• How best to set DNS servers/unbound/VPN

    16
    0 Votes
    16 Posts
    2k Views
    H
    @hspindel I reviewed my configuration, and discovered that I actually do have DNS forwarding enabled but not in the way I was looking. DNS forwarding service is NOT enabled. But DNS Resolver service is enabled, and the checkbox for "Enable Forwarding Mode" is checked. Description says if this is checked, then DNS queries are forwarded to the servers set in System/General Setup. So that explains why my current setup is working. I still do not have a solution that chooses one or the other of the DNS services in System/General Setup dependent on whether the Wireguard VPN is enabled or not.
  • I don't like kea-dhcp4 logs

    5
    0 Votes
    5 Posts
    326 Views
    M
    @johnpoz Agreed on the ISC not going anywhere. I want them to perfect Kea as much as possible.
  • How to list DNS servers from dynamic interfaces?

    2
    0 Votes
    2 Posts
    185 Views
    rtorresR
    @McMurphy I use dnsleaktest.com to check what DNS servers are being used. I believe if you see anything other than your IP and you have more than one server in your results, your DNS records are being sent elsewhere. My pfSense is under a VPN; I only see 1 server, and the VPN is the only IP I see. I have no DNS servers on my list other than my pfSense and have set it to use only 127.0.0.1 and ignore other DNS servers.
  • Vlans will not DNS resolve

    15
    0 Votes
    15 Posts
    673 Views
    johnpozJ
    @sentein Huh? So you have DHCP running on pfSense.. Thought you said you had a different DHCP server? Also, unless you put unbound into forwarding mode, setting those DNS servers is pointless..
  • Trialling CloudConnexa with a single site

    1
    0 Votes
    1 Posts
    237 Views
    No one has replied
  • 0 Votes
    7 Posts
    839 Views
    F
    @johnpoz Is it true that it is not possible to redirect a DNS request from a network to a device belonging to that network?
  • Packet Loss with WAN Interface Up

    1
    0 Votes
    1 Posts
    100 Views
    No one has replied
  • Long time to get IP gateway from dhcp

    19
    0 Votes
    19 Posts
    787 Views
    M
    @johnpoz Hi, thanks for your help, but today I can confirm that the problem is from the TENDA I29 AP... This AP is so weird. The web interface has few options. I don't know what's going on, but the access point refuses to connect to the LAN... Today, I received a second TENDA I29 access point, and the problem is the same. I also received a NETGEAR WAX615 hotspot today. And guess what?! Miracle! Everything works on the first try... I performed the same operations: set a static IP, set the mask, define the gateway and DNS1 to my pfSense... Everything works the first time. I even configured my VLANs for my different SSIDs, all in less than 15 minutes!! I have no explanation regarding the TENDA access points... I performed the firmware updates, but it didn't change anything... I will send them back to Amazon...
  • [Solved] Active directory, multiple VLANS : DHCP and DHCP relay

    5
    0 Votes
    5 Posts
    1k Views
    NightlySharkN
    @Tommyboy Please don't forget to mark the post as solved, happy networking!
  • Lose Internet - No Internal Ping Why?

    7
    0 Votes
    7 Posts
    356 Views
    O
    @johnpoz DNS was up, I think. It was the Netgate router; there was an update pending, so not sure if that had a role, but everything is fine now. I rebooted the router and upgraded and things are fine now even when I unplug the WAN interface. Thanks.
  • disabling DNSSEC stops local hostname resolution?

    14
    0 Votes
    14 Posts
    1k Views
    J
    @johnpoz said in disabling DNSSEC stops local hostname resolution?: Clearly stated in the release notes.. Clearly stated in the blog they wrote about it.. Multiple Multiple threads here on the forum about it. If only it had been clearly stated where it really matters. Oh well. ¯_(ツ)_/¯
  • Can pfSense's DHCP server (securely) update Microsoft DNS?

    20
    1 Votes
    20 Posts
    11k Views
    T
    As there was no option covering all my use cases, I decided on a full redesign of my DNS setup (but it is quite complicated if you want to use all features like I do). I am now running BIND on top of pfSense as the primary server for my internal DNS zones. The MS DNS gets a copy of it using zone transfers. All MS AD zones like "_msdcs" or "_tcp" are delegated to the MS DNS server to be the primary, and BIND gets a copy of them using zone transfers. The DHCP is configured to update subdomain(s) primarily hosted by BIND - works well. As I wanted to use DNS filtering using pfBlocker, I also needed to have Unbound in place. Unbound is configured to be the primary DNS for all DHCP clients (this allows per-client logging and blocking/unblocking). It gets a copy of the internal zones using zone transfers (from MS DNS and from BIND). MS DNS and BIND are forwarding all requests for non-local domains to Unbound (so they are getting filtered, too). This setup has been running stably for some time.
  • Option 150 - format for multiple TFTP servers - Solved (workaround)

    4
    0 Votes
    4 Posts
    4k Views
    A
    @azmtnbike Hello, I am having similar issues with option 150. Do you have instructions on how you did it? I am kinda new to pfSense. Thank you!
  • Could not connect to the internet without ISP-Provided Router

    8
    0 Votes
    8 Posts
    887 Views
    tinfoilmattT
    thinking along the same lines as @jarhead over here. consistently power cycling all devices after making any reconnections is going to be important here. spoofing L2 addresses is a bad idea and inevitably a bad time. i would avoid it entirely. it also might not be a bad idea to confirm that the ISP doesn't need to whitelist the MAC of your pfSense WAN NIC. it's possible that their whitelist is only 'enforced' when it detects a router at the other end (to put it crudely)—so it'd stand to reason that you can successfully directly connect to the ONT with your PC but not with the pf host, a router. worth a quick call to avoid chasing your tail.
  • Potential DNS Rebind attack detected

    12
    0 Votes
    12 Posts
    4k Views
    johnpozJ
    @jordanet ah that is fine - not sure why it seemed like you were pointing to rfc1918, my bad.. But resolving a 185.x. wouldn't be a rebind.
  • Intermittent DNS Issue

    13
    0 Votes
    13 Posts
    2k Views
    D
    @TheNarc said in Intermittent DNS Issue: @Gertjan Not sure what VPN @DaveP-0 is using, but it seems that Nord just started (without announcing to anyone) redirecting all DNS queries. Related post It may not surprise you to note that I am using Nord VPN. I've read the other thread and realised I missed it because it was talking about VLANs. Never mind. I have the same issue. @johnpoz Thanks for that. It makes sense and now I know. You would think pfSense had a warning even if they don't want to automagically unset it. Which I understand. I like that policy. I'm online to Nord Support now and my subscription expires in a few months, so a new VPN may be on the menu. Pity, I like Nord. Let's see what they say to me. I'd like to thank you all for the support; it is appreciated, and I'll close this thread and move to the already set Related post.
  • DNS Settings For Active Directory at a remote site

    21
    0 Votes
    21 Posts
    4k Views
    bmeeksB
    @McMurphy said in DNS Settings For Active Directory at a remote site: @bmeeks p.s. And just when I thought I understood what a resolver was I found this... I created a rather long post above this one to explain this screenshot. The short version is that the parameter highlighted in the red rectangle changes the mode of operation for the DNS Resolver over to forwarding mode instead of the default resolving mode. There are not many good reasons for doing that in the opinion of many of us seasoned admins. If you enable Forwarding Mode, then you must provide the DNS servers to forward the queries to under the DNS Servers section of GENERAL under the SYSTEM menu. Also note that if you enable this DNS Resolver option to switch it to forwarding mode, you should NOT enable DNSSEC. The server you forward to either does DNSSEC or it does not, but it will not do it just because you check that box. In fact, some external DNS servers will not work correctly if you enable DNSSEC when forwarding (Quad9 being an example, see this: https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-dnssec-validation). That checkbox really only applies to resolver mode operation.
  • 0 Votes
    107 Posts
    23k Views
    I
    @johnpoz I connected two switches and pfSense, so that's all I use. I took a look at these switches you are talking about, these Cisco office switches; which one do you recommend?
  • 0 Votes
    25 Posts
    4k Views
    keyserK
    @pftdm007 I have 2 sites; one site cannot use Quad9 in TLS mode anymore. Works fine in normal forwarding mode, so I'm starting to think it's my ISP doing something fishy with TLS to that site.
  • * being used as a new DOH?

    1
    0 Votes
    1 Posts
    117 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.