@marc-vandevliet_proiect-be The root cause turned out to be an intermittend issue with arp, caused by a config error (resulting in 'looping' one vlan) on a Mikrotik switch. Troubleshooting this by activating logging on my NG8200 aggravated the issue, because extensive logging seems to bring down a firewall quickly ... Learned a few lessons ... Upgraded again to 24.03 (but stayed on ISC) and removed the static arp entries in my PFSense+ DHCP leases, as they also tend to complicate matters, when troubleshooting.

the problem was indeed in Pfsense side (I forget a parameter deny unknow client...)

I found the problem, hopefully this is useful to someone in the future. Domain overrides do work with unbound. My mistake was that I had not enabled the interface to C in Services -> DNS Resolver-> General Settings -> Outgoing Network Interfaces Which explains why the requests were never being sent.

@MrPete OK, let's see if I can make things clearer. I run the resolver that's included with pfSense. Guests are not allowed to access anything on my network, including DNS. The only thing they can do is ping the VLAN interface. I used static mapped IPv4 addresses for everything that lives here, other than my desktop computer and, of course, pfSense. I use SLAAC for IPv6. Local DNS has an entry for all those devices for both IPv4 and IPv6 addresses. Since I run a resolver, there's no forwarding involved.

@fdfdfff2 Microsoft Windows [version 10.0.22631.3593] (c) Microsoft Corporation. Tous droits réservés. C:\Users\Gauche>nslookup maps.google.com Serveur : pfSense.xxxx.yyyy Address: 2a01:cb19:dead:beef:92ec:77ff:fe29:392c Réponse ne faisant pas autorité : Nom : maps.google.com Addresses: 2a00:1450:4007:819::200e 142.250.178.142 C:\Users\Gauche>curl maps.google.com <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved <A HREF="http://maps.google.com/maps">here</A>. </BODY></HTML> Using a ordinary Windows PC, and pfSense using mostly default settings. Can't say more then this : go over what you've changed/added, undo/remove that, and you'll be fine.

@The-Party-of-Hell-No Another post: https://forum.netgate.com/topic/187510/dns_probe_finished_nxdomain-sporadically-for-anywhere-from-30secs-to-10min-works-flawlessly-at-all-other-times/31

@mwierowski said in Unbound crashing randomly after 24.03 upgrade: @Gertjan, so far, since unchecking that option, I haven't seen a single restart of unbound. Hopefully, this will resolve the issue. Thanks again for your help. I'd expect so. If you do need registration, the other option is to set a longer lease time. Clients normally renew their leases at 1/2 the lease duration. So a 1 hour lease with 30 devices would be an average of once per minute. I believe Netgate is working on improving this when they are further along in transitioning to Kea DHCP.

@Gertjan That's strange then since DHCP is turned off on both of them. Yeah these are client lists from the 2 APs on the network right now, I wasn't sure if it was relevant but I just thought it might be interesting

It could be implementing similar way how DNS overrides are. Example: [image: 1715857049784-kea.jpg]

@Gertjan You’re correct of course, but that’s why I’ve built a new one on initially 2.6 and that’s the one that’s having issues I’m not anyway an networking expert - just attempting to understand the “black art” and although some would say just use a consumer asus or netgear router powers that be have blocked the once useable wrt router hacks to allow vpns and other stuff Anyways- thanks for your help In the end there is a big chasm between engineers and end users

@Gertjan said in DNS error: Also : check every device connected to pfSense, and check every application (system, browser, everything) that it using the pfSense IP as a DNS. Be aware that browser, when you install them these days, can do (will do) DOT/DOH themselves, completely bypassing pfSense, bypassing unbound (and where unbound forwards to = your 194.242.2.4) With my rules, I think impossible to bypass)) [image: 1715683161176-cc42b186-3fb3-4a7e-9b9b-55d32d494497-image.png] [image: 1715683199044-639afd55-7c87-4f17-bca9-236d70a91f45-image.png] [image: 1715683226493-10795f50-6b06-414c-b6df-af852d980f6b-image.png] [image: 1715683305691-d5047651-cb0d-45b9-83c0-b2cc98489805-image.png]

Perfect - you are right, thanks so much!

@elfenquetsche your wanting a different PTR than what your forward is? If I create a A record nas.home.arpa, that points to 192.168.9.10.. This will automatically return the ptr.. ;; QUESTION SECTION: ;nas.home.arpa. IN A ;; ANSWER SECTION: nas.home.arpa. 3600 IN A 192.168.9.10 ;; QUESTION SECTION: ;10.9.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 10.9.168.192.in-addr.arpa. 3452 IN PTR nas.home.arpa. Same would go for a AAAA record. Do you control this xxx.me domain? Is it public IP, is this IP owned by an ISP.. Most isps will not allow you to control the PTR for the IP space they own. Now if you own the IP space, or it has been delegated to you and you can run your own Name Servers then yeah you could control the PTRs Now for IPv6 space, Hurricane electric will assign you a /48 and give you complete control over the PTRs for that whole /48 space. You can for sure create a host override for some public domain, and that ptr would return the ptr you want.. For example - I pointed www.cnn.com to 1.2.3.4 with a host override - notice the ptr for 1.2.3.4 is points to www.cnn.com [image: 1715551986001-host.jpg] ;; QUESTION SECTION: ;www.cnn.com. IN A ;; ANSWER SECTION: www.cnn.com. 3600 IN A 1.2.3.4 ;; QUESTION SECTION: ;4.3.2.1.in-addr.arpa. IN PTR ;; ANSWER SECTION: 4.3.2.1.in-addr.arpa. 3600 IN PTR www.cnn.com.

@empbilly it should only have actual leases that have been handed out. Take a look for example - here is lease my applewatch just got lease 192.168.2.221 { starts 5 2024/05/10 11:57:58; ends 6 2024/05/11 11:57:58; cltt 5 2024/05/10 11:57:58; binding state active; next binding state free; rewind binding state free; hardware ethernet 7c:61:30:ad:55:47; uid "\001|a0\255UG"; client-hostname "JohnsAppleWatch"; } Guess you could of something going bonkers and just kept grabbing new lease all the time.. But 18k some leases, is that the size of your network - do you have anything even close to that many devices on your network.. Or was something just grabbing up leases like crazy?

@iptvcld did you setup dns redirection.. That would explain it. https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html#redirecting-client-dns-requests

@Mr_JinX It does not have HA failover yet. https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#kea-dhcp-server-feature-preview-now-available

Hi! I removed old setting and create new ones for duckdns and now they are working... Need to check Cloudflare next. Yeap and Cloudflare working also ok. So... needed to upgrade pfsense. Remove old DDNS settings (just editing and force update did not work). Create new ones -> everything ok.

@Gertjan said in Unable to resolve acb.netgate.com: Diagnostics > Configuration History Note: the Command is: Diagostics-> Backup & Restore -> Config History

@pfjeet said in Kea -DHCP: Can anyone please suggest what is option 66 and option 67 in DHCP and how it can be enabled You mean the Standard DHCP Options Defined in ISC DHCP and Kea ? As said above, if you want to use any of these, use ISC DHCP. Kea doesn't have the pfSense GUI front-end (yet) to add these options.