• Blacklist won't download (2.3.2, Firefox)

    2
    0 Votes
    2 Posts
    744 Views
    F
    Ok, with Internet Explorer I could download the list. So there's either a Firefox bug or a scripting bug on pfSense itself, however, no errors are shown on the Firefox web console
  • Dnsmasq - Ignoring query from non-local network

    9
    0 Votes
    9 Posts
    9k Views
    johnpoz
    so I do not normally use dnsmasq, I use the resolver (unbound).  But I turned resolver off, and turned on dnsmasq (forwarder) and created a host override of test.pfdnsmasq.for and it resolves just fine from openvpn connection.

    C:\>dig test.pfdnsmasq.for

    ; <<>> DiG 9.10.4-P2 <<>> test.pfdnsmasq.for
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16481
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test.pfdnsmasq.for.            IN      A

    ;; ANSWER SECTION:
    test.pfdnsmasq.for.    1      IN      A      10.0.0.1

    ;; Query time: 118 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Sep 06 14:02:12 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 63

    You can see here my vpn connection

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : local.lan
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-EE-16-B9-3C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::fd9b:6799:7fc9:2969%23(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, September 06, 2016 11:36:22 AM
       Lease Expires . . . . . . . . . . : Wednesday, September 06, 2017 11:36:21 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 10.0.8.254
       DHCPv6 IAID . . . . . . . . . . . : 369164270
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-CA-26-3C-97-0E-99-DF-75
       DNS Servers . . . . . . . . . . . : 192.168.9.253
       NetBIOS over Tcpip. . . . . . . . : Enabled
  • DNS delegation from my ISP to me for my IPv6 addresses

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    https://www.unbound.net/ Unbound is a validating, recursive, and caching DNS resolver. While you can get it to act as authoritative, it's not really the primary design purpose of unbound.  Not from anything I have read.. Now I have it set up to return SOA for my local domain, etc.

    C:\>dig local.lan SOA

    ; <<>> DiG 9.10.4-P1 <<>> local.lan SOA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22076
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;local.lan.                    IN      SOA

    ;; ANSWER SECTION:
    local.lan.              10800  IN      SOA    pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800

    ;; Query time: 115 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Sep 06 10:26:35 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 87

    C:\>dig flssljf.local.lan

    ; <<>> DiG 9.10.4-P1 <<>> flssljf.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36032
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;flssljf.local.lan.            IN      A

    ;; AUTHORITY SECTION:
    local.lan.              10800  IN      SOA    pfsense.local.lan. root.local.lan. 1 3600 1200 604800 10800

    ;; Query time: 112 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Sep 06 10:26:44 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 95

    The integration of the unbound package in pfSense is not really set up to do that, any sort of authoritative info you would like to place would have to be in the custom box on your own.. Not part of the gui, and doesn't handle cnames like an authoritative ns would do..
    If you look at the wiki for comparison of different dns software you will see that unbound authoritative is listed as partial https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software While you might be able to do what you need to do to pass the cert ipv6 tests from HE with unbound, unbound would not be my go-to software for setting up authoritative zones.  I do not believe you could do any sort of zone xfer with it, doesn't support slave mode for sure and tsig is not an option either AFAIK, etc.
  • DHCPv6 Static Mapping + DNS issue

    1
    0 Votes
    1 Posts
    655 Views
    No one has replied
  • How To Resolve IP Addresses To Domain Names?

    2
    0 Votes
    2 Posts
    656 Views
    S
    up  :D :D :D
  • How to stop ad servers bypassing dnsmasq hosts block with IPv6 queries

    8
    0 Votes
    8 Posts
    5k Views
    P
    @johnpoz: But what is it you're actually trying to prevent, your dns from doing the forward of the query?  Who cares if your client gets back AAAA for something they queried?  If you have ipv6 blocked they sure are not going there, unless you're allowing them to use teredo or something?

    You are correct. I realized the same thing thinking about this last night. So I guess it's more of a cosmetic issue.

    What I do for ad blocking is load up a list into unbound, but I use the redirect command so for example

    local-zone: "neodatagroup.com" redirect
    local-data: "neodatagroup.com A 127.0.0.1"

    Now when I do a query for the A record I get back loopback..  If I do a query for AAAA I get back noerror and just nothing..  Is that what you're looking to do?

    > dig d.neodatagroup.com

    ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 969
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d.neodatagroup.com.            IN      A

    ;; ANSWER SECTION:
    d.neodatagroup.com.    3600    IN      A      127.0.0.1

    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Sep 03 03:40:16 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 63

    > dig d.neodatagroup.com AAAA

    ; <<>> DiG 9.10.4-P2 <<>> d.neodatagroup.com AAAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1588
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;d.neodatagroup.com.            IN      AAAA

    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Sep 03 03:40:20 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 47

    Thanks. I looked into unbound, but if what is quoted below is still accurate, then it wouldn't work for me.
    I have about 600 domains completely blocked with wildcard entries (address=/.doubleclick.net/) in addition to a separate hosts file with a couple hundred thousand entries, including a bunch that overlap with the wildcard domains. I maintain both lists and share the hosts with friends (most of whom don't run dnsmasq). This setup is nice because I can periodically check the logs for any domains that return a result from 'config' and add it to the master host list.

    @Criggie: @Yowsers: This is in the wiki as well. https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver

    Yes - and that page also misses a big gotcha. As someone coming from dnsmasq / "forwarder" I had multiple host overrides too. Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match.  So you need to delete all the host overrides that use the same subdomain. If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.
  • Use OpenDNS for https filtering with Local DNS address Resolving

    6
    0 Votes
    6 Posts
    1k Views
    johnpoz
    I only pointed one (the primary) DNS server to OpenDNS Addresses.. All clients & servers are pointing to two AD DNS Servers… Dude what is confusing here.. If you have clients that talk to both your AD ns, and you only set one to forward to opendns – if I ask ns 2 what do you think is going to happen???
  • Discussion: resolving hostnames for unpublished local IPv6 addresses.

    20
    0 Votes
    20 Posts
    7k Views
    G
    A quick update… First... ever notice that you have LESS free time on a holiday weekend?  pfftt...

    Anyway, I have this running (somewhat) on my own pfSense box to see how well the idea works.  It isn't as nice as I thought it'd be...

    First, my config: I have multiple vlans, and all use a DHCP and DNS on a windows domain server.  My windows server is running "windows server essentials" which likes to figure out the IP of your router, and forcibly reconfigures its own DNS server to use your router as a DNS forwarder.  (Fun! Fun! Fun!)

    Because I have multiple vlans, I'm ignoring any link-local IPv6 addresses.  If I included them, there'd be IP address collisions.  That dropped the usefulness of this a small amount.

    So, I have an hourly cron job that runs this program to add a bunch of lines to an unbound configuration.  Each line is just something like this:

    local-data-ptr: "1:2:3:4:5:6:7:8 10 hostname.domainname"

    After that config is re-written, it forces unbound to re-read its config via:

    kill -HUP `cat /var/run/unbound.pid`

    One issue with my odd DNS configuration is that it usually takes about 2-5 minutes before the reverse lookups appear in queries.  (If I use "dig @localhost -x", I can see that unbound has already updated… so I know it's just the windows crud that's taking several minutes.)

    Once Windows catches up, I'm somewhat limited on what I can use to view the results.  Two things in particular I'm using to test:

    1.  "ndp -a".  This works great. No issue.
    2.  "ntopng".  This doesn't work so great.  ntopng is a bit slow on doing DNS lookups.  Also, I'm finding that ntopng's ipv6 support isn't all that great.  (This might be fixed in a current ntopng version - I don't know.)  What happens is that it resolves the ipv4 to a hostname... and an ipv6 to the same hostname.  Then, in things like "Top Hosts (local)", it might show the same hostname multiple times. That's not so bad. What IS bad is that the "details" URL for both hosts are pointing to the same place.

    For example: https://192.168.1.1:3000/lua/host_details.lua?host=hostname.domainname

    In other words, it doesn't have distinct URLs for IPv6 vs IPv4 hosts.  It's confusing!

    What I'm thinking about doing to try and work around that is add a switch to my program so that it mangles the hostname.  For example, instead of "hostname.domainname" for ipv6 addresses, I might change it to "hostname.XXXX.domainname" (where XXXX is replaced with the last 4 nibbles of the ipv6 address.)  (Of course, ideally, ntopng would get fixed, and pfSense would be updated to use the most recent ntopng version… but that likely won't happen for a while, so I'm trying to give some option in the meantime.)

    Finally, there are a couple cases where I'm not getting any names for ipv6 addresses.  This is usually for hosts that are always using IPv6 for everything (meaning there's nothing in the (ipv4) arp cache to match it with.)  There are ways around this (ping floods, raw ARP packets, etc), but I'm not sure I want to get into that.

    ... I'm still working at it... (when time permits.)
  • 0 Votes
    2 Posts
    587 Views
    A
    Found the powerline was issuing its own MAC address on the WAN network and ISP was picking it up, so had to tell pfSense to emulate that. Seems to have stopped drop outs.
  • Large dhcpd.conf convert to static mappings

    1
    0 Votes
    1 Posts
    482 Views
    No one has replied
  • DNS Resolver Listening on WAN Despite Configuration

    11
    0 Votes
    11 Posts
    5k Views
    P
    Thanks johnpoz for the very clear response and for confirming what I wanted to do..
  • WAN Lease status?

    2
    0 Votes
    2 Posts
    683 Views
    Derelict
    Diagnostics > Command Prompt

    cat /var/db/dhclient.leases.WAN_IFNAME

    eg. cat /var/db/dhclient.leases.igb1

    https://www.freebsd.org/cgi/man.cgi?query=dhclient&sektion=8&n=1
  • DHCP log: no A record associated with address

    1
    0 Votes
    1 Posts
    548 Views
    No one has replied
  • Unbound/DHCPD Do Not Honor Custom Domain Name set in DHCP Server Config

    1
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • Newbie : Dynamic IP CloudFlare (by Dns-O-Matic)

    2
    0 Votes
    2 Posts
    1k Views
    K
    Nobody have dyn ip ? Nobody on dOm and CL …. okok ... thx...  :'( :'( :'(
  • Newbie on wan to lan internet

    6
    0 Votes
    6 Posts
    4k Views
    KOM
    i just need to share my wan net to lan I'm still not clear on what you mean by this.  You want someone from the Internet to be able to use a service on your LAN?  You want LAN clients to be able to connect to the Internet?  The former needs a port-forward, the latter just works like that out of the box.
  • Dhcpd does not hand out default DNS server when using a tagged interface

    5
    0 Votes
    5 Posts
    2k Views
    B
    Yes I did make that statement, as it was the observed behavior. Though in my case, it was not an OPT interface, it was on LAN (unsure that would make any difference). I have other setups, where I have many vlans on the same IF and as you say that works fine. However, I was setting my WAN and LAN as tagged on the same IF (different tags of course ;)), and from the moment I changed LAN to a tagged IF I did get an IP but no DNS server etc. Therefore I made this topic. The more I think on it the more I have the idea I must have done something odd… Anyway, allow me to test again (this weekend) & report back before wasting too much bandwidth on this (while it's unconfirmed).
  • Dnsmasq Random Exits

    5
    0 Votes
    5 Posts
    2k Views
    arrmo
    Ya, it has been a while … ;-). Will change it over, thanks for the pointers!
  • Get ip from a specific dhcp range

    7
    0 Votes
    7 Posts
    2k Views
    jimp
    ^that. Use the vendor MAC ranges to set up controls so that all VMware MACs get served from the one pool. For example, deny "00:0c:29,00:50:56" from the main pool and allow "00:0c:29,00:50:56" in the second pool. That should catch all automatic and manual VMware MACs.
  • DHCP Relay broken implementation

    7
    0 Votes
    7 Posts
    5k Views
    E
    I still have this problem on 2.3.2.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.