Assuming it's dhcpd taking up 100% of the CPU, that would be an ISC DHCPD issue, not something we have anything to do with or any control over. If it's replicable I'd suggest reporting it to ISC.

@asura:

thanks a lot and i really appreciate ur reply ..

mayb i can try put host, domain and ip as below
HOST       DOMAIN                   IP
www       .movie-server.com     192.168.1.11

I am pretty sure for domain you would put "movie-server.com" without the leading "."

Worked like a charm once i set up a virtual host in apache with the new server name.

Thanks walaby!

What your saying makes no sense if you don't have rule on lan interface to block access.  I have plenty of boxes outside my dhcp scope.  So example my lan network is 192.168.1.0/24, pfsense lan interface is on 192.168.1.253

dhcp scope is 192.168.1.210 to .219

So for example my linux box at 192.168.1.7 can query pfsense for dns.

dig i5-w7.local.lan ; <<>> DiG 9.8.1-P1 <<>> i5-w7.local.lan ;; QUESTION SECTION: ;i5-w7.local.lan.               IN      A ;; ANSWER SECTION: i5-w7.local.lan.        1       IN      A       192.168.1.100 ;; Query time: 2 msec ;; SERVER: 192.168.1.253#53(192.168.1.253) ;; WHEN: Fri Sep 21 11:11:19 2012

And here is windows box on .100 also outside the scope

C:\Windows\System32>nslookup Default Server:  pfsense.local.lan Address:  192.168.1.253 > www.google.com Server:  pfsense.local.lan Address:  192.168.1.253 Non-authoritative answer: Name:    www.google.com Addresses:  2607:f8b0:400f:801::1012          74.125.225.177          74.125.225.179          74.125.225.178          74.125.225.180          74.125.225.176

So I would verify that you did not typo the dns server?  Do you have more than 1 dns server listed on the clients on your lan?

I have more boxes outside my scope than inside to be honest, and have no issues - are these boxes on a different interface/vlan connected to pfsense, so different firewall rules than lan?  Is there anything between them and the pfsense lan interface, another firewall, local firewalls on the clients?

Are you running say unbound, where you could of set ACLs on which IPs can query it?

@techmed:

Thanks a lot.

I've been looking at wildcards as well.

I don't need granularity per se, I just want to have those rules in place to ensure that google isn't over ssl.

I'll look into URL rewriting with squid

The dnsmasq override solution works fine with the caveat that your overrides will quit working if the address of nosslsearch.google.com ever changes. With that in mind, I wrote a little hack to keep it up to date. The attached php code will udpate the ip address in the override to the nslookup ip address of a domain specified in the overrides description field. For the override rules for www.google.com, google.com, etc, you can set the description field to "ip=nosslsearch.google.com" and every time this script is executed it will lookup the ip address of 'nosslsearch.com" and update it in the override (if it has changed). I'm planning to just run the script from cron every half hour or so…

Apologize up front if this isn't the most elegant php code. I don't claim to know php - I just hacked this together looking at the gui code for services_dnsmasq.php.

/*         update_hosts.php Process the config settings of the dnsmasq service and set the host override IP addresses to values that we lookup using nslookup. If the description in the host override contains the string ip=domain (such as ip=nosslsearch.google.com) then lookup the domain value and put it into the ip address field */ require("config.inc"); require_once("functions.inc"); require_once("filter.inc"); require_once("shaper.inc"); if (!is_array($config['dnsmasq']['hosts']))         $config['dnsmasq']['hosts'] = array(); if (!is_array($config['dnsmasq']['domainoverrides']))         $config['dnsmasq']['domainoverrides'] = array(); $a_hosts = &$config['dnsmasq']['hosts']; $a_domainOverrides = &$config['dnsmasq']['domainoverrides']; $write_it = 0; $i = 0; foreach ($a_hosts as $hostent) {         /* If the description starts with "ip=", then we want to lookup the           domain specified         */         $descr=ltrim(strtolower($hostent['descr']));         $str_part=explode("=",$descr);         if ( $str_part[0] == "ip" ) {                 /* Pull the domain out (second part of 'ip=domain')                 */                 $ret_val=0;                 $out_array=array();                 $check_domain=$str_part[1];                 echo "Checking override address for {$hostent['domain']}\n";                 echo "should be set to resolution of {$check_domain}\n";                 /* Try to lookup the domain and get an address back for it                 */                 $tmp=exec("nslookup -timeout=2 " . $check_domain, $out_array, $ret_val);                 $str_part=explode(" ", $out_array[4]);                 if ($str_part[0] == "Address:") {                         $lookup_addr=$str_part[1];                         echo "nslookup of {$check_domain} returned {$lookup_addr}\n";                         /* If the address is different than the IP alread stored for this                           override record, then update it                         */                         if ($lookup_addr != $hostent['ip']) {                                 echo "{$hostent[ip]} != {$lookup_addr}\n";                                 echo "updating address {$hostent['ip']} ---> {$lookup_addr}\n\n";                                 $hostent['ip']=$lookup_addr;                                 $a_hosts[$i]=$hostent;                                 $write_it=1;                         }                         else {                                 echo "{$hostent[ip]} == {$lookup_addr}\n";                                 echo "skipping address update...\n\n";                         }                 }                 else {                         echo "unable to resolve {$check_domain}\n";                         echo "skipping address update...\n\n";                 }         }         $i++; } /* Only rewrite things if something actually changed */ if ($write_it > 0) {         echo "writing config\n";         write_config();         $retval = services_dnsmasq_configure();         /* Relaod filter (we might need to sync to CARP hosts)           don't know if this is really necessary or not         */         filter_configure(); }

@cmb:

Don't disable it entirely, just add the additional hostname under System>Advanced.

YES - YOU DA MAN!

Thanks :)

Those are resolved using a little daemon that checks DNS every few minutes for updates. If DNS is down, the IPs don't get put in the alias/table in pf. When DNS comes back, the IPs will be put into the table once they have been resolved.

hi!

if you are familiar with coding, check my thread, if you can help me overcome my problem ı think ay can help you

my:thread:http://forum.pfsense.org/index.php/topic,53655.0.html

I'd rather not add in host overrides, since there will be many servers eventually used and I don't want to have to manually add overrides each time a new one is brought up.

This should be possible with dnsmasq - in fact I know it is since I have previously used it, but something in the pfSense distribution is preventing it :(

Your ISP is handing some options to you in the DHCP lease it seems, nothing to be worried about, usually stuff for their own equipment.

http://forum.pfsense.org/index.php/topic,36066.msg186013.html#msg186013
http://redmine.pfsense.org/issues/1682

That is right. DNS forwarder worked. Thank you very much for providing me the instructions!

Thanks for the reply
Please if you want
Emergence login interface on the network
Unregistered users in the server and request password
Login

In other words, shows the server without service works

And how to create an entry page
If you create an accessible page where fabricators in pfsense files
Using software such as ssh

Also required password Root

I want to change the password Root where in pfsense list

Sounds like I should just leave things well enough alone if everything is working.  ;D

I was using nslookup, (without the dot at the end). I thought I first noticed it using a browser but maybe not. I'll double check, Thanks!

@johnpoz:

Just because the response from opendns is signed/encrypted does not mean what opendns is giving me is good info.

I think we are now into the academic area. At some point you have to trust someone. Yes, OpenDNS can serve bad data sometimes as bad data can propagate through the system.

A couple of questions: What exactly does DNSSEC do? Does it encrypt the traffic between the DNS and yourself? Or is it merely a way to say "OpenDNS is actually OpenDNS"? If is the latter, then I actually would prefer BOTH - a verification that the DNS actually is the real one, and encrypted traffic so no others can tamper with the data between the DNS and me.

But in both these scenarios are there any way to secure that the data OpenDNS has received is actually good. That is something that will have to rely on the communication they receive. What is important to me, and the only thing I can do anything about, is to ensure that the data gets from OpenDNS to me without going through a man in the middle or in any other way gets tampered with.

The DNS I use will have to take the necessary steps to ensure the data they receive is good. I can only trust that they do it, not do anything about it.