Yes, and the good part of the extra field option is, as I've seen javascript used to change the visible fields for example when you choose custom from the list, the extra field could be made to only show when using dynamic DNS providers where this could be an issue.

The back-end code is in /etc/in/unbound.inc
I added a comment to https://redmine.pfsense.org/issues/4367

Looks better now…

I differ. It is actually a good thing you offload pfsense for regular intervlan routing, and maybe the most important reason being that your L3 switch does that routing way more efficiently, no need to change that. (it's another story if you need/want security between those vlans but that was not your question)

There's a "but" though here. Currently it is only possible to configure dhcp scopes for "own" subnets. Meaning, if the subnet is not assigned to any physical or vlan interface, you won't be able to have it hand out dhcp offers to anything (scopes) it does not know.

It is (or better technically it can be) possible to have all dhcp to be handled by pfSense, possible but not standard yet. (see https://forum.pfsense.org/index.php?topic=65736.0)
You will also need ip-helper on each SVI on the L3. (easy part)
I have it running with good results…

If you don't go with the mod by Marcello, the only way to accomplish that dhcp story is by presenting each vlan to pfSense, either physical, either by dot1q.

If the local-zone configuration option works the way it sounds like it should, then this should be a more direct approach by using the unbound configuration options.

https://unbound.net/documentation/index.html
https://unbound.net/documentation/unbound.conf.html

local-zone: static

If you switched from dnsmasq to Unbound after upgrade, it can have different behavior depending on what you're doing and what you have setup vs. what was in dnsmasq. Are you using forwarder mode in Unbound?

That worked like a charm!

Thanks a lot!

@Derelict:

Seems to me the culture of pfSense when something like this is encountered is to provide the GUI widget and leave the default alone so when people upgrade as little behavior as possible changes.

So I suggest a "disable responses to bootp requests" checkbox or something, or an advanced config textarea, etc.

Yeah that'd be the proper approach. While rare these days, there are some devices that use BOOTP out there, and disabling it by default would cause havoc for some. That's the type of thing we don't change by default, but could add something to allow people to change it if they want.

dnsmasq (DNS Forwarder) does not have any way to specify multiple addresses in the "–server=" parameter.
http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
I remember having a look at this, because I would like it for some of my remote sites so they can point to multiple DNS servers for some internal domain names (some of which might be across site-to-site OpenVPN links).

So there is no way to do it in 2.1.n

But unbound (DNS Resolver) in 2.2 does have the ability to specify multiple stub-addr in a stub-zone. So it seems it will be possible to have this with Unbound DNS Resolver on pfSense 2.2.?
Actually I would like to be able to specify this - so I will have a go at adding it to the GUI and if I get it working will submit a pull request.

Redmine feature request: https://redmine.pfsense.org/issues/4350

@johnpoz:

… maybe there should be a basic skills tests before you can even download pfsense - like what is an IP address, what a mask is - what is the function of a gateway.

Smite them with the clue stick - that's the ASR approach, then firewall them with real fire.

Actually, thinking about it, response time must have something to do with it as the DNS running on the AD, is obviously local…

Config file is located in /var/unbound/ so use the -c switch

If you see its the same domains that are always being affected then there may be a possibility that the NS's themselves have data that differs from one another.

Hi David
You can do is lookup the ip for forcesafesearch.google.com which is

216.239.38.120

and then activate the dns forwarder and create an entry

Host: www
Domain: google.com
IP: 216.239.38.120

Then you point the DNS-entry of your client machines or your dhcp server to the IP of your pfsense.

If you also want to block all other 195 domains that google has active you can import the forwarder file I created (see below) by going to :

Diagnostics -> Backup/restore -> Restore configuration -> Restore Area: DNS Forwarder

Hope this helps. Keep in mind that the IP-Address can change in the future.

[google safesearc hosts import for pfsense.txt](/public/imported_attachments/1/google safesearc hosts import for pfsense.txt)

After poking around i was able to solve the problem. I'm sharing my findings hopefully it will help others.
From what i was able to find, dhcpd supposed to use  SOA record to locate DNS server to send DNS updates to. This was working fine on pfsense 2.1.5 (not sure what version of dhcpd it has).The only configuration i had is the domain name under Dynamic DNS section of DHCP server.

Now, with 2.2 i added primary dns and key information (which i took from:```
/cf/named/etc/namedb/named.conf

Some related discussion here: https://forum.pfsense.org/index.php?topic=84184.0

As a work around I do attach another third NIC to pfSense & create two DHCPs on each NIC the first is static with the options "Enable Static ARP entries" & "Deny unknown clients" ticked… the second is dynamic without those options,
both pointing to the same switch  ;D , with another network & subnet
the static entries get the IP from the static DHCP... & the not listed MACs get there IP from the dynamic DHCP with ARP entry.