@johnpoz: And your confused to why your resolving .100 vs .101??? It was more of an observation. I didn't notice they have the same entry in DHCP mappings and DNS host overrides until I updated pfsense and they stopped working right. In DNS Forwarder (I'm using resolver) there is a checkbox to resolve DHCP mappings first, so I assume the reverse applies: if there's the same entry in DNS Forwarder as in DHCP, the host override takes precedence. But, again, for me it's not a problem, it was something I noticed.

I've noticed similar entries when troubleshooting my problem ( https://forum.pfsense.org/index.php?topic=126762.0 ). I've removed snort and pfblocker and the errors didn't show up anymore.

WAN and LAN shouldn't be in the same subnet.

Shortly after submitting this, I have checked the box "Provide a default domain name to clients" under Client Configuration in both my OpneVPN and IPSEC configuration settings and filled in my local domain and now everything appears to work. Is this expected behavior?

you can up the logging of unbound if you wish. Its not very friendly way to see what domains are being queried - you could also look into its cache if you wanted.  You could run something like dnstop on your network if your interested what domains are being asked for and or the amount of them. Or something like pihole gives a easy to read and understand listing of your top dns requesters from your client base and what domains are being asked for and just simple to look at the query log, etc. What exactly are you looking for in the record of dns queries - total number of them, what domains?  What the clients are asking for, etc.?

Check out the DHCP server log. When you hook up you banana, can you see the requests being generated ? The banana has a fixed IP setup (so it won't do a DHCP IP !) ? @Chraze: the DHCP don't divide an IP. Why? What d you mean by divide an IP ? IP can't be divided.

@bimmerdriver: @doktornotor: As said, LTSB is all that I'm interested in (or, any business unfortunate enough to have W10 boxes). I hear you. How they can break something that should have been stable for years is beyond me. I'm running version 1607 build 14393.693 (windows home, not preview) on another system and dhcpv6 seems to be working. I'll keep an eye on it. What is the latest version / build you using where it's not working? The dhcpv6 lease renewed again, so the problem appears to be fixed.

@johnpoz: why would it resolve to rfc1918?  Public resolve should not return public - this is why unbound blocks it even.. So your fix was to tell unbound that its private?  Curious why it resolves rfc1918 in the first place?  And how exactly would you get there anyway?  So you have a vpn connection to aws? Yes my coworkers haves vpn, and it resolving in private address only. I'm to really confused that they use public domains for resolving private networks IPs…  :- I deal with it like Derelict told me: @Derelict: You can also add: server: private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com" To the custom options box in unbound and keep rebinding protection enabled globally.

I had passion and so much interest learning networking that made me study cisco. Took me 3 years to get my CCNP R&S and I think I am going to get this switch from ebay. http://www.ebay.com/itm/Cisco-WS-C3750G-24T-S-Switch-24-Port-Layer-3-Gigabit-EnterpriseSwitch-Latest-IOS-/301698023821?hash=item463e9a818d:g:MKMAAOSwcu5UOiVe It says on their website http://www.ebay.com/itm/Cisco-WS-C3750G-24T-S-Switch-24-Port-Layer-3-Gigabit-EnterpriseSwitch-Latest-IOS-/301698023821?hash=item463e9a818d:g:MKMAAOSwcu5UOiVe that the power consumption of 3750G is 169W. If my calculation is right this will be my additional electric bill, what do you think? So I researched how to calculate electric bill 169 watts x 24 hours = 4000 watts 4000 watts per day / 1000 kWh = 4.056 kWh 4.056 x 30 days = 121.68 kWh 121 x 0.15 cents = $18.252 a month

@jarlel: I have a setup with several LANs and two WANs. The WANs are set up with failover were WAN1 is Tier1 and WAN2 is Tier2. I don't want any traffic to go over WAN2 before WAN1 goes down. This looks similar to what I've described at https://forum.pfsense.org/index.php?topic=126017 Did you find a solution for DNS using active tier only? If not, would you be able to test if this works for you? https://github.com/pfsense/pfsense/pull/3592

Well, you have an obviously correct point, and I'll be addressing that (I didn't spec the current equipment), but the rogue router was removed and  wasn't causing the BOOTP flood.

Nothing, that would be using SNI for HTTPS name-based virtualhosts. Apache does that on its own without much fuss.

Yep, that did the trick, thanks!

@Johnpz -  ahh - I begin to understand.  Thank you (genuinely) for taking the time to reply. I had been using both: -> a host in my fqdn AND -> not using a host in my fqdn I've attached a screenshot of what I had.  I did that without thinking, if I'm honest.  For the public DNS I nearly always have 'domain.com' and 'www.domain.com' pointing to my public IP.  And then on apache I had a 'server alias' from domain.com to www.domain.com (which seemed fairly common practice).  So I just blindly mimicked that setup when configuring DNS resolver - without understanding the implications. So I now understand what I was doing wrong.  I have tweaked my apache config a little and updated my DNS resolver settings (to remove the 'domain.com' entries) and everything works perfectly.  I can nslookup all my mx records etc..  I really appreciate the input - I'm much happier having a working pfsense box with less configuration than having it working, but for all the wrong reasons. Meas mór! T.  

sorry. my bad.  I had the /32 option configured, which would of course not allow any more hosts.  CHanged to /24 and now the interface shows. -dvh

I think I figured it out, and I think it is a bug… I was trying out traffic limiters / rate limiters. I was able to reproduce 3 times now that if you add/remove/add/remove traffic shapers a few times, it breaks DNS resolution until reboot. Specifically I was adding/testing bloat/removing/testing bloat/adding/testing bloat/removing codelq from my interfaces. No other queues or limiters.