@johnpoz said in Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?:

@ddoh94 said in Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?:

version of Unbound to accept DoH (DNS over HTTPS)

Pretty sure unbound requires nghttp2 to do doh, is that available in pfsense? I have never looked into it very deep because well not really of fan of either dot or doh.. Other than blocking it from my clients using it ;) I have zero use for either of them...

Sorry, I’m little bit shocked about You: with a so lot of knowledge, ignoring the fact that DoH/DoL become standard (because incredibly rapidly growing numbers of DNS-related attacks in both on private business/industrial and government level) - that’s looks like no having “bird view” what happened in communication world. Am I wrong ?
Take my apologies again, I appreciate You in general.

While they might have some use in some scenarios.. The way browsers are forcing use of doh on users that have no clue is not good.. And the way it can be leverage to circumvent local dns controls is again not good..

But IN EVERYDAY’S REALITY most browsers (Safari, Chrome, Firefox) extensively using DoT/DoH.
So this is reality (also like TTL of DNS records decreasing year by year) in which we may live.

Other than a learning exercise I can really not see a scenario where I would want to use doh locally.. Who would be sniffing dns traffic on my local secure network?? Other than me??

For example: any black hacker, that compromise one node and obtain access to one of pfSense’s internal LANs. And this is not only about CARP.

@Antibiotic I am not using pfblocker for dnsbl - I only use it to create aliases that I use in my firewall rules myself. So I have no use for it.

Works fine on this end, exactly the same way but the configuration in 2.7.2 no longer asks for a username for Cloudflare. Instead, it is blank and the password is the API key.

@ebsense the log is from the KEA dhcp server (the new DHCP that will replace ISC DHCP in the future) but in the settings screenshot it looks like you using ISC DHCP.

Which one do you use?

And a /28 subnet is pretty small (14 usable IPs) so is the pool you created set accordingly?

@thearamadon KEA is not fully functioning. Go back to ISC until they fix it.
System/Advanced/Networking.

@johnpoz Got it. Thanks.

@littlebi

Again : select "ISC" as your DHCP server, as this is the one that makes the manual valid again.
Read the blog post, and you'll understand.

@CyberCow said in KEA DHCP - lacking features:

i assume this is a bug, but if someone else could confirm...

You want to report/confirm a bug in a feature that is listed as not supported yet, in the preview release?

@roveer google and cloudflare only filter bad stuff.. Or at least they say, but only in rare cases with google, clouldflare is more open in saying hey we block bad stuff.. But lets say dns service A filters bad site X, but service B does not.. But since you don't know where your forwarder might ask at any given point in time, are you protected from bad site X or not?

So what is the advantage of their filtering? And once its looked up once, all your clients will get that answer if they ask for it, etc..

The filtering or not filtering would come more into play if you were using say a blocking dns service to block stuff that you want blocked, like adult related stuff, etc. etc.. While your 2nd service does not. Opendns or Umbrella or Adblock sort of services.

Many people choose to use say quad9 because they list blocking bad sites as one of their advantages.. Cloudflare kind of says the same, while google says hey only in really bad cases, etc..

The point is these example services are not all filtering the same way, even if only bad. But that they filter at all - and you wouldn't know which one might get asked at any given time - kind of really throws all of their filtering out the window.. So if your going to use different services, but you don't know if service A and B would block the same thing - you can not be sure you would ever be protected by such a service.

Maybe you forward to these services because of their bad site blocking, but also maybe they block stuff because government says hey block this.. The point is such services are not all going to filter the same way, but if you ask more than one will you or will you not actually be protected, or filtered from something you want to get to, etc.

Same thing goes for if they do dnssec or not - most all the major players do, unless you specific use a special IP they list, etc. But this is another thing that can be different if you don't actually know who your asking when you forward.

While I am not a fan of forwarding - many people do, and hey that is their choice.. My only point is if your going to forward.. No matter who you forward you should get the same answer.. If not it can be very problematic trying to track down some weirdness with some some specific dns query.

@michmoor said in Unbound restarting 20-30 times a day without any reason:

but i can see it being a problem with several 100 endpoints.

Things will get even better when you 'some' Wifi connected devices that roam among several APs.
DHCP will fire away every x seconds .... and as much unbound restarts.

Quickly, unbound is more busy 'restarting' as actually doing 'DNS' for you.

@johnpoz
Thanks. Going back to ISC fixed it.

@iptvcld said in DHCP custom set hostname are not resolving:

I had to reboot the laptop each time even if I do a release and renew - not the best

If it's a windows PC :

will do.

And that's even not needed.
A cable disconnect, and the device will 'loose' that lease by default.
When you select then with the Wifi a SSID, a lease will be obtained automatically.

When going back to cable, it might be best to actually disconnect - mouse click - from the SSID, and then put the cable in place.
Always worked for me like that for the better part of this century.
Info valid for every possible OS.

@Gertjan said in Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access:

@bmeeks said in Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access:

My GoDaddy dynamic DNS stopped working as well

And no information, like a mail, warning about this ?

Nope. Nothing that I ever saw. Some searching around on Google will find a lot of folks complaining about the exact same issue. They changed their service without notice apparently. Here is a Reddit thread: https://www.reddit.com/r/selfhosted/comments/1cnipp3/warning_godaddy_silently_cut_access_to_their_dns/.

@TheNetStriker Your patch resolved order, so UEFI client can get .efi boot file.
I edited services.inc file (by Diagnostics / Edit File) and changed mentioned lines.
But similar as @nockdown now my UEFI client receive boot file with addtional ÿ.
Not sure if I should do anything related to "Path Strip Count" ? And how to do it...

@johnpoz Looks like. Dig looks different. Getting through to the domain like it used to. That's the thing that changed that FUBAR'd it. I changed to Kea.

@eightfold said in unbound with ULA: connection timed out (nslookup)?:

I typically get assigned a new prefix.

Omg.
I just posted this where I was positif about IPv6, and I forgot about those stupid ISPs totally breaking RFC's / IPv6.

@patient0

Thanks.

I kind of suspect the warning notice is tersely written and not especially relevant to my concerns. But I could be wrong. They could be doing something wacky as the message implies if you read it without researching anything.

I have no plans to do anything just yet. I don't spend much time here and I'm very sure passing the time to read about variants of DHCP servers is not how I would spend my free time. As long as my basic needs are met, they can do anything they want about the rest of DHCP. In fact, I didn't know and seriously don't care about any other aspects of DHCP other than my primary concerns. If they want to change me over on their own they are free to do it as long as I don't lose my static IP addresses.

Every other router I've ever used can fill my basic needs so I'm sure the next changes to DHCP here will also do what I need. I do not want to have to reenter static mappings on another page .... just because.

@wojciech__

Wait .... what about this :
Use unbound as the resolver with pfBlockerng, and have it listing (bind to) on DMZ only.
Now you can also activate the DNS Forwarder (dnsmasq) using also port 53, and use this one on the LAN interface only, and set up the DNS servers where it has to forward to. Your LAN won't benefit from pfBlockerng.

@aaronouthier

https://www.netgate.com/blog/netgate-adds-kea-dhcp-to-pfsense-plus-software-version-23.09-1

Basic functionality is present in version 23.09, but the Kea implementation lacks the following DHCP server features:

Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients
Remote DNS server registration
DHCPv6 Prefix Delegation
High Availability Failover
Lease statistics/graphs
Custom DHCP options

https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#rn-23-09-kea

kea.jpg

Same warning about preview in the 2.7.1 release notes

https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html