• Constant DynDNS Notifications

    4
    0 Votes
    4 Posts
    543 Views
    GertjanG

    @macj72x

    Also, this issue could exist with version 2.6.0... which is outdated, as 2.7.0 was made available last month.
    Hit upgrade and the issue will auto-resolve ;)

  • DNS Resolver security implications

    9
    0 Votes
    9 Posts
    544 Views
    GertjanG

    @luquinhasdainfra said in DNS Resolver security implications:

    But why do i have to disable DNSSEC when forwarding?

    A clean, short and precise answer already exists on this forum, here in the DNS forum.

    The shortest answer (more a declaration) is: when you forward, DNSSEC is not for you.
    DNSSEC needs the resolver (the function you outsourced) to resolve from top to bottom.

    A bit longer :
    Consider a DNSSEC enabled domain: https://dnsviz.net/d/test-domaine.fr/dnssec/ (I 'own' that domain name, as well as the domain name servers it uses).

    At the top is the current DNSSEC root key, the one with id 20326.
    This root certificate signs the root servers.
    The root servers will give you the TLD, '.fr.' in this case. The TLDs are signed by the root servers.
    The TLD will give you the two (my own) domain name servers. These have records signed by the TLD server.
    In parallel with the classic A (or AAAA) record resolving, the DS key info is also resolved. The certificate chain has to match all the way. If it works out, a flag indicates that the DNS answer is 'rock solid'.

    dig test-domaine.fr +trace +dnssec

    Btw: 1.1.1.1 does DNSSEC checking.
    You 'only' have to trust that they didn't 'lie' to you when they answered you.
    Doing your own DNSSEC tests in parallel yourself (with unbound) completely removes the one and only advantage they offer: an answer a bit faster.
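    The check a practitioner wants after reading the above is to look at what a `dig ... +dnssec` answer actually proves. The following is an added example, not code from the post or from pfSense: it parses dig's text output and separates "the data carries RRSIGs" from "the resolver that answered set the AD flag", which is exactly the trust question the post raises when you forward. The dig transcripts embedded below are constructed for illustration; the IP, key tag, dates and signature bytes are placeholders, not real records for test-domaine.fr.

```python
"""Classify a `dig +dnssec` answer by what it actually proves (added example)."""
import re


def parse_dig(text):
    """Return (header_flags, rrtypes_in_answer_section) from dig's text output."""
    flags = set()
    rrtypes = set()
    section = None
    for line in text.splitlines():
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
            continue
        if line.startswith(";; ANSWER SECTION:"):
            section = "answer"
            continue
        if line.startswith(";;"):
            section = None          # any other section header or comment line
            continue
        if section == "answer" and line.strip():
            fields = line.split()   # owner ttl class type rdata...
            if len(fields) >= 4:
                rrtypes.add(fields[3])
    return flags, rrtypes


def assess(text):
    """'validated'  : the answering resolver set AD (it claims to have checked the chain)
       'signed-not-validated': RRSIGs came back but nobody on this path vouched for them
       'unsigned'   : no signatures at all"""
    flags, rrtypes = parse_dig(text)
    if "ad" in flags:
        return "validated"
    if "RRSIG" in rrtypes:
        return "signed-not-validated"
    return "unsigned"


def _sample(flags, with_rrsig):
    # Constructed dig transcript; 192.0.2.10 is a documentation address.
    rrsig = ("test-domaine.fr.\t300\tIN\tRRSIG\tA 13 2 300 20250101000000 "
             "20241201000000 12345 test-domaine.fr. PLACEHOLDERSIG==\n") if with_rrsig else ""
    return (
        "; <<>> DiG 9.18.0 <<>> test-domaine.fr +dnssec\n"
        ";; Got answer:\n"
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        "\n"
        ";; QUESTION SECTION:\n"
        ";test-domaine.fr.\t\tIN\tA\n"
        "\n"
        ";; ANSWER SECTION:\n"
        "test-domaine.fr.\t300\tIN\tA\t192.0.2.10\n"
        + rrsig +
        "\n"
        ";; Query time: 12 msec\n"
    )


SAMPLE_VALIDATED = _sample("qr rd ra ad", True)   # validating resolver answered
SAMPLE_CD = _sample("qr rd ra cd", True)          # asked with +cd: sigs, no validation
SAMPLE_PLAIN = _sample("qr rd ra", False)         # forwarder that stripped DNSSEC data

if __name__ == "__main__":
    for name, sample in [("validated", SAMPLE_VALIDATED), ("+cd", SAMPLE_CD), ("plain", SAMPLE_PLAIN)]:
        print(name, "->", assess(sample))
```

    Run it against real output with `dig @127.0.0.1 test-domaine.fr +dnssec` on the firewall: `ad` only means "validated here" when the unbound you ask is itself validating; when unbound forwards with DNSSEC off, any `ad` you see is the upstream's claim, which is the point of the post.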

  • DNS Resolver seems to crash almost nightly

    3
    0 Votes
    3 Posts
    839 Views
    M

    @TampertK Thanks, I'll check them out. I had already googled and found quite a few threads, but they were all a couple years old referencing earlier versions. And the possible fixes in them didn't apply to me other than installing Watchdog.

    I thought maybe it could be due to an update, but I installed 2.7.0 because I was having issues with losing internet here and there overnight. I didn't realize it was the Resolver crashing until after the update, so I'm not sure if it was the same culprit prior to 2.7.0.

  • Default DNS not sent in DHCP packages to client

    6
    0 Votes
    6 Posts
    672 Views
    GertjanG

    @larslindnilsson said in Default DNS not sent in DHCP packages to client:

    I just did a new install of pfSense and in the Wizard step "DNS Server Override" was checked.

    So it's me misunderstanding /conf.default/config.xml:

    <?xml version="1.0"?>
    <pfsense>
      <version>22.2</version>
      <lastchange/>
      <system>
        <optimization>normal</optimization>
        <hostname>pfSense</hostname>
        <domain>home.arpa</domain>
        <dnsserver/>
        <dnsallowoverride/>

    The last line actually means: the option is checked (active).

    When I check it myself :

    <dnsallowoverride></dnsallowoverride>

    When unchecked, there is no "dnsallowoverride" present in the config.xml file

    Not sure if this default config.xml actually gets used, as using option 4 "Reset to factory defaults" in the console/SSH downloads a pfSense package that probably also contains a default config.

    Anyway: when resolving, the DNS given to pfSense by the upstream ISP router, or the ISP itself => don't care ^^
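    The observation above (the boolean is encoded by the presence of the element, not by its content) is easy to get wrong when auditing a config backup with a script. The following is an added example, not code from the post or from pfSense: it reads a config.xml fragment and reports the override flag and the static DNS servers. The XML fragments embedded below are constructed from the shape shown in the post, and the server addresses are documentation-range placeholders.

```python
"""Audit the DNS override flag in a pfSense config.xml (added example)."""
import xml.etree.ElementTree as ET


def dns_override_enabled(config_xml: str) -> bool:
    """True when <system><dnsallowoverride> exists, whatever its content.
    pfSense writes the element (empty) when the box is checked and omits it
    when unchecked, so presence is the whole signal."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("no <system> element; not a pfSense config.xml?")
    return system.find("dnsallowoverride") is not None


def configured_dns_servers(config_xml: str) -> list:
    """Static servers from <system><dnsserver>; an empty element means none."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        return []
    return [e.text.strip() for e in system.findall("dnsserver") if e.text and e.text.strip()]


# Constructed fragments (not real backups); 192.0.2.x / 198.51.100.x are documentation ranges.
DEFAULT_FRAGMENT = """<?xml version="1.0"?>
<pfsense>
  <version>22.2</version>
  <system>
    <hostname>pfSense</hostname>
    <domain>home.arpa</domain>
    <dnsserver/>
    <dnsallowoverride/>
  </system>
</pfsense>
"""

EXPLICIT_FRAGMENT = DEFAULT_FRAGMENT.replace(
    "<dnsallowoverride/>", "<dnsallowoverride></dnsallowoverride>")

LOCKED_FRAGMENT = """<?xml version="1.0"?>
<pfsense>
  <version>22.2</version>
  <system>
    <hostname>pfSense</hostname>
    <domain>home.arpa</domain>
    <dnsserver>192.0.2.53</dnsserver>
    <dnsserver>198.51.100.53</dnsserver>
  </system>
</pfsense>
"""

if __name__ == "__main__":
    for name, frag in [("default", DEFAULT_FRAGMENT), ("explicit", EXPLICIT_FRAGMENT), ("locked", LOCKED_FRAGMENT)]:
        print(name, "override:", dns_override_enabled(frag), "servers:", configured_dns_servers(frag))
```

    The same presence-is-true rule applies to other boolean options in pfSense's config.xml, so a script that checks `element.text` instead of `element is not None` will report every checked box as unchecked.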

  • security and DHCP/NAT question

    1
    0 Votes
    1 Posts
    152 Views
    No one has replied
  • Dynamic DNS Linode

    2
    0 Votes
    2 Posts
    163 Views
    X

    @Xorfora-0 Disregard. I recreated my API token, and it resolved the issue. Strange, but it's resolved.

  • DNS resolver in PFSENSE does not have access to the Internet

    1
    0 Votes
    1 Posts
    202 Views
    No one has replied
  • Setting up OpenVPN using DDNS hostname rather than ip address

    4
    0 Votes
    4 Posts
    2k Views
    LPD7L

    @viragomann Wow that was simple and much appreciated. I have become accustomed to leaving settings as default and am not sure what options are available unless I am forced to look deeper. I will have to get more curious in the future and not take the defaults as gospel. Thanks again.

  • DNS Resolver problems, PC can't resolve domain but firewall can...

    16
    0 Votes
    16 Posts
    3k Views
    D

    @SteveITS

    I may have stumbled on the answer. When I looked at status > Interfaces, my LAN was showing as "Down". This is because during initial setup years ago, I had associated each LAN with an interface port, and over time I had eventually moved to a managed switch. So this interface had been listed as "Down".

    Once I removed the interface port, the interface now shows as Up, and I'm getting DNS responses from my gateway.

  • dhcpd.log file is ~10GB, filling my disk up every couple days and taking my network down

    15
    0 Votes
    15 Posts
    2k Views
    GertjanG

    @ryanrozich said in dhcpd.log file is ~10GB, filling my disk up every couple days and taking my network down:

    from wired to wireless networking

    That's original, as normally it's the wireless connection that has a very limited (bad) link, so it gets rebuilt again and again, and that introduces a DHCP sequence on every 'link up'.

    If a wired connection does this : I'll bet you have a bad NIC on one side, or a bad cable.

    Or the printer has a very bad DHCP client implementation, like forcing the DHCP lease duration to 10 seconds or so.

    @ryanrozich said in dhcpd.log file is ~10GB, filling my disk up every couple days and taking my network down:

    However if this hadn’t taken down my home network I wouldn’t have known about it. Is there any alerting that I could enable in pfsense that would warn me of problems like this?

    😊

    That is actually the reason why pfSense is not some AI driven device that you power up, hook up and walk away from. Like a switch.
    pfSense needs the human type of admin, in this case: you. And 99% of the time you won't be looking at the dashboard, but you'll be somewhere in the Status menu.
    The favorite one is the log files.
    And no, I'm not kidding 😊

    But I have a tip: when you add a 'new' device to your network, you should have a look at your log files (System, DHCP, DNS) a couple of times.
    Things can always go bad: a cable gets cut, wifi gets destroyed by the new AP the neighbor bought (or the new microwave that "works just fine with the door open").
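    The question in the thread was whether anything could have warned about the flooding client before the disk filled. The following is an added example, not code from the thread or from pfSense: it scans lines in the format dhcpd writes to the pfSense DHCP log and counts DHCPREQUEST/DHCPDISCOVER per client MAC inside a sliding window, so a client re-leasing every few seconds stands out from one renewing every few hours. The log lines are constructed; the MACs, hostnames and times are made up, and the year is an assumption because syslog timestamps carry none.

```python
"""Flag DHCP clients that re-lease far too often (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# dhcpd via syslog, e.g.
# "Jun  7 09:00:01 pfSense dhcpd[1234]: DHCPREQUEST for 192.168.1.50 from aa:bb:cc:dd:ee:01 (printer) via igb1"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"(?P<msg>DHCPREQUEST|DHCPDISCOVER) .*?from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)

LOG_YEAR = 2025  # assumption: syslog lines have no year; year rollover is not handled here


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def churn_by_mac(lines, window_s=600):
    """Peak number of REQUEST/DISCOVER messages per MAC within any window_s span."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # ACKs, OFFERs and unrelated lines are ignored
        t = parse_ts(m.group("ts"))
        mac = m.group("mac")
        q = recent[mac]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[mac] = max(peak[mac], len(q))
    return dict(peak)


def noisy_clients(lines, window_s=600, threshold=20):
    """MACs whose peak churn reaches threshold; tune to your lease time."""
    return sorted(mac for mac, n in churn_by_mac(lines, window_s).items() if n >= threshold)


def _constructed_log():
    base = datetime(LOG_YEAR, 6, 7, 9, 0, 0)
    fmt = "%b %d %H:%M:%S"
    lines = []
    # "printer": a request every 10 seconds for five minutes (30 requests), each ACKed
    for i in range(30):
        t = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{t} pfSense dhcpd[1234]: DHCPREQUEST for 192.168.1.50 from aa:bb:cc:dd:ee:01 (printer) via igb1")
        lines.append(f"{t} pfSense dhcpd[1234]: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (printer) via igb1")
    # "laptop": one request, then a renewal an hour later, as a healthy client would
    for h in (0, 1):
        t = (base + timedelta(hours=h)).strftime(fmt)
        lines.append(f"{t} pfSense dhcpd[1234]: DHCPREQUEST for 192.168.1.77 from aa:bb:cc:dd:ee:02 (laptop) via igb1")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    print(churn_by_mac(SAMPLE_LOG))
    print("noisy:", noisy_clients(SAMPLE_LOG))
```

    Feeding it `clog /var/log/dhcpd.log` output (or the exported log) from a cron job and mailing the `noisy_clients` result is the alerting the thread asked about, with the threshold set well above what your configured lease time can legitimately produce.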

  • AD DS/DNS & pfsense DNS: enable resolution and browsing?

    4
    0 Votes
    4 Posts
    588 Views
    P

    @SteveITS Thanks, I learned something!

  • 0 Votes
    1 Posts
    191 Views
    No one has replied
  • DDNS TTL in dhcpd.conf

    1
    0 Votes
    1 Posts
    239 Views
    No one has replied
  • PFSense DHCP gives IP to wrong VLANs

    6
    0 Votes
    6 Posts
    846 Views
    T

    @keyser yes. Captive portal with voucher service is enabled on guest SSID.

  • DNS unable to resolve domains that point to internal IP addresses

    4
    0 Votes
    4 Posts
    496 Views
    johnpozJ

    @fuckwit_mcbumcrumble I would lean more towards just setting the domains you know are going to return rfc1918 as private vs disabling rebind completely.

  • Windows domain on pfSense

    2
    0 Votes
    2 Posts
    325 Views
    S

    @donjcrbaustin The load balancing is probably not relevant but pfSense has to ask Windows for the AD domain info. See my response here:

    https://forum.netgate.com/topic/181593/migrate-lan-dns-to-pfsense/2

    Notably Windows does not query DNS servers in order, it uses the "last known good" method.

  • migrate lan DNS to pfSense

    2
    0 Votes
    2 Posts
    295 Views
    S

    @aagaag If this is Active Directory then I would leave DNS on Windows. PCs can update their own IPs there.

    If you want pfSense to handle DNS you can either:

    - set Windows DNS to forward queries to pfSense
    - configure a DNS domain override in pfSense to forward queries for your .lan domain to your Windows DNS server IP

    I am not aware of a way to import records.

  • Gateway widget shows offline, 100% packet loss, but I'm NOT offline

    9
    0 Votes
    9 Posts
    489 Views
    R

    @fireodo Got it! Thanks!

  • VLAN's DHCP pool needed?

    24
    0 Votes
    24 Posts
    2k Views
    johnpozJ

    @tknospdr nice connection - jealous for sure... Love to be able to get that here..

  • Domain Override doesn't work

    3
    0 Votes
    3 Posts
    443 Views
    johnpozJ

    @MaxPresi said in Domain Override doesn't work:

    I tried DNS Forward too

    Whenever you forward to ask a question, be it you forward everything or just a domain override - a domain override is a forward. You have to set up your rebind protection. Set the domain to private: if you forward and get back an RFC1918 address, it is considered a rebind and unbound will not hand that back to the client unless you set the domain as private, or turn off rebind protection.

    https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
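    In unbound's own configuration language the two choices in the reply above look like this. This is an added example, not from the post, from pfSense or from the linked doc page: the domain name `corp.example` and the server `10.0.0.10` are placeholders, the forward-zone stanza is what a pfSense domain override amounts to in unbound terms, and the `private-domain` line is what goes into the DNS Resolver's Custom Options box.

```conf
# What a Domain Override for corp.example -> 10.0.0.10 amounts to (generated by
# pfSense; shown here only for context, do not paste it into Custom Options):
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.10

# Weak fix: dropping the private-address list (the "Disable DNS Rebinding
# Checks" route) lets *any* forwarded or public zone hand RFC1918 answers to
# your clients, which is exactly the rebinding attack the list exists to block.
# Leaving these lines out entirely is the effect of that checkbox:
#   private-address: 10.0.0.0/8
#   private-address: 172.16.0.0/12
#   private-address: 192.168.0.0/16

# Correct fix (Services > DNS Resolver > Custom Options): keep the
# private-address protection and exempt only the zone you know returns
# internal addresses on purpose.
server:
    private-domain: "corp.example"
```

    Verify with `dig @<firewall-lan-ip> host.corp.example` from a client: before the `private-domain` line you get SERVFAIL or an empty answer and a rebind entry in the resolver log; after it the 10.x address is returned, while a public name that suddenly resolves to 192.168.x.x is still refused.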

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.