Thanks for the repley. The Gateway was really the wrong approach. The real reason was, that I did not understand before, that "LAN network" does not contain "LAN address". So the FW blocked the lockup from pfSenses DNS.

@Fahrenhe1t: Good idea.  I disabled wifi and I stopped seeing the machine in the logs.  I went ahead and changed the SSID and password just to be safe. Did you have an open/unencrypted WiFi network/SSID that you were broadcasting?

Well i was kind of forced to setup bind as a resolver and authoritative local dns because of this: https://redmine.pfsense.org/issues/5413. Later I've set up a hidden master on a different view for my public domain. I see no problem in hosting your own hidden master….just my 2 ¢.

You can override MX, PTR, SRV and even SOA records with Unbound, no problem (not exposed trough the GUI in pfSense but you can use custom options). What I wrote above is bit incorrect. The reason the CNAME records won't work as host overrides is because they have to be resolved with an additional query either to the upstream forwarder or the authoritative server. A resolver like Unbound won't look at its own host overrides to resolve a CNAME, they have to be set in the authoritative server.

Alright. The override for the domain is setup and everything is working great. Thanks very much!

I lost my patience with this and moved back to forwarder. It works like supposed, no strage ip6 issues.

ROFL, Sonos strikes back again. These things should be shipped with giant warning labels "Proudly causing network loops. Since 2002".

OK I think I understand what I did wrong in the DHCP v6 configuration but if I try to do as you suggest, I have the following now : WAN interface in  IP v6 is set to 2a02:2788:feff:006a::8 Gtw for the WAN is 2a02:2788:feff:006a::1 when this is set, I can ping the opendns/google ipv6 hosts (actually I did a traceroute6 to google DNS)! Now I go to the LAN configuration and choose IPv6 configuration type : Track Interface I need then to fill the "Track IPv6 interface" but the Drop down box is not filled. \T,  

That's how the resolver works. It resolves all requests from the root/gtld servers down. One A record request might be 20 DNS queries. Then it will be cached. If it concerns you you should pcap port 53 on WAN and see if it's anything you should be worried about.

Did not know. Thanks for the quick reply, it is now solved.

With AD, your DNS must point to the AD DNS. Set up overrides for your domain/reverse zones to point back to your DCs.

OK that was it! I saw this in the logs: php: rc.bootup: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '/var/unbound/unbound.conf:88: error: cannot open include file '/var/unbound/pfb_dnsbl.conf': No such file or directory read /var/unbound/unbound.conf failed: 1 errors in configuration file [1484921851] unbound[37111:0] fatal error: Could not read config file: /var/unbound/unbound.conf' Sorry for not seeing it before. I saw I had something in the advanced box that matched the log: server:include: /var/unbound/pfg_dnsbl.conf I didn't see that file on the file system, so I removed it from the setup window and now it is working! I've no idea what that file is, why it was setup that way, or why things changed, but removing it lets the resolver run. I guess that file "used" to exist, but no longer does. EDIT: I did add the pfBlockerNG packages several months ago.  I don't remember making the change to the resolver, and looked back at the how to I used to set it up and it doesn't talk about making the change.  I wonder if they are related, due to the name of the file.  I've disable the package as well. thanks for all the help, david

Hi, did you solve this problem? can help me?

Correct. But it's not the forwarding that's actually my problem :) It's how the DNS override does not do the override unless I empty the custom DNS servers list in the General section. Thanks, I'll wait for your test results then ;)

Yes, do NOT do that; radvd is super retarded when you do this. https://redmine.pfsense.org/issues/6974

It's just an adopted convention that everyone seems to take as a "standard". There's nothing in the TCP/IP networking itself that requires you to use a specific addresses from subnet for DNS and/or default gateway or any other function such as NTP or NIS server addresses. You could for example use 192.168.1.128 as the default gateway out of 192.168.1.0/24 and it wouldn't be any different than using the usual 192.168.1.1.

As it looks there is some DNS servers switching going on at godaddy and parts of the world still have the old servers.