• Can someone tell me whether this is right?

    2
    0 Votes
    2 Posts
    500 Views
    johnpoz
    How do you think the proxy looks up the IP of where you want to go? It gets forwarded to what you set up as your DNS - which is clearly OpenDNS.
  • DHCP issues after VPN setup

    6
    0 Votes
    6 Posts
    970 Views
    johnpoz
    Well, 0.0.0.0/0 would route everything through the tunnel ;) Yes, set the remote networks to what they are and you should be good to go.
  • DNS configuration for remote site

    2
    0 Votes
    2 Posts
    2k Views
    johnpoz
    So why not just point the forwarder in pfSense at your remote site (clients use pfSense for DHCP and DNS) to your DC in your main site. You will then be able to look up anything domain related. When you ask it for, say, google, the DC will forward that to your pfSense using the resolver and blocker. Say you look up www.pfsense.org; that is not blocked… Your remote client will get that IP, then use pfSense at its site to go to that IP using their internet connection. This way you have access to all your AD DNS stuff and still leverage the blocker..
  • Destination Address Range Error

    3
    0 Votes
    3 Posts
    1k Views
    johnpoz
    That is not how you would put in a network.. If you have a subset of a network that is not on a specific mask, then you would need to create an alias that contains the range of IPs you want to block.. In your specific example see my attached. So I create an alias, I put in the range, and once you hit save it will create a list of each IP in that range. Then in your firewall rule you pick the alias name, in my case blockrange. But I am curious what you're trying to accomplish exactly.. So you only want 192.168.2.1 to .19 to be able to query outside DNS?? It's normally better to do an allow or block on the least number of entries. So in your case you have only 1-19 that you want to allow, so it's easier to create an allow for that range and then just block everyone else. If you explain what you want to accomplish exactly and post up your current rules, sure, plenty of people are willing to help you write the rules in the most efficient and logical manner possible. [image: networkrangealias.png]
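Added example (not from the post or from pfSense itself) illustrating the two points of the "Destination Address Range Error" reply above: why 192.168.2.1-.19 cannot be written as one network/mask and must become an alias that expands to individual hosts, and why "allow the short list, then block everyone else" is the cheaper rule order. The alias name `dns_allowed`, the rule table and the `evaluate` matcher are constructed stand-ins for the pfSense GUI objects, not pfSense's own format.

```python
import ipaddress

# Constructed example values (not from the forum post's screenshot): the range the
# poster wanted to allow out to public DNS, and an assumed alias name for it.
ALIAS_NAME = "dns_allowed"
RANGE_FIRST = "192.168.2.1"
RANGE_LAST = "192.168.2.19"


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last inclusive.
    A range needing more than one block cannot be typed as a single network/mask,
    which is the "destination address range" error the thread is about."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def expand_alias(first, last):
    """What the pfSense alias does on save: one table entry per host in the range."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(ipaddress.ip_address(n)) for n in range(int(start), int(end) + 1)]


# Aliases as a name -> set-of-addresses table, the way a rule engine consumes them.
ALIASES = {
    ALIAS_NAME: frozenset(ipaddress.ip_address(a)
                          for a in expand_alias(RANGE_FIRST, RANGE_LAST)),
}

# Rule list in the order the post recommends: allow the short list, then block the rest.
# Each tuple is (action, source alias or "any", destination port or "any"); first match
# wins, as on a pfSense interface rule tab. Port 53 is DNS. This models the rule logic
# only; it is not pfSense's rule syntax.
RULES = [
    ("pass",  ALIAS_NAME, 53),     # 192.168.2.1-.19 may query outside DNS
    ("block", "any",      53),     # everybody else on the segment may not
    ("pass",  "any",      "any"),  # all other traffic unaffected
]


def evaluate(src_ip, dst_port, rules=RULES, aliases=ALIASES):
    """Return the action of the first rule matching this source and destination port."""
    src = ipaddress.ip_address(src_ip)
    for action, alias, port in rules:
        if port != "any" and port != dst_port:
            continue
        if alias != "any" and src not in aliases[alias]:
            continue
        return action
    return "block"  # nothing matched: the firewall's implicit default deny


if __name__ == "__main__":
    print("CIDR blocks needed:", range_to_cidrs(RANGE_FIRST, RANGE_LAST))
    print("alias entries created on save:", len(expand_alias(RANGE_FIRST, RANGE_LAST)))
    for ip, port in [("192.168.2.5", 53), ("192.168.2.20", 53), ("192.168.2.20", 443)]:
        print(ip, port, "->", evaluate(ip, port))
```

Running it shows the range needs five CIDR blocks (/32, /31, /30, /29, /30), which is exactly why the GUI rejects it as a single network and why the alias expands to 19 host entries; the two-rule allow/block pair then covers the whole segment without listing the hosts that are blocked.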
  • DNS Forwarder just does not work.

    5
    0 Votes
    5 Posts
    886 Views
    D
    Running my DNS Forwarder with no issues as well. I'm set to ALL interfaces and have 2 of the register settings checked. My DNS is pointed at OpenDNS servers. [image: DNS_pfsense.JPG]
  • Local DNS resolution on pfSense box

    8
    0 Votes
    8 Posts
    3k Views
    johnpoz
    Dude, if you're using the resolver.. you wouldn't use outside DNS… All your pfSense box needs to do is point to itself, and the resolver would look up stuff directly. pfSense has defaulted to using the resolver for quite some time. Are you using the resolver or the forwarder? If resolver, the only entry pfSense should have is itself, 127.0.0.1. Why would getting your DNS from your ISP be better?? More often than not their DNS blows ;) And you are almost always better off using what you want to use as your forwarder, or just being your own resolver is a much better solution all the way around. Which is what pfSense defaults to.
  • DNS resolves wrong

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    More than welcome ;)  Glad I could be of help!
  • Possible to use different upstream DNS servers for certain clients?

    7
    0 Votes
    7 Posts
    2k Views
    M
    Yes, from a client that I am routing out a DNS connection, I don't want my ISP to be able to see any information that could show internet history. If I use a service to check for DNS leaks, it is listing my real IP address as DNS server, which I have come to understand could be an issue. Perhaps I am misunderstanding how this should work. I use firewall rules to route certain clients out my VPN gateway interface.
  • DNS server and gateway by IP address and destination?

    20
    0 Votes
    20 Posts
    2k Views
    KOM
    Happy to send you some referral links if you want; the $15 a year comes with IPv6 as well. Please post them publicly. I'd be interested in not just cheap VPS but reliable from your point of view.
  • Static mappings are being ignored

    5
    0 Votes
    5 Posts
    2k Views
    johnpoz
    ^ That is not how it works.. The client requests his old lease; his lease is still there, so sure, the DHCP server will give it out. You can get with the writer of the DHCP server if you feel it should be smart enough to say "oh, you have a reservation, I can not give you the old lease you had with me, I can only give you this new reservation." That sort of code is not a pfSense thing but a DHCP server thing. But guess you could put in a feature request to allow the pfSense GUI to delete what it sees as live. But a simple solution is to just stop the DHCP server, edit the lease file to remove your specific lease, or just delete the lease file and let it rebuild:

        rm /var/dhcpd/var/db/dhcpd.leases
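Added example (not the poster's code and not part of pfSense) for the "edit the lease file to remove your specific lease" option in the "Static mappings are being ignored" reply above: instead of deleting the whole dhcpd.leases file, it drops only the lease blocks belonging to the client's MAC so every other client's lease survives. The ISC dhcpd.leases layout (one `lease <ip> { ... }` block per assignment, appended on every renewal) is real; the sample file contents, hostnames and MACs are constructed for the demonstration, and the script assumes dhcpd has been stopped first, as the post says.

```python
import re
import sys

# Constructed sample of /var/dhcpd/var/db/dhcpd.leases (ISC dhcpd format). Not a real
# capture. dhcpd appends a block on every renewal and keeps the old ones, so a MAC can
# appear several times; the last block for an IP is the current state.
SAMPLE_LEASES = """\
# The format of this file is documented in the dhcpd.leases(5) manual page.

lease 192.168.1.50 {
  starts 3 2024/01/10 12:00:00;
  ends 3 2024/01/10 14:00:00;
  cltt 3 2024/01/10 12:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.51 {
  starts 3 2024/01/10 12:05:00;
  ends 3 2024/01/10 14:05:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "printer";
}
lease 192.168.1.50 {
  starts 3 2024/01/10 13:00:00;
  ends 3 2024/01/10 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
"""

# One whole lease block: "lease <ip> {" on its own line through the closing "}" line.
LEASE_BLOCK = re.compile(r"^lease\s+(\S+)\s*\{\n(.*?)^\}\n", re.M | re.S)
HW_ETHER = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]+);")


def remove_leases_for_mac(text, mac):
    """Drop every lease block whose 'hardware ethernet' equals mac (case-insensitive).
    Returns (new_text, removed_ips). Comments, blank lines and other clients' leases
    are passed through unchanged."""
    mac = mac.lower()
    removed = []

    def drop_if_match(m):
        found = HW_ETHER.search(m.group(2))
        if found and found.group(1).lower() == mac:
            removed.append(m.group(1))
            return ""
        return m.group(0)

    return LEASE_BLOCK.sub(drop_if_match, text), removed


def main(argv):
    # Usage (after stopping dhcpd): prune_lease.py /var/dhcpd/var/db/dhcpd.leases 00:11:22:33:44:55
    if len(argv) != 3:
        print("usage: prune_lease.py <dhcpd.leases path> <mac>", file=sys.stderr)
        return 2
    path, mac = argv[1], argv[2]
    with open(path) as fh:
        original = fh.read()
    new_text, removed = remove_leases_for_mac(original, mac)
    with open(path + ".bak", "w") as fh:   # keep a copy before rewriting
        fh.write(original)
    with open(path, "w") as fh:
        fh.write(new_text)
    print("removed lease blocks for:", ", ".join(removed) or "(none)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the sample above, pruning `00:11:22:33:44:55` removes both of that client's 192.168.1.50 blocks and leaves the printer's lease and the header comment intact; once dhcpd is started again the client has no old lease to ask for, so the static mapping is what it gets.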
  • How to resolve host with two IP addresses?

    5
    0 Votes
    5 Posts
    754 Views
    johnpoz
    Agreed, if you call it laptop.yourdomain.tld - and this is registered in DNS, be it has IP on wired or wireless, what does it matter that those addresses are the same? You're not going to be able to do this with DHCP. You can not assign reservations for 2 different MACs to get the same IP.. Defeats the whole purpose of a reservation. If you want it to get the same IP be it wireless or wired, change the MAC on one of the interfaces to be the same as the other. Just make damn sure you never have both the wired and wireless enabled at the same time.
  • REMOTE Domain Resolution

    2
    0 Votes
    2 Posts
    813 Views
    johnpoz
    So you have 2 domains there - what port are they hosted on.. DNS has nothing to do with what ports some site is hosted on. I show them both resolving:

        ;; ANSWER SECTION:
        www.oinnos.com.br.      14400  IN      CNAME  oinnos.com.br.
        oinnos.com.br.          14400  IN      A      177.47.103.78
        ;; AUTHORITY SECTION:
        oinnos.com.br.          86400  IN      NS      ns1.oinnos.com.br.
        oinnos.com.br.          86400  IN      NS      ns2.oinnos.com.br.
        ;; ADDITIONAL SECTION:
        ns2.oinnos.com.br.      14400  IN      A      177.47.103.79
        ns1.oinnos.com.br.      14400  IN      A      177.47.103.78

        ;; QUESTION SECTION:
        ;www.sadeinfo.com.br.          IN      A
        ;; ANSWER SECTION:
        www.sadeinfo.com.br.    14386  IN      CNAME  sadeinfo.com.br.
        sadeinfo.com.br.        14387  IN      A      177.47.103.78
        ;; AUTHORITY SECTION:
        sadeinfo.com.br.        86386  IN      NS      ns1.servidorbrasil.info.
        sadeinfo.com.br.        86386  IN      NS      ns2.servidorbrasil.info.

    To the same IP 177.47.103.78, which pings, and the sites come up.. So are you not able to resolve them? That would explain why you can not ping them or get to their sites.

        user@clean:~$ ping 177.47.103.78
        PING 177.47.103.78 (177.47.103.78) 56(84) bytes of data.
        64 bytes from 177.47.103.78: icmp_seq=1 ttl=54 time=160 ms
        64 bytes from 177.47.103.78: icmp_seq=2 ttl=54 time=155 ms
        64 bytes from 177.47.103.78: icmp_seq=3 ttl=54 time=158 ms

    They are on standard HTTP port 80.. [image: sites.png]
  • DNS & Active Directory issues

    11
    0 Votes
    11 Posts
    6k Views
    johnpoz
    Dude, how are you going to troubleshoot DNS if you don't even know how to do a query?? nslookup, dig, drill, host – all valid tools for doing a simple query. If you say dcdiag is good - then post it! Can not help if you can not provide information... You say your clients can not find your domain - then test it with a simple query!! And let's figure out why it doesn't work: https://technet.microsoft.com/en-us/library/cc959303.aspx Verifying Your Basic DNS Configuration. Since you don't have DNS on pfSense even on... How exactly is pfSense even involved in your problem? You might have better luck on an MS forum; they are still going to want you to be able to do a simple DNS query!
  • Lan's to DMZ FQDNS resolving

    2
    0 Votes
    2 Posts
    717 Views
    johnpoz
    "As I do not have an internal DNS server" So you do not have pfSense running forwarder or resolver for DNS - your clients do not point to the pfSense IP in their segment for DNS?? They point to your ISP or public DNS on all your clients? If you point your clients to pfSense you can create host overrides for your FQDN to point to your local IP addresses, so that your local clients can access them by name vs using IP or having to set up that abomination that is NAT reflection or loopback forwarding, etc..
  • Unable to port forward UDP 53

    15
    0 Votes
    15 Posts
    5k Views
    johnpoz
    So you have a computer and need to host your DNS for why exactly?? What should be local is local DNS; you need to resolve your stuff that is not public.. Anything that is public, dude, really leave the hosting of that to the companies that do that for their bread and butter. Is your DNS IPv6? So you have geographic diversity, what about carrier? Who are the internet providers, who are the peers? Are they in a DC where you have DDoS protection, or could someone with a decent home connection take down your DNS ;) How many domains do you have? Do you have IPv6 connectivity? There really is just no reason to host your own DNS, other than your own local authoritative and recursive caching servers..
  • Losing DHCP through bridged interface.

    1
    0 Votes
    1 Posts
    474 Views
    No one has replied
  • PFBlockerNG DNSBL with AD

    9
    0 Votes
    9 Posts
    5k Views
    J
    I ended up having to do this additional step, as how I had it working was wrong: I had my AD DNS IPs in pfSense DNS servers and my AD DNS server was pointing to the IP of pfSense. I don't know how it was working that way, but it was working quite slow :-( So I now have my ISP's DNS server IPs in pfSense under General and my AD DNS servers' forwarders pointing back at pfSense. I have rules set up in my AD DNS servers for Hulu & Netflix to use Unotelly DNS. I have put in the domain override for my local network as suggested? Everything seems to be working and speed is back to normal. I appreciate your help :-) Regards Jamie
  • 0 Votes
    6 Posts
    2k Views
    M
    JP is absolutely right. I hadn't thought to check the DNS for that zone myself. So your public DNS is serving up private addresses?!!
  • High availability DHCP issues

    1
    0 Votes
    1 Posts
    689 Views
    No one has replied
  • [solved] DHCP router option for Linux hosts

    2
    0 Votes
    2 Posts
    413 Views
    G
    Found the problem… for some reason the router in the route table is shown as an FQDN and DHCP wasn't configured to provide a domain search list, as shown in the attached pictures. [image: route.PNG] [image: dhcp_domain.PNG]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.