• Yet another DNS Forwarder and DNS Resolver question

    0 Votes
    4 Posts
    2k Views
    johnpoz
    You can use whatever you want to use, forwarder or resolver.. Do you understand the difference between them?? To be honest, while I commend moving to resolver with DNSSEC as the default option, it seems basic understanding of the difference in a large chunk of the user base has confused them. Might have been better to just leave dnsmasq as default and let those that understand why they might want to use a resolver vs forwarder make the change to use that.

    I think the goal, just my opinion on why they moved to resolver being default, is so that they could be sure DNSSEC was being used. When you forward you're at the mercy of where you forward to as to whether DNSSEC is used. If you resolve you can be sure you're using it, etc. But there are some caveats to that: resolving, depending, can have issues if a domain's DNS is not up to snuff, or if it's on the other side of the planet from you it might time out the first time a client tries to resolve it. If using a forwarder to some major caching DNS like Google or OpenDNS, domains that are shitty in responding for their DNS are most always going to be cached if anyone using those DNS uses them.. So in that case you might not notice their DNS is below par, while if you were resolving and talking directly to their name servers you would have issues resolving their stuff.

    As an example of using the GUI for overrides in the resolver:

        C:\>dig click03.example.com +short
        10.1.1.3

    [image: guiexample.png]
  • Pfsense Router Connected to ADSL2+ Router DHCP & NAT Questions

    0 Votes
    7 Posts
    1k Views
    T
    @BlueKobold: Found some links to this D-Link router model: bridge mode. From the manual: _Section 3: Set up Internet Connection. The available Protocol modes are: PPPoE, PPPoA, Dynamic IP, Static IP, and Bridge. QUICK SETUP – BRIDGE MODE CONFIGURATION. If you are instructed to change the VPI or VCI numbers, type in the correct setting in the available entry fields. The Internet connection cannot function if these values are incorrect. Select the specific Connection Type from the drop-down menu. The available connection and encapsulation types are LLC and VC-Mux. Click Next to go to the last Setup Wizard window._ Thanks so much for taking the time to look into my problem. I will look into the VPI and VCI numbers for Costa Rica and see if I am able to turn the ISP router into bridge mode. I was able to do your second method with having the pfSense LAN on a different subnet. If I am unable to make the ISP router go into bridge mode at least I can resort to this method. Thanks again!
  • Centrlize setup on pfsense

    0 Votes
    2 Posts
    558 Views
    KOM
    1.  Yes.  It's quite common actually. 2.  As the network admin, that's your job  :D 3.  Looks OK to me. 4.  You could have pfSense handle your DNS and DHCP.
  • DNS rebind attack trying to visit hosted servers

    0 Votes
    3 Posts
    609 Views
    C
    That has nothing to do with DNS rebinding specifically, it's that reflection isn't picking up the traffic. Most often because it's not enabled. Once it is enabled, you need to make sure you're initiating new TCP connections (fully close your browser and re-open it) that can be reflected.
  • DHCP Relay Issue w/Unicast DHCP Requests

    0 Votes
    1 Posts
    672 Views
    No one has replied
  • Dnsmasq.conf location

    0 Votes
    2 Posts
    1k Views
    C
    You can't edit the file manually as it'll be overwritten. Just add them in the advanced box in the GUI.
  • Local dns

    0 Votes
    7 Posts
    1k Views
    J
    Thanks for pointing me in the right direction.
  • Is it possible to add Unbound stats to the RRD graphs?

    0 Votes
    8 Posts
    2k Views
    M
    Ah ok. Then I (we) have to wait for a super coder to step up and help us.
  • DNS bind zone queries

    0 Votes
    2 Posts
    692 Views
    johnpoz
    Why don't you just use an ACL that includes both your networks, say 192.168/16? Are there people, say on 192.168.11/24, that you do not want to be able to query? You can include more than 1 network in an ACL; you can list as many networks or /32 host addresses as you want.. Sure, there's some limit, but it's more than 2, that is for sure.
  • Website will not resolve

    0 Votes
    9 Posts
    2k Views
    johnpoz
    Well yeah it would ;) So much cleaner and better than a NAT reflection hack.. And now your traffic isn't hairpinning every time you want to access a resource directly connected to the same network.
  • Unbound domain override to recursive forwarder, and how I got it working.

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • DHCP set to disabled but still handing out 192.168.1.x range IPs

    0 Votes
    4 Posts
    676 Views
    KOM
    When in doot, reboot!
  • Re: 208.91.197.27

    0 Votes
    6 Posts
    2k Views
    johnpoz
    Yeah I am with you dok.. Got to love the DNS services that hand out parking and nonsense for NX domains vs NX.. Which is part of the reason I run a RESOLVER vs Forwarder ;) If you don't want such stuff to happen, resolve, don't forward, would be my suggestion.. Many of the popular public name servers do that.. OpenDNS was one of the first that was terrible at it with redirects; they got a lot of gruff about it too. Google hasn't started doing it that I am aware of:

        C:\>dig @8.8.8.8 lsjfdlsjsfd.odsjldsjfslfd.com

        ; <<>> DiG 9.10.3rc1 <<>> @8.8.8.8 lsjfdlsjsfd.odsjldsjfslfd.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10285
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 512
        ;; QUESTION SECTION:
        ;lsjfdlsjsfd.odsjldsjfslfd.com. IN      A

        ;; AUTHORITY SECTION:
        com.                    899     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1441801312 1800 900 604800 86400

        ;; Query time: 83 msec
        ;; SERVER: 8.8.8.8#53(8.8.8.8)
        ;; WHEN: Wed Sep 09 07:22:12 Central Daylight Time 2015
        ;; MSG SIZE  rcvd: 131
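The check johnpoz does by hand with dig above (does the upstream answer NXDOMAIN honestly, or hand back a parking address?) can be automated with nothing but the standard library. The block below is an added example, not code from the thread or from pfSense: it builds a query for a random label that cannot exist, parses the reply, and classifies it. The replies fed to `demo()` are constructed by hand (the ID 10285 and the name are borrowed from the dig output above; 192.0.2.10 is a documentation address standing in for a parking page), not captured from 8.8.8.8 or any other resolver. `probe()` is the live version and is the only part that touches the network.

```python
"""Added example: detect NXDOMAIN rewriting by a forwarder.
Constructed sample replies in demo(); live UDP query only in probe()."""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1):
    """Return (txid, packet) for a recursion-desired query with a random ID."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QDCOUNT=1
    return txid, header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def skip_name(msg, off):
    """Offset just past a name; a compression pointer (0xC0xx) ends it in 2 bytes."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg, txid):
    """Return (rcode name, [A records in the ANSWER section])."""
    if len(msg) < 12:
        return "MALFORMED", []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "MISMATCH", []                  # not a reply to our question
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    off = 12
    for _ in range(qd):                        # step over the echoed question
        off = skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ips


def verdict(rcode, ips):
    """Interpret a reply to a name that is known not to exist."""
    if rcode == "NXDOMAIN":
        return "honest"
    if rcode == "NOERROR" and ips:
        return "rewritten"                     # parking / search page injected
    if rcode == "NOERROR":
        return "nodata"
    return rcode.lower()


def probe(server, base_domain="com", timeout=2.0):
    """Live check (not used by demo): ask `server` about a random label."""
    qname = f"{os.urandom(8).hex()}.{base_domain}"
    txid, packet = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        reply, _ = sock.recvfrom(4096)
    return verdict(*parse_response(reply, txid))


def constructed_reply(txid, rcode, ips):
    """Hand-built reply for the demo; 0xC00C points back at the question name."""
    question = encode_name("lsjfdlsjsfd.odsjldsjfslfd.com") + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
        for ip in ips
    )
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    return header + question + answers


def demo():
    """Classify three constructed replies (not real captures)."""
    honest = constructed_reply(10285, 3, [])                 # like the dig above
    parked = constructed_reply(10285, 0, ["192.0.2.10"])     # NXDOMAIN rewritten
    return {
        "honest_resolver": verdict(*parse_response(honest, 10285)),
        "rewriting_resolver": verdict(*parse_response(parked, 10285)),
        "spoofed_txid": verdict(*parse_response(parked, 0x1111)),
    }


if __name__ == "__main__":
    print(demo())
```

Run `probe("8.8.8.8")` against each forwarder you are considering; anything other than "honest" for a random label means the upstream is editing answers, and the pfSense "DNS Rebinding" and DNSSEC options cannot repair that for you. The transaction-ID check is the minimum defence against a stray or forged reply; a real client also matches the question section and the source port.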
  • DNS forwarder or resolver for a new home-office network?

    0 Votes
    2 Posts
    1k Views
    johnpoz
    Just use the forwarder if that is what you're used to. Resolver can be a tad slower on initial lookups because you're walking the full tree to look up www.something.com: roots, hey, NS for .com please; hey NS for .com, what is the NS for something.com; hey NS for something.com, what is the A record for www. With forwarder you just ask your ISP or Google DNS, hey, what is the A record for www.something.com; if someone had recently looked that up, there you go, you get the answer right away, it's cached. If not then it has to walk the tree and find it for you.. But normally there are 1000's to 100's of thousands of users using those name servers so most popular sites are always cached. Normally it's just a few ms different, but sometimes sites that have shitty DNS or are on the other side of the planet from you can take a bit longer and you may see timeouts now and then on that first lookup, and then again after the TTL expires, etc. But the advantage of resolver is you KNOW you're talking to the authoritative NS for that domain to get the answer, not some cached entry that could be stale; also you're sure you have full DNSSEC, while with forwarding.. do you?? Where are you forwarding, etc.

    Both forwarder and resolver support easy overrides for hosts or domains; they are just in their own menu area, they don't share a DB or anything.. So if you create a host override in the forwarder section and are using resolver, your host overrides won't be used. Also, while unbound does have a forwarder option, the dnsmasq forwarder allows you to query your NS in parallel, while I do not believe unbound does it that way. So if you're used to forwarding, just stick with dnsmasq would be my advice.
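The tree walk johnpoz describes here, and in the "Yet another DNS Forwarder and DNS Resolver question" thread above, is easy to see in miniature. The block below is an added illustration, not code from the thread, from pfSense, or from unbound/dnsmasq: a toy iterative resolver walks a constructed root, .com and something.com chain and counts round trips cold, warm and after TTL expiry, beside a forwarder that sends one question to an upstream whose cache someone else has already warmed. The zone data and the 192.0.2.x / 198.51.100.x addresses are made up (documentation ranges); nothing is sent on the network.

```python
"""Added illustration: iterative resolution versus forwarding, with an
in-memory constructed DNS tree. No packets are sent."""

ROOT = "a.root-servers.net."

# Constructed authoritative data. Each server holds one zone as a map of
# (owner name, type) -> list of (ttl, rdata). A child zone appears in its
# parent only as NS plus glue A records, which is what produces referrals.
ZONES = {
    ROOT: {                                   # root zone (constructed)
        ("com.", "NS"): [(172800, "a.gtld-servers.net.")],
        ("a.gtld-servers.net.", "A"): [(172800, "192.0.2.1")],
    },
    "a.gtld-servers.net.": {                  # .com zone (constructed)
        ("something.com.", "NS"): [(172800, "ns1.something.com.")],
        ("ns1.something.com.", "A"): [(172800, "192.0.2.53")],
    },
    "ns1.something.com.": {                   # something.com zone (constructed)
        ("www.something.com.", "A"): [(300, "198.51.100.10")],
    },
}


def ask(server, qname, qtype):
    """One round trip to one authoritative server.
    Returns ("answer", records), ("referral", next_server) or ("nxdomain", None)."""
    zone = ZONES[server]
    if (qname, qtype) in zone:
        return "answer", zone[(qname, qtype)]
    labels = qname.split(".")
    for i in range(1, len(labels)):           # longest matching delegation first
        parent = ".".join(labels[i:])
        if (parent, "NS") in zone:
            return "referral", zone[(parent, "NS")][0][1]
    return "nxdomain", None


class Resolver:
    """Iterative resolver with a TTL-bounded answer cache. The clock is injected
    so entries can be expired deterministically. Real resolvers also cache the
    delegations learned on the way down; this toy caches only final answers."""

    def __init__(self, clock):
        self.clock = clock
        self.cache = {}                       # (qname, qtype) -> (expires_at, rdatas)
        self.queries_sent = 0                 # round trips to authoritative servers

    def resolve(self, qname, qtype="A"):
        now = self.clock()
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > now:
            return hit[1]                     # warm cache: zero round trips
        server = ROOT
        for _ in range(8):                    # bound the referral chain
            self.queries_sent += 1
            kind, payload = ask(server, qname, qtype)
            if kind == "answer":
                ttl = min(t for t, _ in payload)
                rdatas = [r for _, r in payload]
                self.cache[(qname, qtype)] = (now + ttl, rdatas)
                return rdatas
            if kind == "referral":
                server = payload
                continue
            return []                         # NXDOMAIN (negative caching omitted)
        raise RuntimeError("referral chain too long")


class Forwarder:
    """Forwarder: always one round trip, to an upstream whose cache is shared
    with everyone else who uses it (the Google / ISP DNS case in the post)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.queries_sent = 0

    def resolve(self, qname, qtype="A"):
        self.queries_sent += 1
        return self.upstream.resolve(qname, qtype)


def demo():
    """Count round trips in the situations the post describes."""
    now = [0]
    clock = lambda: now[0]

    local = Resolver(clock)
    local.resolve("www.something.com.")       # cold: root, .com, something.com
    cold = local.queries_sent
    local.resolve("www.something.com.")       # warm: answered from cache
    warm = local.queries_sent - cold
    now[0] += 301                             # the 300 s TTL has expired
    local.resolve("www.something.com.")
    after_expiry = local.queries_sent - cold - warm

    upstream = Resolver(clock)
    upstream.resolve("www.something.com.")    # some other user already asked
    before = upstream.queries_sent
    fwd = Forwarder(upstream)
    fwd.resolve("www.something.com.")
    return {
        "cold_resolver": cold,
        "warm_resolver": warm,
        "resolver_after_ttl_expiry": after_expiry,
        "forwarder_round_trips": fwd.queries_sent,
        "upstream_work_for_forwarded_query": upstream.queries_sent - before,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cold resolver pays three round trips, the warm one none, and the forwarder always one; the cost of the forwarded lookup lands on the upstream, which is why a slow or distant authoritative server is invisible behind a busy public cache and painfully visible when you resolve yourself. The same structure shows the trade the post makes: the forwarder's answer is only as fresh and as honest as the upstream cache it came from.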
  • [Workaround] DNS Resolver - Domain Overrides

    0 Votes
    3 Posts
    5k Views
    B
    Thanks for your answer muswellhillbilly. Actually, the problem is more on the pfSense side. All my LAN clients within the HQ don't need to resolve the machines behind the pfSense box in the other branch office. But clients on the pfSense box need to resolve my servers' hostnames. Anyway, I read everywhere that we should not use DNS Forwarder but Resolver instead. I gave it a try though and guess what, it works flawlessly. I can resolve my servers' hostnames, and nslookup for everything related to the internet is way faster than with DNS Resolver. For youtube.com and other famous names, I used to have:

        timeout for 2 seconds
        timeout for 2 seconds
        RESULTS

    Now with DNS Forwarder it's quick. DNS Resolver worked partially because when I set one of my server hostnames in the "HOST OVERRIDE" section, my clients could resolve the name. But oddly, if I set a domain override, it doesn't work anymore. I'm wondering if DNS Resolver and the IPsec tunnel are working together? Because for the domain override, it needs to send the query to my PDC in another subnet across the VPN tunnel. It should know the route from the routing table, but in reality it kind of struggles. Or at least, I didn't get something. Anyway, DNS Forwarder is my way to go now. Hope it helps someone else.
  • DNS resolver (unbound) and multi-WAN

    0 Votes
    1 Posts
    791 Views
    No one has replied
  • Add static DHCP mapping via CLI

    0 Votes
    2 Posts
    524 Views
    Gertjan
    Ah, a CLI expert. In that case: it's up to you! Add to your plans: go to /usr/local/www/services_dhcp_edit.php, lines 153 up to 340, and read them to get the picture. These are validating settings, writing to the config.xml and "marking the subsystem dirty" (which probably winds up killing the DHCP server, to revive it with new settings). If you can handle this in CLI (and why not) then work out your plans ;) Note: I'm not sure this is the only file to be considered. Handling config.xml is considered 'madness'. Handle all cases I just omitted for simplicity.
  • DNS Overrides not working on DHCP?

    0 Votes
    5 Posts
    1k Views
    C
    I rebooted the entire router and now it's working as expected. I guess something was just stuck so hard that only a hard reboot knocked it loose.
  • DHCP / Static mapping / Network booting

    0 Votes
    1 Posts
    742 Views
    No one has replied
  • Postbank.de not found

    0 Votes
    8 Posts
    2k Views
    johnpoz
    I don't show any issues with www.postbank.de DNSSEC and can resolve it just fine using the unbound resolver with DNSSEC enabled: http://dnssec-debugger.verisignlabs.com/www.postbank.de Why should you need YouTube videos or config examples? pfSense out of the box works with the resolver set up for you. You shouldn't have to go messing with anything really to get it to work. Why don't you go to your client and see if it resolves? Use nslookup, dig, drill, host, whatever your fav tool is. Or even the pfSense diag. [image: dnslookup.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.