• Dnsmasq daemon crashing after 2.2.5 update

    23
    0 Votes
    23 Posts
    8k Views
    I
    As the author of this post I can now confirm that dnsmasq is behaving nicely in pfsense version 2.3.1.
  • Why is pfSense giving DHCP leases on internal network

    2
    0 Votes
    2 Posts
    640 Views
    johnpoz
    What is .99 and what is .10? Those seem like hosts to me. Do you mean 192.168.99/24 and 192.168.10/24 or 10.0.99/24 or 10.0.10/24? Or some other mask? There is no reason to try and hide rfc1918 address space. Why don't you post up the configuration of your interfaces and firewall rules? I can tell you for sure dhcp server is never enabled during setup, unless you say to set it up on that interface. So wan to pfsense is your internal network? So did you disable nat or still natting into your normal network?
  • DHCP Client Configuration Advanced Settings Options with pfSense Rel. 2.2

    3
    0 Votes
    3 Posts
    9k Views
    P
    Thank you, NOYB for this and your other guides regarding this topic on this forum. I have modified your above instructions in a new post to work for the G1100 FiOS Quantum Gateway. The packet impersonation is slightly different (option 61 instead of option 125). FIOS - Fake WAN DHCP Setup for G1100 (FiOS Quantum Router)
  • DHCPv6 Lease & DNS Resolver Questions

    1
    0 Votes
    1 Posts
    562 Views
    No one has replied
  • Should mac address be case sensitive?

    3
    0 Votes
    3 Posts
    16k Views
    C
    In theory, no, a MAC address shouldn't be case-sensitive. Many things are case-sensitive in *nix OSes though. dhcpd apparently requires them in all lower case to match.
  • DNS Resolver…I think?

    6
    0 Votes
    6 Posts
    1k Views
    C
    @imWACCo: @cmb This? doc.pfsense.org/index.php/Unbound_DNS_Resolver Yes.
  • 0 Votes
    3 Posts
    5k Views
    C
    You don't want to disable that. Split DNS, or NAT reflection, is what you want. Read the bottom of: https://doc.pfsense.org/index.php/DNS_Rebinding_Protections
  • Reverse dns on pfsense

    10
    0 Votes
    10 Posts
    4k Views
    P
    @pan_2: If those Exchange servers are in different DNS domains - use HAProxy, add both servers as backend and route between them by their hostname ("hostname contains" rule in HAProxy)
    That will work alright as long as traffic is http/https, but if you also expect to perform such a trick for other protocols like SMTP for example, that is not going to work, as no initial header is sent by the client to determine the right backend. Just f.y.i. ;) Regards, PiBa-NL
  • What’s going on here??? Really Weird DNS Resolving Issue???

    3
    0 Votes
    3 Posts
    752 Views
    N
    I can ping all the sites successfully.
  • Use Different DNS Server depending on Destination Address

    10
    0 Votes
    10 Posts
    2k Views
    J
    It seems like my issue has been resolved. I didn't do anything about my DNS Config, what I did was I enabled the NAT Reflection of my 1:1 NAT entry for our mail server. Then, when I re-tested, I can now access our mail server on our Public Wifi network without DNS Rebind Attack message. I would like to thank everyone for offering their help! ;D
  • DNS Resolver not overriding host

    10
    0 Votes
    10 Posts
    2k Views
    S
    Figured it out, bloody access lists… Thanks for all your help. James
  • DNS partially working

    13
    0 Votes
    13 Posts
    3k Views
    johnpoz
    Your client got dhcp, and he is pointing to pfsense. So do a nslookup. What is that output? If it times out then your client is not talking to pfsense on 53. I'm just at a loss as to why anyone would run unbound in forwarder mode and have dnssec disabled? What a pointless setup… If all you want to do is forward why not just use dnsmasq. At least it can query your dns in parallel. So where exactly are you forwarding these queries to? What are your dns settings in pfsense? Can pfsense even lookup anything? Go to diag, dns lookup and lookup something like www.pfsense.org. Post that. What do you think you are doing with that rrecc suffix?
  • Pid 53948 (unbound), uid 59: exited on signal 11

    1
    0 Votes
    1 Posts
    462 Views
    No one has replied
  • Unbound and Microsoft DNS

    4
    0 Votes
    4 Posts
    3k Views
    johnpoz
    Again what I would suggest you do is not point your clients to pfsense, use your AD for dns, and even use it for dhcp.  I don't see any reason to run dhcp and dns services off your pfsense box when you have AD setup.
  • URL redirect

    2
    0 Votes
    2 Posts
    610 Views
    Derelict
    You want a port forward on LAN for:
        Source LAN net port any dest any port 80 NAT address X.X.X.X port 80
    SSL/TLS won't work but there you go.
  • DNS Server Settings

    13
    0 Votes
    13 Posts
    6k Views
    K
    Right, I didn't think of that. Thanks for all your help.  Much Appreciated.
  • DNS Cache that Autoupdates

    3
    0 Votes
    3 Posts
    1k Views
    johnpoz
    "I want the database to update every 24-48 hours using Google or some other DNS database."
    You need to do some more research on how dns caching works. While stan tried to go into how ttl works, his example is just bad. The ttl on cname of pfsense.com is large, while the A record is short. He did not get that A record from his cache because it would have been something less than 300 and it wouldn't have taken 153 ms to pull it from his cache.
    So here is a query that was authoritative:
        ;; QUESTION SECTION:
        ;pfsense.org.                  IN      A
        ;; ANSWER SECTION:
        pfsense.org.            300    IN      A      208.123.73.69
        ;; Query time: 31 msec
        ;; SERVER: 192.168.9.253#53(192.168.9.253)
        ;; WHEN: Mon Jun 13 06:10:54 Central Daylight Time 2016
    Notice how it took 31 msec… I then looked it up again and it was 0 msec because it just grabbed it from the cache. Notice how the ttl has started counting down from the 300:
        ;; QUESTION SECTION:
        ;pfsense.org.                  IN      A
        ;; ANSWER SECTION:
        pfsense.org.            292    IN      A      208.123.73.69
        ;; Query time: 0 msec
        ;; SERVER: 192.168.9.253#53(192.168.9.253)
        ;; WHEN: Mon Jun 13 06:11:02 Central Daylight Time 2016
    Currently pfsense uses unbound as resolver and not a forwarder out of the box. But if you're using the forwarder dnsmasq or unbound the resolver, they both cache. And items will be cached for the length of their ttl. This is how dns is designed to work. There really is little need to pre-populate this cache or update it on any sort of schedule. But if you wanted you could turn on the prefetch feature in unbound.
    [image: unboundprefetch.jpg]
  • Resolving hostnames on subnet

    7
    0 Votes
    7 Posts
    2k Views
    M
    Thank you!  It is now working.
  • Unbound fatal error: could not open ports, then unbound stopped working

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DNS Server triggers Snort Alert

    9
    0 Votes
    9 Posts
    3k Views
    johnpoz
    The advantage of resolving vs forwarding is you're getting the info from the horse's mouth, so less likely to have to worry about a cache poisoning. When you forward you are at the mercy of where you forwarded it to provide you with good info. No thanks, I will get my own info thank you from the source. The only advantage to forwarding is a possibly faster initial query for something that is not in your cache. I ask for www.somenewdomain.com, that initial query has to walk the tree, but after that any client that looks for it on my network will just get the cached copy. Where forwarding has an advantage to this is when you ask it for www.somenewdomain.com - it's possible that someone else had already looked that up and it's cached. If not then guess what, your forwarder is either forwarding to somewhere else, or is going to actually resolve. So you get no real speed increase there, and in fact it could be slower since you just added a step in the process. And you also just really have to trust the info you're getting is current and good. Have you validated that who you're forwarding to actually supports dnssec?