Anything of interest under Status - System logs - Resolver?  If you go to System - General Setup - DNS servers, what do you have for a Gateway, none or something?

Do you mean you only want to see those DHCP leases from clients on a particular network, or you only want to serve IPs to clients on a particular network?

You can fix this by either configuring NAT reflection, or by getting your internal DNS server to point your domain to your internal IP instead of the public IP address.  I use the latter technique at work.  My external DNS is handled by a pair of Linux boxes, and my internal DNS is handled by Windows AD controller.  Even though my external Linux boxes handle our public IP, I added all my external FQDNs to my Windows AD controller DNS and pointed it towards the public server's (mail, web, ftp) internal IP addresses.  Works like a charm.  I found NAT reflection giving me pain when I was trying to connect to our FTP server by going out the firewall and then back in.

Anyone?

That worked! I'll take it and not ask why ;) I unchecked use tcp and put in the IP.

Thanks!

I assume very little CPU and network is needed. I just did a release+renew on my desktop with Wireshark running, and the entire process took 2ms

DHCP Discover: 4.7292
DHCP Offer: 4.7303
DHCP Request: 4.7305
DHCP ACK: 4.7312

Assuming perfect linear scaling, my box could handle 500/sec. It is a beefy quad core 3.2ghz CPU, but it's down clocked to 200mhz nearly all the time. Not a good test, I know, but I don't see DHCP being that intensive.

Sorry, my mistake! Once I select WAN, pfSense intelligently finds the external IP address (not directly the WAN address). Excellent!

Sorry it took so long to respond. Then next round in trying to get this implemented I tried it from my laptop again. This time the dns queries from there were also slow. To fix this issue, I took a backup of the config, did a factory reset on the pfsense machine and then imported back in only the aliases, firewall rules and nat rules. This time, everything went as planned an expected. Realistically, I still don't know what the issue was, but it is obvious that some place there was a configuration issue…

Still though, thank you very much for your help. :) I have it in place and it took the companies internet speed up from the 65Mb/s up/down up the the 98Mb/s up/down that they should have been getting. Beyond that, it has been stable as I expected it to be.

The checkbox to use sequentially enables dnsmasq's –strict-order. Their man page describes that as:

By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

The order in resolv.conf should match what you have configured under System>General Setup, at least assuming you also have no dynamic WANs or have disabled DNS server updates from DHCP/PPP.

If resolv.conf has the order as desired, then I suspect either your internal DNS servers aren't responding for some things, or maybe dnsmasq's –strict-order doesn't do what you're expecting and stopping at the first server that replies (I would think it does, but not entirely sure off the top of my head).

Getting a packet capture of all UDP 53 traffic on LAN and seeing what that looks like might be telling. Maybe your internal servers are failing to respond at times.

Wooops!

Yes, the ovpns1 interface should in general just be left alone as OpenVPN manages that one for you.  The only thing I usually need that interface for is to create a Firewall Rule allowing all traffic on ovpns1.

Glad it's working  :)

For future reference, if you need to track down who is making a specific query, you need only put "log-queries" into the DNS Forwarder advanced options. Then the resolver log will contain all DNS queries along with the IP addresses which made the requests, for example:

@johnpoz:

And are you appending what they suggest?  Say something like?

something like
regexi ^(http://www.google../search?.) \1&safe=active
regexi ^(http://www.google../images?.) \1&safe=active

to do the rewrite of the url?

I used the above mentioned regular expression in rewrite option available in Services->Proxy Filter, but the result is same. Safe search was not enabled in google.

@johnpoz:

Are you blocking https searches?

I have enabled SSL filtering option in Proxy server and due to which every HTTPS website gets blocked. So I added www.google.com to the whitelist and tried to redirect it using rewrite option as well as DNS forwarder and the result is still the same i.e No redirection and No safesearch enabling.

No problem, I'm happy to say I learn a little more every day I check through the forums  :)