I'd rather not add in host overrides, since there will be many servers eventually used and I don't want to have to manually add overrides each time a new one is brought up. This should be possible with dnsmasq - in fact I know it is since I have previously used it, but something in the pfSense distribution is preventing it :(

Your ISP is handing some options to you in the DHCP lease it seems, nothing to be worried about, usually stuff for their own equipment.

http://forum.pfsense.org/index.php/topic,36066.msg186013.html#msg186013 http://redmine.pfsense.org/issues/1682

That is right. DNS forwarder worked. Thank you very much for providing me the instructions!

Thanks for the reply Please if you want Emergence login interface on the network Unregistered users in the server and request password Login In other words, shows the server without service works And how to create an entry page If you create an accessible page where fabricators in pfsense files Using software such as ssh Also required password Root I want to change the password Root where in pfsense list

Sounds like I should just leave things well enough alone if everything is working.  ;D

I was using nslookup, (without the dot at the end). I thought I first noticed it using a browser but maybe not. I'll double check, Thanks!

@johnpoz: Just because the response from opendns is signed/encrypted does not mean what opendns is giving me is good info. I think we are now into the academic area. At some point you have to trust someone. Yes, OpenDNS can serve bad data sometimes as bad data can propagate through the system. A couple of questions: What exactly does DNSSEC do? Does it encrypt the traffic between the DNS and yourself? Or is it merely a way to say "OpenDNS is actually OpenDNS"? If is the latter, then I actually would prefer BOTH - a verification that the DNS actually is the real one, and encrypted traffic so no others can tamper with the data between the DNS and me. But in both these scenarios are there any way to secure that the data OpenDNS has received is actually good. That is something that will have to rely on the communication they receive. What is important to me, and the only thing I can do anything about, is to ensure that the data gets from OpenDNS to me without going through a man in the middle or in any other way gets tampered with. The DNS I use will have to take the necessary steps to ensure the data they receive is good. I can only trust that they do it, not do anything about it.

ANSWER::::::::: Hi had to create an account to lend a hand here! It's now 00:28 in the UK and after reading your 2 posts "an10bill" and hoping to find the answer when I started at about 13:00 today I thought you might want the solution: Carefull as you ARE going to KICK YOURSELF (I did!). Go to your managed switch, Look at the egress port to your modem/router that is supposed to be delivering your DHCP address, Notice the "T" (tagged packet) and change it to "U" (untagged packet), Now the packet can be understood and travel to all incompatible NICs. Our router, second in line to the satellite modem, packed in so I hadn't realised tagging was on as the old router could handle it. Only after not being able to get DHCP directly to PFSense and yet the Laptop could (like your scenario) did I eventually discover the subtle difference. Hope this helps anyone else so they dont end up on site after midnight! Ralph, Midlands PC Engineers Ltd www.mpce.co.uk

IIRC it needs to do that because in some cases the replies from the upstream server may not be directed back at the IP as expected, so by listening on that interface it can receive broadcast traffic there as well.

Joolee: If your connection isn't trustworthy and slow there are only two things you could do. Upgrade to a better dedicated connection. OR Install a local DNS server that syncs with your master DNS server over the tunnel.  It may sometimes be out of date (if the connection is down for a prolonged amount of time) but it would continue to serve requests to clients (where possible; that is if the tunnel is down the local clients cant route to remote clients, etc).

You can create a ticcket with patchfiles, than it will be implemented in next release.

Thank you, podilarius! You are right! Problem was in the Subner. Correct one is 255.255.255.252. Problem solved.

PROBLEM SOLVED!!! My state table had LOTS of this: tcp 10.10.2.30:53227 -> 10.10.1.100:631 FIN_WAIT_2:FIN_WAIT_2 CUPS was sending LOTS of requests,  I added the 10.10.2. network to CUPS on my server and now everything is back to normal!  :)

Sorry, have been out of town on business. craigduff: They are all individual (no forest). I don't think stub zones are the answer. I don't want dns on the far ends of the VPN tunnels, just on the local side with the pfsense box. I really don't want to replicate the entire zone from BIND or MSDNS to the pfsense box if I can help it. Basically what I think i'm looking for is a conditional forward. jimp: I get the whole . at the end thing (been doing that for years), however, the problem is there is no way a wildcard could be set. An example is abc.local is a domain that i would like to look up. So if i want to connect to desktop-01.abc.local the lookup should go to pfsense and pfsense see the domain then forward it to the dns server at abc.local which in return should supply the ip address of the machine. Correct me if I'm wrong or if I have missed something. I was under the impression that in pfsense the DNS Forwarder (under domain overrides) would forward dns requests for a domain to the dns controller at the ip listed.

Definitely that was the problem, change the network card and enable the DHCP server on it and now works correctly, wallabybob thank you very much your answer helped me a lot.

thanks very much for that.  When I read the notes for that option it kept referring to external sites that could be redirected (I assume this is the dominant use/need for this feature), and totally missed the local-host capability. I just did this last nite, and it works well! :)