• 0 Votes
    23 Posts
    4k Views
    DerelictD
    I would use the DNS Resolver in 2.2.2, put overrides in for local hostnames, and give the local pfSense IP address to my local clients to use.  If having two is important, then by all means have two local DNS servers. The name servers configured on the clients must all return the same answers to the same queries from the same sources for the same information.  If there are two name servers configured like that, great.  If not, you will get different behavior depending on which server the client decides to use. There are terms used like "primary and secondary" when it comes to DNS resolvers.  There is no such thing.  If a client has more than one DNS server defined it can do anything it wants with them.  Query one then the other in any order.  Query both at the same time and accept the first answer it receives.  Query one, wait for a timeout period, then query the next in any order.  It is completely up to the client and they all behave differently so, I say again, all the servers set in the client have to return the same answers to the same questions from the same sources.
  • Users accessing blocked website by entering DNS!

    0 Votes
    5 Posts
    701 Views
    K
    If you really want to piss them off, use transparent proxy ;D for HTTP and pfBlockerNG to block HTTPS (use the hurricane list to find the IPs of the sites using HTTPS).
  • MOVED: svscan problem

    Locked
    0 Votes
    1 Posts
    489 Views
    No one has replied
  • DHCP Option 43 with suboption 3 for AP provisioning

    0 Votes
    3 Posts
    1k Views
    T
    @sdtrinicor: I frequently use pfSense controllers alongside Ruckus R300 APs. I have been trying to get the automatic provisioning working through option 42. Ruckus seems to require a sub-option with a code of 3 for this to work. Is there a way to configure a suboption? Thank you in advance. FYI, it's this option.
  • DNS config for local webserver with subdomains

    0 Votes
    2 Posts
    523 Views
    johnpozJ
    Well, your subdomains have to resolve on the public net to get directed to the pfSense public IP so you can forward that traffic in on 80 or 443, etc. What do you think the router/pfSense has to do with that?? Where is the authoritative DNS for this domain and its subs?
  • Weird DNS forwarder issue for certain DNS names

    0 Votes
    13 Posts
    2k Views
    johnpozJ
    I don't understand why you don't just resolve yourself as well.. This is, I believe, the new default in pfSense.. If you have issues with that, then use, say, Level3 open - 4.2.2.2 is one I always used.. Comcast DNS used to be horrific; it has gotten better over the years. But I like doing my own recursion so I have full support of DNSSEC for sure, etc.
  • IPV6 DHCP Lease addresses not resolving

    0 Votes
    2 Posts
    780 Views
    GertjanG
    Probably it is a side effect of what is being discussed here: https://forum.pfsense.org/index.php?topic=89589.0 IPv4 DHCP hosts are loaded into the DNS Resolver 'unbound' when a new host leases an IPv4 address (unbound restarts while doing so; that's what https://forum.pfsense.org/index.php?topic=89589.0 is all about). Dealing out IPv6 doesn't inform the local DNS (= unbound), so the local host name stays unresolved. I didn't look it up in the code …
  • DNS Resolver: block entire domain except for one specific host

    0 Votes
    6 Posts
    2k Views
    johnpozJ
    Yeah, pfSense does not have that feature. You can set up a DNS forwarder or an actual resolver.. It's not a DNS proxy. A DNS proxy would be something like Palo Alto has: https://live.paloaltonetworks.com/docs/DOC-4633
  • DNS Resolver or Forwarder DHCP Registration with multiple private domains

    0 Votes
    1 Posts
    470 Views
    No one has replied
  • Anyway to sort Host Overrides by IP address?

    0 Votes
    2 Posts
    471 Views
    johnpozJ
    While it might be nice to be able to sort by IP, they are not in some random order; the host names are in alphabetical order. See the example: I added a host starting with A and it's at the top; a different host starting with N is in the middle, where N would be..
  • DNS resolver setup questions – caching from upstream DNS failing

    0 Votes
    1 Posts
    499 Views
    No one has replied
  • Name Resolution fails when bridged modem is offline

    0 Votes
    1 Posts
    441 Views
    No one has replied
  • DHCP mapping from FreeRADIUS

    0 Votes
    4 Posts
    1k Views
    jimpJ
    It may be an option in other gear, but our DHCP server configuration doesn't have any tie-ins to RADIUS currently.
  • PfSense newbie converting a lab from ipcop to pfSense

    0 Votes
    4 Posts
    869 Views
    T
    @MakOwner: I'm on a fresh install of 2.2.2 and I don't see an Advanced button as in your image on the advanced tab of the DNS Resolver.  At any rate, I resolved this with a backup/restore. Just FYI, it's not  on the advanced tab, it's on the main tab.
  • PfSense DNS Won't Resolve - failed to access /etc/resolv.conf

    0 Votes
    5 Posts
    2k Views
    D
    Well, you either have screwed permissions on the box, or a screwed filesystem, or possibly both. There's no way I'd continue running a system with such inexplicable issues when it takes minutes to re-image and get a sane install.
  • How to start dynamic dns client from shell ?

    0 Votes
    2 Posts
    451 Views
    GertjanG
    Services like this, as all services, are enabled (set up and eventually activated), or not. If they need to be switched on or off - pretty rare - you do so by visiting the GUI. Why should this service be activated by SSH access?
  • Use DHCP parameters / delay DHCP offer

    0 Votes
    1 Posts
    475 Views
    No one has replied
  • Forcing different DNS Servers with different clients on LAN

    0 Votes
    2 Posts
    3k Views
    DerelictD
    Set static mappings in the DHCP server for those two MAC addresses.  You can set specific DNS servers there.
  • DNS Override not working as expected?

    0 Votes
    17 Posts
    2k Views
    johnpozJ
    And again, I showed you it works with .local just fine.. See my examples - so you've got something else going on.. DNS doesn't really care - if you're doing the query to the name server and it has that record.. There you go.. It gives you the answer. Do you have some sort of search domain with local that is auto-adding that when you do your pings, so you're doing something like search.local.local – why don't you do a simple sniff on the machine that is not resolving it via ping and see what query it is doing.
  • Independent Interface DHCP Servers not working

    0 Votes
    12 Posts
    1k Views
    johnpozJ
    "But the truth is… I'm really just trying to understand why what I did was a bad thing to begin with" I gave you clearly 2 reasons not to do what you were doing that have nothing to do with rules or best practice. If google.com is hosted on the 1.2.3.4 address and you say 1.2.3.0/24 is local -- how do you think you're ever going to get to google.com? When any of your applications try to do a PTR, say an SSH server or email server, or the firewall for example - there are plenty of applications that will do a PTR (look up the IP to map it to a name; the reverse of you looking up mail.gmail.com to point to 1.2.3.4) on the IP that hits it.. So unless you have set up that in-addr.arpa zone that says you are the authoritative name server for that netblock, that query will go out to the internet. Now when your workstation does something, your firewall will say for example that mail.google.com did it.. example:

    ;; QUESTION SECTION:
    ;mail.google.com.              IN      A

    ;; ANSWER SECTION:
    mail.google.com.        604800  IN      CNAME  googlemail.l.google.com.
    googlemail.l.google.com. 300    IN      A      173.194.46.117

    ;; QUESTION SECTION:
    ;117.46.194.173.in-addr.arpa.  IN      PTR

    ;; ANSWER SECTION:
    117.46.194.173.in-addr.arpa. 86400 IN  PTR    ord08s13-in-f21.1e100.net.

    So would you like your host, say if you were using 173.194.46.117 locally, and your firewall tried to resolve that IP for you, to come back as ord08s13-in-f21.1e100.net? "the laptop will switch to the IP addressing across port 3 when I enable DHCP on that interface." Sorry, that is just not possible.. Unless you have your interfaces bridged in pfSense? Or you have a switching loop.. So you have this - see attached. So unless you have DHCP enabled on your wifi router, or pfSense interfaces 1 and 2 bridged? Or maybe you have set static IPs in pfSense for the MACs of these devices. There was something odd a while back where if you had a static setup and then limited DHCP leases to known MACs, etc.
    But I find it unlikely you're doing that. Why don't you look at ipconfig /all on one of these devices, and then when it switches IPs to this other lease, what is the IP address of the DHCP server?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.