• Can't enable unbound-control

    4
    0 Votes
    4 Posts
    272 Views
    el_babyE

    Thanks a lot @Gertjan

    That was it. It was listening on port 953.

    Since I had not seen any configuration option in the UI I thought it was disabled.

  • Pi-hole with pfSense

    20
    0 Votes
    20 Posts
    14k Views
    johnpozJ

    @tman222 localhost is not really for security, but localhost would always be up, so unbound can bind to it when starting. It will route out any WAN interface you have and be NATed to that IP.

    Not something to worry about really, or to set; like I said, out of the box is fine. But those were things that popped into my head that are different from the default.

  • Unbound errors after 24.11 update

    26
    0 Votes
    26 Posts
    1k Views
    Raffi_R

    @marcosm Oh yea, that error is definitely fixed by the patches. Thanks. I posted confirmation on that other thread in case someone else ran into it.

  • Domain Override works for Debian and Windows but not Ubuntu

    9
    0 Votes
    9 Posts
    378 Views
    V

    @nobugswanted said in Domain Override works for Debian and Windows but not Ubuntu:

    Did you verify if the port forwarding worked?

    How can I verify this?

    You can sniff the traffic on the localhost with Diagnostic > Packet Capture.
    Select the localhost interface and enter 53 at the port filter, start the capture and run a DNS lookup on the concerned machine.

    So I've tested from a VPN computer only. Maybe the solution you proposed will not work on VPN clients.

    Did you push the DNS to the VPN clients or configure the client itself to use your DNS?
    Which VPN?
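The reply above suggests verifying the forward with a packet capture on port 53. As an added illustration (not code from the thread or from pfSense), here is a small DNS wire-format helper: it builds the same kind of query `dig` or `nslookup` sends, decodes a captured payload so you can see which name and record type were asked, and optionally sends the query itself to a chosen server so the client-side test and the capture can be compared. The sample reply bytes are constructed for the example; `host.example.xyz` and `10.0.0.5` are placeholders.

```python
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal recursion-desired DNS query for `name` (A record by default)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    end = None          # position after the name in the original stream
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_message(msg):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # render A records as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def ask(server, name, port=53, timeout=2.0):
    """Send one query to `server` and return the parsed reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    reply = parse_message(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch: not our reply")
    return reply


# Constructed sample reply, as a capture on port 53 would show it: ID 0x1234,
# flags 0x8180 (QR, RD, RA), one question and one A answer using name compression.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x04host\x07example\x03xyz\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 5])
)

if __name__ == "__main__":
    print(parse_message(SAMPLE_REPLY))
    # From a client, compare with the capture: ask("192.168.1.1", "host.example.xyz")
```

Run `ask()` from the client while the capture is running: if the query shows up on localhost port 53 but the answer comes from the wrong source, the override is not being used; if nothing shows up at all, the client is not sending to pfSense in the first place (the VPN-pushed DNS question above).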

  • Devices Not Getting IP from pfSense DHCP Through TP-Link AX95 Router

    4
    0 Votes
    4 Posts
    260 Views
    spearhavocS

    @Gertjan said in Devices Not Getting IP from pfSense DHCP Through TP-Link AX95 Router:

    connect the "TP-Link Archer AX95 WiFi Router" to pfSense with one of its ("TP-Link Archer AX95 WiFi Router") LAN ports; don't use the WAN port anymore.
    Disable the DHCP server on the "TP-Link Archer AX95 WiFi Router".
    Disable DNS.

    I have followed your suggestion. It mostly seems to work. Devices appear to be able to get access from the range extenders.

    It does really seem to screw up the ability of the AX95 to report on its clients though. Now I can see only between 5 and 12 connected wifi devices when there are 30-35 at any one time. Also, I cannot tell any longer which of them are connected to the Guest network as opposed to the main network.

    However, all my devices are now in a single broadcast domain, and OneMesh seems to still be working. These were my goals, so thank you. :-)

    Michael.
    @vitorlm

  • IoT Devices Not Using DNS from DCHP

    48
    0 Votes
    48 Posts
    3k Views
    TangoOverswayT

    Well, spent the last 15 hours trying to get my SG1100 working again. Ran into trouble at every step of the way. I need an offline installer, since the install program can't connect to the Netgate servers. (I suspect that has to do with the Starlink router using the same address space on the WAN side that pfSense defaults to use on the LAN side.)

    So I don't know if I'll ever be able to get back to this. Lost 15 hours of time, plus income, plus wife's income (can't work remotely after a snow storm), and I'm wondering if my device is ever going to work again - or if I have to wait for a paycheck so I can get a new one and then just sit around and wait for it to arrive.

  • Kea DHCP Status only shows Static Mappings

    5
    0 Votes
    5 Posts
    222 Views
    L

    @Gertjan No problem! I'll have another opportunity to look into this on Friday and will report back. For now, everything seems to be working fine since the reboot.

  • Resolver, but in 'forwarding' mode?

    3
    0 Votes
    3 Posts
    166 Views
    GertjanG

    @tknospdr said in Resolver, but in 'forwarding' mode?:

    with the 'query forwarding' box checked and

    ... and given some DNS servers to forward to :

    [image attachment]

    Not a lot of difference. The functionality is the same.

    dnsmasq, the original (before 2012?) forwarder, is still there for historical reasons.
    pfSense started to include Unbound, the resolver, as there are no more good reasons (advantages) to forward to some given ISP (or chosen-by-you) corporate DNS server. It's 2025 now, so you can tap into the original "DNS system" that the Internet offers you. In short: you can take the info from the source, and you don't need an intermediate service anymore.
    You've seen it yourself how good it is: when you installed pfSense, before you changed anything, 'DNS' worked. So no more need to forward to some other resolver.

    Resolving means it will use DNSSEC if available.

    Still, you can choose what method you want to use.
    Both methods have their advantages.
    My point of view is: Netgate has chosen a default setup with a resolver for a reason.

  • Transfer pfSense leases to Windows DNS

    6
    0 Votes
    6 Posts
    271 Views
    GertjanG

    @mb-panketal

    Something to read : 21.2.1. GSS-TSIG Overview

    That's what I'm using so Kea's DDNS can communicate with a remote DNS like Microsoft AD (if I understand the doc correctly).
    Not very surprising, as bind and DC are, imho, the most common ones.

    So, don't wait, don't switch, don't relay, but :
    4. Setup and start the Kea DDNS (see my other post).

    This probably needed "Kerberos 5" stuff, and looking at other "pfSense Microsoft DC" forum posts, pfSense has the needed libraries already.
    So the issue might be as simple as:

    You want A to talk to B,
    So : Make them talk.

    And I get it, this concerns a Microsoft product so finding doc is a bit hard(er) ....

  • Configure pfsense as Local / over VPN DNS / Forwarder

    2
    0 Votes
    2 Posts
    154 Views
    B

    This is what my setup is. Both pfSense firewalls are able to locally resolve DNS using the host override settings.
    My goal is to have clients on LAN3 resolve DNS from LAN0.
    The two pfSense firewalls are connected over VPN.

    [image attachment]

    The setting I used is domain override on the DNS Resolver service.
    Since LAN3 has routing to network 0, I used the remote pfSense address.
    [image attachment]

    Is this going to work? Is that a sufficient setup?

  • DNS Host Overrides changing via command line

    5
    0 Votes
    5 Posts
    225 Views
    E

    @johnpoz "If this is a private IP then it’s a little harder. Can’t do a DHCP reservation? Perhaps a “domain” override for that hostname pointing to the remote DNS server?"

    Sadly not; there isn't a local DNS server on the other network. The network is in effect a black network with very limited and extremely controlled connectivity to other resources.

  • DNS Puzzle

    29
    0 Votes
    29 Posts
    1k Views
    johnpozJ

    @provels yeah, many of the IoT devices these days are hard coding DoH servers. Like I said, they are harder to block, and that way they can look up who they want to pull ads from or send telemetry to, etc.

    The prices of these products are so low quite often because the device itself is not really the product, they just want some device to get your info that they sell.

    But yeah, you start blocking stuff they want to look up, and you can find your NS getting hammered.

  • [solved] IPv6 address gotten via DHCPv6 (kea) lost

    2
    0 Votes
    2 Posts
    216 Views
    Bob.DigB

    Went back to ISC, no such problem.

    Edit1: Same problem exists. Why, what has happened here?

    Edit2: Ok, I disabled the DNS config for IPv6 a few days ago.

    Unchecking this box disables the dhcp6.name-servers option. Use with caution, as the resulting behavior may violate RFCs and lead to unintended client behavior.

    So it is a known fact; I will mark this as solved. There doesn't seem to be the possibility to give "none" as an IPv6 address for DNS. For now, I disabled DHCPv6 on LAN.

  • Unbound Resolver Crash

    6
    0 Votes
    6 Posts
    281 Views
    GertjanG

    @hypnosis4u2nv said in Unbound Resolver Crash:

    I have pfblocker also, does daily updates.

    Something like this :

    [image attachment]

    So, no surprise :

    [image attachment]

    and now you've set everything up for "more problems".
    Because :

    @hypnosis4u2nv said in Unbound Resolver Crash:

    For now I turned on a watchdog service for unbound.

    The service watchdog is stupid, doesn't have brains, doesn't use AI.
    It executes every minute, checks if the listed tasks don't run, and if not, starts them.
    What if .... right at that moment pfBlocker did its daily thing, and restarts unbound? Chances are pretty great (no need for a 4-year Harvard licence here; it's 1/30 or 3.33% for me, as my restart took 2 seconds and the dog runs every minute = 60 seconds) that the watchdog finds unbound not running, and starts it. But it was already in the restart process.....
    You just created more problems.
    My advice: you'll get to the bottom of this, don't worry. Just don't use "service watchdog".

    @hypnosis4u2nv said in Unbound Resolver Crash:

    Memory usage:
    9% of 16234 MiB

    Ok, probably not an OOM event. That said, pfBlockerNG uses PHP to do the loading, filtering and formatting. PHP is very slow at doing this.
    Do you have many DNSBL lists?
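The race the post describes (a once-a-minute process check firing in the middle of a legitimate pfBlockerNG-triggered restart) is the classic failure mode of a naive watchdog. As an added example, not the pfSense Service Watchdog package and not code from the thread, here is the shape of a check that avoids it: it probes Unbound at the DNS level rather than looking for a process, requires several consecutive failures before acting (so a two-second restart window never trips it), and rate-limits its own restarts. The probe target, the test name `netgate.com` and the timing values are assumptions; the restart command itself is left as a hook because it is installation-specific.

```python
import socket
import struct
import time


def dns_probe(server="127.0.0.1", port=53, name="netgate.com", timeout=2.0):
    """Return True if `server` answers a DNS query for `name` within `timeout`.
    A process can exist and still not answer, so this is stricter than a pgrep."""
    txid = 0x4242
    query = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    query += b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    query += struct.pack("!HH", 1, 1)  # A, IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    # same transaction ID and the QR (response) bit set
    return len(data) >= 12 and data[:2] == query[:2] and bool(data[2] & 0x80)


class Watchdog:
    """Debounced, rate-limited restart decision. `probe` returns True when healthy."""

    def __init__(self, probe, failures_needed=3, cooldown_s=300):
        self.probe = probe
        self.failures_needed = failures_needed   # consecutive failed probes before acting
        self.cooldown_s = cooldown_s             # minimum spacing between restarts
        self.failures = 0
        self.last_restart = None

    def tick(self, now):
        """Run one check at time `now`; return 'ok', 'wait', 'cooldown' or 'restart'."""
        if self.probe():
            self.failures = 0          # a single good answer clears the streak
            return "ok"
        self.failures += 1
        if self.failures < self.failures_needed:
            return "wait"              # could be a restart in progress; give it time
        if self.last_restart is not None and now - self.last_restart < self.cooldown_s:
            return "cooldown"          # we already restarted recently; don't flap
        self.last_restart = now
        self.failures = 0
        return "restart"


def restart_unbound():
    """Hook for the real restart (assumption: site-specific; e.g. the pfSense
    service control from a cron job). Kept as a placeholder on purpose."""
    print("would restart unbound here")


if __name__ == "__main__":
    wd = Watchdog(dns_probe)
    while True:
        if wd.tick(time.monotonic()) == "restart":
            restart_unbound()
        time.sleep(60)
```

With `failures_needed=3` and a 60 s interval, Unbound has to be unresponsive for roughly three minutes before anything happens, which is far longer than a pfBlockerNG reload; the cooldown then stops the watchdog from restarting in a loop if the real cause (a bad list, a crash on start) persists.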

  • CNAME vs DHCP static mappings

    5
    0 Votes
    5 Posts
    253 Views
    M

    @Gertjan Thanks. No high security requirements here either. But I have worked on PKI for much of my career, and I feel there should be a way to implement this cleanly with pfSense.

    I have played with the third party pfSense API package. Wrote some code to export all the DHCP reservations to Smokeping. It's been read-only, so far. I have not figured out how to do something read-write. Being able to edit all the reservations in a spreadsheet, rather than through the GUI would be useful. Same for editing the host overrides for CNAMEs. A good script may be able to synchronize things, if additional metadata is included in the spreadsheet.

    I have got a shit ton of IoT IP devices - over 300 of them. Most Wifi, some wired too. Went to a /22 for my LAN a couple weeks ago. It's on my to-do list to explore VLANs and block as many devices from Internet access as possible. About 250 of them can function with local API without Internet using Home Assistant. I don't believe any of them needs CNAMEs. They don't even need a hostname, but I still assigned hostnames to every single one in the DHCP server table. Can't remember all the names any more than I can the IP addresses, though. I'd love to be able to synchronize data between the pfSense DHCP table and Unifi controller device table. But Unifi has no official API. Only 3rd party, which I have not explored. Synchronizing with Home Assistant as well would be the holy grail. But I don't think their REST API is up to the job either.

  • [SOLVED] Domain Override (DNS Resolver) Not Working

    8
    0 Votes
    8 Posts
    419 Views
    GertjanG

    @manjotsc said in Domain Override (DNS Resolver) Not Working:

    need to set Outgoing Network Interfaces to ALL, I had it set to WAN

    Oh ... cool ... tell unbound to use (only) WAN as an outgoing interface, while it should have been using the Wireguard tunnel (which also goes over WAN) to do its job.

    edit : I'm actually echoing what @SteveITS said

    @manjotsc said in Domain Override (DNS Resolver) Not Working:

    Is there a reason why it needs to be to ALL?

    You've already got my point: because someone decided that that setting is perfect for us ^^

    As the Wireguard connection is a second type of WAN interface (a network that goes "somewhere" outside the local LANs, and not reachable by classic WAN), you have to inform unbound about it.
    Set it to

    [image attachment]

    (it was set by default to All, which proves Netgate's default settings are perfect; who are we to make them any better 😊)
    But yeah, WAN is fine, but also check/select your Wireguard interface.
    I don't quite understand what danger or harm there is if it also uses my local LAN connections (no DNS devices will reply from there), so I don't bother: All is fine for me.
    There might be cases where All is not good; I just didn't discover them yet.

    @manjotsc said in Domain Override (DNS Resolver) Not Working:

    server:
    private-domain: "example.xyz"

    There is another part worth looking at, in the same file:

    # Domain overrides include: /var/unbound/domainoverrides.conf

    Look at what "/var/unbound/domainoverrides.conf" contains.
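The post's point is that a Domain Override only works if the forwarder's address is reachable from an interface Unbound is allowed to send from, which is why a WAN-only "Outgoing Network Interfaces" setting breaks an override that lives behind a WireGuard tunnel (or on a LAN). The following is an added checker, not code from the thread or from pfSense: it parses `forward-zone:` stanzas of the kind `/var/unbound/domainoverrides.conf` contains (assumption: standard Unbound syntax, plus pfSense's `address@port` form), works out which interface each `forward-addr` would leave through with a plain longest-prefix lookup, and flags any that the outgoing-interface selection excludes. The interface names, subnets, routes and the two sample zones are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of what a domainoverrides.conf could contain (assumption:
# standard Unbound forward-zone syntax; names and addresses are placeholders).
SAMPLE_DOMAINOVERRIDES = """\
forward-zone:
    name: "example.xyz"
    forward-addr: 10.30.0.53
forward-zone:
    name: "corp.lan"
    forward-addr: 192.168.1.53@5353
"""

# Constructed addressing: interface name -> address/prefix, and static routes.
SAMPLE_INTERFACES = {
    "WAN": "203.0.113.10/24",
    "LAN": "192.168.1.1/24",
    "WG0": "10.20.0.2/24",       # WireGuard tunnel interface
}
SAMPLE_ROUTES = [
    ("10.30.0.0/24", "WG0"),     # remote site reached through the tunnel
    ("0.0.0.0/0", "WAN"),        # default route
]


def parse_forward_zones(text):
    """Parse `forward-zone:` stanzas into [{'name': str, 'addrs': [str]}]."""
    zones = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "forward-zone:":
            zones.append({"name": None, "addrs": []})
            continue
        m = re.match(r'^(name|forward-addr):\s*"?([^"\s]+)"?$', line)
        if m is None or not zones:
            continue
        key, value = m.groups()
        if key == "name":
            zones[-1]["name"] = value.rstrip(".")
        else:
            zones[-1]["addrs"].append(value.split("@")[0])  # drop pfSense's @port suffix
    return zones


def egress_interface(addr, interfaces, routes):
    """Longest-prefix match over connected subnets and static routes.
    Assumption: a plain routing-table lookup, no policy routing or reply-to."""
    ip = ipaddress.ip_address(addr)
    candidates = [(ipaddress.ip_interface(cidr).network, name)
                  for name, cidr in interfaces.items()]
    candidates += [(ipaddress.ip_network(prefix), name) for prefix, name in routes]
    best = None
    for net, name in candidates:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def check_overrides(conf_text, interfaces, routes, outgoing):
    """Return (zone, forward-addr, egress interface, allowed) per forwarder.
    `outgoing` is the set of selected interface names, or the string 'ALL'."""
    findings = []
    for zone in parse_forward_zones(conf_text):
        for addr in zone["addrs"]:
            iface = egress_interface(addr, interfaces, routes)
            allowed = outgoing == "ALL" or iface in outgoing
            findings.append((zone["name"], addr, iface, allowed))
    return findings


if __name__ == "__main__":
    for row in check_overrides(SAMPLE_DOMAINOVERRIDES, SAMPLE_INTERFACES,
                               SAMPLE_ROUTES, {"WAN"}):
        print(row)
```

With only WAN selected, both sample overrides come back `allowed=False`: the tunnel-side forwarder because its egress is WG0, the LAN-side one because its egress is LAN. Adding WG0 (and LAN, if you forward to something local) or leaving the setting at All clears both findings. Real routing on pfSense can differ from this simplified lookup (gateway groups, policy routes on firewall rules), so treat a `False` as a lead to check, not a verdict.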

  • WAN down after lease expiry, doesn't renew

    8
    0 Votes
    8 Posts
    330 Views
    hiflyr777H

    @tedquade
    Thank you!

  • 0 Votes
    7 Posts
    363 Views
    johnpozJ

    @aGeekhere this question gets asked all the time. What you're asking is problematic without a separate cache for the views or different clients, etc.

    If a client asks for something that would be blocked by the filtering DNS, but they are set to ask the non-filtered DNS, now that is cached. If a client that should be filtered then asks, they would get back what is in the cache.

    Bind can run multiple caches, but not sure that's something you can configure from the GUI.

    You could prob get what you're wanting out of running both unbound and dnsmasq (forwarder) with them listening on different ports, and then have your clients point to say 1.1.1.3 or whatever, which gets redirected to the new port unbound or the forwarder is listening on to resolve your local resources, and then just forwards on to 1.1.1.3.

    Simpler solution, to be honest, would be to just run say pihole or something and point the clients you want to filter to that. Then set up a conditional forward on it to forward to pfsense to resolve your local domain.tld resources, and if not in that domain just forward to 1.1.1.3. That's what I would do.

  • Dot gets added to hostname, why?

    13
    0 Votes
    13 Posts
    341 Views
    Bob.DigB

    @patient0 said in Dot gets added to hostname, why?:

    Maybe client related

    I don't think so because the "act" of making a static mapping from the DHCP Leases triggers this.

  • Register Client-names in DNS KEA-DHCP?

    2
    0 Votes
    2 Posts
    225 Views
    bmeeksB

    @kuchenmann said in Register Client-names in DNS KEA-DHCP?:

    It seems that KEA-DHCP on pfSense does not register dynamic assigned DHCP-leases in DNS. Only static-mapped DHCP-clients.
    Because in the leases I see also hostnames for dynamic assigned DHCP-clients, but I can not resolve this hostnames in DNS.
    It only works for static-mapped clients.

    It depends on the version of pfSense you are running. If running pfSense CE 2.7.2, then you are correct in your assessment. But if you are running pfSense Plus 24.11, then Kea does in fact perform dynamic DNS updates of the DNS Resolver in pfSense each time it issues a DHCP lease. I am running that version and now the dynamic DNS updates for DHCP leases works just fine.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.