Other than DHCP showing the in-scope lease and the out-of-scope reservation, are you having an issue?
Is the client receiving the expected address?

@Zotan well if your going to forward for the reverse you would to setup the in-addr.arpa zone to be forwarded.

lets say you have zone1.home.arpa and zone2.home.arpa and zone3.home.arpa

and lets say 192.168.1/24 is zone1, and zone2 is using 192.168.2/24 and zone3 is 192.168.3/24

Create your forward for 2.168.192.in-addr.arpa to point to your pfsense for that zone, and then do 3.168.192.in-addr.arpa for zone3

So for example I setup NS on my nas dns.. for both the forward zone testlocal.home.arpa and the reverse zone 0.168.192.in-addr.arpa created some records in it.. And setup some domain overrides to forward to my nas at 192.168.9.10

ptr.jpg

@coxhaus Thanks to answer.

I think I dont have choice to user another DHCP than pfsense for that case ... I dont understand why developper never worked on that? With all research I've done about that, a lot of people tried to do that with pfsense without success!!! Finally use another like Microsoft one!

Thanks!

@Gertjan
I think I will stay with DNS Forwarding on port 53 to QUAD9. I don't think anybody will hack from a US big ISP to QUAD9. I think it is a better risk than a query to a China DNS server using unbound. They could be making lists of all the queries hitting their servers. I rather not be on that list.

I am not interested in getting a returned broadcast address or a private address. Maybe I will install SNORT again. I think they have a DNS packet inspector.

@patient0 Thanks man ! I never even saw there was a 'Custom (v6)' option.

@marc-vandevliet_proiect-be

The root cause turned out to be an intermittend issue with arp, caused by a config error (resulting in 'looping' one vlan) on a Mikrotik switch.
Troubleshooting this by activating logging on my NG8200 aggravated the issue, because extensive logging seems to bring down a firewall quickly ...

Learned a few lessons ...

Upgraded again to 24.03 (but stayed on ISC) and removed the static arp entries in my PFSense+ DHCP leases, as they also tend to complicate matters, when troubleshooting.

the problem was indeed in Pfsense side (I forget a parameter deny unknow client...)

I found the problem, hopefully this is useful to someone in the future.

Domain overrides do work with unbound. My mistake was that I had not enabled the interface to C in Services -> DNS Resolver-> General Settings -> Outgoing Network Interfaces Which explains why the requests were never being sent.

@MrPete

OK, let's see if I can make things clearer. I run the resolver that's included with pfSense.
Guests are not allowed to access anything on my network, including DNS. The only thing they can do is ping the VLAN interface.
I used static mapped IPv4 addresses for everything that lives here, other than my desktop computer and, of course, pfSense. I use SLAAC for IPv6.
Local DNS has an entry for all those devices for both IPv4 and IPv6 addresses.
Since I run a resolver, there's no forwarding involved.

@fdfdfff2

Microsoft Windows [version 10.0.22631.3593] (c) Microsoft Corporation. Tous droits réservés. C:\Users\Gauche>nslookup maps.google.com Serveur : pfSense.xxxx.yyyy Address: 2a01:cb19:dead:beef:92ec:77ff:fe29:392c Réponse ne faisant pas autorité : Nom : maps.google.com Addresses: 2a00:1450:4007:819::200e 142.250.178.142 C:\Users\Gauche>curl maps.google.com <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://maps.google.com/maps">here</A>. </BODY></HTML>

Using a ordinary Windows PC, and pfSense using mostly default settings.
Can't say more then this : go over what you've changed/added, undo/remove that, and you'll be fine.

@The-Party-of-Hell-No
Another post:

https://forum.netgate.com/topic/187510/dns_probe_finished_nxdomain-sporadically-for-anywhere-from-30secs-to-10min-works-flawlessly-at-all-other-times/31

@mwierowski said in Unbound crashing randomly after 24.03 upgrade:

@Gertjan, so far, since unchecking that option, I haven't seen a single restart of unbound. Hopefully, this will resolve the issue. Thanks again for your help.

I'd expect so. If you do need registration, the other option is to set a longer lease time. Clients normally renew their leases at 1/2 the lease duration. So a 1 hour lease with 30 devices would be an average of once per minute.

I believe Netgate is working on improving this when they are further along in transitioning to Kea DHCP.

@Gertjan That's strange then since DHCP is turned off on both of them.
Yeah these are client lists from the 2 APs on the network right now, I wasn't sure if it was relevant but I just thought it might be interesting

It could be implementing similar way how DNS overrides are. Example: Kea.jpg

@Gertjan
You’re correct of course, but that’s why I’ve built a new one on initially 2.6 and that’s the one that’s having issues
I’m not anyway an networking expert - just attempting to understand the “black art” and although some would say just use a consumer asus or netgear router powers that be have blocked the once useable wrt router hacks to allow vpns and other stuff
Anyways- thanks for your help
In the end there is a big chasm between engineers and end users

@Gertjan said in DNS error:

Also : check every device connected to pfSense, and check every application (system, browser, everything) that it using the pfSense IP as a DNS.
Be aware that browser, when you install them these days, can do (will do) DOT/DOH themselves, completely bypassing pfSense, bypassing unbound (and where unbound forwards to = your 194.242.2.4)

With my rules, I think impossible to bypass))

cc42b186-3fb3-4a7e-9b9b-55d32d494497-image.png

639afd55-7c87-4f17-bca9-236d70a91f45-image.png

10795f50-6b06-414c-b6df-af852d980f6b-image.png

d5047651-cb0d-45b9-83c0-b2cc98489805-image.png

Perfect - you are right, thanks so much!