• notice: sendmsg failed: No buffer space available

    1
    0 Votes
    1 Posts
    212 Views
    No one has replied
  • [solved] Can't delete static mapping

    1
    0 Votes
    1 Posts
    206 Views
    No one has replied
  • question about dns and vpn

    7
    0 Votes
    7 Posts
    506 Views
    V
    I just realized that I have no idea what I'm talking about... I am using policy routing on the vpn
  • DNS Resolver: Domain Override with OpenVPN

    17
    0 Votes
    17 Posts
    7k Views
    D
    I had this issue as well with DNS Domain Overrides to MS DNS over OpenVPN. To fix I had to: Disable DNSSEC. Select outbound Interfaces as ALL. I originally had Outbound Interfaces set as WAN. It appears that OpenVPN interfaces are implicitly included under all. They cannot be explicitly selected.
  • Can pfSense's DHCP server update Microsoft DNS?

    16
    0 Votes
    16 Posts
    8k Views
    slmS
    This tutorial seems like pretty much what you're looking for with an external DNS server being told about DHCP lease IPs + names - https://freeipa-users.redhat.narkive.com/xJVbXRdO/pfsense-dhcp-to-ipa-s-bind-dynamic-updates-success.
  • DNS resolution for some hosts fails, but nslookup works

    dns
    27
    0 Votes
    27 Posts
    9k Views
    johnpozJ
    @klinger said in DNS resolution for some hosts fails, but nslookup works: the pfSense firewall queried our central firewall for name resolution (via packet capture). Well then you were forwarding - or that NS is authoritative for the domain you were looking up. Out of the box pfsense is a resolver, it talks to the roots down to talk to the actual NS for whatever domain you're looking for. So no, out of the box pfsense would not query some NS on your network.. Unless the roots and the gtld servers pointed you to them.. Out of the box pfsense is a resolver.. Hey roots, what is the NS for .com? Hey gtld servers, what is the NS for domain.com? Hey NS for domain.com, what is the IP address of www.domain.com? You can see this with a simple dig and a +trace, this is how a resolver works.. So why would it ask some upstream NS in your network?
    [23.01-RELEASE][admin@sg4860.local.lan]/root: dig www.netgate.com +trace
    ; <<>> DiG 9.18.8 <<>> www.netgate.com +trace
    ;; global options: +cmd
    . 21987 IN NS d.root-servers.net.
    . 21987 IN NS e.root-servers.net.
    . 21987 IN NS f.root-servers.net.
    . 21987 IN NS g.root-servers.net.
    . 21987 IN NS h.root-servers.net.
    . 21987 IN NS i.root-servers.net.
    . 21987 IN NS j.root-servers.net.
    . 21987 IN NS k.root-servers.net.
    . 21987 IN NS l.root-servers.net.
    . 21987 IN NS m.root-servers.net.
    . 21987 IN NS a.root-servers.net.
    . 21987 IN NS b.root-servers.net.
    . 21987 IN NS c.root-servers.net.
    . 21987 IN RRSIG NS 8 0 518400 20230322050000 20230309040000 951 . TN/9VuM2Q8uI9vNqRDfX/si09GNyq8dHFQdBJPG7CE935u/HbanonU99 Z/mZRM2xIt9zJd8kuvWDi9t0TTLYdFaoJ4XMcQyOQZeeZM/XfLUNBkX0 YdJqjDZD3joFSHNUpKHRF/aIZhoKwRxuAqQsiK04HXrKt3SyaGnVsUy5 kXQU05Z5HEgP8ZK3ziqLD+0bRX9uYAegL+JgEEDx421apR1xN4FY6ngF VONOKheKbl6LhSp91jfkR5LhiEyAT3PMXwfQEntHAmCyBgfw05rbSZB6 vALXQDZBcWCs/pW9VEpPx4J1DpGYhgKAa7ojk8ZDgnY3kfl/H6LplGFi qme5AQ==
    ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
    com. 172800 IN NS a.gtld-servers.net.
    com. 172800 IN NS b.gtld-servers.net.
    com. 172800 IN NS c.gtld-servers.net.
    com. 172800 IN NS d.gtld-servers.net.
    com. 172800 IN NS e.gtld-servers.net.
    com. 172800 IN NS f.gtld-servers.net.
    com. 172800 IN NS g.gtld-servers.net.
    com. 172800 IN NS h.gtld-servers.net.
    com. 172800 IN NS i.gtld-servers.net.
    com. 172800 IN NS j.gtld-servers.net.
    com. 172800 IN NS k.gtld-servers.net.
    com. 172800 IN NS l.gtld-servers.net.
    com. 172800 IN NS m.gtld-servers.net.
    com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
    com. 86400 IN RRSIG DS 8 1 86400 20230323050000 20230310040000 951 . ENL8WPFbxOqXipIZr0gi73LXISv1Oc5VREINA+nwZ4SdXg72++HZvKPt q7Rlv/Zy/z8U0xsV8drSfktoc3L/vOT97I/xvBiqGBKfmcI9fZ+OI+rp aql8fl7ep0KxSsCW2snOapFvf3LeDcPop5OJtCOv0h0g6CYnLugbWdRR qiF6FDg38bx/QwpQZL0BKxD3E6/qjFOrBPuTbHkWk5P+B5SdEF9cWcsK pVy+N3wxKCvKALzxQzQ/zPja/P+8plxGzOYeiaZCFDN4wxa6433zkluG lLSTABiU6mnsmOl+0mVQWzsF0s6QgLemrtyQlGT9HJw/kZhsX8N7WnlJ sPBQ6w==
    ;; Received 1175 bytes from 198.97.190.53#53(h.root-servers.net) in 33 ms
    netgate.com. 172800 IN NS ns1.netgate.com.
    netgate.com. 172800 IN NS ns2.netgate.com.
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20230315042256 20230308041256 36739 com. VHsDr23lP03/xPxRbNUFC+UkSrUZ/Qr3JYHjhz7DYNOLPnzixRL+Hjv/ +kjbNiKVHYy2iGqU38XGJ4sPbvyRx8qygeTX3E7NnS4SdjnN2PKkTMAQ 42Vjxkq928qpoKPOwyn4zgcGSCZffTlNbY5IKVZacivEishoJ1j3BnVJ 1p2/N0gsLcS2GjIob2YGe7j4Lz8Aa5Rrj0s+DwlyP+BlCQ==
    2U53SUOKS8OJJV178M90A8BMNI9USDVJ.com. 86400 IN NSEC3 1 1 0 - 2U54DC5VA9HQSV9DBV1IK3JD7KR4L61T NS DS RRSIG
    2U53SUOKS8OJJV178M90A8BMNI9USDVJ.com. 86400 IN RRSIG NSEC3 8 2 86400 20230316045937 20230309044937 36739 com. JLAYnUTWdSkzhgKse8Qoyz0cdweJTibB9d0fQmTG1iDubISe0e/HhhBK SAdDEjqsOyV6x6bwtCVi+7HfoawJpsUgDNfYXEcgQfaXRk6TEOofhKnO mK+fVRHYsGbrBkyAfogu6KbQUAgleU65xfCmjKNaeYCDLe1Tq4FBcBLQ GstvOhDuAH5by0b1UBv+5k40jxuut/dlWfd+fxiwaxEO9A==
    ;; Received 717 bytes from 2001:502:1ca1::30#53(e.gtld-servers.net) in 36 ms
    www.netgate.com. 60 IN CNAME 1826203.group3.sites.hubspot.net.
    ;; Received 124 bytes from 208.123.73.90#53(ns2.netgate.com) in 37 ms
    [23.01-RELEASE][admin@sg4860.local.lan]/root:
  • How to let pfSense forget a DHCP lease completely?

    8
    0 Votes
    8 Posts
    3k Views
    H
    @gertjan Set fixed ip => printer gets new ip eventually & forgets old lease Remove fixed ip => printer gets another different IP eventually
  • DNS: Plain Unbound works, Quad9 almost...

    12
    0 Votes
    12 Posts
    2k Views
    GertjanG
    @furom said in DNS: Plain Unbound works, Quad9 almost...: Unbound Resolver with quad9 through TLS. Unbound Resolver with no forwarder. I've been using the resolver as a resolver for .... 10 years or so. Never had an issue. Just for the fun, I'm forwarding to 1.1.1.1 and 2606:4700:4700::1111 (as I use IPv6, and IPv4 for the old stuff), and because why not : over TLS using port 853. No issues either. Btw : 1.1.1.1 (or 8.8.8.8 or 9.9.9.69) are all resolvers. What they can do, so can unbound, pfSense's resolver.
  • Having two subdomains on one public IP address behind pFsense router

    2
    0 Votes
    2 Posts
    474 Views
    S
    @netboy You can’t forward the same port twice unless using either something like haproxy or an external load balancer.
  • DNS Resolver not working after config restore

    16
    0 Votes
    16 Posts
    1k Views
    D
    @steveits I wonder if somehow unchecking that box reset something that was in my config causing it not to work correctly? Not sure...
  • DNS Resolution Behavior under 23.01 appears to ignore setting

    5
    0 Votes
    5 Posts
    943 Views
    kesawiK
    @jasonau good to see another Brisbane local on the forums. I use Active Directory on my primary LAN for DNS and DHCP to my clients. I have a guest network and a DMZ with some public facing servers which are served by pfSense for DNS Forwarder and DHCP. I also have several internal DNS based aliases for firewall rules. I need pfSense to be able to resolve local addresses for the firewall alias rules, but don't want the guest or DMZ network to be able to query any of the DNS entries for my LAN. I figure if clients of my guest or DMZ networks get pwned I don't want them to be able to start reverse resolving my private IP addresses to potentially map my LAN network. I have specific rules in the DNS Forwarder settings blocking lookup for my internal LAN domains.
  • DHCP to reserve the same IP within the pool

    6
    0 Votes
    6 Posts
    475 Views
    S
    @john24634 See https://docs.netgate.com/pfsense/en/latest/services/dhcp/mappings-in-pools.html for the reasoning for this. You can split your pool and create additional pools to use IPs in the middle.
  • Selective Routing to VPN - DNS not working

    23
    0 Votes
    23 Posts
    6k Views
    V
    @viragomann Just following up, this works perfectly. I have had no DNS leaks since this was implemented and the VPN is working as intended. Thank you very much sir.
  • 0 Votes
    15 Posts
    3k Views
    G
    @gblenn I guess this thread should really continue over here... https://forum.netgate.com/topic/178472/will-we-ever-get-upnp-to-work-behind-private-network-ip Google STUN server seems to be working and UPnP accepts requests to open ports. But it still isn't working. In fact it stops working and some games, like MW2 (2009) can't even connect to IW servers. Turning off UPnP gives me better results using manual port forwards... However, the only way I have been able to get Open NAT across the board is faking a public WAN IP...
  • Strange: DNS not working on 2.5.2 & 2.6.0, but ping etc does...

    4
    0 Votes
    4 Posts
    588 Views
    D
    It seems as if it was the USB adapter. We changed it to Realtek and it seems to be working.
  • Why does pfSense not use BIND by default?

    2
    0 Votes
    2 Posts
    653 Views
    GertjanG
    @dominikhoffmann said in Why does pfSense not use BIND by default?: Why does pfSense not use BIND by default? Do you use bind ? bind is ... huge. It's a project that went the same way as OpenVPN : it was 'opensource' and everybody added what he wanted. And worse, everything is split out over dozens of configuration files. It can forward - resolve, be authoritative, does DNSSEC, does dynamic updating, can be a master, hidden master, slave, can handle interfaces that "go down" and "come back" without a reload needed. It's the (IMHO) typical program that can not (like no way) be mastered with a GUI. bind works well, but it's a command line only program. You'll be needing a text editor, know how to work with all the testing tools, have a solid knowledge of what DNS is. There is no place for 'presuming' anymore - with bind, it's the real thing. The real reason is : no one integrates bind as a package or system and then offers it to the public for 'free' like pfSense 2.6.0. Users are going to ask for support. Nobody wants to 'support' bind for someone else. If Netgate decides to use bind, they will, for sure, stop giving pfSense for free. bind is like a Boeing 737 MAX : buying one doesn't mean you can fly one. You'll be needing 'some' training. It will be the old fashioned 'learn' thing. The good news is : it's free !! (although, you will need some time). There will be a big advantage at the end : you will know now what DNS is, thus basically understanding what 'Internet' is. Again : this is my opinion. I've been using bind for decades on my own dedicated servers for all my domain names. Played with all the tricks and options. In the beginning, it was 'hard', 'scary' and 'frustrating'. The smallest errors meant : mail down and web sites down (my company). And I went to school to play with systems (back then) like a Prime, VAX, and messed around with a PDP11. Looking back now : things were so easy actually back then, and we didn't know shit ....
    @dominikhoffmann said in Why does pfSense not use BIND by default?: Would there be an advantage to installing the BIND package and running that? It's possible to stop unbound and use another process that does the same job. You can already choose between unbound, the resolver, and the forwarder (dnsmasq). But you can only use one on a system, as the DNS process needs to bind to port '53' and you can't have two processes listening on the same port. The same thing goes for mail processes, web servers etc. Using bind on pfSense makes things harder. You have to deal with bind. And the awkward way it is totally incompletely "hidden" behind a GUI. It's hard, and painful, to admin bind like that. I chose nano. edit : https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software Netgate needed a resolver, as pfSense is a device that does not need to host a domain name server, or a mail server, or a public web server. Our ISPs, in the past, forced us to use their (ISP) DNS servers, so a simple forwarder was great - pfSense used dnsmasq before. It was small, fast, and fitted for the job. These times are over now. The world has been divided into two parts : the ones that use DNS as it is meant to be used by what Internet actually is : they use the root servers. And the others, who want to hand over their DNS traffic to some third party source. They could have chosen their ISP DNS (they still exist), but no .........
  • DHCP reservation inside existing pool

    6
    0 Votes
    6 Posts
    852 Views
    johnpozJ
    @rmac1813 said in DHCP reservation inside existing pool: the range must stay intact as it is. there are active client leases, preventing the range from changing. Not sure where you got that idea from to be honest.. This has never been a thing.. Let's say I had a pool of .100 - 200 and clients have say .100, .101, .103, etc.. Then I change the pool to be .150-250.. Clients that try and renew their .100 address will not get a renew, they would either then do a discover and get a new IP, or when their lease actually expires they would do discover and get an IP from the new pool. The advantage of dhcp is this: I can change up the pool, I could even change the whole network from say 192.168.1.0/24 to 192.168.2.0/24 and automagically devices would move to the new range, etc.. I could set a vip on the old 192.168.1. address so that stuff continues to work with the old range until they are all moved over, etc.. You can for sure split your pool into 2 pools, leaving IPs out of the new pools to assign specific devices to those IPs via reservations.
  • DHCP Option 252 with port use!!

    2
    0 Votes
    2 Posts
    645 Views
    JonathanLeeJ
    @jonathanlee has anyone ever used served option 252 over https?
  • Internal DNS Not Working

    dns resolver forwarder localhost wan
    51
    0 Votes
    51 Posts
    20k Views
    NightlySharkN
    @aiden21c Good! I still think that some good came out of this whole situation, though. For one, even if your current setup works well, the ideal setup for your whole company network is still with VLANs. The order of the firewall rules needs to be held in mind (PfSense processes firewall packet rules from top to bottom): [image: 1677674630907-1c9cfaf5-771e-4d8c-959e-e798596807bd-image.png] Rule 3 catches all traffic filtered by rules 4, 5, 6. It needs to be last. Rules 5 and 6 have destination address "Any" instead of "LAN Address". A way that helps (me personally) to keep fw rules tidy is to add 4 separators, the top one named "GENERAL BLOCK" (for entire protocols, for example, no need to allow GRE, ESP, AH, OSPF... on a LAN with interconnected servers if there is no explicit need), a second separator named "INCOMING", a third separator named "LOCAL TO FW" and a fourth one named "OUTGOING". I also add separators named "PASS" and "BLOCK", in that order, under each main separator. Even if no further network changes seem necessary, it is best to avoid NAT. In the future, in order to reduce latencies or enable certain UDP services that cannot be NATed, you can check if the Cisco Router can do PPPoE passthrough for PfSense. Because PPPoE is a separate interface in PfSense, you can have both a PfSense-to-Cisco connection (OFFICE - 192.168.20.40/24, not as a Gateway) and a PPPoE adapter as a direct PfSense Gateway (because PPPoE is a Layer 2 protocol, doesn't use IPs, that is why it's Point-To-Point, so it doesn't interfere with the 192.168.20.0/24 subnet at all) with a public IPv4 for PfSense. At some point, instead of having separate rules for each gateway and traffic type, you might want to implement Multi-WAN Load Balancing and Traffic Shaping to control which traffic type uses what Gateway. It is best to set static IPs for LAN through the DHCP server (without a dynamic address pool) and set your private IPs as Static Mappings.
    That way, you can use Host Overrides on Unbound, which would allow you to use hostnames (and no IPs) in your setups, and avoid unnecessary config nightmares in case, say, you want to put everything in Docker. You can just change the IPs in the Static Mappings of PfSense Unbound, add a BIND container to Docker (just to handle the inter-container IPs using the same hostnames) and be done with it.
  • Ooma Telo does not respect DHCP’s DNS servers

    1
    0 Votes
    1 Posts
    422 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.