• pfSense+ DNS slow (10+ms)
    8 Posts, 0 Votes, 663 Views
    johnpoz: @surroundtortilla said in pfSense+ DNS slow (10+ms): DNS is configured as a forwarder to Google DNS atm.
    If I forward to Google DNS... I don't see 10 added to my query. Directed I get:
        ;; ANSWER SECTION:
        www.google.com. 250 IN A 142.250.191.100
        ;; Query time: 14 msec
        ;; SERVER: 8.8.8.8#53(8.8.8.8)
        ;; WHEN: Mon May 01 21:30:04 Central Daylight Time 2023
    If I set up unbound to just forward to 8.8.8.8 and turn off DNSSEC I get this. This is right after a flush..
        ;; ANSWER SECTION:
        www.google.com. 3600 IN A 142.250.191.100
        ;; Query time: 15 msec
        ;; SERVER: 192.168.9.253#53(192.168.9.253)
        ;; WHEN: Mon May 01 21:32:35 Central Daylight Time 2023
        ;; MSG SIZE rcvd: 59
    Doing a bunch of queries direct to 8.8.8.8 I seem to get between 11 and 21ms:
        ;; ANSWER SECTION:
        www.google.com. 182 IN A 142.250.191.100
        ;; Query time: 21 msec
        ;; SERVER: 8.8.8.8#53(8.8.8.8)
        ;; WHEN: Mon May 01 21:34:04 Central Daylight Time 2023
        ;; MSG SIZE rcvd: 59
    I wouldn't worry about 10ms or even for that matter 100.. 10 ms is 0.01 of a second. You see the 3600 TTL on my query to unbound because I have min TTL set to 3600.. Maybe your unbound is way busier than you think it is - maybe you have some box pounding it, asking the same thing over and over again? I had some issues with my internet the other day (cable cut) - and when devices can not resolve, either because you're blocking or it's not working, some of these IoT devices can just hammer DNS..
        2023-04-29 09:38:51 RATE_LIMIT Client 192.168.7.3 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
        2023-04-29 14:06:25 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
        2023-04-29 14:40:29 RATE_LIMIT Client 192.168.4.77 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
        2023-04-29 15:22:20 RATE_LIMIT Client 192.168.4.79 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
        2023-04-29 17:20:24 RATE_LIMIT Client 192.168.4.76 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
    My Alexas were going crazy when my internet was down, asking for DNS.. [image: 1682995397848-24hour.jpg] That is the number of their queries in a 24 hour period - little bastards!! ;)
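The two checks the post above does by hand, as an added example that is not code from the thread: parse dig output to compare query times per resolver (forwarder versus the local unbound cache), and count which clients are tripping the RATE_LIMIT threshold in the log. The dig output and log lines embedded below are constructed samples shaped like the ones quoted in the post; feed it real `dig` output and the pfBlockerNG/unbound log to get your own numbers.

```python
"""DNS slowness triage: per-resolver dig latency and rate-limited clients.

Added example, not code from the forum thread. DIG_OUTPUT and RATE_LOG are
constructed samples in the format of the output quoted in the post.
"""
import re
from collections import Counter, defaultdict
from statistics import mean

# Constructed: four dig runs, two against 8.8.8.8 and two against the local
# unbound (192.168.9.253). The second unbound query is a cache hit (0 ms).
DIG_OUTPUT = """\
;; ANSWER SECTION:
www.google.com.  250  IN  A  142.250.191.100
;; Query time: 14 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

;; ANSWER SECTION:
www.google.com.  182  IN  A  142.250.191.100
;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

;; ANSWER SECTION:
www.google.com.  3600  IN  A  142.250.191.100
;; Query time: 15 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)

;; ANSWER SECTION:
www.google.com.  3590  IN  A  142.250.191.100
;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
"""

# Constructed: RATE_LIMIT lines in the format the post quotes, with one
# client (192.168.4.80) hitting the limit twice and one unrelated line.
RATE_LOG = """\
2023-04-29 09:38:51 RATE_LIMIT Client 192.168.7.3 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 14:06:25 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 14:40:29 RATE_LIMIT Client 192.168.4.77 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 18:02:10 RATE_LIMIT Client 192.168.4.80 has been rate-limited (current config allows up to 1000 queries in 60 seconds)
2023-04-29 18:02:11 some other unrelated log line
"""

QUERY_TIME = re.compile(r"^;; Query time: (\d+) msec", re.M)
SERVER = re.compile(r"^;; SERVER: ([0-9a-fA-F.:]+)#\d+", re.M)
RATE_LINE = re.compile(
    r"^\S+ \S+ RATE_LIMIT Client (?P<ip>[0-9a-fA-F.:]+) has been rate-limited "
    r"\(current config allows up to (?P<limit>\d+) queries in (?P<window>\d+) seconds\)"
)


def latency_by_server(dig_text):
    """Map each ';; SERVER:' address to the list of query times (ms) seen for it."""
    result = defaultdict(list)
    for block in re.split(r"\n\s*\n", dig_text.strip()):
        qt, srv = QUERY_TIME.search(block), SERVER.search(block)
        if qt and srv:
            result[srv.group(1)].append(int(qt.group(1)))
    return dict(result)


def summarize(latencies):
    """Per-server n/min/mean/max so the forwarder hop is visible next to cache hits."""
    return {
        srv: {"n": len(ms), "min": min(ms), "mean": mean(ms), "max": max(ms)}
        for srv, ms in latencies.items()
    }


def rate_limited_clients(log_text):
    """Count RATE_LIMIT events per client; returns (Counter, limit, window_seconds)."""
    counts, limit, window = Counter(), None, None
    for line in log_text.splitlines():
        m = RATE_LINE.match(line)
        if m:
            counts[m["ip"]] += 1
            limit, window = int(m["limit"]), int(m["window"])
    return counts, limit, window


if __name__ == "__main__":
    for srv, st in summarize(latency_by_server(DIG_OUTPUT)).items():
        print(f"{srv:16} n={st['n']} min={st['min']} mean={st['mean']:.1f} max={st['max']} ms")
    counts, limit, window = rate_limited_clients(RATE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} rate-limited {n}x (limit {limit} queries / {window} s)")
```

A client that shows up repeatedly in the rate-limit counter is the "box pounding it" the post suspects; the per-server table separates the forwarder round trip from what the local cache is actually serving.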
• Intermittent Internet Outages daily
    4 Posts, 0 Votes, 781 Views
    @steveits I was using DHCP lease registration but turned that off as the unbound restarting was problematic. I'm not entirely sure if my pfBlocker list would be considered large; it does take a bit to reload whenever it does. I turned off DNSSEC after seeing some posts about it causing issues in 23.01. I have not tried disabling DNS over TLS.
• Adding so-rcvbuf: to Unbound Crashes unbound
    4 Posts, 0 Votes, 525 Views
    @johnpoz said in Adding so-rcvbuf: to Unbound Crashes unbound: @sgc what is this setting on your system?
        [23.01-RELEASE][admin@sg4860.local.lan]/root: sysctl kern.ipc.maxsockbuf
        kern.ipc.maxsockbuf: 4262144
    I don't think you would be able to set 8, if you're limited to 4..
    I have updated my system to 16777216 and now I can set it. Thank you for the info.
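The check behind the exchange above, as an added example that is not code from the thread: before putting `so-rcvbuf:` or `so-sndbuf:` into the resolver's custom options, compare the requested size with `kern.ipc.maxsockbuf`. The values (8m requested, 4262144 and 16777216 for the sysctl) are the ones quoted in the post. The effective ceiling, sb_max * MCLBYTES / (MSIZE + MCLBYTES), is how FreeBSD derives `sb_max_adj` in sys/kern/uipc_sockbuf.c; MSIZE=256 and MCLBYTES=2048 are the amd64 defaults and are assumptions here, and `live_maxsockbuf()` only works on a FreeBSD/pfSense host.

```python
"""Check an unbound socket-buffer size against FreeBSD's kern.ipc.maxsockbuf.

Added example, not code from the thread. The adjusted limit follows the
sb_max_adj formula in FreeBSD's uipc_sockbuf.c; MSIZE/MCLBYTES are the
amd64 defaults (assumption).
"""
import re
import subprocess

MSIZE, MCLBYTES = 256, 2048
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Parse an unbound size such as '8m', '512k' or '4194304' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kKmMgG]?)\s*", text)
    if not m:
        raise ValueError(f"not an unbound size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def parse_sysctl(line):
    """Parse 'kern.ipc.maxsockbuf: 4262144' (sysctl output) into an int."""
    name, sep, value = line.partition(":")
    if not sep or name.strip() != "kern.ipc.maxsockbuf":
        raise ValueError(f"unexpected sysctl line: {line!r}")
    return int(value)


def effective_limit(maxsockbuf):
    """Largest SO_RCVBUF/SO_SNDBUF the kernel accepts for this sb_max (sb_max_adj)."""
    return maxsockbuf * MCLBYTES // (MSIZE + MCLBYTES)


def buffer_fits(requested, maxsockbuf):
    """True if the requested so-rcvbuf/so-sndbuf can be set under kern.ipc.maxsockbuf.
    Above the adjusted limit setsockopt() fails, so the setting cannot be applied."""
    return parse_size(requested) <= effective_limit(maxsockbuf)


def required_maxsockbuf(requested):
    """Smallest kern.ipc.maxsockbuf that accommodates the requested size."""
    size = parse_size(requested)
    return -(-size * (MSIZE + MCLBYTES) // MCLBYTES)  # ceiling division


def live_maxsockbuf():
    """Read the running system's value (FreeBSD/pfSense only)."""
    out = subprocess.run(["sysctl", "kern.ipc.maxsockbuf"],
                         capture_output=True, text=True, check=True).stdout
    return parse_sysctl(out.strip())


if __name__ == "__main__":
    for sb_max in (4262144, 16777216):
        for req in ("4m", "8m"):
            verdict = "ok" if buffer_fits(req, sb_max) else "too large"
            print(f"maxsockbuf={sb_max:>9}  so-rcvbuf={req}: {verdict}")
    print("8m needs kern.ipc.maxsockbuf >=", required_maxsockbuf("8m"))
```

Note the adjusted limit is below the raw sysctl value: with the default 4262144 the kernel accepts only about 3.6 MB per socket buffer, so even a 4m request is refused, not just 8m.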
• 2 Posts, 0 Votes, 1k Views
    @mebert Consider that you have to state the remote domain if your client uses another search domain, which I assume. So if the remote host name you want to request is "host" and its domain is "local", you need to type "host.local" to access it.
• Blink cam and sync modules fight with pfsense
    2 Posts, 0 Votes, 952 Views
    Figured out the button I tweaked. I had an old config file and diff'd it with the current one. Change by change I thought about the implications. The winner was that I noticed the old file had "Enable UPnP & NAT-PMP" enabled and "Allow NAT-PMP Port Mapping" enabled, but they weren't on in the current configuration. Switched them on and it's off to the races. Problem solved.
• 4 Posts, 0 Votes, 650 Views
    N8LBV: @steveits Thanks! I'll check them out. I'm in pretty good shape just turning them off, but was extremely curious why it is suddenly an issue lately when it had been working up until now. And it's on 2.6.0, so there have been no changes to the software that would have affected this from when it had been working till now. :)
• How to configure DHCP Server to NOT assign a default gateway
    19 Posts, 0 Votes, 22k Views
    @highc I'm glad to hear it helped you! Also, thanks for clarifying that a person needs to type the word "none" without quotes - good catch!
• UNBOUND Silently Dies following upgrade/migration from CE to PLUS
    5 Posts, 0 Votes, 965 Views
    @steveits I appreciate the help. DNS forwarding was never enabled, only local resolution - with DNSSEC enabled. I have since disabled DNSSEC on the local resolver and we will see how that fares.
• DHCP lease screen not loading
    123 Posts, 1 Vote, 68k Views
    @gertjan Thank you. Your advice worked for me as well:
        Stopped dhcpd service
        cd /var/dhcpd/var/db
        mv dhcpd.leases dhcpdleases.bak
        mv dhcpd.leases~ dhcpdleases~.bak
        Started dhcpd service
• DHCP on an interface other than LAN
    3 Posts, 0 Votes, 786 Views
    @viragomann Hiya. This was caused by the default IPv4 config being set to /32 and not /24, which caused it to be hidden. Thanks for your help.
• dhcp registration not using correct dns domain in unbound
    11 Posts, 0 Votes, 1k Views
    Gertjan: @mystique_ Maybe not what you need right now, but: [image: 1682088167821-4b2e684f-13bd-4042-9124-81ed85b0f7f6-image.png] I know, this is 'IPv6' so it's 'dhcp6d' doing the RFC 2136 thing. I have "Add reverse dynamic DNS entries" checked. Btw: my IPv6 /56 comes from my ISP, and there is no way I can have this info pushed so 'everybody' can reverse-request my IPv6. My web/mail/whatever dedicated server uses bind, and also takes care of the zone of my pfSense local domain. So now my server knows how to find diskstation.my-domain.tld by its IPv6, so I can back up my server to the NAS behind pfSense. I don't do "registration of DHCP client names in DNS" for my IPv4, as these are ... IPv4 and all RFC 1918.
• How to adjust WAN DHCPv6 Solicit Messages?
    3 Posts, 0 Votes, 725 Views
    keyser: @sowqwick said in How to adjust WAN DHCPv6 Solicit Messages?: OK, I am pretty sure now I need this https://redmine.pfsense.org/issues/8173 https://github.com/pfsense/FreeBSD-ports/pull/1181 to include option 20 (Reconf Accept).
    Don't get your hopes up for a native fix. pfSense has been missing a proper working DHCPv6 client for many years, but it no longer receives any love from the devs. I think the general IPv6 support project has been lowered so much in priority that it's dying now with all the focus on FreeBSD 14, drivers and a new PHP. In favor of the devs it should be mentioned that DHCPv6 is a hornets' nest of crap that no-one adheres to, and thus has about zero standardisation in actual practice.
• pfSense dhcp problem using VLANS
    20 Posts, 0 Votes, 6k Views
    I haven't worked with UniFi switches, however I'm planning to later this year. But the concept I'm using with other switches that support VLANs is like this: Chromecast will need to receive traffic only from the IoT VLAN (if I understand your requirement correctly). But for Chromecast (and other consumer-grade appliances) it is important to receive this traffic as untagged, so if it is possible in the UniFi switch you need to configure the ports to which devices are connected directly as belonging to the proper VLAN but sending untagged traffic. Also I see you seem to have solved your issue already, but I'd suggest considering configuring untagged ports properly (if UniFi allows it; maybe it is too smart and guesses the proper config on its own). I'm just thinking that if e.g. Chromecast is connected to a port which sends tagged traffic, Chromecast will probably be able to receive some packets, but some portion of packets may be dropped, and this will affect the quality of the connection.
• DNSSEC and NextDNS
    7 Posts, 0 Votes, 2k Views
    @juanzelli said in DNSSEC and NextDNS: don't need DNSSEC if you're forwarding queries
    I'd go a step farther... per Quad9, forwarding with DNSSEC may cause failures. And in pfSense 23.01 it seems way more problematic than older versions, where I saw no failures. @Antibiotic If those instructions are generically how to enable forwarding, which it seems, pfSense has a checkbox for that: [image: 1681510981253-452edca0-9101-4092-a66b-5a9e63200f9d-image.png] Ref: Quad9 doc saying to uncheck DNSSEC: https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS Thread about Quad9 and several others, where DNSSEC and/or DNS over TLS is causing problems in 23.01: https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/
• Is Snort still relevant today (2023)
    Tag: snort
    1 Post, 0 Votes, 530 Views
    No one has replied
• can pfsense filter isc.org dhcp server traffic?
    4 Posts, 0 Votes, 485 Views
    Gertjan: @iwishitwouldwork pfSense told me: [image: 1681457644647-79276e31-8545-4ca7-b0ac-bb655ab53733-image.png] Remember: the logs always contain 'the answer'.
• DNS not getting translated into IP, using PfSense
    Tag: dns
    5 Posts, 0 Votes, 1k Views
    johnpoz: @slo-bo-dan that picture makes no sense - are you hiding the names? And the full IP? Domain overrides would be for where you want to resolve a specific domain and all its records from a specific name server.. For host overrides they need to be fully qualified, and point to a specific address - so I believe you're just not showing what is fully there? Also for clients to get the host override they need to be asking pfSense for DNS.. Or the nameserver clients are asking needs to then ask pfSense..
    edit: Let's do a specific example, maybe that will help you understand how host override works. You have www.domain.tld out on the public internet that resolves to 1.2.3.4.. This is your pfSense WAN IP; when you see traffic to 1.2.3.4 on port 443 you send it to 192.168.1.100 via a port forward.. This is how the outside of your network gets to your website on www.domain.tld. Now internally you have some client on 192.168.1.90, and he wants to get to www.domain.tld - does his DNS resolve that to 1.2.3.4, or, if you set up a host override on pfSense, to 192.168.1.100? If your client on .90 resolves it to 1.2.3.4 you need to set up NAT reflection. If your client is asking pfSense for DNS, then a host override would tell this .90: hey, just go to 192.168.1.100. But if your client is using say 8.8.8.8 or 9.9.9.9 for DNS directly then no, your host override would never work.
• 6 Posts, 0 Votes, 3k Views
    @offstageroller Hello, I ran into this issue and what fixed it for me was when I changed unbound to unbound python. I noticed that whenever I made changes and needed to update or reload anything with pfBlocker, it would also do the same thing to me, as well as the normal scheduled updates it does via cron job. I believe one of the main reasons is because it restarts/reloads everything a bit quicker than normal, but whatever it is, this fixed it for me. No more losing connections whenever I make changes and updates, nor have I seen any more disconnections in the logs.
• DNS Resolver (Unbound) is Slow
    9 Posts, 0 Votes, 4k Views
    RobbieTT: @mpfrench I ran the test you used, just to see what it did with my setup: [image: 1681301636174-2023-04-12-at-12.52.43.png] So my DNS Resolver is pretty quick. I can make the graph look awful by including the uncached results: [image: 1681301726905-2023-04-12-at-12.52.04.png] But in reality my DNS queries rarely require going outside of the cache, thanks primarily to prefetch, expired and the regular cache. When they do I have DNSSEC, DoT and the extra round-robin exchanges that go with them. As a result, these queries are much slower, but as they happen <4% of the time the real-world impact is just imperceptible. The average results are just dominated by the cache performance. As for Mr Gibson's test conclusions: [image: 1681302174404-2023-04-12-at-12.50.33.png] Some of it may be a little misleading but it does highlight the performance advantage of the DNS resolver in my system. I could improve the non-cache test speed by removing DoT and undertaking pure port 53 UDP resolutions, but outside of this DNS test it would not be noticeable and would expose more data than needed.
• DHCP option 43 setup for VOIP Phones
    11 Posts, 0 Votes, 3k Views
    @jknott So I received this from the vendor, but I am still not able to get the data to go out. I have set this like recommended here: https://service.snom.com/display/wiki/DHCP+options#DHCPoptions-Option43(vendor-encapsulated-options)
    You're using DHCP options 132 and 133 for the VLAN tags in the router; although, to have this working you have to encapsulate in DHCP 43, i.e. encapsulate the content of DHCP option 132 for the VLAN. So, you'll need to configure the devices from Network -> Advanced Settings and set these values as follows: Enable DHCP VLAN: Enabled. Enable Manual VLAN Configuration: Disabled. Enable LLDP: Disabled. Then, on a router, you will need to set the DHCP option 43 as described on the following link: https://service.snom.com/display/wiki/DHCP+options#DHCPoptions-Option43(vendor-encapsulated-options) According to the link, for example, for VLAN 10 it should be 84:03:31:30:00; for VLAN 20 it should be 84:03:32:30:00;
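An encoder and decoder for the option 43 payload the vendor note above describes, as an added example that is not code from the thread or from snom. The layout is inferred from the two samples in the post (VLAN 10 gives 84:03:31:30:00, VLAN 20 gives 84:03:32:30:00): sub-option code 0x84 (132), a length byte, the decimal VLAN ID in ASCII, and a terminating NUL, written in the colon-separated hex form the poster enters in pfSense. Extending it to three- or four-digit VLAN IDs and to sub-option 133 (the priority option the poster's router also set) follows the same pattern but is my generalization, not something the post confirms; the pad (0) and end (255) codes are the RFC 2132 conventions for vendor-encapsulated options.

```python
"""DHCP option 43 (vendor-encapsulated-options) for snom VLAN provisioning.

Added example, not code from the thread or from snom. Sub-option layout
inferred from the two samples in the post; sub-option 133 and multi-digit
VLAN IDs are a generalization (assumption).
"""
SUBOPT_VLAN, SUBOPT_PRIORITY = 132, 133
PAD, END = 0, 255  # RFC 2132 pad/end codes inside vendor-encapsulated options


def encode_suboption(code, text):
    """One sub-option: code, length, ASCII value, NUL (the length counts the NUL)."""
    value = text.encode("ascii") + b"\x00"
    if not 0 < code < 255:
        raise ValueError(f"sub-option code out of range: {code}")
    if len(value) > 255:
        raise ValueError("sub-option value too long for a one-byte length")
    return bytes([code, len(value)]) + value


def encode_option43(vlan_id, priority=None):
    """Raw option 43 payload for a phone's VLAN ID and optional 802.1p priority."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of 802.1Q range: {vlan_id}")
    payload = encode_suboption(SUBOPT_VLAN, str(vlan_id))
    if priority is not None:
        if not 0 <= priority <= 7:
            raise ValueError(f"802.1p priority out of range: {priority}")
        payload += encode_suboption(SUBOPT_PRIORITY, str(priority))
    return payload


def to_hex(payload):
    """Colon-separated hex, the form used in the post for the pfSense option value."""
    return ":".join(f"{b:02x}" for b in payload)


def decode_option43(hex_text):
    """Parse a colon-separated option 43 payload back into {sub-option code: text}."""
    data = bytes.fromhex(hex_text.replace(":", "").replace(" ", ""))
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == PAD:          # single-byte pad, no length
            i += 1
            continue
        if code == END:          # single-byte end marker
            break
        if i + 1 >= len(data):
            raise ValueError(f"sub-option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} truncated")
        out[code] = value.rstrip(b"\x00").decode("ascii")
        i += 2 + length
    return out


if __name__ == "__main__":
    for vlan in (10, 20, 100):
        print(f"VLAN {vlan:>4}: {to_hex(encode_option43(vlan))}")
    print("VLAN 10, priority 5:", to_hex(encode_option43(10, priority=5)))
    print(decode_option43("84:03:31:30:00"))
```

The decoder is the quicker way to check a string before handing it to the DHCP server: a wrong length byte or a missing NUL shows up as a truncation error or a wrong VLAN value here instead of a phone that silently stays on the untagged VLAN.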
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.