• Named CPU high - overload

    1
    0 Votes
    1 Posts
    422 Views
    No one has replied
  • OpenDNS filtering - route DNS requests by IP range?

    3
    0 Votes
    3 Posts
    614 Views
    Thanks.  Taking a look at the BIND package now.  I can see how views would accomplish what I'm trying to do. Is there any info out there about the BIND package in pfSense?  Going to dig around in the BIND documentation elsewhere, but anything directly related to pfSense would help.
  • DHCP Static Mappings for this Interface, Does Not allow same "server"

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    While you could lagg/bond the interfaces if the nic supports it and OS.. How many clients to this file server will there be.  What does the rest of your switching infrastructure look like?  You do have a smart switch right? You do understand that 1+1+1+1 does not = 4 when you bond interfaces..
  • How to use ports as 'untagged vlan ports' aka 'vlan access' ports

    11
    1 Votes
    11 Posts
    3k Views
    OK thanks all. It's just too bad because I have a device with several unused IF's and it sure would save space, time and money to not have to use another managed switch. Alas, that's exactly what I'll do. Again, thanks!
  • Can pfsense DHCP securely (or unsecurely) update windows 2012 R2 DNS?

    8
    0 Votes
    8 Posts
    2k Views
    If you want DNS updates then your best bet is to run DHCP on the DC.  However you imply that your DC is regularly broken. If I was you I would set pfSense to be the primary DNS server using resolver.  You can put in an override for your internal domain to your local and hopefully another AD DNS server, perhaps up a VPN. You could dream up a site subdomain say mysite.adrealm.co.uk and use pfSense as the DHCP server and update mysite.adrealm.co.uk.  By default Windows boxes will walk up the DNS hierarchy and it will all hang together.  You will have to add glue and NS records to your AD based DNS to point at your pfSense resolver for mysite.adrealm.co.uk if you want to complete the exercise properly.
  • Trying to use DNS Resolver to redirect FQDN to the webgui

    16
    0 Votes
    16 Posts
    3k Views
    And another thing was I just realized that the Host Override in DNS Resolver is unnecessary? I deleted it and it still works even after rebooting the clients. I think pointing client DNS servers to the pfSense firewall was all I needed and the hostname and domain in General Settings takes care of it for me. I tried the Host override in DNS resolver only because at first I neglected to point client DNS to pfSense.
  • Issue when pfSense resolves hostnames

    2
    0 Votes
    2 Posts
    1k Views
    One note: At System / General Setup there is a checkmark at "Allow DNS server list to be overridden by DHCP/PPP on WAN". You sure like hell do NOT want that with a retarded ISP that is hijacking NXDOMAIN! It is the IP address of the "Page not found"-website from my ISP.
  • 2 DHCP servers and PfSense DHCP server won't lease

    2
    0 Votes
    2 Posts
    1k Views
    It is fixed… by updating PfSense to the latest release. I thought I already had the latest since I only did the setup yesterday. It seems there was an issue somehow in that version with DHCP... ...and now I get an IP lease of 192.168.1.10 - which is what I expected:-) Current version now is: 2.3.2-RELEASE-p1 (amd64) built on Tue Sep 27 12:13:07 CDT 2016 FreeBSD 10.3-RELEASE-p9 The system is on the latest version.
  • DHCP not handing out addresses

    3
    0 Votes
    3 Posts
    4k Views
    Hi Gertjan, Thank you for the reply! It's thankfully solved now, you are very right with the UPS because, yes, it went wrong in a million ways. As you say, I could connect directly to pfsense (the router) through cable and assigning static IP. The web GUI kept going down however and it was one hell of an uphill battle. Turns out the DHCP was not receiving requests so after finally managing to access pfsense web GUI consistently again, I turned to the switches and solved it there.
  • DNS Resolver appending domain to end of some outbound DNS queries

    2
    0 Votes
    2 Posts
    998 Views
    johnpoz
    well if you have a client adding its search suffix then yeah that is what it would do.. If your resolver setting is set for your local domain to be transparent..  Then yeah if it does not have a record it can resolve it normally.  I have mine set to static.. So if you look for something say norecord.local.lan it will not try and resolve that.. Just sends back nx.. If you're set to transparent which is the default type and you look for norecordfor.something.whatever.mynet.local then yeah it would try and resolve that upstream..
  • Do the bind9 webconfigurator screens generate zones files?

    1
    0 Votes
    1 Posts
    500 Views
    No one has replied
  • What is resolving DNS ?

    14
    0 Votes
    14 Posts
    3k Views
    johnpoz
    "I see my WAN address appear in the results as a DNS server.." You see your wan IP here is because as a resolver this is what did the query to the authoritative dns server for the domain they are using in the test to see where the query comes from.. If you had your resolver setup to only use your vpn connection for the outgoing queries then that is the IP you would have seen as the dns server because that is what their dns would have seen the query come from when it hit their dns server..  Also keep in mind they are asking the machine you are running the test from.. So do you have more than just pfsense listed as your dns on this computer you ran the test from? These so called dns leak tests are nothing more than telling the client to query something specific that would not be cached, and then looking to where the query came from on the authoritative server for that record.  Since you are resolving and walking down the tree from roots to find that authoritative ns for what you're looking for - yes your wan IP would be the source of that query. If you want to have it use your vpn connection.. Then set the resolvers outbound interface to your vpn interface..  So for example here I ran the dns test you linked to.. Notice first test shows my actual wan IP.. Oh noes I replied to a ping ;)  Really this is such scare tactics.. I then changed the resolver to use my vpn connection I have to one of my many vps I run.. This one happens to also be an authoritative NS for one of my domains I use for testing signing dnssec, etc. and other related stuff to dns.  I normally would not suggest anyone run their own public dns..  But this is only a test domain that I use for playing with setting up dnssec - be amazed how few registrar actually support it.  From my understanding it's a requirement to be accredited registrar.. Real shame really - if they made it easier to setup maybe more domains would be using it.
Anyhoo - I then ran the test again and you can see it now shows my dns is my vpn IP..  And now it complains that my IP that I was coming from rejected their dns queries - well yeah it did they sure didn't do a query for something it's authoritative for ;)
  • DNS resolution of pfsense host on multiple VLANs

    6
    0 Votes
    6 Posts
    3k Views
    I went ahead and did the host overrides, and added in a separate domain for the WORKVLAN.  This allows me to still have 'pfsense' on each one, even though the domains are different, since I don't require the full host/domain, it works out!
  • Dhcpleases: bad name in /var/dhcpd/var/db/dhcpd.leases

    8
    0 Votes
    8 Posts
    9k Views
    I'm also getting the same error as the OP, and looking at my host names one of them is HS110(UK). So it's the brackets causing the issue, but I can't change the host name on the device. I've tried adding a static IP and giving it a different host name but it still uses the one with brackets. Is there any way around this? Also, just a thought but if a particular host name is causing that error to be added, would it not be a good idea to add the actual host name to the error? Although looking at the code @jimp posted it looks like the host name should be in the error, but it's not??? Unless of course that code's from a newer version than mine (2.3.2-RELEASE-p1).
  • Does pfSense support A class DHCP?

    11
    0 Votes
    11 Posts
    2k Views
    johnpoz
    "We have more than 300 devices at our office" Ok then use /23 that would give you 510 IPs to work.. More than enough IPs with room for growth even. A /8 or /16 is not really a valid host mask.. Those masks are good for summary routing, firewall rules, etc..  But not meant to be used on an actual network with hosts. A /8 gives you 16.7 million IPs - you would never want anywhere close to that on the same broadcast domain..  To be honest /22 could be considered too many, unless are quiet hosts.. If they love to squawk broadcast/multicast like windows yeah prob too many.. Your other option when you go over the /24 for hosts is to segment your network.  So all your hosts need to be on the same L2/Broadcast domain??  Do you not have different stuff, servers, printers, users, wifi that you might want to keep from talking to each other..  Different departments - Sales, Engineer, Finance, etc.. So you put them on different networks/vlans with pfsense say using /24 networks so 250 IPs each to work with and now you can firewall between them.. As mentioned already multiple times Classful networks A,B,C etc.. have been dead for long time - not sure where you're getting your info.. But cidr (classless inter domain routing) or VLSM (variable length subnet masking) has been the standard since introduced - early 90's if I recall..  So to be honest unless you're older than I am you shouldn't even remember having to be limited to classful.. I sure don't ;)  And I have been working with networking before tcp/ip was even a thing.. hehehe  I have been working on computers since before there really were computers and networks, and honestly do not recall ever being limited to classful masks.. Was never in a spot where oh.. yeah we need more than /24 have to use /16..  Back then used IPX and or netbeui and do recall having to go around and actually install tcp/ip on all the work computers.. Sweet 386's and 486's and such running windows for workgroups 3.1 etc..
Back then there were not so many devices that /24 wasn't HUGE…
  • Cannot disable DNS resolver

    1
    0 Votes
    1 Posts
    897 Views
    No one has replied
  • DNS server is overloaded??

    12
    0 Votes
    12 Posts
    5k Views
    Well; denyhosts and similar stuff is serious evil.
  • Separate DHCP servers on LAN and OPT1

    5
    0 Votes
    5 Posts
    2k Views
    @johnpoz: Is dhcp running? So does your dhcp show discover?  Do a simple sniff on your opt1 interface for port 67 do you see clients trying to get an IP? UPDATE: Rebooted the appliance and DHCP started working as expected!
  • MOVED: Browsing with a public IP inside the LAN

    Locked
    1
    0 Votes
    1 Posts
    320 Views
    No one has replied
  • DHCP not giving out DNS address

    13
    0 Votes
    13 Posts
    5k Views
    I guess I should have been more clear. After a reboot of pfsense, all clients started talking to my DNS server as it is configured in pfsense. Meaning all clients windows linux android and whatever sonos runs on(probably linux) started reporting into the DNS server at 192.168.1.52. So take it how you want….