@doktornotor:

However, the idea to run OpenVPN on 53/UDP is something quite astonishing for me. It really does not attract unwanted traffic for you?  :o

Don't think it'd attract anything. Those scanning the Internet for DNS servers won't get any response. It will make OpenVPN log spam "Authenticate/Decrypt packet error: packet HMAC authentication failed" when a DNS request is sent to its port, but it doesn't reply. Just looks like an IP with nothing listening to DNS scanners.

You need to have a WINS service running on your local server with an entry for the remote NAS device. Then you should be able to resolve \hostname and connect to it. Otherwise, you can just as easily use the FQDN (\hostname.example.com) if you want a quicker solution (assuming you've entered this address in your DNS settings, that is).

Problem Resolved i must add pfsense to the DHCP reservation 0.o Now its working. Thanks for help: )

Fix the subnet mask on the interface with 192.168.2.x. It's a cosmetic bug that it shows .2 through .0 but the root of the issue is you have an interface configured with a mask that has no other hosts available on the subnet and hence cannot run a DHCP server on it.

No idea if this is doable, but its nice to ask.  Maybe its super easy?  No idea.

To me it sounds like a good idea if it helps lots of people.

Use reverse proxy. You certainly do NOT want to run any DNS server on WAN.

Enable the DNSSEC related hardening options in unbound and stop forwarding to OpenDNS that does not support DNSSEC at all. Preferably, just stop forwarding (period).

Ok, if I desactive "DNSSEC support", test failed.

In order to make the plugin work in Chrome, we have to install a bin: https://www.dnssec-validator.cz/pages/download.html#package

thanks :-)

@johnpoz:

Don't be hijacking threads… Create your own.

This is MY thread and I thought my question is related to DNS, so I posted here. Anyway, I'll just transfer the contents of this thread to a new thread.

Thank you for your help. I am feeling a little sheepish now and should have my eyes checked.

just to validate dok's great answer

2.2-RELEASE][root@pfSense.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup pfsense.org
The following name servers are used for lookup of pfsense.org.
;rrset 82095 5 0 2 0
pfsense.org.    82095  IN      NS      dns1.registrar-servers.com.
pfsense.org.    82095  IN      NS      dns2.registrar-servers.com.
pfsense.org.    82095  IN      NS      dns3.registrar-servers.com.
pfsense.org.    82095  IN      NS      dns4.registrar-servers.com.
pfsense.org.    82095  IN      NS      dns5.registrar-servers.com.
Delegation with 5 names, of which 5 can be examined to query further addresses.
It provides 0 IP addresses.
[2.2-RELEASE][root@pfSense.local.lan]/root:

I have a similar setup (One PPPoE WAN, one DHCP WAN) and it works for me with a variety of providers (Namecheap, HE.net).

Does pfSense actually have the public IP address from either of those WANs? Or is each WAN also doing NAT of some sort (and pfSense has a private IP)?

It could also be something specific to No-IP, do you have some other provider to try?

I finally got this sorted out.  In an obscure location the syslog server revealed that DNS lookup is disabled in their basic package, the pro version is needed.  Or a separate static host file can be pre-loaded.  So for now I reformatted the host file for the syslog server to load and all private IP's are being resolved by both PfSense internally and the external syslog server. Yes, all privates are RFC1918. By 20.x I mean 192.168.20.x.

Whew!  Glad this is resolved, pun intended.  Been working off and on for weeks trying to get this going. Thanks again John for all your help.

Not really, but your call.

I think it's good for me to do it.

@sloppy:

Ok, so right now there is just a second entry for static but the first entry is showing me the current ip of the server.
Btw. is the edit link broken for static mappings? For me it points always to http://xy.xy.xy.xy/services_dhcp_edit.php?if=lan&id=0

Thx

Yes, if there are multiple static entries without IP address, the Edit points to "id=0" for all of them.
This fixes it for me: https://github.com/pfsense/pfsense/pull/1503
This is better, handles the case when there are static entries on multiple interfaces with the same MAC address: https://github.com/pfsense/pfsense/pull/1504

So it happened again this evening, I guess Virgin use 7 day leases.
Gateway goes down, dhcp broadcasts for an address and one isn't found.
Eventually tries cached one which doesn't get accepted by the gateway as no traffic flows between the superhub and pfsense. FML! Can't figure out how to get these to re sync. Tried static IP, tried disabling gateway monitoring but not joy.

I had a similar situation here, on 2.1.5 i ran dnsmasq, and all went well with resolving, to internet and to my two connected vpn sites. When i upgraded to 2.2 and unbound came in sight, it didn't function anymore.
The clue is in the outbound interface (as stated in the post: https://forum.pfsense.org/index.php?topic=84184.0 )
When you want to resolve certain domain overrides who are connected by vpn the outgoing interface has to be part of your vpn domain ( e.g. your lan interface )

why do people test with a browser for some as simple a dns query?

From a cmd line use your fav tool.. nslookup, dig, drill or just ping - what does it resolve too for your fqdn query?

Browsers can be using proxy, could be highjacked, use their own cache, etc..

So your fqdn is camdriveway.zebra ?  not really of single label domains.  about zebra.lan or zebra.net, etc.  Single labels while they should be fine tend to have weirdness depending on OS, application, etc. etc.

So from a cmdline do - see attached

simpleoverridetest.png
simpleoverridetest.png_thumb