• No DHCP on VLAN interfaces

    0 Votes
    19 Posts
    54k Views

    Check if the interface is enabled under PFSENSE > INTERFACES > vlan_interface > Enable interface

  • 0 Votes
    5 Posts
    397 Views
    Bob.Dig

    @netgateuser39384 It depends, for some interfaces I use the external approach. For others I use unbound because of DNSBL with pfBlocker and other local DNS stuff. But even those I finally route them with DoT via a VPN to a privacy focused DNS provider. 😉

  • DHCP Server running, but not doing anything

    0 Votes
    5 Posts
    571 Views
    johnpoz

    @theuken said in DHCP Server running, but not doing anything:

    interface while running Wireshark

    Wireshark on the client is pretty useless in such a situation - the client could be sending it all day long, that doesn't mean pfsense ever saw it.

    You need to do a packet capture on pfsense under the diag menu as @Gertjan shows in his post; feel free to run wireshark on the client at the same time to validate the client actually sent it. But if the pfsense interface where dhcpd is listening never sees a discover, then it's never going to send an offer.

    By the way, you don't need both ports. 67 or 68 is going to be involved in any dhcp - so you just need 1 of those ports.

  • Switch DNS/DHCP from pfSense and add ADDS server

    0 Votes
    1 Posts
    396 Views
    No one has replied
  • Squid + squidguard + Pi-hole

    0 Votes
    6 Posts
    3k Views
    JonathanLee

    I just learned. . .
    Squid can be forced to lock down to a specified dns

    dns_nameservers "PI-hole dns ip address"

    http://www.squid-cache.org/Doc/config/dns_nameservers/

  • How to setup local domain in local network that everyone

    Moved
    0 Votes
    25 Posts
    3k Views
    johnpoz

    @netboy wouldn't bookmark just be easier???

    If your goal is typing it out in your address bar, just set a tag or keyword.

  • 0 Votes
    3 Posts
    807 Views
    johnpoz

    @ASGR71 putting a block rule to 53 just below the rule you allow 53 to pfsense IP would be a valid solution if you want to block clients on that network from talking to any normal dns on the internet.

    If you are having issues with clients using dns other than pfsense: while that rule would block normal dns, it doesn't prevent clients from using doh (dns over https) or dot (dns over tls). Dot should be easy to prevent since the standard port is 853, and clients don't normally use dot. A forwarder would use dot to forward to some other resolver via tls.

    Blocking clients from using their own dns to circumvent local dns has become an uphill battle.. Browsers deciding to use doh on their own without explicit opt-in by the user is a problem.

    Blocking doh is becoming a challenge, since it uses the standard 443 port of https traffic - which is pretty much everything on the internet these days. Blocking this has come down to using lists of known doh servers and blocking the IPs, which can turn into a whack-a-mole game.

    But if you just want to prevent some client talking to say 8.8.8.8 or quad9 or 1.1.1.1 on 53, etc.. then yeah that 2nd rule accomplishes that.

  • 0 Votes
    9 Posts
    917 Views
    bingo600

    @left4apple

    1:
    I already had the setup running, with Bind & ISC-DHCPD

    2:
    I had a fully working DDNS (Dynamic DNS) setup, where DHCP clients are registering in real time with the DNS part (Bind).
    And I liked to be able to resolve my DHCP clients. - Unbound and DDNS sucks.

    So DNS & DHCP run on my linux server(s), and pfSense (Unbound) uses my linuxes as DNS servers.
    Since I have set my clients to ask pfSense for DNS, and pfSense asks linux for DNS records, I "get the best from both worlds" ... (i.e. I can still do dns overrides in pfSense)

    /Bingo

  • [solved] Domain Overrides only working towards one pfSense

    0 Votes
    9 Posts
    696 Views
    Bob.Dig

    @johnpoz I did and I noticed it was already set, ty.

  • DNS timeout,DHCP timeout consistently

    0 Votes
    4 Posts
    857 Views
    johnpoz

    @nrg is dns restarting on pfsense? Is the dhcp server?

    If you're registering dhcp into dns, that can restart unbound on every dhcp action. But dhcp even being down wouldn't cause a client that already has a lease to stop working.

    Dhcp leases are renewed at the 50% mark and will continue to run until the lease expires, the client would then do a discover.. Look at your dns and dhcp logs.. are you being flooded with dns renews that are not being renewed? As the client gets closer and closer to expire - it will ask more and more often, faster and faster desperately trying to renew, until it finally expires.

    While dns restarting could be problematic for internet access, and you could see that blipping on you if it's restarting a lot, dhcp could be off for days and you would not have a problem - unless your lease is something insanely short. Default is like 2 hours I believe; I have mine set to like 4 days.

  • 0 Votes
    6 Posts
    693 Views
    johnpoz

    @darrenavid said in Can I add manual entries to pfSense's DNS resolver that include specific ports?:

    FWIW, I'm using NGINX to handle this already to applications

    While I agree split dns is normally the best solution, I take it you're using some internal nginx as a proxy. Have you looked at the haproxy package?

    If you want to send to different ports, or have ssl offload done the haproxy can be used to get to your internal services. I host a couple of services to the public via haproxy. But my internal hosts can use the same fqdn to access, which resolves to the public IP.

    So for example https://host.mypublicdomain.tld resolves to pfsense wan IP. But this gets sent to a backend that is not doing ssl, that is handled by haproxy and goes to a odd ball port that the actual service is listening on.

  • Dynamic DNS support for Gandi LiveDNS?

    0 Votes
    4 Posts
    3k Views
    SebM

    My latest version of pfSense now natively supports Gandi LiveDNS (with the use of the API key).

  • [Solved] Gandi DNS in pfSense 2.4.5 not working

    0 Votes
    8 Posts
    854 Views
    SebM

    @trumee said in [Solved] Gandi DNS in pfSense 2.4.5 not working:

    I had to put TTL as well. Now the dns updates fine. Solved!

    Seems to be working fine without the TTL now.

    Although pfSense still only supports API key (which Gandi states is "deprecated") and not Personal Access Token (PAT).

  • DHCP Server outbound interface for DDNS updates?

    0 Votes
    4 Posts
    314 Views
    Gertjan

    @matsan said in DHCP Server outbound interface for DDNS updates?:

    Actually yes I am surprised since the DHCP Server is configured for the LAN interface.

    The DHCP server 'serves' leases on the LAN.
    That's one part of the job.

    You are also using :

    @matsan said in DHCP Server outbound interface for DDNS updates?:

    DHCP Server is configured with the address in HQ for Dynamic DNS registration.

    and that's another job, using the interface that leads to the upstream ( ? ) DDNS service, your HQ.
    That traffic won't go over LAN .... HQ isn't on LAN.

  • dhcp failing to report online

    0 Votes
    3 Posts
    447 Views

    @Gertjan
    That's great information. I'll follow your guidance.
    That also makes perfect sense, as I have cloned a container that has been allocated the same IP address as the predecessor. Obviously a new MAC would have been created by the hypervisor.
    Thanks again for fantastic information

  • Block requests for "undefined"

    0 Votes
    10 Posts
    573 Views
    johnpoz

    @timtrace I am in a very "slow" process of moving to it - but I have quite a few local certs that I have issued via my CA, and as they come up on expire (I had set them for 10 years, before the browsers started balking at such long certs)..

    And I have just not yet got motivated enough to change them all at once ;)

    My unifi controller now uses the new home.arpa, and so does my nas, etc. But at some point here I will be fully home.arpa - but for now using a mixed bag ;)

    $ dig nas.home.arpa +short
    192.168.9.10
    $ dig newuc.home.arpa +short
    192.168.2.12

  • ISP change and now pfsense unable to resolve DNS names

    0 Votes
    7 Posts
    2k Views
    Gertjan

    @swansense said in ISP change and now pfsense unable to resolve DNS names:

    Was not aware that pfsense had root servers

    Not pfSense.
    Any of these ( having a Yes in the Recursive column ) https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software are resolvers.
    For most OSs these are just applications or packages you include / install and use.
    The most known is 'bind'.
    The better ones also do DNSSEC.

  • want to disable dhcp from pfsense

    0 Votes
    5 Posts
    522 Views

    @johnpoz sure, thanks a lot

  • Unbound, VLAN, and setting up pfsense for IPV6 on each VLAN

    0 Votes
    2 Posts
    481 Views
    Bob.Dig

    @PabloAbonia said in Unbound, VLAN, and setting up pfsense for IPV6 on each VLAN:

    I was wondering if it was possible to set up unbound with its IPV6 address on each interface so that pfSense's IPV6 address is added to DNS.

    This is kinda the default, like with IPv4.

  • 2 Votes
    23 Posts
    9k Views

    Now testing the SG-2100 with 23.05.1 for a similar setup, but with multiple Wireguards instead of multiple OpenVPNs.
    Unbound starts correctly.
    I am guessing that Wireguard is faster than OpenVPN starting at boot.
    Thanks again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.