Problem solved (after many months of playing with the config). Thank you for your rapid, helpful and clear reply ;D

Thanks. I do have a feeling it's snort. I was surprised to see AOL's DNS server (as well as a bunch of others) tripped snort DNS rules. I will re-visit the datacenter over the weekend, hookup a lappy and pull that log and see what tripped the block.

There is NOTHING to relay on LAN when your DHCP server is on LAN. pfSense is not involved at all.

@ewhac: Right, but as a home user forwarder mode is the "polite" thing to do.  Otherwise I'm hammering on the root servers for every uncached name. Absolutely not. DNS is designed and implented to be used exactly like that and you're never going be able to cause any harm to the root servers with your low bandwidth home DNS resolver that only asks for the NS records of the top level domains from the root servers.

Well, 2.1.3 is something you definitely should NOT be using, DHCP relay or not.

Normally, I only access pfsense remotely. Nevermind, I will see the code in the page you suggest and figure out how to count in batch shell. Thanks a lot.

Thanks @johnpoz for the pointer to the packet capture feature. I know what happened now and short answer is yes, there was another DHCP server on the network, and once it was turned off, things work as expected. Everything with this was a clean install, including VirtualBox 5.1.12r112440 Packet capture showed a response from 10.0.0.100 beating in the response from 10.0.0.1 each time. DHCP responses from 10.0.0.100 were indeed missing the DNS and Router options followed by a response from 10.0.0.1 (attached) with all the information as expected. Solution: Virtualbox seems to not honor turning off the default DHCP server until the entire program is restarted. I verified that the settings were 'DHCP server off', applied, NULL'd out the server settings, applied; only until a full restart of the program did the settings take effect and the 10.0.0.100 server stopped responding. If that's in the VirtualBox documentation I missed it and will double check there before taking the issue to that community. Thanks again.  

1/ Best by using the GUI for host/domain overrides. 2/ Huh? No, you don't need to provide it with forward zones for anything.

I fixed it by changing in dns forwarder interfaces at bottom to "all" from lan and now it is all working… thank you for everyones help! George @georgeberz: Thank you I attached screen shot of  current issue. firewall>nat>port forward services>dns forwader It is working now all traffic forwarded to opendns dns servers and the filtering is working BUT/HOWEVER If I let house computers (kids etc all win10 machines) go on automatic DHCP they go nowhere on the net but things like facebook notifications and some chat works. If I put 8.8.8.8 and 8.8.4.4 into the DNS 1 and 2 settings on each of the computers, then it works… if I let auto assign DNS it wont. and we are not even using google dns, as it will reroute that to opendns. The android devices like Samsung cell phone and table will not work wirelessly anymore and just hang. the dns on my cell phone android samsung So the problem is DHCP is not assigning appropriate DNS settings it is assigning ip addresses ok just not DNS @KOM: how and where do I check that? Services - DNS Forwarder or DNS Resolver.

Rule? You mean host override??

Yeah, bingo, this forum is not for Ubuntu.

DNS is only going to affect your ability to FIND ebay, not to connect to it.  Are you sure it was a DNS problem? Its easy to diagnose if pfSense can't find it - there's a DNS Lookup tool in the Diagnostics section.  If it gets results, it should be working fine…

Wanted to follow up.  That did the trick!  No restart, hard stop hard start.  Thanks for the help!

@johnpoz: If you want a client to use a different dns then really that has zero to do with what pfsense is doing. I agree with that. And I was able to get the client to use a different DNS server. That all works as it should. The issue comes when for instance I request a site that is suppose to be blocked/blacklisted it doesn't black list it. It goes to it without the filtering. This is because OpenDNS and RAWstream DNS detect what IP the DNS request is coming from. Then if an account associated with that IP is on their server they apply that accounts filter. (I probably shouldn't say they don't see my IP. I just don't know how else to explain it) What I have experienced is that OpenDNS and RAWstream DNS is not detecting my IP and therefore applying zero filtering. I don't understand why neither OpenDNS or RAWstream DNS cannot see/link my IP to the request when I have the alternate configuration setup. To me that is what doesn't make sense. Everything else you explained as to how pfsense works makes total sense. This is above my pay grade. So to clarify I can assign as many different DNS servers to as many different clients I want, have the requests go through and websites are reached no problem. It is only when I visit pages that are suppose to be blocked through either OpenDNS or RAWstream DNS that it doesn't block anything and that can only mean that they are not for some reason applying my filters when the requests are made. This is what is confusing and what I cannot figure out at this point.

Thank you for the confirmation. Now that I have found the equivalent feature in the gui, I won't be needing dnsmasq, but it would be useful to have a feature for bulk import of static reservations.

"but when changing the name servers to Google on a networked device" So again you don't understand how a resolver works ;)  Nor how to use the trace command that I clearly posted.. Where is your **+**trace??  Your asking that server for the record trace in that format..