• Cloudflare DDNS

    2
    0 Votes
    2 Posts
    319 Views

    As soon as you post you work it out - turns out you need the record to exist first, before pfSense can then update it. Shouldn't need to be that way but it's working now.

  • Advice on Internal and External DNS Management

    4
    0 Votes
    4 Posts
    565 Views
    johnpoz

    @Unscathed7897 if you have been using example.com a long time internally.. From a user's point of view, might be better to get a new domain example.net for external use - for your vpn connections or any other stuff you might host externally or need to resolve public for.. This might be less of a learning curve for users, and for sure less to change on your network if you have been using example.com for any length of time ;)

  • DNS on LAN not resolving same as WAN side

    7
    0 Votes
    7 Posts
    376 Views

    @johnpoz Thanks for your help that worked!

  • DNS Resolver in Forwarder Mode

    14
    0 Votes
    14 Posts
    2k Views

    @Gertjan @johnpoz

    Here is my working config using the Forwarder. Please let me know if a better outcome can be achieved using the Resolver.

    Unless a better outcome can be suggested my original setup is optimal.

  • Country internet filtering by government

    2
    0 Votes
    2 Posts
    138 Views

    @Antibiotic Looks like Domain Overrides option in DNS resolver did this trick))))

  • Local DNS server. Please guide me for correct settings!

    2
    0 Votes
    2 Posts
    171 Views

    Hello, anyone?

  • How best to set DNS servers/unbound/VPN

    16
    0 Votes
    16 Posts
    2k Views

    @hspindel I reviewed my configuration, and discovered that I actually do have DNS forwarding enabled but not in the way I was looking.

    DNS forwarding service is NOT enabled.

    But DNS Resolver service is enabled, and the checkbox for "Enable Forwarding Mode" is checked. Description says if this is checked, then DNS queries are forwarded to the servers set in System/General Setup.

    So that explains why my current setup is working.

    I still do not have a solution that chooses one or the other of the DNS services in System/General Setup dependent on whether the Wireguard VPN is enabled or not.

  • I don't like kea-dhcp4 logs

    5
    0 Votes
    5 Posts
    314 Views

    @johnpoz
    Agreed on the ISC not going anywhere. I want them to perfect Kea as much as possible.

  • How to list DNS servers from dynamic interfaces?

    2
    0 Votes
    2 Posts
    172 Views
    rtorres

    @McMurphy I use dnsleaktest.com to check what DNS servers are being used. I believe if you see anything other than your IP and you have more than one server on your results, your DNS records are being sent elsewhere.

    My pfSense is under a VPN, I only see 1 server and the VPN is the only IP I see. I have no DNS servers on my list other than my pfSense and have set to use only 127.0.0.1 and ignore other DNS servers:

  • Vlans will not DNS resolve

    15
    0 Votes
    15 Posts
    642 Views
    johnpoz

    @sentein Huh? So you have dhcp running on pfsense.. Thought you said you had a different dhcp server?

    Also unless you put unbound into forwarding mode, setting those dns servers is pointless..

  • Trialling CloudConnexa with a single site

    1
    0 Votes
    1 Posts
    217 Views
    No one has replied
  • 0 Votes
    7 Posts
    756 Views

    @johnpoz It's true that it is not possible to redirect a dns request from a network to a device belonging to that network ?

  • Packet Loss with WAN Interface Up

    1
    0 Votes
    1 Posts
    93 Views
    No one has replied
  • Long time to get IP gateway from dhcp

    19
    0 Votes
    19 Posts
    749 Views

    @johnpoz Hi,
    Thanks for your help, but today, I can confirm that the problem is from the TENDA I29 AP... This AP is so weird.
    The web interface has few options. I don't know what's going on, but the access point refuses to connect to the LAN...

    Today, I received a second TENDA I29 access point, and the problem is the same.

    I also received a NETGEAR WAX615 hotspot today. And guess what?!

    Miracle! Everything works on the first try...
    I performed the same operations:

    Set a static IP
    Set mask
    Define the gateway and DNS1 to my pfsense...

    Everything works the first time.
    I even configured my VLANs for my different SSIDs, all in less than 15 minutes!!

    I have no explanation regarding the TENDA access points... I performed the Firmware updates, but it didn't change anything...

    I will send them back to Amazon...

  • [Solved] Active directory, multiple VLANS : DHCP and DHCP relay

    5
    0 Votes
    5 Posts
    941 Views
    NightlyShark

    @Tommyboy Please don't forget to mark the post as solved, happy networking!

  • Lose Internet - No Internal Ping Why?

    7
    0 Votes
    7 Posts
    337 Views

    @johnpoz dns was up i think it was the netgate router there was an update pending so not sure if that had a role but everything is fine now. I rebooted the router and upgraded and things are fine now even when I unplug the wan interface. thanks

  • disabling DNSSEC stops local hostname resolution?

    14
    0 Votes
    14 Posts
    990 Views

    @johnpoz said in disabling DNSSEC stops local hostname resolution?:

    Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it.

    If only it had been clearly stated where it really matters.

    Oh well. ¯_(ツ)_/¯

  • Can pfSense's DHCP server (securely) update Microsoft DNS?

    20
    1 Votes
    20 Posts
    11k Views

    As there was no option covering all my use cases I decided on a full redesign of my DNS setup. (but it is quite complicated if you want to use all features like I do)

    I am now running a BIND on top of PFSENSE as primary server for my internal DNS Zones. The MS DNS gets a copy of it using Zone Transfers.
    All MS AD Zones like "_msdcs" or "_tcp" are delegated to the MS DNS server to be the primary and the BIND gets a copy of them using Zone Transfers.
    The DHCP is configured to update Subdomain(s) primary hosted by BIND - works well.

    As I wanted to use DNS Filtering using PFBlocker I also needed to have Unbound in place.
    Unbound is configured to be the primary DNS for all DHCP clients. (this allows per client logging and blocking/unblocking)
    It gets a copy of the Internal Zones using Zone transfers (from MS DNS and from BIND).
    MS DNS and BIND DNS are forwarding all requests for non-local domains to the unbound. (so they are getting filtered, too)

    This setup has been running stable for some time.

  • Option 150 - format for multiple TFTP servers - Solved (workaround)

    4
    0 Votes
    4 Posts
    4k Views

    @azmtnbike

    Hello,

    I am having similar issues with option 150. Do you have instructions on how you did it? I am kinda new to pfsense. Thank you!

  • Could not connect to the internet without ISP-Provided Router

    8
    0 Votes
    8 Posts
    783 Views
    tinfoilmatt

    thinking along the same lines as @jarhead over here. consistently power cycling all devices after making any reconnections is going to be important here.

    spoofing L2 addresses is a bad idea and inevitably a bad time. i would avoid it entirely.

    it also might not be a bad idea to confirm that ISP doesn't need to whitelist MAC of your pfSense WAN NIC. it's possible that their whitelist is only 'enforced' when it detects a router at the other end (to put it crudely)—so it'd stand to reason that you can successfully directly-connect to ONT with your PC but not with the pf host, a router. worth a quick call to avoid chasing your tail.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.