.

        $TTL 6h
        ;
        ; Database file kc.corp.DB for kc.corp zone.
        ; Do not edit this file!!!
        ; Zone version 2
        ;
        kc.corp. IN  SOA 6BH3S52.kc.corp. zonemaster.kc.corp. (
                2 ; serial
                1d ; refresh
                2h ; retry
                4w ; expire
                1h ; default_ttl
                )
        ;
        ; Zone Records
        ;
        @ IN NS 6BH3S52.kc.corp.
        @ IN NS  X7DWE.kc.corp.
        6BH3S52 IN A  192.168.0.254
        gateway IN CNAME  6BH3S52.
        gw IN CNAME  6BH3S52.kc.corp.
        X7DWE IN A  192.168.0.1
        SRXC606 IN A  192.168.0.69
        me IN CNAME  SRXC606.
        N5550 IN A  192.168.0.2
        ns1 IN CNAME  6BH3S52.
        ns2 IN CNAME  X7DWE.
        NextCloud IN CNAME  X7DWE.
        switch IN A  192.168.0.253
        p1 IN A  192.168.0.22
        p2 IN A  192.168.0.23
        HS1 IN A  192.168.1.1
        HS2 IN A  192.168.1.69
        AP1 IN A  192.168.0.50
        AP2 IN A  192.168.0.51
        pfsense IN CNAME  6BH3S52.
        VM-Sandbox IN A  192.168.0.110
        ns3 IN CNAME  N5550.

    I did try $ORIGIN kc.corp. in the zone custom options, but it threw an error on zone load of Unknown Option.
  • DHCP Configuration

    4
    0 Votes
    4 Posts
    902 Views
    johnpozJ
    So yeah you have to enable the interfaces before dhcpd becomes available to enable.
  • Sending DHCP NACK by default to out-of-range "requested IP address"

    24
    0 Votes
    24 Posts
    14k Views
    S
    @JKnott: Here's a workaround, but it will require some effort on your part.  Since it tries to use the previous address in the same subnet, then perhaps you can force it temporarily to use a different subnet.  You can do this either by temporarily changing the subnet in pfSense and causing each computer to release/renew, or just grab a cheap router, configured for a different network, and then connect each computer to it, then put them back on the real network. BTW, I have been working with networks for about 20 years and have often found MS breaks things. Thanks for the suggestion, but as I've mentioned in the original post I already have a functioning workaround which is arguably more viable.
  • PFSense with dedicated Bind DNS server

    2
    0 Votes
    2 Posts
    1k Views
    D
    This touches on my goal (post here: https://forum.pfsense.org/index.php?topic=128449.msg708181#msg708181). I want pfSense's DynDNS service to push updates to Bind (in this case, the Bind service available in the package manager). I've spent a few hours trying to find a solution, no real traction yet. But I'm not really a Bind pro either.
  • 0 Votes
    13 Posts
    959 Views
    S
    Excellent  8) 8) 8) Thank you for your clarification…
  • DNS Resolver with Port Forwarding

    4
    0 Votes
    4 Posts
    801 Views
    johnpozJ
    "security through obscurity" is NOT security.. ;) And again DNS has zero to do with ports..  And this box is internal, why would it not just go to the standard port.. It does not need NAT reflection or forwarding.. It's internal.  It just needs to resolve the FQDN to the RFC 1918 address 10.0.0.99.  If that is the port the application normally uses you shouldn't even have to tell the application/software the port.
  • EasyDNS Support

    4
    0 Votes
    4 Posts
    2k Views
    D
    I find the legacy method of DynDNS with easyDNS works. I cannot find references to their newer Authentication Token approach, so I wonder if they backed out of that? The problem I have with easyDNS & DynDNS with pfSense is that if I give a subdomain of my domain, it works, but I want my base domain to sync and that fails. Instead of showing my current public IP, when I have it sync my base domain, the latest Cached IP is red and reads as 0.0.0.0. (By base domain, I mean munch.com as opposed to a subdomain, like butt.munch.com.) Update: I think I don't see easyDNS's authentication token for DynDNS because I'm not paying for that level of service. They have a higher tier that expressly supports dynamic DNS, whereas the basic one I'm on does not.
  • MOVED: bind9 - udp socket: permission denied

    Locked
    1
    0 Votes
    1 Posts
    375 Views
    No one has replied
  • DNS Resolver returns different results to external DNS

    4
    0 Votes
    4 Posts
    472 Views
    Z
    Thanks All sorted :D
  • TLD for captive portal?

    4
    0 Votes
    4 Posts
    893 Views
    jimpJ
    That should be sufficient, so long as it is a valid HTTP site they attempt to fetch first.
  • Configure the Dynamic DNS feature

    2
    0 Votes
    2 Posts
    451 Views
    B
    I am still waiting for an answer. Thanks, bye.
  • One hostname two different IP addresses (Both internal)

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    What does a multihomed server have to do with it??  Nothing, you're pointing a FQDN to an IP.. Doesn't matter if all those IPs are the same box or not.. Yes, from the outside, if you want to point www.domainX.com to IPX and www.domainY.com or host.domainX.com to IPY then yes, a reverse proxy would be able to do that.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.