• PFsense unable to connect to internet + AD DNS problems

    0 Votes, 8 Posts, 2k Views
    Best scenario I can think of is to set your SBS server as your PFS's DNS forwarder. Set the DNS forwarders on the SBS to point to an external public DNS server. That way, all your LAN hosts as well as your firewall can resolve internally and externally.
  • Dhclient not renewing wan when lease is up.

    0 Votes, 4 Posts, 1k Views
    Mad Professor's issue is an ISP problem. First it's trying to renew via unicast to the server that gave it the lease, which isn't replying to unicast requests (which, per RFC, it should, but that's not a problem in itself). Then it falls back to broadcast and obtains a new lease from the same server. Then 2 hours after that, when it got a 12 hour lease, it stops working until released and renewed. It likely would have recovered on its own had you waited 6 hours, when it would have gone through renewal on its own. DHCP won't renew until half the lease time has passed, so breaking your connection 2 hours into a 12 hour lease is the ISP breaking something. pyttsen: no telling what's happening in your case without seeing the dhclient logs.
  • DHCP "JAM"

    0 Votes, 4 Posts, 1k Views
    Wouldn't be looping. You're sending the offer, either the network in between is dropping it so it never reaches the client, or the client isn't accepting it. Most likely the former, could be the latter.
  • Set unbound to reply more smarter to firewall's own domain

    0 Votes, 6 Posts, 2k Views
    johnpoz:
    I know exactly what a wild card cert is - but that has NOTHING to do with DNS, nor did you mention it in your post.. Why would you be accessing pfSense from multiple names… Why not just access pfsense.example.org when you hit the GUI.. You could always just use different host names, pfsense-dmz.example.org, pfsense-wifi.example.org - now your wild card is still valid.. If bind does not support 0x20 (have not looked into that), then just forward to unbound to do your public lookups.. Nothing says that DNS has to be run on pfSense, or that pfSense has to do the external queries, etc.. You seem to want your cake and eat it too ;)
  • Custom dynamic dns not working with iwantmyname.com

    0 Votes, 1 Post, 706 Views
    No one has replied
  • VMware is bypassing openDNS servers

    0 Votes, 9 Posts, 2k Views
    Thanks JohnP, everything is working and I am good to go.  ;D
  • Unbound providing LAN nameservice? Please post config!

    0 Votes, 10 Posts, 2k Views
    @MMacD: @johnpoz: If you want it to provide services to LAN, then it would need to listen on LAN.. And then most likely you would set it to only query on WAN.. So for example here is that section of my config. Exactly what I thought! But it refused to let me, saying _The following input errors were detected: This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces._ I don't know if you ever sorted this out, but I received the same message when I was making changes to DHCP resolver. I was able to fix this by choosing localhost for "network interfaces" and de-selecting localhost for "outgoing network interfaces". Maybe this would help you too? (I originally posted that in this thread: https://forum.pfsense.org/index.php?topic=106305.msg593028#msg593028)
  • Unbound Querys to NAUGHTY! Servers

    0 Votes, 2 Posts, 864 Views
    johnpoz:
    "Why is resolver (unbound) making DNS request to these non root servers?" Because they are the authoritative name servers for some domain something asked for… You do understand unbound just uses roots to find the authoritative servers for the domain you're looking for, right - and then goes and asks them directly..

        ;; ANSWER SECTION:
        93.56.75.185.in-addr.arpa. 86400 IN    PTR    ns1.maxtv-ks.net

    So clearly those are the name servers for maxtv-ks.net

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;maxtv-ks.net.                  IN      SOA
        ;; ANSWER SECTION:
        maxtv-ks.net.          86400  IN      SOA    maxtv-ks.net. root.maxtv-ks.net. 100 3600 60 604800 86400
        ;; AUTHORITY SECTION:
        maxtv-ks.net.          86400  IN      NS      ns1.maxtv-ks.net.
        maxtv-ks.net.          86400  IN      NS      NS2.maxtv-ks.net.
        ;; ADDITIONAL SECTION:
        ns1.maxtv-ks.net.      86400  IN      A      185.75.56.93
        NS2.maxtv-ks.net.      86400  IN      A      185.75.56.94
        ;; Query time: 156 msec
        ;; SERVER: 185.75.56.93#53(185.75.56.93)
        ;; WHEN: Sun Feb 14 04:47:23 Central Standard Time 2016
        ;; MSG SIZE  rcvd: 150

    They may be name servers for lots and lots of other domains as well... If you don't want unbound doing queries for them, then I would find out what is asking for stuff they are authoritative for..
  • Dnsmasq exited on signal 11

    0 Votes, 10 Posts, 3k Views
    One week and no crashes at all! Seems like this was the solution!
  • DNS Rebind issue, possibly need split DNS

    0 Votes, 6 Posts, 2k Views
    @jeffboyce: So to make sure I am clear, what you are describing is not split DNS at all.  I just need to have a fixed DNS record for cloud.companydomain.com pointing back to my internal box. No, it is split DNS. An internally defined DNS zone which resolves internal addresses against hosts which also have external addresses defined externally is split DNS.
  • Multiple MAC addresses for one hostname with static DHCP

    0 Votes, 1 Post, 553 Views
    No one has replied
  • What service for DynDNS when pfSense is behind another router

    0 Votes, 2 Posts, 820 Views
    Maybe this video helps you. Setting up Domain Name (Dynamic DNS) for Verizon Fios Router: https://www.youtube.com/watch?v=nIPi1Hf3SOA
  • Unbound won't return firewall's own ip

    0 Votes, 9 Posts, 2k Views
    johnpoz:
    Why would it forward?? Its default mode is resolve… Did you put it into forwarding mode?? That is a different problem than answering your queries for local stuff.. Here is the part you need to understand about the query method of Windows:

    3. "the DNS Client service sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response."

    "if it has not received a response from any DNS server on a specified adapter, then for the next 30 seconds, the DNS Client service responds to all queries destined for servers on that adapter with a timeout and does not query those servers"

    "If at any point the DNS Client service receives a negative response from a server, it removes every server on that adapter from consideration during this search."

    Also you need to read this, which gives better examples of where a query might go: http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx

    The client tries to resolve a name and DNS1 times-out but DNS2 answers. The next query that this client tries to resolve is going to go DNS2 first before being retried in DNS1, because DNS2 would have a higher priority than DNS1. Configure the clients to point to more than one DNS server for fault-tolerance. Do not list more than one server to overcome disjoint DNS namespaces, and if you are going to do so, understand the risks and consequences.

    Why don't you watch what it queries via a sniff!! You can not be sure that it's actually doing a query to the one listed first… You just can not... And using 2 different servers, 1 local that resolves local stuff and one that does not resolve local stuff, is going to cause you pain.. That is a disjointed namespace.. As to unbound not resolving public stuff or local having to do with you doing queries to 4.2.2.1???? How does that show anyone that unbound is not working??? Out of the box, and even from your screenshot, unbound is not in forwarder mode, it's a resolver.. So it's going to work its way down from roots to find the authoritative server for what you're looking for so it can query it directly for the record you're looking for.. If you have outbound 53 blocked to the internet other than to specific nameservers or address space, then the resolver is not going to work.. If your ISP forces you to use their DNS then resolver mode is not going to work.. Why not sniff on your WAN, where unbound will do its queries when you ask it for something, so you can see what is happening..
  • DHCP Static mapping not showing IP for my device

    0 Votes, 1 Post, 486 Views
    No one has replied
  • ISCSI root path?

    0 Votes, 1 Post, 1k Views
    No one has replied
  • Automatique and - unwelcome dhcp suffix change

    0 Votes, 2 Posts, 782 Views
    jimp:
    Is that your WAN? Some cable modems, especially Motorola SURFboards, will hand out 192.168.100.x addresses with a 30 sec lease when they have lost sync on the line with the cable provider. Ostensibly that is so you can reach the modem to configure it during an outage; in reality it's a PITA to deal with. You can put "192.168.100.1" in the reject leases box on the WAN to stop it from accepting those requests.
  • Unbound refuse to clear cache!

    0 Votes, 9 Posts, 14k Views
    That's why I can reach it from some parts, and some parts not, on the net… Time to start digging more around this now! Cheers for the feedback all! :)
  • DHCP dynamic + static - Internet access only for STATIC clients

    0 Votes, 3 Posts, 724 Views
    …while I couldn't sleep last night I came to the same conclusion! :-D Thanks for the reply to this NOOB mistake. Now I disabled the "Enable static ARP entries" requirement, but only on this interface. Let's see how the dynamic clients behave today! Is it a problem if "static ARP" is enabled on other interfaces, does this have to be consistent over all interfaces? I remember a recent problem that the list of static ARP is shared across interfaces...
  • 0 Votes, 1 Post, 648 Views
    No one has replied
  • Specify outgoing interface in Resolver for domain overrides?

    0 Votes, 3 Posts, 688 Views
    kesawi:
    Do the domain overrides go to a different DNS server IP? If so, you may be able to set up some firewall rules or static routing to direct the query through the relevant gateway.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.