  • Sharing HAProxy front-end for both public and local domains, possible?

    bthoven

    ok. I have done it with the following broad steps on pfSense:

    1. Create a Let's Encrypt certificate for *.home.mydomain.com.
    2. Create a virtual IP, e.g. 10.255.0.1 (Firewall --> Virtual IP).
    3. HAProxy:
       3.1 Add listening ip:port 10.255.0.1:443 below the WAN Address:443 (where all front-end ACLs/actions are defined for public subdomains).
       3.2 Add listening ip:port 10.255.0.1:80 with action "http redirect to https" below the WAN Address:80 http redirect to https.
       3.3 Add the additional certificate created in step 1 for *.home.mydomain.com.
    4. Services --> DNS Resolver:
       4.1 Hosts Override: add the first host with hostname the same as one of the public subdomains + home.mydomain.com ---> 10.255.0.1.
       4.2 Edit the first host above --> additional names for this host --> add more hosts below the first host + home.mydomain.com.

    How this setup works:

    Enter URL ebook.mydomain.com (public URL): look up the pfSense DNS resolver; no matching domain, so use upstream DNS (e.g. Quad9, Cloudflare DNS or your ISP's DNS servers). Quad9 finds my WAN IP from Cloudflare DNS (or any authoritative DNS server): Cloudflare ---> my WAN IP (pfSense) ---> HAProxy ---> redirect from http to https ---> front-end ---> backend ---> local servers.

    Enter URL ebook.home.mydomain.com (local URL): look up the pfSense DNS resolver; found hosts override entry ebook.home.chotechai.com ---> 10.255.0.1; go directly to the HAProxy listening IP 10.255.0.1 ---> redirect from http to https ---> front-end ---> backend ---> local servers.

    I am not an expert and do not claim this is the right way, but it works for me. Any recommendations are welcome.

    Update: I found that by using a Virtual IP, my Tailscale clients can't reach hosts on home.mydomain.com. Instead, using LAN Address on the HAProxy front-end, and the LAN interface IP, e.g. 192.168.1.1, for the host override has solved the problem.

    (screenshot: Services --> Acme)

    (screenshot: Firewall --> Virtual IPs)

    (screenshot: Services --> HAProxy --> Front-ends)

    (screenshot: DNS Resolver --> Hosts Override)

  • Error with Route53 Dynamic DNS ipv6 update

  • pfSense using DNS Servers Not Listed in Config


    @johnpoz said in pfSense using DNS Servers Not Listed in Config:

    @mdt you're more than likely looking in the wrong place.. Look to your browser, that you're running your DNS leak test from..

    Sniff the LAN interface of pfSense when you go doing this DNS leak test.. Browsers love to do DoH on their own to circumvent your local DNS.. So you can see exactly what your client is asking for and who they are talking to..

    That was it. Thank you!

  • Pinging local computer name resolves to WAN IP.

    johnpoz

    @r2the3rd said in Pinging local computer name resolves to WAN IP.:

    I am using my purchased domain name in general setup.

    That is going to be problematic out of the gate, with caveats that have to be taken into account.. Registering DHCP clients has always been problematic since it requires a restart of unbound on every DHCP event.

    If you want host.domain.tld to resolve to a local IP, creating a local entry is the most sure-fire way to make sure the FQDN resolves to the IP you want.

    If you switched over to Kea then registration isn't a thing yet..

  • DNS broke, 127.0.0.1 and the others too!


    @reberhar So the problem with DNS was the FO modem. It was a really weird problem. Both the primary server and the secondary server were connected to the FO modem via a switch. They both came in through one port from the switch. The primary was getting DNS fine. The secondary was not although connected with the ability to ping numbers. Moving the secondary to the second port on the modem gave DNS.

    Of course this should not be. Perhaps there is a bug in the software of the modem.

    I moved between ports and saw DNS go away on the secondary and come back when I moved the ethernet cable connection. DNS was lost and regained accordingly, but I never lost Internet connection.

    It sounds like a firewall problem on the modem, but there doesn't seem to be any way to access the modem firewall.

  • URL's for local devices how, given the need for a local 'bypassed' DNS :) :(


    You also cannot really redirect DoT requests. Normally the client requires an SSL certificate which matches the server's host name.

    @louis2 said in URL's for local devices how, given the need for a local 'bypassed' DNS :) :(:

    But in more recent days DNS queries tend to be hidden in HTTPS and QUIC and ... bypassing the local DNS

    That's called DNS over HTTPS.
    Since you cannot distinguish it from normal HTTPS traffic, you can only block the destination addresses. You can do this with pfBlockerNG. There are lists of DoH servers available on the net.

    If the application cannot connect to its favorite DoH server it should try to use the system's DNS resolver.

  • Not using DHCP server only Client for WAN

  • Delete/Clear unused-Abandoned DHCP Leases


    @Gertjan ah ok, now that makes sense. In this case I will leave it the way it is. Thanks

  • Kea DHCPv4 not issuing default gateway on 23.09.1?


    @johnpoz same

  • (thread title not captured)


    @viragomann I figured out the problem. The URL entered in the DDNS configuration page had a leading blank due to being copy-pasted from the Dynu web page.

    Enhancement suggestions:

    - Remove leading/trailing spaces from the URL before building the curl command.
    - Provide better error messages, and an option to enable verbose logging from the curl command.

  • OpenVPN DHCP

    the other

    @Yariel hey there,
    just put (as mentioned above) your client with the IP you want for it in the Client Specific Override tab:
    (screenshot)

  • (thread title not captured)

    johnpoz

    @gherrmann-pwd you can put in a feature request for such a note.. Not sure how much it will help; many of the common mistakes made, after being here for years and years, are because users don't read the notes that are already in place ;)

    What I can tell you is that I have seen, over the years, multiple threads about why DHCP is not available on an interface, and the /32 mask is always the cause ;)

  • DHCP server keeps getting stuck


    Thank you for the feedback! If we don't find another solution, we can indeed try this. Let's also include branch 23 directly in that case.

  • VLAN DHCP

    johnpoz

    @Anatairus ah, ok that makes sense, you were just wanting to test that your VLAN worked before you went forward with connecting to the switch and adding the rest of your VLANs..

    Yeah, when doing such a "test" the device you plug in has to be set to understand and send the tag you set up..

    If you have any questions going forward, just ask.

  • Lease Active but Can't Ping or Access Device

    johnpoz

    @Spyderturbo007 said in Lease Active but Can't Ping or Access Device:

    My brain got stuck on the pfsense because it was the only thing new.

    Yeah that happens a lot to be honest.. It's easy to think that hey, I only switched this out, this has to be the problem. So don't feel so bad, but providing the info you did allows others to see what you're not seeing and point out other things that could be the problem.

    Glad you got it sorted.

  • DNS Resolver cant find ip of one domain

    johnpoz

    @mikemod said in DNS Resolver cant find ip of one domain:

    cycle the router before to see if I could pick up a different IP but it always got the old 147.xxx.xxx.xxx one.

    Well if you're on DHCP, just a power cycle wouldn't normally do it, since you would normally just get the same lease. If you were down for an extended period such that your lease expired, then yeah, you could get a new one.

    It's possible the cable modem (if that is what you're on) got a firmware update or a change to its config when it rebooted with the power outage and got new DHCP servers, etc.

    Glad to hear you're back in business without having to need the domain override..

  • Internal Hosts Resolving to External WAN IP


    Yes, a wildcard DNS entry overrides all others.

  • PFSense Query refused


    @bingo600 said in PFSense Query refused:

    @grantcurell

    Are you using unbound?

    I had to add my OpenVPN ranges to the access-lists section as allow, in order to be able to resolve DNS from those.

    Seems like unbound by default allows known nets (assigned to interfaces), and refuses queries from all other nets.

    Add "unknown nets here" (Unbound settings)

    (screenshot)

    /Bingo

    Worth noting this occurred with VLAN-interface-sourced traffic... It might be because I need to bounce the unbound daemon, or whatever... Adding the ACL allowed me to source traffic from a macvlan-hosted Docker container bound to a subinterface on a Synology NAS. The tagged traffic was arriving, and I was seeing refused responses from pfSense at the LAN interface of the pfSense. Adding the subnet for the VLAN interface resolved the issue. Thank you!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.