• MOVED: Bind: resolve for internal zone doesn't work

    Locked
    1
    0 Votes
    1 Posts
    385 Views
    No one has replied
  • Unbound is missing in the menu???

    4
    0 Votes
    4 Posts
    703 Views
    P
    Renato has already committed it to master and RELENG-2-2 so it will be in the 2.2.2-DEV snapshots and 2.2.2-RELEASE. Really easy changes like this happen same day, that's Open Source for you :)
  • DHCP on WAN interface not automatically starting

    4
    0 Votes
    4 Posts
    767 Views
    F
    @cmb: Upgrade to 2.2, if that doesn't fix it, post your system log from after the NIC regains link. Hi, I upgraded to 2.2.1 and you were right. Everything is better, but now there is a problem with squid3 and squidguard for squid3. That does not function. You can't start both services working in 2.2.1. Even going back to squid2 and squidguard for squid2 on 2.2.1 is buggy. Hope to see a bugfix soon. Therefore thanks for your help.
  • 0 Votes
    5 Posts
    957 Views
    Derelict
    Looks like the last change I made was to enable the forwarder after switching to unbound.  There was no check at all for unbound being enabled when enabling the forwarder. https://redmine.pfsense.org/projects/pfsense/repository/revisions/06e847a72929245fd8bc71c26b309bb3b7d71921/diff/usr/local/www/services_dnsmasq.php That makes sense since the requirement to force this network to OpenDNS was the more recent change.  I remember being pleased it actually worked. It looks like I probably would have hit the same problem (with the old test/error message) when saving any unbound changes, regardless of 2.2.1.
  • SelfHost dynamic dns broken in pfSense 2.2.1

    3
    0 Votes
    3 Posts
    976 Views
    P
    Yes, if you just tell pfSense software to ignore the certificate problems and do the update anyway, then it will work! It could be updating your dynamic name/IP with a provider that is impersonating SelfHost if it cannot validate the certificate chain. In notes to this pull request cmb notes that update.eurodyndns.org has a broken certificate chain: https://github.com/pfsense/pfsense/pull/1570 https://www.ssllabs.com/ssltest/analyze.html?d=update.eurodyndns.org The site that processes the updates for selfhost.de DynDNS does not get a glowing report: https://www.ssllabs.com/ssltest/analyze.html?d=carol.selfhost.de&s=82.98.87.18&latest By contrast, a selfless promotion for pfSense, an A rating: https://www.ssllabs.com/ssltest/analyze.html?d=pfsense.org
  • MultiWAN DNS and rejecting issue on OPT1

    17
    0 Votes
    17 Posts
    5k Views
    D
    Have a nice weekend. And yeah, give them a call. (None of this madness would be possible if Google signed their DNS with DNSSEC.)
  • 2.2.1 Force disabling of harden glue? Why?

    7
    0 Votes
    7 Posts
    2k Views
    jimp
    I fixed the changelog (See also https://redmine.pfsense.org/issues/4402 )
  • Transferring the existing DHCP table to a new server

    3
    0 Votes
    3 Posts
    826 Views
    johnpoz
    "we configured a few services with their IP addresses and it would cause some problems if those addresses were to change suddenly…" So you're hard coding services to point to IP vs FQDN?  And this IP is not even static, nor even reserved in dhcp? I would say you should fix that.  It is BAD BAD admin/developer/any one in IT that has input to allow services in a corp/business/school/home to point to IP for services.  FQDN is what you should be pointing at, this allows you to change where those services are provided from with no impact to the people using them, no changes in code, no configuration changes on machine.  1 simple change on your dns and bing bang zoom you're pointing to the right place. I can't wait to see how that bad practice dies when ipv6 becomes commonplace ;)
  • DHCP Server ddns-hostname option for static maps

    1
    0 Votes
    1 Posts
    598 Views
    No one has replied
  • Unbound DNS Performance

    4
    0 Votes
    4 Posts
    2k Views
    johnpoz
    "First hit I expect to be bad but I see second and third hits sometimes take upwards of a second if not longer" How are you testing this, just that one screenshot?  Let's look up something unique, and then look it up again inside the TTL of that RR.. So I have a domain I recently setup to play with dnssec, I had to setup 2 authoritative servers because my registrar, and even the registrar I used for the dnssec free dns did not support it, etc. So I have 2 NS setup on vps, one in LV, NV and the other in Luxembourg.  You would be surprised at the lack of dnssec support dns services, at least free or reasonable priced ones, etc.  So I setup my own.  Anyway As you see from the first query, with dnssec yes it takes a bit longer - 391 ms in this example.  But you notice the 2nd hit that you're talking about is 1 ms..  You can see that 7200 TTL, and then second hit was 6 seconds later, and you can see the timestamps of my query in the post.  Sorry for the censorship, but no reason to promote that domain or the IPs of my vps, etc.  More than happy to send you uncensored example in a PM if you want, etc. You can validate dnssec domains are setup correctly here http://dnssec-debugger.verisignlabs.com edit: And sometime later, still within the TTL of all records involved, etc. ;; Query time: 1 msec ;; SERVER: 192.168.1.253#53(192.168.1.253) ;; WHEN: Wed Mar 18 06:13:25 Central Daylight Time 2015 ;; MSG SIZE  rcvd: 179 And I have all the TTLs really low at 2 hours, if I need to move this to somewhere else for testing.  I picked the .xyz domain because it was cheap first year $5 and has dnssec support. edit2:  Oh to show that doing query against unbound and not the forwarder ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;version.bind.                  CH      TXT ;; ANSWER SECTION: version.bind.          0      CH      TXT    "unbound 1.5.3" ;; Query time: 0 msec ;; SERVER: 192.168.1.253#53(192.168.1.253) ;; WHEN: Wed Mar 18 06:21:13 Central Daylight Time 2015 Also added your cnn example.. They have a short ttl on the cnn, so that portion only cached for 5 minutes..  But anyway, you notice that 2nd hit was pretty much instant. btw does not have anything setup for dnssec.. [image: 2ndquery.png] [image: validdnssec1.png] [image: cnnquery.png]
  • Dynamic DNS Client - OpenDNS Setup?

    7
    0 Votes
    7 Posts
    3k Views
    O
    @doktornotor: 1/ Get your own domain 2/ https://dns.he.net/ Looking in to this now.  Thanks. FYI - Some time ago I was watching the IP Viking map and a lot of attacks were hitting a hole-in-the-wall town in NW Missouri for some reason.  After some research I found that HE may have some sort of node up there, or something related to their infrastructure.  I could only assume that whatever HE has there was the target, or taking the hits before they got to the intended target. ETA:  Logged in, can't seem to figure out how to get this set up.
  • Dynamic DNS Result Match

    3
    0 Votes
    3 Posts
    1k Views
    K
    After some testing, the custom Dynamic DNS is looking for what is physically returned (what is displayed in the web browser) from what I can tell. I thought it might be able to pick up something hidden in the code, but it doesn't seem that way. Thank you for the help in pointing me to the file that DDNS uses.
  • Custom DynDNS entry not working - missing field.

    3
    0 Votes
    3 Posts
    1k Views
    A
    Works a charm. Thanks for this.
  • DNS forwarder question

    2
    0 Votes
    2 Posts
    2k Views
    K
    No - All it means is that you should not add an allow rule on your WAN, thereby exposing port 53 to external traffic. If you want to check your service ports to see if port 53 is open or closed you can use: https://www.grc.com/x/ne.dll?bh0bkyd2
  • DNS Resolver vs DNS Forwarder and Active Directory (SOLVED)

    3
    0 Votes
    3 Posts
    3k Views
    M
    Just got it to work using the sticky note about wildcard DNS. I have updated my own original post with the solution. Thanks, /Mattias
  • Resolver stops working when trying to block ads

    4
    0 Votes
    4 Posts
    646 Views
    Q
    Look at pfblockerng, it handles all this for you with a few simple clicks. Arghh, sorry.  This feature isn't in the mainline yet... soon hopefully
  • Dynamic dns not resolving correctly

    2
    0 Votes
    2 Posts
    547 Views
    G
    https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
  • DynDns + DynamicDNS

    2
    0 Votes
    2 Posts
    667 Views
    P
    Post your settings. I use DynDNS for my various dynamic public IPs and it works - DynDNS is one of the providers in the dropdown list. It works fine for me.
  • Can't resolve host names across vlans.

    6
    0 Votes
    6 Posts
    7k Views
    E
    Domain members are pointed to the domain controller since its ip address is listed as a dns server in pfsense. They have always been able to register their names and we haven't had any other problems with domain credentials. I guess the only reason it was set up this way is because there were only a few computers connected to the domain. Most are not domain members. I'm not saying it's right, it's just the way things evolved over time. But perhaps to simplify things for the future it might be time to move dhcp to the dc instead of pfsense.
  • Log DNS from Unbound to syslog

    3
    0 Votes
    3 Posts
    1k Views
    T
    @johnpoz: Are we sure unbound logs would be sent to syslog? No I'm not :D But I hope.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.