• Local domain name added to dns queries

    0 Votes
    5 Posts
    8k Views
    Thank you for the explanation. This has been driving me bats.
  • Problem with DNS forwarding

    0 Votes
    13 Posts
    4k Views
    Since you have a local DNS server, you can add an A record on your DNS server with the local IP address. I have done this for a Web server, so when you access the server by its outside registered DNS name, the Web server name resolves to an outside IP address from outside, and if you are local, the local DNS server resolves the Web server name to a local IP address. Chaining DNS servers should work the same way as long as you are local, since private IP addresses are not allowed on the internet.
  • DNS Behind VPN vs not

    0 Votes
    27 Posts
    7k Views
    @ryan29: Hey, I didn't get to this yesterday, but did it today: https://forum.pfsense.org/index.php?topic=106305.0 That's basically every step needed to configure a fresh install. That guide is excellent and I thank you for taking the time to put it together. I really appreciate your help with all of this. I am going to go through each of the steps that you outlined and make sure that my setup is properly configured. (If any moderators are reading this, I would like to suggest that ryan29's guide be stickied somewhere so newbies like myself can benefit from it.)
  • Unbound + search domain

    0 Votes
    6 Posts
    5k Views
    johnpoz
    Yup, that would work for sure.
  • Dnsmasq no longer working

    0 Votes
    4 Posts
    2k Views
    johnpoz
    Well, your browser is sending the host header for what you're wanting to go to at that IP. If that IP doesn't like the host header, then sure, it would most likely send you a 404 for what you're trying to look up. You can't just change the IP that is looked up for a site to something else and expect it to work; it depends on how the other site serves up the page. If you're saying it used to work, I would take it that they changed something on their end. As you can see from your query, dnsmasq is serving up what you set up.
  • PfSense as PXE boot server

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • The same domain, Intranet different resolve?

    0 Votes
    2 Posts
    501 Views
    johnpoz
    You want them to resolve to something that is not even their address? You would have to do it with views in BIND if you wanted to use the exact FQDN, or use subdomains, so:
        wifi.lan1.server.net 1.1.1.1
        wifi.lan2.server.net 1.1.1.2
        wifi.lan3.server.net 1.1.1.3
  • Unbound - do I need to "seed" root hints on a clean install?

    0 Votes
    18 Posts
    4k Views
    If I am reading this correctly, I have had the same problem. On my first install I had the resolver working. My reinstall of pfSense was done with IPv6 turned off immediately. I added static routes for my other networks. Normally my local LAN lives behind a layer 3 switch in different networks. Everything was working except DNS. If I plugged my local ISP's DNS servers into the PC IPv4 config it all worked, but I had my layer 3 switch handing out the pfSense IP for DNS and nobody could use DNS from pfSense. I could ping 8.8.8.8 no problem. I finally unchecked resolver and checked DNS forwarder and everything was working. Next time I will try to seed DNS. I spent about 2 hours on this because I had just had pfSense working. I could not figure out why DNS would not work. I wish I would have seen this thread last night. PS: I am not using DNSSEC. Just a basic install.
  • [Solved] dhcpleases: Other suffix in DHCP lease for [fqdn]

    0 Votes
    6 Posts
    2k Views
    johnpoz
    Yeah, I use local.lan myself; glad you got it all sorted! I don't see anyone grabbing up .lan anytime soon, but you never know now that pretty much anyone with some cash can set up their own .tld ;)
  • Forward all 8.8.8.8 DNS requests to another DNS

    0 Votes
    5 Posts
    4k Views
    Thanks - that's reassuring :)
  • 0 Votes
    1 Posts
    602 Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    Problem found: it turns out that unbound is not requesting recursion when talking to the remote resolver, but it is using EDNS to allow for larger replies. That should be okay, except the remote resolver was an older version of PowerDNS that was unhappy with this combination. I proved it using dig from a client talking to the remote resolver directly: adding +recurse returned the bad "formerr" reply. It turns out there's a project to upgrade the PowerDNS servers, to get things like an SQL backend instead of text file support, so this is a work in progress. We'll have to stay with dnsmasq / forwarder until the infrastructure is ready.
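    Added example, not Unbound, dig or PowerDNS code: a Python builder and decoder for raw DNS queries that makes the two properties this reply hinges on visible on the wire, the RD (recursion desired) bit in the header and the EDNS OPT pseudo-record in the additional section. The query name is constructed. With rd=False plus an OPT record it produces the shape the reply attributes to unbound; with rd=True it produces the shape of a default dig query, so the two can be compared before either is pointed at an old PowerDNS.

```python
"""Build and decode DNS query packets to show the RD flag and the EDNS OPT
record.  Added example; not Unbound, dig or PowerDNS code.  Names constructed."""
import struct
from typing import Dict, List, Optional, Tuple


def _encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    if name in ("", "."):
        return b"\0"
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\0"


def build_query(name: str, qtype: int = 1, rd: bool = True,
                edns_size: int = 0, xid: int = 0x2A2A) -> bytes:
    """One question, RD set or cleared, optional OPT RR (RFC 6891).
    rd=False with edns_size>0 is the combination the reply describes."""
    flags = 0x0100 if rd else 0x0000          # bit 8 of the flags word is RD
    arcount = 1 if edns_size else 0
    pkt = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, arcount)
    pkt += _encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN
    if edns_size:
        # OPT: root owner, TYPE 41, CLASS carries the UDP payload size,
        # TTL carries ext-RCODE/version/DO, RDLENGTH 0 (no options)
        pkt += b"\0" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt


def _decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Inverse of _encode_name; queries built here never use compression pointers."""
    labels: List[str] = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    return ".".join(labels) + ".", off


def describe_query(pkt: bytes) -> Dict[str, object]:
    """What the upstream server sees: RD bit, questions, EDNS presence and size."""
    _xid, flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    questions: List[str] = []
    for _ in range(qd):
        qname, off = _decode_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append(f"{qname} type {qtype}")
    edns: Optional[Dict[str, object]] = None
    for _ in range(ar):
        rname, off = _decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41 and rname == ".":
            edns = {"udp_size": rclass, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & 0x8000)}
    return {"rd": bool(flags & 0x0100), "questions": questions, "edns": edns}


if __name__ == "__main__":
    print(describe_query(build_query("example.net", rd=False, edns_size=4096)))  # as in the reply
    print(describe_query(build_query("example.net", rd=True, edns_size=4096)))   # dig default
    print(describe_query(build_query("example.net", rd=True)))                   # dig +noedns
</test>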
  • Reliable way to block 40,000+ domains?

    0 Votes
    2 Posts
    561 Views
    RonpfS
    Did you look at pfBlockerNG DNSBL with DNS Resolver? https://forum.pfsense.org/index.php?topic=102470.15
  • DHCP WAN problem with bridged wifi adapter

    0 Votes
    1 Posts
    590 Views
    No one has replied
  • Potential DNS Rebind attack detected, unable to solve it

    0 Votes
    3 Posts
    1k Views
    Sounds reasonable, I will try that.
  • Unstable connection

    0 Votes
    2 Posts
    835 Views
    Still could be either device; Realtek isn't my favourite NIC. Link is being detected as dropped, so you need to figure out which side dropped the link. Try connecting different devices and see if the link is still flapping.
  • Wildcard DNS entries

    0 Votes
    6 Posts
    33k Views
    @Yowsers: This is in the wiki as well. https://doc.pfsense.org/index.php/Wildcard_Records_in_DNS_Forwarder/Resolver Yes, and that page also misses a big gotcha. As someone coming from dnsmasq / "forwarder", I had multiple host overrides too. Unbound / resolver refuses to start if you set up a wildcard subdomain AND have host overrides that match. So you need to delete all the host overrides that use the same subdomain. If you want to override a host in your domain override with unbound, best to do it on the resolver at which you are pointing.
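    Added example (not pfSense's or Unbound's own code) tying together the "Problem with DNS forwarding" reply above, where a public name answers with its internal address for LAN clients, and the wildcard gotcha in this reply: a small Python generator for Unbound local-zone / local-data directives that refuses a host override sitting under a wildcard redirect zone before Unbound gets a chance to choke on it. The names and addresses are constructed, and the conflict rule is modelled on what this reply reports, not on Unbound's source.

```python
"""Generate Unbound local-zone / local-data directives for split-horizon host
overrides and wildcard subdomains, refusing the combination the reply above
reports as fatal at start-up.

Added example; not pfSense or Unbound code.  Names and addresses constructed.
"""
import ipaddress
from typing import Dict, List


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are exact."""
    return name.lower().rstrip(".")


def _under(name: str, zone: str) -> bool:
    """True if name is the zone apex or any name below it."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def _rrtype(ip) -> str:
    return "AAAA" if ip.version == 6 else "A"


def host_override(fqdn: str, addr: str) -> str:
    """Split-horizon record: LAN clients get the internal address for the public
    name.  ip_address() rejects anything that is not an address literal."""
    ip = ipaddress.ip_address(addr)
    return f'local-data: "{_norm(fqdn)}. {_rrtype(ip)} {ip}"'


def wildcard_zone(zone: str, addr: str) -> List[str]:
    """Wildcard subdomain: a redirect local-zone answers every name under the
    apex with the apex's own data."""
    ip = ipaddress.ip_address(addr)
    z = _norm(zone)
    return [f'local-zone: "{z}." redirect',
            f'local-data: "{z}. {_rrtype(ip)} {ip}"']


def build_config(overrides: Dict[str, str], wildcards: Dict[str, str]) -> List[str]:
    """Emit directives; raise instead of writing a host override that a wildcard
    redirect zone would shadow (the gotcha reported in the reply above)."""
    shadowed = sorted(h for h in overrides if any(_under(h, z) for z in wildcards))
    if shadowed:
        raise ValueError("host overrides under a wildcard zone: " + ", ".join(shadowed))
    lines = [host_override(h, a) for h, a in sorted(overrides.items())]
    for z, a in sorted(wildcards.items()):
        lines.extend(wildcard_zone(z, a))
    return lines


if __name__ == "__main__":
    # Constructed data: a public site served internally from a private address,
    # plus a wildcard for everything under lab.example.com.
    print("\n".join(build_config({"www.example.com": "192.168.1.20"},
                                 {"lab.example.com": "192.168.1.30"})))
    try:
        build_config({"www.example.com": "192.168.1.20",
                      "box1.lab.example.com": "192.168.1.31"},
                     {"lab.example.com": "192.168.1.30"})
    except ValueError as err:
        print("refused:", err)
```

    The emitted lines drop into the custom options of the Resolver page or a server: block of unbound.conf; the point of the check is that the overlap is caught at generation time, where the message names the offending hosts, rather than at service start.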
  • Access by hostname, not by IP address

    0 Votes
    2 Posts
    660 Views
    johnpoz
    Are you using the forwarder? New versions of pfSense use the resolver by default. So if you set up a host override for cisco.yourdomain.tld, then your clients using that DNS should be able to hit smb://cisco.yourdomain.tld. This is simple enough to verify with a simple DNS query.
  • PXE Redundancy

    0 Votes
    2 Posts
    917 Views
    jimp
    There isn't a way to have multiple next-servers; IIRC in the spec the field is only four bytes. You could run some IP-level redundancy on the next-server IP address (like CARP, VRRP, or something like keepalived on Linux).
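    Added example, not pfSense or ISC DHCP code: a Python pack/parse of the fixed BOOTP/DHCP header from RFC 2131 showing the single 4-byte siaddr field that carries next-server, which is why a second address has nowhere to go. The addresses, transaction ID, boot file name and MAC are constructed.

```python
"""Pack and parse the fixed DHCP/BOOTP header (RFC 2131 section 2) to show that
next-server is one 4-byte field, siaddr.  Added example; not pfSense or ISC
DHCP code.  All packet values are constructed."""
import socket
import struct
from typing import Dict

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128): 236 bytes before the options field.
_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HEADER_LEN = struct.calcsize(_HDR)   # 236
SIADDR_OFFSET = 20                   # 4 + 4 (xid) + 2 (secs) + 2 (flags) + 4 (ciaddr) + 4 (yiaddr)


def build_offer(xid: int, yiaddr: str, next_server: str, boot_file: str, mac: bytes) -> bytes:
    """Minimal DHCPOFFER fixed header.  next_server is packed into siaddr; the
    format string has no second slot for another server."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    file_field = boot_file.encode()
    if len(file_field) > 128:
        raise ValueError("boot file name exceeds the 128-byte file field")
    return struct.pack(
        _HDR,
        2, 1, 6, 0,                    # BOOTREPLY, Ethernet, hlen 6, hops 0
        xid, 0, 0x8000,                # secs 0, broadcast flag set
        b"\0" * 4,                     # ciaddr: client has no address yet
        socket.inet_aton(yiaddr),      # address being offered
        socket.inet_aton(next_server), # siaddr: the one and only next-server
        b"\0" * 4,                     # giaddr: no relay
        mac.ljust(16, b"\0"),
        b"\0" * 64,                    # sname unused
        file_field.ljust(128, b"\0"),
    )


def parse_header(pkt: bytes) -> Dict[str, object]:
    """Decode the fields a PXE client reads to find its TFTP server and file."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("truncated DHCP header")
    f = struct.unpack(_HDR, pkt[:HEADER_LEN])
    return {
        "op": f[0],
        "xid": f[4],
        "yiaddr": socket.inet_ntoa(f[8]),
        "siaddr": socket.inet_ntoa(f[9]),
        "siaddr_raw": pkt[SIADDR_OFFSET:SIADDR_OFFSET + 4],
        "file": f[13].rstrip(b"\0").decode(),
    }


if __name__ == "__main__":
    offer = build_offer(0x1234ABCD, "192.168.1.50", "192.168.1.2", "pxelinux.0",
                        bytes.fromhex("001122334455"))
    print(parse_header(offer))
```

    Because the field is a single IPv4 address, the redundancy jimp describes has to live at the IP layer: point siaddr at a CARP or VRRP virtual address that fails over between TFTP hosts, and the packet never changes.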
  • Force safe search with host overrides

    0 Votes
    5 Posts
    3k Views
    johnpoz
    I am not a fan of redirecting traffic. I would block access to outside DNS, and if they want working DNS they have to use yours. This is much better IMHO than redirecting traffic that the user might not know is redirected. Authoritative is the name server that actually holds and owns the records for a domain. Pretty much every other server just asks another recursive server if it is a forwarder, or, if it is a resolver, will end up asking the authoritative server. Unless you install the bind package on pfSense, the two included with pfSense, dnsmasq and unbound, are really just recursive caching name servers. Dnsmasq is just a forwarder, while unbound can be a forwarder, or it is better at being a true resolver, i.e. it walks down the tree from the root servers until it finds the owning authoritative nameservers for whatever domain you're wanting to look something up in, e.g. pfsense.org or google.com. Here are the authoritative servers for pfsense.org:

        ;; QUESTION SECTION:
        ;pfsense.org.                   IN      NS

        ;; ANSWER SECTION:
        pfsense.org.            300     IN      NS      ns2.pfmechanics.com.
        pfsense.org.            300     IN      NS      ns1.pfmechanics.com.
        pfsense.org.            300     IN      NS      ns3.pfmechanics.com.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.