• Setting Unbound outgoing network interface to gateway group?

    3
    0 Votes
    3 Posts
    917 Views
    D
    Make sure all the tunnels you want are included in Unbound's outgoing interfaces. Assign higher priority to the VPN tunnels in your gateway group, but include your default WAN at a lower priority. Create a firewall rule on your LAN interface filtering DNS and, under advanced options, select your VPN group (which also includes the default WAN at a lower priority). If you want, add a tag like "dns" and, in your default_out_WAN rule (which should be below your dns rule), under advanced options select the !dns tag. I think that should work: you will send your DNS traffic over the VPN tunnels, but if they ALL go down you won't lose DNS.
  • Unbound not using IPv6 DNS upstream servers

    8
    0 Votes
    8 Posts
    931 Views
    GertjanG
    @thebear said in Unbound not using IPv6 DNS upstream servers: ISP KPN (I think we live in the same country). No KPN where I live. I moved in the eighties to France. It's called Orange here. I've edited my post to put in some beef.
  • no DHCPREQUEST from the client on vlan bridged interface.

    2
    0 Votes
    2 Posts
    363 Views
    D
    Problem solved. Netgear switches have a bug. If you add a new VLAN they block (maybe broadcast traffic??) DHCP on the VLAN until a reboot. Rebooted both switches and it immediately worked. I remember running into this 2 years ago now on another VLAN setup. This is a long-running bug (or undocumented safety feature???).
  • Dynamic DNS updates not limited to specified interface

    1
    0 Votes
    1 Posts
    299 Views
    No one has replied
  • Module resolving ipv6 when no ipv6 on the network

    9
    0 Votes
    9 Posts
    863 Views
    J
    @johnpoz I can reach those FQDNs with traceroute on pfSense. My specific issue is when using Tailscale as an exit node (on the pfSense router): when accessing the internet with my laptop I get 0 Mbps download speed and a weird 5-7 Mbps upload speed. Every time I am unable to load a website, Tailscale is using a direct connection over IPv6. I have tried to block IPv6 to force Tailscale to go over IPv4, but this just breaks the connection over the Tailscale interface. I have tested using Tailscale on an Ubuntu VM that is under the pfSense router as an exit node and got better results while blocking the IPv6 protocol. My main confusion is why the Tailscale package on pfSense doesn't seem to utilize IPv4 connectivity or DERP servers in the event IPv6 direct connections do not go through.
  • Redirecting DNS to local Adguard Home DNS server

    14
    0 Votes
    14 Posts
    4k Views
    K
    @Bob-Dig right, what I mean is I didn't really create a new VLAN now. I just happened to have other VLANs when you had me test that idea earlier. But yes, I will be revamping my home lab setup pretty soon anyway. I will create separate server and client VLANs and put the AGH server in the server VLAN. I won't need to create a redirect for the server VLAN anyway, since servers don't really use "any other DNS" and respect what's configured in their settings. I guess this is the best solution overall.
  • Enable EDNS Client Subnet (ECS) module for Unbound

    2
    2 Votes
    2 Posts
    1k Views
    I
    @lemonsieur said in Enable EDNS Client Subnet (ECS) module for Unbound: Is it possible to have the ECS module built within Unbound? I'm asking because I have Pi-hole as an upstream DNS server, and I saw that it is now able to take advantage of ECS to show the IP address of clients behind NAT. This is needed [still]. Specifically for Netflix now, it seems. It's always been an issue, but it made me waste several hours of my life discovering why I couldn't connect to Netflix. And even more specifically... only on Android devices. It is absolutely because of ECS.
  • BIND named died

    1
    0 Votes
    1 Posts
    434 Views
    No one has replied
  • PfSense resolver not adding DHCP hosts to resolver table

    7
    0 Votes
    7 Posts
    2k Views
    johnpozJ
    @GrumpyDave unbound only does that when you register DHCP, not with static reservations. If you're setting reservations for your devices, you're fine - don't register DHCP. Same thing I do. If I add a device to my network, I let it get an IP, then set a reservation with an IP I want it to have, and then I can resolve its name.
  • Host Overrides doesn't override

    19
    0 Votes
    19 Posts
    2k Views
    S
    @Summer You may also want to block DoH, where (many) browsers bypass DNS to connect out to their DNS over HTTPS service. This page has a pfSense PDF that is very detailed but thorough. https://github.com/jpgpi250/piholemanual#doh
  • 0 Votes
    3 Posts
    475 Views
    R
    I can see the IAID shown on the LAN DHCPv6 lease status page, but when assigning a static lease in the DHCPv6 server there is only DUID, no IAID, so both interfaces on the PC get the same IPv6 assigned. See this post for the full description.
  • Improve documentation DNS Forwarder

    6
    0 Votes
    6 Posts
    876 Views
    GertjanG
    @Summer said in Improve documentation DNS Forwarder: pfBlocker-NG and DNS Resolver are both unbound: Resolver. No. Unbound is a resolver. See, for example: NLnet Labs - Unbound - About or Unbound (DNS server). pfBlockerNG uses the local 'resolver' (unbound, in this case) and acts like a 'plugin': it intercepts all DNS requests received by unbound, typically from the LAN-connected devices, and before unbound executes a 'resolve' for every request, pfBlockerNG (the plugin) gets its hands on the request first. This permits pfBlockerNG to compare the request with a big list (the DNSBL feeds) to see if it concerns a 'blocked' domain. If it finds one, it instructs unbound to 'stop the actual resolving' and say to the client: the IP requested is "0.0.0.0" (so the client can't connect to this IP => the requested domain is blocked).
  • 0 Votes
    1 Posts
    188 Views
    No one has replied
  • DNS Forwarder changed behavior after upgrade to 2.7.0

    8
    0 Votes
    8 Posts
    579 Views
    johnpozJ
    @kiokoman sorry it took so long to spot it. I was thinking that the 192.168.8.x you were asking about was just the pfSense IP. Doh! If it had dawned on me that it was some other NS on your network, rebind would have been right away. Sorry it took a few posts for me to notice that; glad you got it sorted.
  • DHCP Server Issues

    7
    0 Votes
    7 Posts
    880 Views
    johnpozJ
    @the-other yeah, they like to start at one end and move through; have seen both ways, just never really paid attention to which direction pfSense likes to go. But if his clients had IPs in the 7.x and he deleted the leases, they would still like getting their old IPs back. The way to check if new IPs are being handed out would be to change the range so 7 is no longer available and then delete the old leases. Then the client would have to get something in the range.
  • Internal Network Two ISS Local policy problem

    1
    0 Votes
    1 Posts
    170 Views
    No one has replied
  • What Are The Benefits Of Using pfSense DNS Resolver/Forwarder Services?

    32
    0 Votes
    32 Posts
    7k Views
    JonathanLeeJ
    Another benefit is that you can set your SMTP servers so systems can only use approved mail servers. This way no device can try to start using non-approved email SMTP servers. What I do with this is I made an alias (SMTP US SERVERS), (IMAP US SERVERS), (Alias for ports). After that I create a server-specific mail ACL (access control list) (now my hosts can only access the approved SMTP and IMAP servers). The ports I have for mail can only be used for mail and for specific approved servers. Once in a while Google takes a minute to resolve, and it is a send-only issue (resolved automatically when they change every 5 or so mins). Your system now will only use the approved USA servers. A couple of years ago this was a big issue for some offices, as the email being sent out was going to non-approved servers. You can also use "DNS over SSL" with port 853 and get some extra security (DNS OVER 853). Everything for my system uses DNS over SSL/TLS. The firewall does the SSL/TLS DNS requests for me. You can also create access control lists on who can send DNS requests to the firewall. Keep in mind devices will try to use DoH and all sorts of other ways to query an IP address; if pfSense does it, you have some more control over just opening up port 53 with an any any * * rule. Of course you need a good NAT rule.
    And you need a good DoH block list to really get good control: combineddohlist.txt. The firewall can make better use of IPS/IDS if it knows what it is resolving to.
  • supersede dhcp-server-identifier 255.255.255.255 not working

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    @j-koopmann I would concur, 30 minutes for one is a low lease time. And per DHCP specs, unicast for renew is what should be used. A rebind would be broadcast.
  • DNS for Wireguard

    1
    0 Votes
    1 Posts
    294 Views
    No one has replied
  • Trying to request longer lease time on WAN (!) DHCP request

    8
    0 Votes
    8 Posts
    1k Views
    J
    Thanks for sharing this. The trick was to put dhcp-lease-time 86400 in the option field instead of option dhcp-lease-time 86400. This worked and I can see the 51 request now in my DHCP request, which of course is being ignored. So next round with the ISP. Regards JP
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.