• KEA DHCP - lacking features

    5 Votes
    60 Posts
    23k Views
    johnpozJ
    @CyberCow said in KEA DHCP - lacking features: i assume this is a bug, but if someone else could confirm... You want to report/confirm a bug in a feature that is listed as not supported yet, in the preview release?
  • I can't find this DNS entry anywhere in my GUI. How do I change this?

    0 Votes
    9 Posts
    688 Views
    johnpozJ
    @roveer Google and Cloudflare only filter bad stuff.. Or at least they say, but only in rare cases with Google, Cloudflare is more open in saying hey we block bad stuff.. But let's say DNS service A filters bad site X, but service B does not.. But since you don't know where your forwarder might ask at any given point in time, are you protected from bad site X or not? So what is the advantage of their filtering? And once it's looked up once, all your clients will get that answer if they ask for it, etc.. The filtering or not filtering would come more into play if you were using say a blocking DNS service to block stuff that you want blocked, like adult related stuff, etc. etc.. While your 2nd service does not. OpenDNS or Umbrella or Adblock sort of services. Many people choose to use say Quad9 because they list blocking bad sites as one of their advantages.. Cloudflare kind of says the same, while Google says hey only in really bad cases, etc.. The point is these example services are not all filtering the same way, even if only bad. But that they filter at all - and you wouldn't know which one might get asked at any given time - kind of really throws all of their filtering out the window.. So if you're going to use different services, but you don't know if service A and B would block the same thing - you can not be sure you would ever be protected by such a service. Maybe you forward to these services because of their bad site blocking, but also maybe they block stuff because government says hey block this.. The point is such services are not all going to filter the same way, but if you ask more than one will you or will you not actually be protected, or filtered from something you want to get to, etc. Same thing goes for if they do DNSSEC or not - most all the major players do, unless you specifically use a special IP they list, etc. But this is another thing that can be different if you don't actually know who you're asking when you forward.
    While I am not a fan of forwarding - many people do, and hey that is their choice.. My only point is if you're going to forward.. No matter who you forward to you should get the same answer.. If not it can be very problematic trying to track down some weirdness with some specific DNS query.
  • Unbound restarting 20-30 times a day without any reason

    0 Votes
    18 Posts
    1k Views
    GertjanG
    @michmoor said in Unbound restarting 20-30 times a day without any reason: but i can see it being a problem with several 100 endpoints. Things will get even better when you have 'some' Wi-Fi connected devices that roam among several APs. DHCP will fire away every x seconds .... and as many unbound restarts. Quickly, unbound is more busy 'restarting' than actually doing 'DNS' for you.
  • DNS rebinding breaks local DNS names

    0 Votes
    5 Posts
    363 Views
    M
    @johnpoz Thanks. Going back to ISC fixed it.
  • DHCP custom set hostname are not resolving

    0 Votes
    15 Posts
    2k Views
    GertjanG
    @iptvcld said in DHCP custom set hostname are not resolving: I had to reboot the laptop each time even if I do a release and renew - not the best If it's a Windows PC: ipconfig /release, ipconfig /renew will do. And that's not even needed. A cable disconnect, and the device will 'lose' that lease by default. When you then select an SSID with the Wi-Fi, a lease will be obtained automatically. When going back to cable, it might be best to actually disconnect - mouse click - from the SSID, and then put the cable in place. Always worked for me like that for the better part of this century. Info valid for every possible OS.
  • 0 Votes
    6 Posts
    2k Views
    bmeeksB
    @Gertjan said in Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access: @bmeeks said in Dynamic DNS Client with GoDaddy not updating - Authenticated user is not allowed access: My GoDaddy dynamic DNS stopped working as well And no information, like a mail, warning about this ? Nope. Nothing that I ever saw. Some searching around on Google will find a lot of folks complaining about the exact same issue. They changed their service without notice apparently. Here is a Reddit thread: https://www.reddit.com/r/selfhosted/comments/1cnipp3/warning_godaddy_silently_cut_access_to_their_dns/.
  • Kea DHCP UEFI PXE boot sends wrong boot file

    0 Votes
    14 Posts
    7k Views
    C
    @TheNetStriker Your patch resolved order, so UEFI client can get .efi boot file. I edited services.inc file (by Diagnostics / Edit File) and changed mentioned lines. But similar to @nockdown, now my UEFI client receives boot file with additional ÿ. Not sure if I should do anything related to "Path Strip Count"? And how to do it...
  • Cannot Connect to Samba Shares on TrueNAS Server Via Domain

    0 Votes
    12 Posts
    873 Views
    N
    @johnpoz Looks like. Dig looks different. Getting through to the domain like it used to. That's the thing that changed that FUBAR'd it. I changed to Kea.
  • unbound with ULA: connection timed out (nslookup)?

    0 Votes
    14 Posts
    1k Views
    GertjanG
    @eightfold said in unbound with ULA: connection timed out (nslookup)?: I typically get assigned a new prefix. Omg. I just posted this where I was positive about IPv6, and I forgot about those stupid ISPs totally breaking RFCs / IPv6.
  • The upcoming DHCP server page

    0 Votes
    3 Posts
    257 Views
    C
    @patient0 Thanks. I kind of suspect the warning notice is tersely written and not especially relevant to my concerns. But I could be wrong. They could be doing something wacky as the message implies if you read it without researching anything. I have no plans to do anything just yet. I don't spend much time here and I'm very sure passing the time to read about variants of DHCP servers is not how I would spend my free time. As long as my basic needs are met, they can do anything they want about the rest of DHCP. In fact, I didn't know and seriously don't care about any other aspects of DHCP other than my primary concerns. If they want to change me over on their own they are free to do it as long as I don't lose my static IP addresses. Every other router I've ever used can fill my basic needs so I'm sure the next changes to DHCP here will also do what I need. I do not want to have to reenter static mappings on another page .... just because.
  • DNS as Conditional Resolver

    0 Votes
    4 Posts
    329 Views
    GertjanG
    @wojciech__ Wait .... what about this: Use unbound as the resolver with pfBlockerng, and have it listening (bind to) on DMZ only. Now you can also activate the DNS Forwarder (dnsmasq) using also port 53, and use this one on the LAN interface only, and set up the DNS servers where it has to forward to. Your LAN won't benefit from pfBlockerng.
  • Kea Server won't start after adding static lease

    0 Votes
    4 Posts
    347 Views
    johnpozJ
    @aaronouthier https://www.netgate.com/blog/netgate-adds-kea-dhcp-to-pfsense-plus-software-version-23.09-1 Basic functionality is present in version 23.09, but the Kea implementation lacks the following DHCP server features: Local DNS Resolver/Forwarder Registration for static and dynamic DHCP clients; Remote DNS server registration; DHCPv6 Prefix Delegation; High Availability Failover; Lease statistics/graphs; Custom DHCP options. https://docs.netgate.com/pfsense/en/latest/releases/23-09.html#rn-23-09-kea Same warning about preview in the 2.7.1 release notes https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html
  • 2 DHCP Pool and running one - static mapping / the other - on demand

    0 Votes
    1 Posts
    111 Views
    No one has replied
  • How do you release existing DHCP lease?

    0 Votes
    10 Posts
    2k Views
    AndyRHA
    Other than DHCP showing the in-scope lease and the out-of-scope reservation, are you having an issue? Is the client receiving the expected address?
  • Reverse lookups fail for static DHCP leases with unbound.

    0 Votes
    4 Posts
    336 Views
    johnpozJ
    @Zotan well if you're going to forward for the reverse you would need to set up the in-addr.arpa zone to be forwarded. Let's say you have zone1.home.arpa and zone2.home.arpa and zone3.home.arpa, and let's say 192.168.1/24 is zone1, and zone2 is using 192.168.2/24 and zone3 is 192.168.3/24. Create your forward for 2.168.192.in-addr.arpa to point to your pfsense for that zone, and then do 3.168.192.in-addr.arpa for zone3. So for example I set up NS on my NAS DNS.. for both the forward zone testlocal.home.arpa and the reverse zone 0.168.192.in-addr.arpa, created some records in it.. And set up some domain overrides to forward to my NAS at 192.168.9.10
  • Unbound not logging queries to remote syslog

    0 Votes
    1 Posts
    157 Views
    No one has replied
  • DHCP pool outside interface subnet

    0 Votes
    3 Posts
    299 Views
    M
    @coxhaus Thanks for the answer. I think I don't have a choice but to use another DHCP than pfsense for that case ... I don't understand why the developers never worked on that? With all the research I've done about that, a lot of people tried to do that with pfsense without success!!! Finally use another like the Microsoft one! Thanks!
  • Unbound vs Forwarding for DNS

    0 Votes
    8 Posts
    825 Views
    C
    @Gertjan I think I will stay with DNS Forwarding on port 53 to QUAD9. I don't think anybody will hack from a US big ISP to QUAD9. I think it is a better risk than a query to a China DNS server using unbound. They could be making lists of all the queries hitting their servers. I'd rather not be on that list. I am not interested in getting a returned broadcast address or a private address. Maybe I will install SNORT again. I think they have a DNS packet inspector.
  • ISC DHCP and DDNS

    0 Votes
    1 Posts
    101 Views
    No one has replied
  • DuckDNS IPv6 update URL ?

    0 Votes
    3 Posts
    1k Views
    T
    @patient0 Thanks man ! I never even saw there was a 'Custom (v6)' option.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.