  • Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?

    0 Votes
    9 Posts
    1k Views
    Sergei_ShablovskyS

    @johnpoz said in Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?:

    @ddoh94 said in Could interface-automatic block pfSense Unbound Resolver from running proper DoH server?:

    version of Unbound to accept DoH (DNS over HTTPS)

    Pretty sure unbound requires nghttp2 to do DoH; is that available in pfSense? I have never looked into it very deeply because, well, I'm not really a fan of either DoT or DoH.. Other than blocking my clients from using it ;) I have zero use for either of them...

    Sorry, I'm a little bit shocked about you: with so much knowledge, ignoring the fact that DoH/DoT have become standard (because of the incredibly rapidly growing number of DNS-related attacks at both the private business/industrial and government level) - that looks like not having a "bird's-eye view" of what has happened in the communication world. Am I wrong?
    Take my apologies again, I appreciate you in general.

    While they might have some use in some scenarios.. The way browsers are forcing the use of DoH on users who have no clue is not good.. And the way it can be leveraged to circumvent local DNS controls is again not good..

    But IN EVERYDAY'S REALITY most browsers (Safari, Chrome, Firefox) extensively use DoT/DoH.
    So this is the reality (also like the TTL of DNS records decreasing year by year) in which we live.

    Other than as a learning exercise I really cannot see a scenario where I would want to use DoH locally.. Who would be sniffing DNS traffic on my local secure network?? Other than me??

    For example: any black-hat hacker who compromises one node and obtains access to one of pfSense's internal LANs. And this is not only about CARP.

  • DNS Resolver, DNSSEC, and Harden DNSSEC Data

    0 Votes
    19 Posts
    6k Views
    johnpozJ

    @Antibiotic I am not using pfblocker for dnsbl - I only use it to create aliases that I use in my firewall rules myself. So I have no use for it.

  • Cloudflare DDNS: UNKNOWN ERROR

    0 Votes
    5 Posts
    424 Views
    P

    Works fine on this end, exactly the same way but the configuration in 2.7.2 no longer asks for a username for Cloudflare. Instead, it is blank and the password is the API key.

  • Cannot seem to use DHCP server on a public IP subnet

    0 Votes
    2 Posts
    361 Views
    patient0P

    @ebsense the log is from the KEA DHCP server (the new DHCP server that will replace ISC DHCP in the future), but in the settings screenshot it looks like you are using ISC DHCP.

    Which one do you use?

    And a /28 subnet is pretty small (14 usable IPs), so is the pool you created set accordingly?

  • Conflicting reservation for address

    1 Vote
    2 Posts
    580 Views
    J

    @thearamadon KEA is not fully functioning. Go back to ISC until they fix it.
    System/Advanced/Networking.

  • Can't get DNS Wildcarding to work properly

    0 Votes
    7 Posts
    566 Views
    B

    @johnpoz Got it. Thanks.

  • DNS Resolver is lacking some settings / options?

    0 Votes
    4 Posts
    214 Views
    GertjanG

    @littlebi

    Again : select "ISC" as your DHCP server, as this is the one that makes the manual valid again.
    Read the blog post, and you'll understand.

  • KEA DHCP - lacking features

    5 Votes
    60 Posts
    21k Views
    johnpozJ

    @CyberCow said in KEA DHCP - lacking features:

    i assume this is a bug, but if someone else could confirm...

    You want to report/confirm a bug in a feature that is listed as not supported yet, in the preview release?

  • I can't find this DNS entry anywhere in my GUI. How do I change this?

    0 Votes
    9 Posts
    588 Views
    johnpozJ

    @roveer Google and Cloudflare only filter bad stuff.. Or at least so they say, but only in rare cases with Google; Cloudflare is more open in saying hey, we block bad stuff.. But let's say DNS service A filters bad site X, but service B does not.. Since you don't know where your forwarder might ask at any given point in time, are you protected from bad site X or not?

    So what is the advantage of their filtering? And once it's looked up once, all your clients will get that answer if they ask for it, etc..

    The filtering or not filtering would come more into play if you were using, say, a blocking DNS service to block stuff that you want blocked, like adult-related stuff, etc. etc., while your 2nd service does not. OpenDNS or Umbrella or ad-block sort of services.

    Many people choose to use, say, Quad9 because they list blocking bad sites as one of their advantages.. Cloudflare kind of says the same, while Google says hey, only in really bad cases, etc..

    The point is these example services are not all filtering the same way, even if only bad stuff. But that they filter at all - and you wouldn't know which one might get asked at any given time - kind of really throws all of their filtering out the window.. So if you're going to use different services, but you don't know if service A and B would block the same thing, you cannot be sure you would ever be protected by such a service.

    Maybe you forward to these services because of their bad-site blocking, but also maybe they block stuff because the government says hey, block this.. The point is such services are not all going to filter the same way, but if you ask more than one, will you or will you not actually be protected, or filtered from something you want to get to, etc.

    Same thing goes for whether they do DNSSEC or not - most all of the major players do, unless you specifically use a special IP they list, etc. But this is another thing that can be different if you don't actually know who you're asking when you forward.

    While I am not a fan of forwarding - many people do, and hey, that is their choice.. My only point is if you're going to forward.. No matter whom you forward to, you should get the same answer.. If not, it can be very problematic trying to track down some weirdness with some specific DNS query.
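    The post above argues that forwarding to several filtering services leaves you unable to know whether a given name is actually blocked. The following is an added example (not code from the post or from pfSense) that makes that divergence visible: it builds a raw DNS A query, parses the replies, classifies each as answered, NXDOMAIN-blocked or sinkholed, and reports whether the forwarders agree. The service names, the 0.0.0.0/127.0.0.1 "sinkhole" convention and the wire-format responses in SAMPLE are constructed for the demonstration; query_forwarder() is the only part that needs the network and is not used by the offline sample.

```python
"""Compare what several DNS forwarders answer for the same name.

Added example, not from the forum thread. Service names, sinkhole
addresses and the SAMPLE responses are constructed; only the DNS wire
format itself (RFC 1035) is real.
"""
import socket
import struct

# Assumed convention: filtering services often answer with 0.0.0.0 or
# 127.0.0.1 for a blocked name; others return NXDOMAIN.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with RD set and no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name at `off` (handles compression)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg: bytes) -> dict:
    """Extract rcode, AD flag and A records from a DNS response."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "addrs": sorted(addrs)}


def classify(parsed: dict) -> str:
    """Map a parsed response to a verdict a client would experience."""
    if parsed["rcode"] == 3:
        return "blocked(NXDOMAIN)"
    if parsed["rcode"] != 0:
        return f"error(rcode={parsed['rcode']})"
    if parsed["addrs"] and set(parsed["addrs"]) <= SINKHOLE_ADDRS:
        return "blocked(sinkhole)"
    return "answered"


def compare_forwarders(responses: dict) -> dict:
    """Given {forwarder: raw response bytes}, report verdicts and agreement."""
    verdicts = {fw: classify(parse_response(raw)) for fw, raw in responses.items()}
    return {"verdicts": verdicts, "consistent": len(set(verdicts.values())) == 1}


def query_forwarder(addr: str, name: str, timeout: float = 2.0) -> bytes:
    """Send the query over UDP/53 to a real forwarder (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (addr, 53))
        return s.recv(4096)


def _fake_response(name: str, rcode: int, addrs: list) -> bytes:
    """Constructed response (QR/RD/RA set) for offline demonstration."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
        for a in addrs
    )
    return header + question + answers


# Constructed sample: A sinkholes the name, B answers it, C returns NXDOMAIN.
SAMPLE = {
    "serviceA": _fake_response("bad.example", 0, ["0.0.0.0"]),
    "serviceB": _fake_response("bad.example", 0, ["203.0.113.10"]),
    "serviceC": _fake_response("bad.example", 3, []),
}

if __name__ == "__main__":
    print(compare_forwarders(SAMPLE))
```

    Run against real forwarders by replacing SAMPLE with `{ip: query_forwarder(ip, "bad.example") for ip in [...]}`; a `consistent: False` result is exactly the situation the post describes, where the answer a client gets depends on which upstream unbound happened to ask.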

  • Unbound restarting 20-30 times a day without any reason

    0 Votes
    18 Posts
    1k Views
    GertjanG

    @michmoor said in Unbound restarting 20-30 times a day without any reason:

    but i can see it being a problem with several 100 endpoints.

    Things will get even better when you have 'some' Wifi-connected devices that roam among several APs.
    DHCP will fire away every x seconds .... and as many unbound restarts.

    Quickly, unbound is more busy 'restarting' than actually doing 'DNS' for you.
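    To put a number on the "more busy restarting than resolving" situation described above, here is an added example (not from the thread) that counts unbound service starts per hour from resolver log lines and flags hours above a threshold. The "start of service" and "service stopped" texts are messages unbound logs itself; the syslog-style prefix and every line in SAMPLE_LOG are constructed assumptions about the host's log format, so adjust LINE_RE if your lines look different.

```python
"""Count unbound restarts per hour from resolver log lines.

Added example, not from the forum thread. The syslog prefix and the
SAMPLE_LOG lines are constructed; 'start of service' and 'service
stopped' are unbound's own log messages.
"""
import re
from collections import Counter

# Assumed line shape: "<Mon> <day> <HH:MM:SS> <host> unbound[<pid>]: [...] info: <message>"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"unbound\[[\d:]+\]:?.*?info: (?P<msg>.*)$"
)
START_MSG = "start of service"
STOP_MSG = "service stopped"


def hour_key(stamp: str) -> str:
    """'Jan 10 12:34:56' -> 'Jan 10 12' (date plus hour bucket)."""
    date, clock = stamp.rsplit(" ", 1)
    return f"{date} {clock[:2]}"


def count_restarts(lines, threshold_per_hour: int = 5) -> dict:
    """Tally unbound starts/stops per hour; hours above threshold are 'noisy'."""
    starts, stops = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, or unbound lines that are not info-level
        key = hour_key(m.group("stamp"))
        msg = m.group("msg")
        if msg.startswith(START_MSG):
            starts[key] += 1
        elif msg.startswith(STOP_MSG):
            stops[key] += 1
    noisy = sorted(h for h, n in starts.items() if n > threshold_per_hour)
    return {
        "starts_per_hour": dict(starts),
        "stops_per_hour": dict(stops),
        "total_starts": sum(starts.values()),
        "noisy_hours": noisy,
    }


def _line(stamp: str, pid: int, msg: str) -> str:
    """Build one constructed log line in the assumed format."""
    return f"{stamp} pfSense unbound[{pid}]: [{pid}:0] info: {msg}"


# Constructed sample: six restarts in the 12:00 hour, one in the 13:00 hour,
# plus a DHCP line and an unbound stats line that must not be counted.
SAMPLE_LOG = [
    "Jan 10 12:00:01 pfSense dhcpd[3120]: DHCPACK on 192.0.2.57 to 00:11:22:33:44:55 via igb1",
    _line("Jan 10 12:00:02", 4201, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 12:00:03", 4299, "start of service (unbound 1.18.0)."),
    _line("Jan 10 12:07:10", 4299, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 12:07:11", 4350, "start of service (unbound 1.18.0)."),
    _line("Jan 10 12:15:40", 4350, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 12:15:41", 4402, "start of service (unbound 1.18.0)."),
    _line("Jan 10 12:22:05", 4402, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 12:22:06", 4477, "start of service (unbound 1.18.0)."),
    _line("Jan 10 12:38:30", 4477, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 12:38:31", 4510, "start of service (unbound 1.18.0)."),
    _line("Jan 10 12:51:12", 4510, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 12:51:13", 4588, "start of service (unbound 1.18.0)."),
    _line("Jan 10 13:05:00", 4588, "server stats for thread 0: 812 queries, 0 answers from cache"),
    _line("Jan 10 13:40:02", 4588, "service stopped (unbound 1.18.0)."),
    _line("Jan 10 13:40:03", 4611, "start of service (unbound 1.18.0)."),
]

if __name__ == "__main__":
    print(count_restarts(SAMPLE_LOG))
```

    On a real box, feed it the resolver log instead of SAMPLE_LOG, e.g. `count_restarts(open("/var/log/resolver.log"))`; a cluster of noisy hours that lines up with DHCP lease activity supports the explanation given in the thread.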

  • DNS rebinding breaks local DNS names

    0 Votes
    5 Posts
    354 Views
    M

    @johnpoz
    Thanks. Going back to ISC fixed it.

  • DHCP custom set hostname are not resolving

    0 Votes
    15 Posts
    1k Views
    GertjanG

    @iptvcld said in DHCP custom set hostname are not resolving:

    I had to reboot the laptop each time even if I do a release and renew - not the best

    If it's a windows PC :

    ipconfig /release
    ipconfig /renew

    will do.

    And that's even not needed.
    A cable disconnect, and the device will 'loose' that lease by default.
    When you select then with the Wifi a SSID, a lease will be obtained automatically.

    When going back to cable, it might be best to actually disconnect - mouse click - from the SSID, and then put the cable in place.
    Always worked for me like that for the better part of this century.
    Info valid for every possible OS.

  • Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access

    0 Votes
    6 Posts
    2k Views
    bmeeksB

    @Gertjan said in Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access:

    @bmeeks said in Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access:

    My GoDaddy dynamic DNS stopped working as well

    And no information, like a mail, warning about this ?

    Nope. Nothing that I ever saw. Some searching around on Google will find a lot of folks complaining about the exact same issue. They changed their service without notice apparently. Here is a Reddit thread: https://www.reddit.com/r/selfhosted/comments/1cnipp3/warning_godaddy_silently_cut_access_to_their_dns/.

  • Kea DHCP UEFI PXE boot sends wrong boot file

    0 Votes
    14 Posts
    6k Views
    C

    @TheNetStriker Your patch resolved the order, so the UEFI client can get the .efi boot file.
    I edited the services.inc file (by Diagnostics / Edit File) and changed the mentioned lines.
    But similar to @nockdown, now my UEFI client receives the boot file with an additional ÿ.
    Not sure if I should do anything related to "Path Strip Count"? And how to do it...

  • Cannot Connect to Samba Shares on TrueNAS Server Via Domain

    0 Votes
    12 Posts
    760 Views
    N

    @johnpoz Looks like it. Dig looks different. Getting through to the domain like it used to. That's the thing that changed that FUBAR'd it. I changed to Kea.

  • unbound with ULA: connection timed out (nslookup)?

    0 Votes
    14 Posts
    1k Views
    GertjanG

    @eightfold said in unbound with ULA: connection timed out (nslookup)?:

    I typically get assigned a new prefix.

    Omg.
    I just posted this where I was positive about IPv6, and I forgot about those stupid ISPs totally breaking RFCs / IPv6.

  • The upcoming DHCP server page

    0 Votes
    3 Posts
    242 Views
    C

    @patient0

    Thanks.

    I kind of suspect the warning notice is tersely written and not especially relevant to my concerns. But I could be wrong. They could be doing something wacky as the message implies if you read it without researching anything.

    I have no plans to do anything just yet. I don't spend much time here and I'm very sure passing the time to read about variants of DHCP servers is not how I would spend my free time. As long as my basic needs are met, they can do anything they want about the rest of DHCP. In fact, I didn't know and seriously don't care about any other aspects of DHCP other than my primary concerns. If they want to change me over on their own they are free to do it as long as I don't lose my static IP addresses.

    Every other router I've ever used can fill my basic needs, so I'm sure the next changes to DHCP here will also do what I need. I do not want to have to re-enter static mappings on another page .... just because.

  • DNS as Conditional Resolver

    0 Votes
    4 Posts
    318 Views
    GertjanG

    @wojciech__

    Wait .... what about this:
    Use unbound as the resolver with pfBlockerNG, and have it listening (bound) on DMZ only.
    Now you can also activate the DNS Forwarder (dnsmasq), also using port 53, use this one on the LAN interface only, and set up the DNS servers it has to forward to. Your LAN won't benefit from pfBlockerNG.

  • Kea Server won't start after adding static lease

    0 Votes
    4 Posts
    335 Views
    johnpozJ

    @aaronouthier

    https://www.netgate.com/blog/netgate-adds-kea-dhcp-to-pfsense-plus-software-version-23.09-1

    Basic functionality is present in version 23.09, but the Kea implementation lacks the following DHCP server features:

    Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients
    Remote DNS server registration
    DHCPv6 Prefix Delegation
    High Availability Failover
    Lease statistics/graphs
    Custom DHCP options

    https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#rn-23-09-kea

    kea.jpg

    Same warning about preview in the 2.7.1 release notes

    https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html

  • 2 DHCP Pool and running one - static mapping / the other - on demand

    0 Votes
    1 Post
    105 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.