• Use DNS Resolver for local LAN DNS lookups only?

    6
    0 Votes
    6 Posts
    2k Views
    @cmb: That's up to the client machines themselves as to what they'll use. Generally speaking, no, that's not possible. You have to either use the resolver for everything, or nothing. Thanks cmb. I'll just use host file entries then. Just for home network, so no big deal.
  • 0 Votes
    3 Posts
    742 Views
    Hi Phil, Well, I suppose technically speaking it's all "private" since none of it routes outside of the corporate network, however, subjectively speaking, since the 192 address space is reachable by everyone in the company, and to use common terminology, it's considered "public" space within our organization. The 10 space is truly private as it only exists in my environment behind pfSense. But I think you answered my question, the domain override tells pfSense to look at X DNS server for all addresses in the foo.com domain. I think that's the piece of the puzzle I was missing, thanks a ton!
  • MOVED: Bypass intranet with transparent proxy.

    Locked
    1
    0 Votes
    1 Posts
    446 Views
    No one has replied
  • Can't see own webserver from LAN clients.

    6
    0 Votes
    6 Posts
    802 Views
    How to handle local mail server. And IP cameras… How do I add them to Forwarder. Services->DNS Forwarder Add entries for them in the Host Overrides section.
  • Resolve IP Addresses from different LAN

    9
    0 Votes
    9 Posts
    2k Views
    there is only one domain name on the entire network, no NAT just routing. Then you can't use domain overrides to refer lookups sensibly to one of the other pfSense. In your setup there is no DNS instance that has full knowledge of all the names in the domain. Thus you need to run some separate DNS server that is authoritative for the domain and comes to know all the names in the domain. If you put each pfSense and associated LAN in a different sub-domain then it would be easy to set up like JimP posted.
  • Split DNS not working

    9
    0 Votes
    9 Posts
    3k Views
    I am guessing this might be some weird interaction between the client domain suffix lookup and the domain on pfSense. Does it make any difference on the client if you just: ping mail (and let the client add "abc.com" suffix) compared to ping mail.abc.com ? Or does it sometimes fail to lookup mail.abc.com and actually end up doing some lookup of mail.abc.com.abc.com ? (Putting the domain suffix on the end of what is already the FQDN) When it goes wrong, flush the client DNS cache (like "ipconfig/flushdns" on Windows) and do the ping again. Does the answer stay wrong for a while? Or is it a really intermittent error? I am thinking that perhaps there is some other mechanism somewhere that is causing the pfSense DNS server to get the public IP 1 time (goodness knows why), and then it has that cached for the time-to-live, which effectively overrides the host override.
  • Exclude client from default dns

    4
    0 Votes
    4 Posts
    913 Views
    If you have client systems/people who are trying to get around your DNS by setting a different DNS in their device, then you also need to put block rules on LAN for TCP/UDP to places other than LAN IP. That will stop their changed DNS from working. You can even forward that to the DNS listening on LAN IP so that the clients can change their DNS but still really you will just send everything into the pfSense DNS anyway.
  • Having trouble setting up a DNS filter

    3
    0 Votes
    3 Posts
    794 Views
    Solved it with a different approach: Set Unbound to use nxfilter as upstream server and disabled private addresses scrubbing. I still have no idea why pfSense base system didn't work with nxfilter. If anyone has any idea, please let me know, however for the moment I'm happy it's working as it is.
  • "Sibling" Static Assignments

    2
    0 Votes
    2 Posts
    692 Views
    Maybe shorten the lease time so when they switch between the two the defunct one isn't tied up so long being unused. Also, are the clients' WiFi configured to auto disconnect when connected to wired Ethernet ("Disable Upon Wired Connect")? If not, doing so may also help. Another thing that may free up some IP address space would be to configure clients according to their needs; LAN only, WiFi only, both LAN and WiFi with auto disconnect when wired. That way not as many clients consume multiple IP addresses. Just a few thoughts perhaps you can make use of.
  • DNS issues with 2 nested PFSense machines.

    6
    0 Votes
    6 Posts
    870 Views
    IMHO, have your friend set his LAN range to something like 10.0.1.0/24 to avoid the whole issue. I always get off of 192.168.0.0/16 entirely and go to a 10.0.0.0/8 range instead to avoid these issues. Too many networking devices default to 192.168.0.0/24 or 192.168.1.0/24 that you'll eventually get hit with this conflict (like trying to VPN into your pfSense LAN from a hotel and realizing that you can't because of the subnet conflict).
  • Unbound won't start with "Enable Forwarding Mode" checked – 2.2-RELEASE

    8
    0 Votes
    8 Posts
    4k Views
    johnpoz
    I doubt that was the problem - what would that have to do with something else running on the port?

        [1422117824] unbound[69703:0] debug: creating udp6 socket :: 53
        [1422117824] unbound[69703:0] error: bind: address already in use
        [1422117824] unbound[69703:0] fatal error: could not open ports

    From how I read this, something was already listening on udp6 port 53.. That has nothing to do with whether unbound is set to "Harden DNSSEC data" or not..
  • DHCP and DNS

    4
    0 Votes
    4 Posts
    1k Views
    johnpoz
    Where did you get the idea that .lan is reserved - did you even read the RFC you linked to?

        To safely satisfy these needs, four domain names are reserved as listed and described below.
        .test .example .invalid .localhost
        ".test" is recommended for use in testing of current or new DNS related code.
        ".example" is recommended for use in documentation or as examples.
        ".invalid" is intended for use in online construction of domain names that are sure to be invalid and which it is obvious at a glance are invalid.
        The ".localhost" TLD has traditionally been statically defined in host DNS implementations as having an A record pointing to the loop back IP address and is reserved for such use. Any other use would conflict with widely deployed code which assumes this use.

    Those are the 4 that are reserved.. not .lan. You can use whatever TLD you want.. fsdkjslfdj would be a horrific choice in my opinion. Too hard to type, keep it short and simple. Same with .local is bad – Apple likes to query for stuff.local etc.. Use your name.lan -- I highly doubt they are going to add .lan to the public TLD list any time soon.. You should not be using a single label, ie just a TLD.. so you could use something.homenet if you wanted or something.localnet so your FQDN would be host.something.localnet; again, a single label is not a good idea.. Pick a name for your domain and then a TLD that tells you it's not public. Maybe .notpublic ;) pfSense sends out the domain, yes, in option 15; as to whether Windows uses that as suffix search.. That is by default what it does, yes.. It would normally walk up the tree, so in my case it would look for host.local.lan and if that didn't answer it would ask for host.lan -- which is pointless in my network, so I uncheck that box on my Windows machines.
  • Problem with dhcpd

    1
    0 Votes
    1 Posts
    684 Views
    No one has replied
  • /var/db/dhcpd.leases line 0: whitespace too long, buffer overflow.

    2
    0 Votes
    2 Posts
    3k Views
    @twaters: When trying to start the DHCP Service I receive the following error. /var/db/dhcpd.leases line 0: whitespace too long, buffer overflow. How big is that file? It should be a plain text file that you can view with less or cat. Suggest you simply delete it then restart the dhcpd server, which will recreate the leases file. Also remember there's a chroot so it's really reading /var/dhcpd/var/db/dhcpd.leases
  • Multiple IPs for Single Name in Host Override?

    10
    0 Votes
    10 Posts
    2k Views
    @doktornotor: @Jason: I tried adding an "addn-hosts" line with the "address" lines Yeah, that is the problem. You are doing it wrong; it should have no address= lines, it should look like a hosts file. Yup, just figured that out. Thanks.
  • DHCP lease update in DNS

    3
    0 Votes
    3 Posts
    859 Views
    Also seeing this. Using 2.2.2. Any hints for debugging? Sometimes a new DHCP client will register ~instantly in the DNS, others take many minutes or never show up at all. It doesn't seem to be particularly tied to a given MAC. Restarting Unbound will cause them all to register.
  • A Records not working

    3
    0 Votes
    3 Posts
    937 Views
    johnpoz
    Agree, if you do not understand bind, why are you running it. Either the forwarder dnsmasq in pfSense or the resolver unbound are more than capable of being used for name services in resolving both your local hosts and outside hosts, with a very simple GUI to add host entries. Or pfSense can auto resolve stuff it gave a lease to with its DHCP services, etc. Unless you had some specific reason to use bind, like zone xfers or something, not sure why you would go with that unless you felt more comfortable with it than either of the other 2 options included with pfSense. I would recommend just using forwarder or resolver in pfSense vs using bind. If you're looking to learn bind, I wouldn't think installing it on your pfSense would be the best option. I would install it elsewhere and play with it so it's not your main name server. Once you get familiar with it, then you could move it to pfSense if you so desired. But as dok so eloquently stated there is really nothing we could help you figure out without a copy of your bind config to look at to see what you might have wrong. I have a Ford Focus, it doesn't start - can you tell me what is wrong ;) The wiper blades work though..
  • MOVED: DNS not working from server in LAN

    Locked
    1
    0 Votes
    1 Posts
    469 Views
    No one has replied
  • No Access to Websites

    2
    0 Votes
    2 Posts
    658 Views
    johnpoz
    and does use.typekit.net resolve.. dig, nslookup - ping even are tests to see if it resolves.. Is your browser using a proxy? If it resolves and does not ping - as you see in my example.. You might have an issue with connectivity to that network/IP
  • Accessing forwarded ports via Dynamic DNS from internal IP's

    7
    0 Votes
    7 Posts
    806 Views
    KOM
    Split DNS is the way to go. What are you using for a DNS server? What did you do to it? What do you get on your client when you do an nslookup on your dynamic domain?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.