• DNSSEC and SSL/TLS for outgoing DNS queries

    0 Votes
    13 Posts
    3k Views
    johnpoz

    @tikiyetti for starters you should really update pfSense; that version is quite dated.

    If you want to do your own DNSSEC, then yes, you should just resolve, which is what Unbound does out of the box. Or, if you're wanting to forward, then just pick a DNS provider that does it already and uncheck DNSSEC in Unbound.

    I am not aware of any of the major DNS providers that do not do DNSSEC out of the box. Some of them have special IPs you can point to that don't do it, like the 9.9.9.10 IP for Quad9, etc. But pretty much any of the major players are doing it out of the box, so there is little point in having Unbound try and do it if you're forwarding; more likely than not it's just going to cause you possible issues at some point or another. It's just extra work for something that is already being done.

    If you order a cheeseburger, do you scrape off the cheese when you get it and put your own cheese on?

    If you want to control putting cheese on your burger, just order it plain (resolve) and then do your own thing for the cheese ;)
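    To make the resolve-versus-forward choice above concrete, here are the two consistent Unbound configurations the post describes, written as plain unbound.conf fragments. This is an added illustration, not text from the thread or from pfSense: pfSense generates its own unbound.conf from the Resolver settings page, so treat these as the shape of the result rather than something to paste verbatim. The 127.0.0.1 listener, the root.key and CA bundle paths, and Quad9 as the upstream are assumptions; pick one mode, not both.

```conf
# Mode A: recursive resolver that validates DNSSEC itself (Unbound's default).
# Queries go straight to the root and TLD servers and the chain of trust is
# checked locally against the root trust anchor. Nothing upstream to trust.
server:
    interface: 127.0.0.1                             # assumed listener
    module-config: "validator iterator"              # validator enabled
    auto-trust-anchor-file: "/var/unbound/root.key"  # assumed path, RFC 5011 managed
    harden-dnssec-stripped: yes                      # refuse answers with stripped RRSIGs
    harden-glue: yes
    qname-minimisation: yes

# Mode B: forward everything to an upstream that already validates, over TLS.
# The local validator is switched off (no "validator" in module-config): the
# upstream's SERVFAIL already covers broken zones, and re-validating behind a
# forwarder is the "extra work" the post warns about. TLS with an auth name
# (the #dns.quad9.net part) is what stops an on-path box from rewriting answers.
server:
    interface: 127.0.0.1                             # assumed listener
    module-config: "iterator"                        # no local validation
    tls-cert-bundle: "/etc/ssl/cert.pem"             # assumed CA bundle path
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net          # validating Quad9 service
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Do not point Mode B at 9.9.9.10: per the post that is Quad9's
    # non-validating address, so nothing in the path would validate.
```

    The failure the post alludes to is mixing the two: Mode B's forward-zone together with Mode A's validator. That works only while the upstream returns complete RRSIG/DNSKEY data and the TLS path is intact; any gap shows up as SERVFAIL for zones that are actually fine.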

  • Explained Example DHCP option 121/249

    4 Votes
    3 Posts
    19k Views

    A quickie Python script to help anyone (hint: need to paste lowercase characters into the pfSense dialog):

        #!/usr/bin/env python3
        # hex.py: print each decimal argument as a two-digit lowercase hex byte,
        # joined with colons (no trailing colon)
        import sys

        print(":".join(f"{int(arg):02x}" for arg in sys.argv[1:]))

    An example use for route 192.168.55.0/24 using gateway 192.168.3.2:

        $ ./hex.py 24 192 168 55 192 168 3 2
        18:c0:a8:37:c0:a8:03:02

    In pfsense Admin UI, at DHCP Server / LAN section Additional BOOTP/DHCP Options, add a line Option entry with field values

    121 (Number) String (Type) 18:c0:a8:7c:c0:a8:08:7c (Value - no quotes)

    then Save

    I recommend packet capturing a response from the DHCP Server then review in Wireshark. Find the response packet with Protocol value DHCP. The Wireshark protocol parser will identify errors for you (with detailed error messages).

    Thanks both for posting this info. You saved me much time. Thought I'd add a few suggestions in case it helps anyone.
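    The hex helper above leaves it to you to work out which destination octets to type (24 → three octets, 16 → two). The following is an added example of mine, not code from the thread, that implements the full RFC 3442 encoding the hand-built string follows: one byte of prefix length, only the significant octets of the destination (ceil(prefix/8) of them), then the four gateway octets, repeated per route. Option 249 (the Microsoft classless-route option) uses the same payload. It also decodes the string back, which is a cheaper sanity check than the Wireshark capture, and handles the two cases people trip over: the default route (prefix 0, no destination octets), and the fact that a client honouring option 121 ignores option 3, so the default route has to be in the list. The sample routes are constructed.

```python
#!/usr/bin/env python3
"""Encode and decode DHCP option 121 / 249 (RFC 3442 classless static routes).

Added example; not the script from the forum post. The string produced by
to_option_string() is what pfSense's "Additional BOOTP/DHCP Options" field
wants (type String, lowercase hex bytes separated by colons, no quotes).
"""
import ipaddress


def encode_routes(routes):
    """routes: iterable of (destination_cidr, gateway) -> option payload bytes.

    Per RFC 3442 each route is: prefix length (1 byte), then only the
    significant octets of the destination (ceil(prefix/8) of them), then the
    4-byte router address. A /0 default route carries no destination octets.
    """
    out = bytearray()
    for dest, gw in routes:
        net = ipaddress.IPv4Network(dest)  # strict: host bits must be zero
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(gw).packed
    if len(out) > 255:
        raise ValueError("option payload exceeds 255 bytes; split it across options")
    return bytes(out)


def decode_routes(payload):
    """Inverse of encode_routes; raises ValueError on a malformed payload."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i - 1}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = bytes(payload[i:i + sig]).ljust(4, b"\x00")  # pad back to 4 octets
        gw = payload[i + sig:i + sig + 4]
        i += sig + 4
        # strict network check: host bits set inside a significant octet is an error
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest)}/{plen}")
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


def to_option_string(payload):
    """Bytes -> 'xx:xx:...' as pfSense expects it."""
    return ":".join(f"{b:02x}" for b in payload)


def from_option_string(text):
    """'xx:xx:...' (a stray trailing colon is tolerated) -> bytes."""
    return bytes(int(h, 16) for h in text.strip().strip(":").split(":"))


if __name__ == "__main__":
    # Constructed sample: the post's route plus a default route, which you need
    # because a client that honours option 121 ignores option 3 (router).
    routes = [("0.0.0.0/0", "192.168.3.1"), ("192.168.55.0/24", "192.168.3.2")]
    option = to_option_string(encode_routes(routes))
    print(option)
    assert decode_routes(from_option_string(option)) == routes
```

    Run it with no arguments to see the string for the constructed sample, or call encode_routes() with your own list; decode whatever you are about to paste first, since a wrong prefix length silently shifts every following octet.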

  • Why does Unbound stop working if I enable DNSSEC?

    0 Votes
    6 Posts
    2k Views
    sensei-two

    @bmeeks
    @johnpoz
    Yes, I know that DNSSEC is not for encrypting queries. Thank you for the link. I'll read it anyway.
    I disabled it, and I also unchecked Prefetch DNS Key Support and Harden DNSSEC Data in the Advanced Settings; I guess they are not of any use since DNSSEC is disabled now, are they?

    I enabled Unbound because I want to use DoT and pfBlocker as well.
    As I already said above, I started using pfSense again after quite a long time. For the record, I had a bad experience with OPNsense and I switched back to pfSense as my main alternative to my Mikrotik device as a firewall/router.
    Anyway, I remember that I had some issues with pfSense's Unbound a long time ago. It just didn't work with one ISP as the upstream gateway, while it worked flawlessly if I switched to another ISP (via LTE). It seemed that the first ISP blocked access to the root DNS servers... maybe. Never figured it out for sure.
    Thanks again

  • Different DNS forward based on subnet/VLAN?

    0 Votes
    6 Posts
    1k Views
    MrPete

    @johnpoz said in Different DNS forward based on subnet/VLAN?:

    While forwarding per view might not be documented in unbound, the subject has come up multiple times and you might be able to put forward in your view, etc.

    Found it as an Enhancement Issue. They understand the caching implications and have no plans to implement. First raised in 2020; someone asked for an update in Nov 2022 but no reply yet ;)

  • Curious behaviour - DNS problem with support.xbox.com

    0 Votes
    10 Posts
    656 Views
    johnpoz

    @thondwe yeah, Cloudflare does DNSSEC; no need to enable it in Unbound.

        $ dig www.dnssec-failed.org @1.1.1.1

        ; <<>> DiG 9.16.34 <<>> www.dnssec-failed.org @1.1.1.1
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25889
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
        ;; QUESTION SECTION:
        ;www.dnssec-failed.org.         IN      A

        ;; Query time: 99 msec
        ;; SERVER: 1.1.1.1#53(1.1.1.1)
        ;; WHEN: Sat Jan 07 06:20:31 Central Standard Time 2023
        ;; MSG SIZE  rcvd: 107

    All the major players do DNSSEC, unless they have a specific IP to use that doesn't, but all of the main IPs of the major players are doing DNSSEC out of the box. If you're going to forward to them, no need to have it checked in Unbound.
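    The check behind that advice, as an added example of mine rather than anything posted in the thread: send the same www.dnssec-failed.org query the dig output above shows, with the EDNS DO bit set, and see whether the forwarder refuses (SERVFAIL, ideally with an Extended DNS Error per RFC 8914) or happily returns an address. It serves the first thread on this page as well, which asks the same resolve-or-forward question. Everything is Python standard library; the two wire-format responses at the bottom are constructed by hand (the SERVFAIL one re-encodes the dig output above, the NOERROR one is what a non-validating forwarder would send, with a made-up 192.0.2.1 answer), and probe() is the only part that touches the network.

```python
#!/usr/bin/env python3
"""Does an upstream forwarder validate DNSSEC? Ask it for a deliberately broken zone.

Added example, not from the pfSense forum thread. A validating resolver answers
SERVFAIL for www.dnssec-failed.org, usually with an EDE option saying why; a
non-validating one returns an A record. Note the AD flag by itself proves nothing
unless the path to the forwarder is trusted (DoT), which is why SERVFAIL on the
broken zone is the test.
"""
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT = 41   # EDNS0 pseudo-RR type
EDE = 15   # EDNS option code for Extended DNS Errors (RFC 8914)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid, qtype=1, udp_size=1232, do_bit=True):
    """Standard query with RD set plus an OPT RR carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = 0x8000 if do_bit else 0  # OPT TTL = ext-rcode(8) | version(8) | DO | Z(15)
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, 0)
    return header + question + opt


def read_name(data, pos):
    """Decode a possibly compressed name; return (name, position after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = pos + 2
            pos = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", (end if jumped else pos)


def parse_response(data):
    """Return id, rcode name, AD flag, number of A answers and EDE (code, text) pairs."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        _, pos = read_name(data, pos)
        pos += 4  # qtype + qclass
    rcode, answers, edes = flags & 0xF, 0, []
    for _ in range(an + ns + ar):
        _, pos = read_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == OPT:
            rcode |= (ttl >> 24) << 4  # upper 8 bits of the RCODE live in the OPT TTL
            i = 0
            while i + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[i:i + 4])
                body = rdata[i + 4:i + 4 + olen]
                if code == EDE and len(body) >= 2:
                    info = struct.unpack("!H", body[:2])[0]
                    edes.append((info, body[2:].decode("utf-8", "replace")))
                i += 4 + olen
        elif rtype == 1:
            answers += 1
    return {"id": qid, "rcode": RCODES.get(rcode, str(rcode)),
            "ad": bool(flags & 0x20), "answers": answers, "ede": edes}


def validates_dnssec(response):
    """A validating forwarder must refuse to hand out the broken zone."""
    return response["rcode"] == "SERVFAIL" and response["answers"] == 0


def probe(server, name="www.dnssec-failed.org", timeout=3.0):
    """Live check against a real forwarder over UDP/53 (not exercised offline)."""
    qid = 0x6521
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != qid:
        raise ValueError("response ID mismatch")
    return resp


# Constructed sample: the SERVFAIL 1.1.1.1 returned in the dig output above,
# re-encoded by hand (id 25889, flags qr rd ra, EDE 9 "DNSKEY Missing").
EDE_TEXT = b"no SEP matching the DS found for dnssec-failed.org."
SAMPLE_SERVFAIL = (
    struct.pack("!HHHHHH", 25889, 0x8182, 1, 0, 0, 1)
    + encode_name("www.dnssec-failed.org") + struct.pack("!HH", 1, 1)
    + b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, 4 + 2 + len(EDE_TEXT))
    + struct.pack("!HHH", EDE, 2 + len(EDE_TEXT), 9) + EDE_TEXT
)
# Constructed sample of a non-validating forwarder: NOERROR with an A record
# whose owner name is a compression pointer back to the question (0xC00C).
SAMPLE_NOERROR = (
    struct.pack("!HHHHHH", 25889, 0x8180, 1, 1, 0, 0)
    + encode_name("www.dnssec-failed.org") + struct.pack("!HH", 1, 1)
    + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    for label, raw in (("validating", SAMPLE_SERVFAIL), ("non-validating", SAMPLE_NOERROR)):
        r = parse_response(raw)
        print(f"{label}: {r['rcode']} ede={r['ede']} validates={validates_dnssec(r)}")
```

    Running it offline prints the verdict for both constructed replies; probe("9.9.9.9") or probe("1.1.1.1") runs the same check against a real upstream. If a forwarder you intend to use returns NOERROR here, either switch addresses (the post's 9.9.9.10 example is the non-validating one) or leave validation on locally, since nothing upstream is doing it.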

  • Cannot Reach Pfsense via Hostname

    0 Votes
    6 Posts
    961 Views

    @bmeeks Got it. I've made the update and it still works. Thanks again for all the help and detailed answers to help me understand how the system works.

  • No IP from DHCP on interface

    0 Votes
    4 Posts
    334 Views

    @a1aba You're gonna have to show some pics.
    Are you sure you're plugging into the correct interface?
    If you assign a static address on the same subnet, does it connect?

  • DDNS Client unexpected "The hostname contains invalid characters"?

    0 Votes
    2 Posts
    263 Views

    The issue turned out to be an invisible leading space in the hostname (copy/paste must have grabbed an extra leading space).

    Shouldn't the code be smart enough to trim() the input?

  • unbound refuses queries on ULA IPv6 Alias

    0 Votes
    1 Post
    347 Views
    No one has replied

  • Help With Dynamic DNS?

    0 Votes
    3 Posts
    724 Views

    @gertjan
    I appreciate your response and willingness to help. Unfortunately, I'm not a coder. I looked at both of your URL links. They are above my pay grade. I do remember that when I got dynamic DNS working in pfSense, I created an "A" type with the help of a friend. I'm not knowledgeable enough to write my own script or how to make the script execute. I'm not even sure if "host name" means "xxx" or "xxx.domain". 😞

    I guess I was hoping that I could copy and paste a script into the "request" field and just change my details. Likewise, copy and paste the appropriate "dynamic DNS server".

  • pfSense still assigning IP after static assigned

    0 Votes
    5 Posts
    419 Views

    I agreed, as I sent a screenshot: I have defined the pool to auto-lease only the 172.16.159.252 to 172.16.159.253 IPs, and the rest is based on the MAC I entered in the DHCP list, so it will assign that IP to the entered MAC.

    I noticed that when I intentionally made changes to the original entry, DHCP is not supposed to assign the same old IP address unless and until it is listed, although I have flushed ARP and recycled the leases.

  • DNS hostname disappears after input

    0 Votes
    2 Posts
    318 Views
    Gertjan

    @benam

    They all stick for me:

    (screenshot)

    @benam said in DNS hostname disappears after input:

    Version 2.5.2-RELEASE

    That's 5 or 6 versions in the past .... The issue was fixed.

  • DNS Resolver Outbound Interface Blocked on WAN

    0 Votes
    1 Post
    229 Views
    No one has replied

  • Different DNS server for each VLAN

    0 Votes
    3 Posts
    776 Views

    @viragomann
    What a straight-forward solution! Thanks!
    It works as expected now.

  • DHCP Static Mapping - "Edit" brings up empty form

    0 Votes
    9 Posts
    469 Views

    @bob-dig @johnpoz I tried starting in Firefox Safe Mode with all add-ons disabled... same problem

    However, creating an entirely new profile restored the correct behavior. So it's something in my default profile, but I can't imagine what would cause FF to remove the value= attribute from an input tag.

    Thanks for the help.

  • SSL certificates on internal A name records

    0 Votes
    12 Posts
    1k Views
    johnpoz

    @swami_ you can set up HAProxy to use your WAN or your LAN interface. Comes down to where the traffic is going to hit.

    Even if your HAProxy listens on your WAN IP, unless you open a firewall rule on the WAN, that would not be available to internet IPs. But your WAN IP is still going to be able to be hit via your LAN devices.

    Comes down to where you want to point the FQDN you want to use. If all you're going to want it for is LAN, then just use your LAN IP and point all the FQDNs you want to use to your pfSense LAN IP.

  • boltdns

    0 Votes
    1 Post
    295 Views
    No one has replied

  • DNS OVER 443?

    0 Votes
    9 Posts
    4k Views
    JonathanLee

    @provels Thanks!! Happy Holidays. I created two text files from the above URLs to use with SquidGuard, without the # and the text.

    DNS over HTTPS "DoH" server text files for use with Squid Guard:

    Smaller Lists made from URLS above: dnsdoh.txt

    Large List from bulk URL list: DoH DNS List.txt

    Combined Lists: CombinedDOHlist.txt

  • Query refused

    0 Votes
    3 Posts
    1k Views

    @bingo600
    A quick fix. It is working now.

    Thank you!

  • dhcp.c:4164: Failed to send 300 byte long packet

    0 Votes
    1 Post
    299 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.