@BCMguy Time to activate the 'show me the answers' mode. You have a console, or better, easier, SSH. Use it. Go for option 8. If this happens : @BCMguy said in DNS Failing every hour?: I lose all internet connectivity for about 3-4 minute everything that is WAN related will not work anymore. This : @BCMguy said in DNS Failing every hour?: Clients cannot resolve internet addresses would be true if, at that moment, one of your clients was asking for a unknown - not cached at pfSense - host name. Resolving can't happen without a working connection. But is is unbound that can't answer, as it can't resolve, or is it unbound that is not running (= restarting) at that moment ? @BCMguy said in DNS Failing every hour?: including from the pfSense ping tool Yeah, normal. If your uplink (WAN) is down, ping's won't pass neither. Nothing will pass. @BCMguy said in DNS Failing every hour?: WiFi connectivity remains functional (Unifi equipment) and I'm able to log into local resources like pfSense and my media servers Normal. It's only the WAN link that is down, not your other interfaces. What does the system log tells you what happens at xxh02 ? Use the console or SSH with menu option 8: tail -f /var/log/system.log to see the same system log, but way faster.

@Gertjan Did not mean to imply the problem was with KEA as much as pfSense configuration options. Looking forward to the next release of pfSense, but not enough to start playing with pre-production releases on my production network.

The thread is a bit old, but since June 2024 the latest FRITZ!OS addresses this issue: ‘Im PPPoE-Passthrough-Betrieb der FRITZ!Box werden DNS-"Root Queries" über UDP nicht mehr gefiltert’. When I reported the issue, AVM found the culprit, a Firewall rule. Furthermore, just UDP/IPv4 was affected, TCP or IPv6 worked for DNS root queries. Consequently, with the upcoming FRITZ!OS 8, this should be fixed for everyone. Not sure if @mk873425 @float (or someone registered for notifications to this thread) still uses a FRITZ!Box as DSL modem, anyway please give it a try. @mk873425 I think you had a Reddit about this as well, please, update there if still possible.

@johnpoz ah man, I thought from your first post that the arp cache cycle was for all devices and if one is offline during the next cycle it will perform an update and show the actual device status. Per device cycle will be 100% fine for me with a script pull every 5 to 8 mins. (Most likely will stick to 5 mins)

@Gertjan Thanks a lot, I thought the whole time I had 24 but I had 32. Now it appears in the DHCP Server

@Davide-gdl said in DNS on DHCP slow first page loading: Are yo that expert that uses dnsmasq and unbound at the same time ? Noop. It is possible thought. Its important to chose for example LAN and OPT2 as the interfaces to be served by unbound and OPT2 and OPT3 by dnsmasq. But I never found a usage case where this was needed (for me).

@slu said in Uid lease for client is duplicated: Is there a (safe) way to clean up this old leases? If the lease is old, before you went to static - you can just hit the trashcan to delete the old lease [image: 1720182225402-oldlease.jpg] I have never ran into a problem with an old lease, normally I let a client just get a lease - then I change it to a reservation and renew the lease on the client and it gets the new reservation. But if its problematic - then clear the old lease.. If the device is still using the old one and its actively up it won't present the trashcan.. If that is the case you could either maybe clear pfsense arp cache so it doesn't think the devices is online and delete the old lease in the gui.. Or worse case manually edit the lease file. If you want an option to delete all expired leases en masse you could prob put in a feature request. edit: btw the leases page doesn't show you expired leases unless you click the show all configured leases at the bottom of the page

@walkingwounded kea does have lots of things to look forward too.. And isc was getting a bit long in the tooth.. With new you will have developers that are excited, etc. The logging looks way more intense - but also looks like you can do filtering of what is logged, etc. Don't feel bad - lots and lots of people have failed to grasp the "preview" of the current implementation.. But it is getting old kicking this dead horse ;) Only thing can hope for is next time maybe they rethink the wording a bit when they make such a announcement actually on a page in the software. But I can fully understand it.. Hey our users are techy.. They read the release notes, etc. They will check what isc says about the eol of their product and how its not really going anywhere.. Just no longer being developed actively, etc. So just keep it sweet and to the point.. Which hasn't gone over how they planned I don't think.. Also I don't even know - is register dynamic and static even default? For all we know we have like 2 million users that have switched over to kea without incident because all they do is hand out IPs.. Which works just fine..

@bchipman well then your auto acls should work unless this network your clients are on not directly attached. Here fired up one of my vms.. You can see the auto acls in the config. [image: 1720115832675-acl-resized.jpg] Then I added a new network via a vlan, enabled it gave it an IP 192.168.42.1/24 Restarted unbound and you see it updated the access list to include my new 192.168.42 network

@danielatblueskyit said in Domain Overrides not working: mcm.arpa is having a detremental effect on domain override? No not really - but its just a bad choice.. home.arpa is specific for this sort of use.. so use say mcm.home.arpa would be fine. sitex.home.arpa, sitey.home.arpa sitez.home.arpa would be fine to use.. .internal is supposed to be new tld for local user so mcm.internal, cakora.internal would be good choices, etc.. Do you have dnssec enabled? .arpa believe dnssec enabled - this could cause some issues. .local could be problematic with how the client might handle it, etc. I would prob set private and non secure settings for the domains your using that you set domain override for. If your using it as default domain in pfsense, prob wouldn't have the zone type set to transparent either. if you have site A with a domain overide to B.. If your going to have rfc1918 as an answer, you need to setup private in site A. To validate your domain override is working. Validate you can actually query it directly from pfsense A, to IP address B. This would also validate that ACLs at site B allow for pfsense A ip address to query it. Set it as private and nonsecure if your using tld that is dnssec Also are you using pfblocker on any of these sites - those tlds could be problematic with it.

@CloudNode here is what the box use to look like [image: 1719858970350-fingbox.jpg]

OK - so I celebrated too soon. There are weird, sporadic dropouts of the DNS resolution of duckdns.org. Why this would be special to this site, I have no idea, as far as I can think there is no special handling of this site in particular, beyond the mydomain.duckdns.org custom option listed above. All other sites seem to work just fine. Between each nslookup is about 20 seconds... ~ nslookup duckdns.org Server: 10.0.0.1 Address: 10.0.0.1#53 Non-authoritative answer: Name: duckdns.org Address: 15.156.222.126 ➜ ~ nslookup duckdns.org Server: 2a00:6020:... ipv6 address Address: 2a00:6020:... ipv6 address#53 Non-authoritative answer: Name: duckdns.org Address: 15.156.222.126 repeated 3x in a couple of minutes, and then for no apparent reason... ➜ ~ nslookup duckdns.org ;; connection timed out; no servers could be reached ➜ ~ nslookup duckdns.org ;; connection timed out; no servers could be reached ➜ ~ nslookup duckdns.org ;; connection timed out; no servers could be reached As a workaround I will try HAProxy as @johnpoz suggests, but I am quite unhappy to leave something like this unresolved. Any ideas?

@johnpoz /me facepalms. Sorry for not reading the "Basic functionality present in 23.09" sentence all the way to the end. I usually look at the release notes before running the upgrades. But in this case the combination of : 2.7.0 not suggesting upgrade to 2.7.2 HD Crash leading to fresh install from freshly downloaded 2.7.2 Configuration restore Got deprecation warning at start-up, followed the advice. did not help. I guess we can now close this question with a will work later on when kea implements DHCP-> DNS resolver updates. Thank you very much for your help.

@chrisjx bug reports can be made at Redmine.pfSense.org.

@wmw509 glad you got it sorted.

@kramer9 https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

Whole bunch of exciting work happening for Kea right now. Should be in 24.08-dev snap real-soon-now. (but really, actually, soon!)

@Flemmingss You can either duplicate the DDNS entry in pfSense such that there is one for every A record you want to change. Or you could keep changing only one of the A records and use CNAMES for the others.