You also cannot really redirect DoT requests. Normally the client require an SSL certificate, which match the servers host name. @louis2 said in URL's for local devices how, given the need for a local 'bypassed' DNS :) :(: But in more recent days DNS querys tend to be hided in HTTPS and QUIC and ... bypassing the local DNS That's called DNS over HTTTPS. Since you cannot distinguish it from normal HTTPS traffic, you can only block the destination addresses. You can do this with pfBlockerNG. There are lists of DoH servers available in the net. If the application cannot connect to it's favorite DoH server it should try to use the systems DNS resolver.

@Gertjan ah ok, now that makes sense. In this case i will leave it the way it is. Thanks

@johnpoz same

@viragomann I figured out the problem. The URL entered in the DDNS configuration page had a leading blank due to being copy-pasted from the Dynu web page. Enhancement suggestions: Remove leading/trailing spaces from the URL before building the curl command. Provide better error messages, and an option to enable verbose logging from the curl command

@Yariel hey there, just put (as mentioned above) your client with the IP you want for it in the Client Specific Override Tab: [image: 1706273283724-screenshot-5.png]

@gherrmann-pwd you can put in a feature request for such a note.. Not sure how much it will help, many of the common mistakes made after being here for years and years is users don't read the notes that are already in place ;) What I can tell you have seen over the years multiple threads why dhcp is not available on an interface, and the /32 mask is always the cause ;)

Thank you for the feedback! If we don't find another solution, we can indeed try this. Let's also include branch 23 directly in that case.

@Anatairus ah, ok that makes sense you were just wanting to test that your vlan worked, before you went forward with connecting to switch and add the rest of your vlans.. Yeah when doing such a "test' the device you plug in has to be set to understand and send the tag you setup.. If you have any questions going forward, just ask.

@Spyderturbo007 said in Lease Active but Can't Ping or Access Device: My brain got stuck on the pfsense because it was the only thing new. Yeah that happens a lot to be honest.. Its easy to think that hey I only switched this out, this has to be the problem. So don't feel so bad, but providing the info you did allows others to see what your not seeing and point out other things that could be the problem. Glad you got it sorted.

@mikemod said in DNS Resolver cant find ip of one domain: cycle the router before to see if I could pick up a different IP but it always got the old 147.xxx.xxx.xxx one. Well if your dhcp, just a power cycle wouldn't normally do it, since you would normally just get the same lease. If you were down for extended period that your lease expired then yeah you could get a new one. its possible the cable modem (if that is what your on) got a firmware update or a change to its config when it rebooted with the power outage and got new dhcp servers, etc. Glad to hear your back in business without having to need the domain override..

Yes, a wildcard DNS entry overrides all others.

@bingo600 said in PFSense Query refused: @grantcurell Are you using unbound ? I had to add my openvpn ranges to the access-lists section as allow , in order to be able to resolve DNS from those. Seems like unbound default allows known nets (assigned to interfaces) , and refuses qureries from all other nets. Add "unknown nets here" (Unbound settings) [image: 1607576274961-e25c09a1-2795-48fb-970c-21def0b7224a-image.png] /Bingo Worth noting this occured with a VLAN interface srced traffic... It might be because I need to bounce the unbound daemon, or whatever... adding the ACL allowed me to src traffic from a macvlan hosted docker container bound to a subint on a synology NAS. The tagged traffic was arriving, and I was seeing refused responses from pfsense at the LAN interface of the pfsense. Adding the subnet for the VLAN interface resolved the issue. Thank you!

Never mind. If I had just kept reading I found my answer. https://forum.netgate.com/topic/184226/psa-kea-dhcp-does-not-like-dns-names-breaks-isc-to-kea-migration/10 [image: 1705640163266-6477cac2-d01f-4e3c-86a5-2856f900845e-image.png]

@nuovapentecoste I think I solved it.... In the Gateway Group, I modified the "interface Address" entry of the tier in question with the IP that interests me.

@johnpoz thanks for the confirmation. I'll wait!

@slim2016 thank You