• Assign 2 MACs the same IP address?

    5
    0 Votes
    5 Posts
    876 Views
    johnpoz
    ^ I would say that is a really bad idea even when you know what you're doing ;) But sure that is another way to skin the cat..
  • DNS server stop working

    8
    0 Votes
    8 Posts
    2k Views
    johnpoz
    ^ exactly!!! I agree if you have a domain name, you need at min 2 servers that will respond authoritatively for your domain..  What does that have to do with running it on your own? Unless you're a dns provider – or you're serving up dns to your users for your local domain.. Leave public dns to the companies that do it for a living.  If the FREE ones don't suit your fancy or provide you what you need/want..  Then for like $30 a year you can do it with an enterprise class service with 5 9's uptime. Shit your time alone in having to even look at why it's not working has most likely cost more than 3x the cost of hosting dns with an actual dns company for a whole year ;) I can tell you if I charged my normal billing rate - the time in me reading your question and responding would have cost more than hosting your dns for a whole year!!
  • Custom Dyn-DNS

    2
    0 Votes
    2 Posts
    851 Views
    P
    I fixed that in master a while ago: https://github.com/pfsense/pfsense/commit/31300a95f71b14dcb98c139388205223a36e8c8b I looked on 2.1 branch, and can't see where the fix was back-ported, so I guess the fix is not in 2.1.1  :'( Anyway, look at the changes and you should be able to make it happen in 2.1.* - I believe that once you get the gateway group selected, the code that actually does the work underneath will use the selected GWG and do its thing.
  • Parse XML as a result in custom dynamic dns?

    1
    0 Votes
    1 Posts
    485 Views
    No one has replied
  • DNS resolves before OpenVPN tunnel is up, but how?

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Dyn.com going fully paid only

    3
    0 Votes
    3 Posts
    810 Views
    D
    If you have your own domain, you can use https://dns.he.net/ for free. If you don't mind a lame domain name, this one is definitely also free - https://duckdns.org/install.jsp (pfsense instructions included). For $25/yr., dyn.com can lick my swamp…  ::) :o
  • Unbound vs DNS Forwarder

    9
    0 Votes
    9 Posts
    11k Views
    johnpoz
    "but I was wondering if there's a reason to use Unbound instead." Do you have need of some feature of unbound vs the feature set of dnsmasq (built in dns forwarder)? If not then NO there is no reason to use it..  For home setup I would think that pretty much anything you would want your local dns to do can be done with dnsmasq - there would be no reason to complicate your setup by using unbound. Might as well ask the questions - should I run bind, or should I run ms dns or should I run xyz..  Unless there is some feature that dnsmasq does not provide that you need/want why are you needing to run something else when you have been running and I would guess happy with the pfsense default dns forwarder for years?
  • 0 Votes
    2 Posts
    1k Views
    A
    I've changed my dynamic DNS service provider. Now I'm using No-IP which works fine. The problem with DynDNS.org still occurs.
  • DNS configuration on pfSense

    2
    0 Votes
    2 Posts
    1k Views
    H
    To reduce the complexity of your network setup, I would just add your current DNS servers to the DHCP options so that pfSense will hand out DHCP leases with those DNS servers. On the other hand, since you already have pfSense, why not remove those DNS servers and simply have pfSense act as the DNS server?
  • Several problems with split DNS

    6
    0 Votes
    6 Posts
    2k Views
    johnpoz
    well host would be a dns query, ping would use your cache or host file.. Did you flush your machine's dns cache or do you have something in its host file. So let's see this query showing the public IP?

    What you're saying is vs dnsmasq returning what it has in its records (pfsense host file) it's returning what the forwarder has for it.  I really find that unlikely - but if it is the case it has nothing to do with pfsense and would be the underlying dnsmasq issue.  I have never ever seen this behavior ever in dnsmasq

    So let's see this happen..  from a dig – query this fqdn, just keep doing the query - show us when it returns the public vs the local IP.

    example so I created a record for www.cnn.com to point to 1.2.3.4, clearly that is not the right answer..  So if I query pfsense (dnsmasq) it returns 1.2.3.4, if I query a public dns it returns the public records.  So what you're saying is happening is just keep doing the query to pfsense and at some point it returns the public IP vs the local. Well do 100 queries -- how many return local how many return public.. I am betting on 100 out of 100 return local and your issue is somewhere on your clients doing query to something else to be honest.

        C:>dig www.cnn.com

        ; <<>> DiG 9.9.5-W1 <<>> www.cnn.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31386
        ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;www.cnn.com.                  IN      A

        ;; ANSWER SECTION:
        www.cnn.com.            86400  IN      A      1.2.3.4

        ;; Query time: 4 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Sat Apr 05 06:32:27 Central Daylight Time 2014
        ;; MSG SIZE  rcvd: 45

        C:>dig @4.2.2.2 www.cnn.com

        ; <<>> DiG 9.9.5-W1 <<>> @4.2.2.2 www.cnn.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11444
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;www.cnn.com.                  IN      A

        ;; ANSWER SECTION:
        www.cnn.com.            439    IN      CNAME  www.cnn.com.vgtf.net.
        www.cnn.com.vgtf.net.  37      IN      CNAME  cnn-56m.gslb.vgtf.net.
        cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.248.11
        cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.249.10
        cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.249.11
        cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.248.10

        ;; Query time: 43 msec
        ;; SERVER: 4.2.2.2#53(4.2.2.2)
        ;; WHEN: Sat Apr 05 06:32:36 Central Daylight Time 2014
        ;; MSG SIZE  rcvd: 165

        C:>

    edit:  So what I would do as simple test, grab namebench -- run it with simple test for this local record against pfsense and have it query a few times.

    So here I queried a 1000 times for that www.cnn.com that I pointed to 1.2.3.4

        ubuntu:~$ namebench -i /tmp/test.dns -S -r 4
        namebench 1.3.1 - /tmp/test.dns (automatic) on 2014-04-05 07:56:06.333039
        threads=40/2 queries=250 runs=4 timeout=3.5 health_timeout=3.75 servers=11
        Reading /tmp/test.dns: /tmp/test.dns (0.0MB)
        Generating tests from /tmp/test.dns (1 records, selecting 250 automatic)

    in my test.dns file I had only www.cnn.com..  So this reports what your dns server responds with in nice easy to read csv file showing every query and response.

        IP Name Test_Num Record Record_Type Duration TTL Answer_Count Response
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.610994339 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.846075058 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.757144928 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.523017883 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.521110535 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 2.447128296 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.616001129 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 2.111911774 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.528978348 86400 1 1.2.3.4
        192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 5.592107773 86400 1 1.2.3.4

    So 1000 queries - every single one responded with my local record of 1.2.3.4..  I would love to see a test like this from you showing where it responds with the public vs the host override you created.

    So let's run it 10k times..  Man that really beat the shit out of dnsmasq -- but every one still 1.2.3.4..  Dude it is way more likely you're just doing a query to something else, or have multiple entries maybe, a host file, etc.  than dnsmasq returning public IP when it has a host override.
  • DNS forward: remote IP address

    6
    0 Votes
    6 Posts
    1k Views
    johnpoz
    Love to help - but have not played with squid in a really long time.. Would have to install it on my pfsense box to see what to edit. What I would suggest is you create a new thread, with the right subject and info.  You are not doing a port forward or dns forward.  You're using a reverse proxy to send the traffic into your internal box. Your question would prob be best suited in packages section under squid, etc. Or are you needing to forward to different IPs based upon host header?  If not you could just do a normal port forward of http/https to your web server and not use the reverse proxy.
  • Bad NIC? Howto SWAP ports and keep configuration.

    3
    0 Votes
    3 Posts
    2k Views
    V
    I swapped boxes and the problem still exists.  We are a church; toward the end of the first service and start of 2nd, things stopped working like they normally do –> users can't connect to the portal ... they choose the guest network and things spin.  All of the public WAPs time out on a ping.  To date, I've replaced the cabling, the switch and now the actual server box with new cards.  The only way I can avoid this intermittent non-response situation is to disable the captive portal.  Once I do that and the firewall is synced the public WAPs all become accessible.  I didn't have to power them or the server/switches down. So, I believe it is a configuration/software (captive portal) bug.  Any tips on what debugging to turn on in order to nail this?  I really don't need the captive portal except for limiting the up/download bandwidth the public interface gets. Rob
  • Flood of DHCPv6 log entries…

    3
    0 Votes
    3 Posts
    1k Views
    P
    @doktornotor: No problem with that at all here.  Definitely requires more information. I'll give more detailed information next week. But it looks like it is somehow related to the Apple AirPort access point (configured in bridging mode) which is connected to our LAN.
  • Do I need to specify multiple gateways?

    9
    0 Votes
    9 Posts
    6k Views
    S
    Phil, Doktornotor, Thanks so much for your help and advice. Great stuff!
  • Same IP for different MAC address in DHCP

    2
    0 Votes
    2 Posts
    693 Views
    D
    It cannot be solved in any way.
  • Split DNS inconsistencies

    22
    0 Votes
    22 Posts
    4k Views
    Z
    host-record is exactly what I was after. I missed that the first time I read bryan.paradis's post, thanks johnpoz for pointing it out again. This is great, it lets me ditch unbound (which hasn't been the most stable in production) Thanks again, -Zandr
  • Can't get IP from modem via DHCP?

    3
    0 Votes
    3 Posts
    752 Views
    D
    Any update on this? I have the exact same problem on pfsense 2.1 on bsd.
  • DHCP DNS Registration In External DNS Server

    1
    0 Votes
    1 Posts
    547 Views
    No one has replied
  • New install PPPoE Plusnet blocking outgoing traffic

    4
    0 Votes
    4 Posts
    1k Views
    T
    Update: I decided to install pfsense to another computer, this time a Dell PowerEdge server, again just a basic install with just the default settings and my PPPoE settings and IP addresses. When I first tried it it worked fine: windows update worked, outlook emails' pictures downloaded and other programmes were allowed to check for updates and update. Fine, great….. Two hours later I noticed that outlook emails were not downloading pictures.... I checked windows update and now that fails again with a message "unable to search for updates". Ahhh, I cannot figure this out and the reason why this is happening. I called my ISP and they checked and said that there's nothing wrong with their network and it must be pfsense causing the problem..... Has anyone got any ideas why this is happening or encountered a similar problem?
  • DHCP Server with Static IP set on device

    2
    0 Votes
    2 Posts
    772 Views
    P
    Can you reach them from another system on the same subnet, connected to the same switch? Hopefully yes- they have a working IP address and netmask. To reach them from another subnet across pfSense, they need to have a default gateway specified in their settings. If the device does not have anywhere to put a default gateway, then you have to use NAT on pfSense to NAT the computer/s you are coming FROM onto a local IP in the subnet of the device. Then the device will think it is getting a connection from a machine on the local subnet, and can reply to that.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.