• PFSENSE 2.3.1-RELEASE-p1 - Bind package - Query Refused

    0 Votes
    2 Posts
    2k Views
    match-clients { none; }; fix this
  • New user question about DNS resolver

    0 Votes
    5 Posts
    1k Views
    With the resolver and without forwarders you're not vulnerable to an attack known as cache poisoning where a compromised forwarder serves specially crafted malicious answers to redirect clients of the forwarder to sites that are part of an attack network.
  • Cron rc.dyndns.update issues

    0 Votes
    2 Posts
    3k Views
    @FreeMinded: 1. What does /etc/rc.dyndns.update do exactly? This blog post http://www.andysblog.de/pfsense-mit-ddns-hinter-einem-router in German suggests that it checks its real WAN IP by using an external service. From looking at the source I can't see this happening. But I'm not a coder and therefore I probably miss looking at the right place.

    Thank you for pointing to this page, it may have solved my problem with updating the IPs for the dynamic DNS entries. /etc/rc.dyndns.update uses code from /etc/inc/dyndns.class. This dyndns.class file uses checkip.dyndns.org for getting the router's online IP. As described in your linked article I have installed the cron package and edited the dyndns entry to check for an IP update every 10 minutes. I have changed the dyndns.class file according to this description to use a custom webpage with a simple PHP file to get my online IP from.

    @FreeMinded: 2. Running /etc/rc.dyndns.update from the command line in the webGUI renders the webGUI unresponsive and needs a reboot in order to get it working again. How can I run /etc/rc.dyndns.update manually?

    Executing "/etc/rc.dyndns.update" via SSH, or editing the dynamic DNS entry in the GUI and pressing the "Save & Force Update" button, does work for me.

    @FreeMinded: 3. What is the suggested way to handle Dynamic DNS in the case of a pfSense having a static IP on the WAN behind an ISP DSL router? Some posts suggest to increase the frequency of the mentioned cron job. But for that it should work properly in the first place.

    As the dynamic DNS update script uses checkip.dyndns.org to monitor the pfSense online IP it should notice an IP change and update the entries correctly. For me the check sometimes can't extract a correct IP from this URL and it looks like the service isn't retrying correctly when such a failure happens. This failure will be listed under "Status->System Logs". I hope all the changes from 1. will fix the problems for me. I'll have to wait a few days to be sure it really works.

    My changes to the dyndns.class function _checkIP() (pfSense version 2.3.1-RELEASE-p1):

```php
// Method of the updatedns class in /etc/inc/dyndns.class; relies on the pfSense
// helpers log_error(), gettext(), get_interface_ip(), get_interface_ipv6(),
// is_ipaddr(), is_ipaddrv6() and is_private_ip() from the pfSense include files.
function _checkIP() {
    global $debug;

    if ($debug) {
        log_error(sprintf(gettext('Dynamic DNS %1$s (%2$s): _checkIP() starting.'), $this->_dnsService, $this->_FQDN));
    }

    // Start from the address currently configured on the DDNS interface.
    if ($this->_useIPv6 == true) {
        $ip_address = get_interface_ipv6($this->_if);
        if (!is_ipaddrv6($ip_address)) {
            return 0;
        }
    } else {
        $ip_address = get_interface_ip($this->_if);
        if (!is_ipaddr($ip_address)) {
            return 0;
        }
    }

    if ($this->_useIPv6 == false && is_private_ip($ip_address)) {
        // The WAN carries an RFC 1918 address (pfSense sits behind the ISP router),
        // so ask our own web page for the public IP instead of checkip.dyndns.org.
        $hosttocheck = "www.MYDOMAIN.com/remoteip/index.php";
        $try = 0;
        while ($try < 3) {
            // Stock pfSense code used: $checkip = gethostbyname($hosttocheck);
            // trim() strips any trailing newline the page returns, which would
            // otherwise make is_ipaddr() reject a perfectly good address.
            $checkip = trim(@file_get_contents('http://' . $hosttocheck));
            if (is_ipaddr($checkip)) {
                break;
            }
            $try++;
        }
        if ($try >= 3) {
            log_error(sprintf(gettext('Dynamic DNS %1$s debug information (%2$s): Could not resolve %3$s to IP using interface IP %4$s.'), $this->_dnsService, $this->_FQDN, $hosttocheck, $ip_address));
            return 0;
        }
        $ip_address = $checkip;
        if (is_ipaddr($ip_address)) {
            if ($this->_dnsVerboseLog) {
                log_error(sprintf(gettext('Dynamic DNS %1$s (%2$s): %3$s extracted from %4$s'), $this->_dnsService, $this->_FQDN, $ip_address, $hosttocheck));
            }
        } else {
            log_error(sprintf(gettext('Dynamic DNS %1$s (%2$s): IP address could not be extracted from %3$s'), $this->_dnsService, $this->_FQDN, $hosttocheck));
            return 0;
        }
    } else {
        if ($this->_dnsVerboseLog) {
            log_error(sprintf(gettext('Dynamic DNS %1$s (%2$s): %3$s extracted from local system.'), $this->_dnsService, $this->_FQDN, $ip_address));
        }
    }

    $this->_dnsIP = $ip_address;
    return $ip_address;
}
```
  • DNS Resolver and host override aliases

    0 Votes
    5 Posts
    2k Views
    I figured it out. I had an override for a specific host name, where the first alias was blank, aka the domain root. This worked with previous versions, but once upgraded to 2.3 this became a problem as the blank field was probably checked when looking for any aliases. Blank means none, everything deleted and so on. I switched the blank value and the specific host name, making the domain root the main override and the original host name an alias, and everything worked perfectly.
  • Delay dhcp client

    0 Votes
    1 Posts
    758 Views
    No one has replied
  • Looking for active dhcp servers on lan?

    0 Votes
    7 Posts
    2k Views
    @cmb: @johnpoz: Why would students plug their routers into the network via the LAN side of their SOHO routers so the DHCP server is exposed to the dorm/school network?  Are they just stupid??  Maybe just stoned? You wouldn't believe how many idiots plug their routers in backwards and leave them that way for extended periods. Not just dorm networks, apartments, condos, you name it. Why? Hell if I know, before I got involved with a lot of networks like that I never would have believed how often that happens. And then there's the #$%^& who does it intentionally.
  • WAN DHCP up and down

    0 Votes
    2 Posts
    1k Views
    So I took the pfSense box out of the DMZ zone on the 2Wire router/modem. So now the pfSense WAN interface has a private IP of 192.168.100.254. The WAN interface has remained up so far. In addition, I plugged a router's WAN interface into the 2Wire router/modem and put that into the DMZ zone on the 2Wire. The router was given the public IP from my ISP. After an hour, the WAN connection on the router is down and no longer has an IP. So, I think the issue is on my ISP's end.
  • 0 Votes
    7 Posts
    6k Views
    stan-qaz
    I got started using .home for my RFC 1918 LAN many years ago when this RFC was still active: https://tools.ietf.org/html/draft-chapin-rfc2606bis-00

    Network Working Group                                L. Chapin
    Internet-Draft                          Interisle Consulting Group
    Intended status: Standards Track                     M. McFadden
    Expires: December 2, 2011                                    ICC
                                                        May 31, 2011

                      Reserved Top Level Domain Names
                        draft-chapin-rfc2606bis-00.txt

    That suggested this list: .local .localdomain .domain .lan .home .host .corp

    As mentioned above, .local has issues with Apple gear today. My pfSense box and anything I put into my DMZ gets a DDNS name, set by a program on that system, from Afraid as they are a minimal aggravation compared to some others. https://freedns.afraid.org/menu/
  • Lots of IP Conflicts.

    0 Votes
    3 Posts
    1k Views
    @KOM: The MAC address d4:ca:6d:74:92:8a is for a device built by RouterBoard.  Was this your old DHCP server or some other device?  It appears to be spoofing a lot of your DHCP address range IPs. Yeah whatever that device is has a problem. Looks like it's proxy ARPing everything on the network.
  • Not Even Sure What I Want?

    0 Votes
    2 Posts
    631 Views
    I'm not sure what your internal DNS settings are, but you could try ticking the 'Register DHCP Leases in DNS Forwarder' under 'Services\DNS Forwarder'. Assuming your PFS is handling your DHCP internally and you're using the DNS forwarder.
  • PfSense (DNS, DHCP) + Active Directory | Issues - Seeking Help!

    0 Votes
    24 Posts
    10k Views
    @FreeMinded: Hi Isuress, I'm adding my 2 cents to this discussion without having read through it in detail (it's just too long…). We seem to be doing something similar to what you are doing. We have a central AD (Samba) running on, let's say, 192.168.10.5 in a /24 subnet. Several client networks (192.168.20.0/24, 192.168.21.0/24, 192.168.2x.0/24) each sit behind a pfSense which connects to the AD subnet through OpenVPN. After a lot of trying and testing we ended up with a pretty simple setup that works for us.

    1. AD domain is AD.yourcompany.com
    2. On every pfSense we use a domain override for AD.yourcompany.com pointing to the actual AD server

    This way all requests regarding the AD are actually forwarded to the AD. The rest is just treated "normally". No need for specific DHCP DNS settings or host overrides for the single AD DNS entries like _ldap... etc. Just make sure your AD knows how to get back to the clients by having the corresponding routes in your setup. I hope that helps...

    Hey there! Every little bit of information helps. That said, Johnpoz and I have already fixed the issue. It was a pretty long and arduous process as you can see, haha. That was one of the settings that had to be changed earlier on. There was other stuff in between. Thanks for the suggestion though :3
  • DNS Resolver (Unbound) is behaving inconsistently

    0 Votes
    15 Posts
    5k Views
    johnpoz
    All those use cases would be BROKEN ;)  The only actual use case where public DNS would not hand out a public IP is if you were using DNS as a block list, so for example you hand out bad info for a site that you don't want to go to.  Like a spam list, where domains' MX are returned as 127-something.. telling the client: that is BAD, don't use it! Public DNS is for the public to use.. You putting in some RFC 1918 address for a public name does not work for the public.  So if your plan is for it not to work, like a blacklist, then OK.  But if your idea is for someone to resolve that RFC 1918 address and actually get to it then no, it's a broken idea. Your stuff that needs to resolve some FQDN to an RFC 1918 address should be using a name server that is not public and hosts these records for your network to resolve, be it local, VPN road warrior, etc. Putting records in public DNS just for your clients to use is broken! If you want your clients and pfSense to resolve the same thing, then they need to point to the same name servers.. What is your use case for these RFC 1918 addresses? Be happy to discuss how your clients can resolve it without having to put it in public DNS.  Validation that RFC 1918 in public space is broken is the whole point of rebinding protection ;)  If your solution to some problem is putting RFC 1918 in your public domain, what I suggest you do is re-evaluate what your problem actually is and find an actual solution that does not require some public DNS server to resolve an FQDN it's authoritative for to RFC 1918.
  • DNS Forwarder, additional names are not saved

    0 Votes
    5 Posts
    1k Views
    @johnpoz: Not sure what you're wanting to do here, but how is leaving it blank a valid configuration? I just assumed everything was correct from the beginning. What you see in Image #1 worked perfectly fine before 2.3 and it still did after 2.3. Until I wanted to add a new host name under "Additional names". Which upon saving resulted in losing all hosts under "Additional names" instead, with no message telling me why. Until I tried the changes in my second post, image #4. And it all works again. So I must have used it wrong from the beginning, but it still somehow worked.
  • DHCP server backup/restore not working?

    0 Votes
    7 Posts
    2k Views
    johnpoz
    There was a thread somewhere about write to config permissions.  I recall seeing a thread about it a few days ago or so.
  • Can unbound work with ram disk on a full install (ssd)?

    0 Votes
    4 Posts
    906 Views
    No.  Just configured and enabled it.  Disabled DNS Forward.
  • DynDNS SPDNS update URL

    0 Votes
    2 Posts
    1k Views
    What did it change to?
  • Possible Bug in DHCP Server - Devs

    0 Votes
    1 Posts
    819 Views
    No one has replied
  • Clients without Host Name - Edit Host Override Question

    0 Votes
    7 Posts
    6k Views
    You can't add a host override directly to a MAC, but just add a static DHCP mapping for that MAC and define the hostname there, and enable registration of static mappings in DNS.
  • DNS with Multi-WAN

    0 Votes
    2 Posts
    1k Views
    Anybody please?
  • Services/DNS Resolver add host override with multiple ip addresses?

    0 Votes
    7 Posts
    5k Views
    Just trying to simulate real behavior in my test environment. So when the time comes to deploy the config on real hardware I want to be sure everything is OK and working as I supposed.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.