• Unbound seems to be restarting frequently

    0 Votes
    178 Posts
    85k Views
    luckman212
    Nothing to add right now, other than: count me in as someone who hopes this gets addressed. The closest we've come appears to still be this draft PR from 2+ years ago. I personally don't use the "register DHCP leases" option but most customers expect stuff like "a device named LAPTOP_3f7ea4 connects to the network, then try to connect to smb://LAPTOP_3f7ea4 should work"...
  • DNS not responding to client queries

    0 Votes
    5 Posts
    975 Views
    johnpoz
    @droidus said in DNS not responding to client queries: "It is set to listen on Localhost" As @SteveITS mentions, if you only have it listening on localhost then it couldn't respond to anything but itself asking, unless you had a forward setup to localhost.
  • DNS queries from VMware subnet refused.

    0 Votes
    8 Posts
    1k Views
    A
    Thanks! That worked. Awesome!
  • dns resolver stop problem!

    dns resolver dns forwarder
    0 Votes
    6 Posts
    2k Views
    E
    @gertjan - After WAN is active, DNS resolver does not start automatically. We will review your suggestions. Thank you.
  • How to view status of dhcp6c client?

    0 Votes
    3 Posts
    948 Views
    luckman212
    related: https://www.reddit.com/r/PFSENSE/comments/vdrxkp/what_exactly_is_supposed_to_happen_when_pfsense/ and https://forum.netgate.com/topic/172849/rtsold-not-running-ipv6-wan-dhcp-keeps-losing-connectivity
  • Domain Forward Only for Some Networks

    0 Votes
    8 Posts
    910 Views
    johnpoz
    @wblanton while that might be what you would expect. Hoping clients use a different NS to resolve something is problematic for sure. Clients will normally not go ask another NS unless they get back no answer.. Not 100% sure on recursion requested but not available. While that might solve your issue with this specific fqdn.. Where the problem can show up, is if the client looking for some resource host.localdomain.tld and they ask some public ns and get back a NX.. In such a response the client will say oh ok thanks, no need to go ask my other listed NS for that. It is problematic to setup multiple ns on a client that can not actually resolve all the same stuff.. For just this reason - clients if get a NX will not go ask their other listed NSers..
  • DHCP Leases and ARP status page

    0 Votes
    3 Posts
    945 Views
    A
    @eazyxl yes same issue in order to avoid this issue i use to restrict some code Change host code by comment line on /etc/inc/system.inc $hostname finding ctrl+f on code 2
  • DHCP Relay on PF Sense version 2.6.0 is not working.

    0 Votes
    6 Posts
    912 Views
    H
    @hris Thank you so much bingo600 for your answer. Probably the issue is on my side only. I have the VLANs as well in my environment, but my DHCP is under Windows 2012R2. And the relay doesn't want to relay. I made a couple of tests last week and found that all in my network settings is correct, only the relay. I will try to make a DHCP under Windows 2016 and I will did it work for me. @ one additional thing: when I put my test VM Win10 into the same VLAN as the DHCP server all is working; when I change the port group on vCenter to the VLAN on which I will put my workstations and set a static IP, the network is OK. But when I change the IP settings to DHCP, the Win10 VM can't take the IP from the pool, and this shows that the DHCP relay is not working. Unfortunately I will stop using PF Sense and will try to find a different solution for a software router. I don't find the solution. Please advise, all future advice will be appreciated.
  • DHCP on /31 subnet?

    0 Votes
    15 Posts
    5k Views
    JKnott
    @jknott It appears someone needs a refresher on DHCP. In addition to a server and client address, it also uses 0.0.0.0 for the client before it learns its own address and the broadcast address. By my count, that's 4 addresses, which are hard to squeeze into a /31.
  • Dynamic DNS update to Digital Ocean doesn't work...

    0 Votes
    2 Posts
    843 Views
    H
    My dynamic DNS update does not work either. I use Google Domains. I switch temporarily to FreeDns and it does not update either. All I get is cached IP 0.0.0.0. Logs show rc.dyndns.update: phpDynDNS (sense.beasz.com): (Unknown Response)
  • local DNS stops working if WAN goes down

    0 Votes
    6 Posts
    1k Views
    H
    @johnpoz Thanks again for your help. I configured all of my "interesting" hosts to static IPs and unchecked "register DHCP hosts" and pulled power to my cable modem to test. DNS worked in that circumstance so unless there's some other condition (combined with WAN going down) that causes the DNS hang, I think this is fixed. best,
  • Unbound not advertising logincdn.msauth.net correctly to clients

    0 Votes
    11 Posts
    3k Views
    johnpoz
    @lukasz-s here is the thing - back in the day, you should have really never messed with changing something's ttl.. But that was back when they used realistic ttls, the only time you would lower them to very short was when you were getting ready for a change.. You would lower the ttl the closer you got to the change, you would then change the IP of the record. After you were sure everything was working, and new IP was good you would then raise the ttl back up to something normal. These days they love to set them to shit like 30 freaking seconds.. Or 5 minutes - why, they like to drive of number of queries and doing something with tracking if you ask me.. I set my min to 1 hour, and I also serve 0.. Have not run into anything there that has caused me any issues in accessing anything.. In a sane world no I wouldn't suggest messing with the ttl - but these places are insane - 30 second freaking ttl..
  • Using BIND to enforce Google SafeSearch…

    0 Votes
    5 Posts
    6k Views
    mrtumnus
    I tried this approach for duckduckgo.com => safe.duckduckgo.com (which has a dynamic IP, or at least has been observed to change). However, this does not seem to result in a proper DNS response. Normally, you'd get a CNAME response along with the A record for the target of the CNAME. However, this only returns the CNAME by itself, which results in failure to resolve for all the clients I tried (browser, ping, nslookup, dig, curl). I wonder if there's a way to force bind to resolve the CNAME target and serve it up as an A record.
  • Configure DNS Forwarder to internal DNS server?

    0 Votes
    2 Posts
    474 Views
    johnpoz
    @w_colony Normally you would point your clients to pihole, and then have pihole forward to pfsense. Pfsense can then either forward or resolve. If you have some local domain that pihole is going to resolve local resources that you want pfsense to be able to resolve, then setup a domain override for that domain to point to pihole. If you point your clients to pfsense, and then have it forward to pihole - you won't have any info in pihole on which client requested what - which is one of the nice things about pihole. You know what client is asking for whatever.. I currently use such a setup, clients point to pihole. Pihole forwards to pfsense (unbound in resolver mode)..
  • 0 Votes
    6 Posts
    1k Views
    luckman212
    @derelict Correct—Nothing would change at all until the user actually goes in to edit an entry and either creates a new duplicate (or tries to save an existing one). At that point, the warning would be shown. All they have to do is check the box and re-save.
  • When/Why would I want to ignore BOOTP queries?

    0 Votes
    3 Posts
    4k Views
    S
    @joe_papa Hey Joe, found this explanation in this Cisco documentation. I hope this helps. This feature is beneficial when there is a mix of BOOTP and DHCP clients in a network segment, and there is a BOOTP server and a Cisco IOS DHCP server servicing the network segment. The BOOTP server is configured with static bindings for the BOOTP clients and the BOOTP clients are intended to obtain their addresses from the BOOTP server. However, because a DHCP server can also respond to a BOOTP request, an address offer may be made by the DHCP server causing the BOOTP clients to boot with the address from the DHCP server, instead of the address from the BOOTP server. Configuring the DHCP server to ignore BOOTP
  • Resolving one host name to different IP per VLANs

    0 Votes
    5 Posts
    703 Views
    T
    @johnpoz Just I have never yet run into unbound on Linux, that is all. (Maybe I am noob on Linux as well? ) Thank you for the linked reference! Very useful!
  • All non-specified leases show "no subnet" in log

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Unable to see or remove errant static mapping

    0 Votes
    2 Posts
    628 Views
    M
    @minoe So, to solve my own problem, the solution was to temporarily change the IP address of existing static mapping. Once that was done, the errant entry was visible and thus editable. How do I submit a bug report?
  • Trouble getting new DNS to work on DHCP server

    0 Votes
    9 Posts
    2k Views
    TangoOversway
    I think I have it working - but if I did something dumb that will create problems, please let me know. I checked under the DNS Resolver. I thought the DHCP handled both DHCP and DNS all in one swell foop. It apparently does not. So under DNS Resolver, which was active, I needed to check the boxes for: DHCP Registration (Register DHCP leases in the DNS Resolver) Static DHCP (Register DHCP static mappings in the DNS Resolver) Also, in General Setup, I unchecked: DNS Server Override (Allow DNS server list to be overridden by DHCP/PPP on WAN) Then I powered down and moved it back down into my tech zone and swapped it into place where the old emergency firewall was.