• Simple DNS question

    9
    0 Votes
    9 Posts
    1k Views
    the otherT
    @deanfourie hey there, the "downside" is exactly what you mentioned: cannot see what's being queried, so no dns-based filtering of let's say advertisement, porn, known malicious sites...no pihole, no pfblocker dns-filtering... And that's a bummer for many users (including me). :)
  • Cloudflare "reserved IP" records not resolving on pfSense DNS server

    14
    0 Votes
    14 Posts
    3k Views
    G
    @johnpoz said in Cloudflare "reserved IP" records not resolving on pfSense DNS server: are you using the opaque app as well for spice console access

    No, I'm just using the normal vnc via the proxmox app.

    @johnpoz said in Cloudflare "reserved IP" records not resolving on pfSense DNS server: using just a full browser on my PC

    Connecting to a console via a browser on a PC works fine with or without a certificate. The app requires that you turn on SSL validation to connect to a console via the app itself. I've resolved this issue by using a DNS override.
  • DNS Resolver / Forwarder

    7
    0 Votes
    7 Posts
    1k Views
    L
    @johnpoz Thanks for the information. I'll use resolver, I mostly get what you're getting at. I'll have to do more studying on networking perhaps to understand some of these things better. The help is appreciated!
  • DNS over TLS Not Working?

    tls dns resolver tls over dns dns unbound
    7
    0 Votes
    7 Posts
    4k Views
    GertjanG
    @coyote1abe said in DNS over TLS Not Working?: could you please be a little more specific about the change you made to system

    Somewhere in the past, he changed the IP settings of his device (a Windows PC) from the default DHCP settings to a static setting. Like this: [image: 1659682406226-d3577074-a66d-4dc6-9d2a-47fe70abc2e1-image.png] which means this Windows device doesn't use pfSense at all for DNS .... because he asked for 1.2.3.4 to be used. He has undone that, and now all is well.
  • Problem using BIND as a secondary DNS

    1
    0 Votes
    1 Posts
    262 Views
    No one has replied
  • Unable to resolve kali.download

    9
    0 Votes
    9 Posts
    1k Views
    johnpozJ
    @jrather said in Unable to resolve kali.download: it referred enabling DNSSEC when using the root servers directly

    If you are forwarding to anywhere on pfSense, then yeah, DNSSEC shouldn't be enabled; where you forward either does DNSSEC or it doesn't. That setting really only has any real use if you're actually resolving, i.e. talking to roots. If you're forwarding, then that setting is more likely to cause issues than anything else. Both those records are not DNSSEC signed anyway, and I use DNSSEC since I resolve, and I'm not having any issues resolving it.
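    The two Unbound states the reply contrasts, shown as an added unbound.conf example (not pfSense's generated file and not material from the thread). pfSense's "Enable DNSSEC Support" checkbox corresponds to whether the validator module appears in module-config; the trust-anchor path and the upstream forwarder address below are assumptions. The two fragments are alternatives, not one file.

```conf
# Variant A: resolving. No forward-zone, Unbound iterates from the root hints
# itself, so local DNSSEC validation actually has chains to verify.
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"   # pfSense path, assumed
    harden-dnssec-stripped: yes

# Variant B: forwarding. Validation is the upstream's job; the validator module
# is not loaded, which is what leaving "Enable DNSSEC Support" unticked does.
server:
    module-config: "iterator"
forward-zone:
    name: "."
    forward-addr: 9.9.9.9          # hypothetical upstream forwarder
```

    After editing, `unbound-checkconf` validates the syntax before a restart; with Variant A, a query for a deliberately broken test domain should return SERVFAIL, which confirms validation is on.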
  • Unbound Service not starting

    1
    0 Votes
    1 Posts
    408 Views
    No one has replied
  • Problem with DHCP

    5
    0 Votes
    5 Posts
    725 Views
    B
    @falassion I also have the same problem. Is it normal for the DHCP service to stop every time?
  • DNS is sporadic

    2
    1
    0 Votes
    2 Posts
    641 Views
    GertjanG
    @tyler-0 said in DNS is sporadic: DNS seems to get funky. I haven't put any DNS options within PFSense,

    Good! Oh ... wait:

    @tyler-0 said in DNS is sporadic: On the Interface itself, I left the DNS Options blank. I've also tried 8.8.8.8, 8.8.4.4 and the Open DNS Ips. Still seem to have the same issue.

    What about: do not change any Unbound resolver settings. Like, none. And keep this list empty: [image: 1659335396688-b2ea5076-d10e-4e7c-b5d7-e3b842c8d9ac-image.png] Now you have a default working setup. Keep in mind: Netgate wouldn't choose a default installation that doesn't work. Also check on your LAN devices what DNS is actually used. Like:

        C:\Users\A-PC>ipconfig /all
        ....
        DNS Servers . . . . . . . . . . . . . : 192.168.1.1
                                                2001:470:1faa:5c0:2::1
        ....

    Now I know that 192.168.1.1 and 2001:470:1faa:5c0:2::1 are the LAN IPs of my pfSense. On pfSense, unbound listens on that LAN interface and handles everything from there. Works great for me, for the last 10 years. It would stop working if the Internet's DNS system goes down. That has never happened, as of 2022. You will only see issues if your uplink (ISP) is 'bad'. Mine isn't, or very rarely.
  • Dynamic DNS Custom Result Match: can't make it work

    3
    0 Votes
    3 Posts
    544 Views
    P
    I have a very strange update to this, which I cannot explain. I decided to create a test custom DynDNS entry and pointed its URL to my local web server. First I served just a text file with my IP and in the Result Match field I put %IP%. It worked and I got phpDynDNS (): (Success) IP Address Updated Successfully! Then I started to add some text, kept the hard-typed IP and placed the same text and %IP% instead of the IP into the Result Match field. It all worked. I came to the point where I put the exact Namecheap string into the file served by the web server, the one that never matched. But it matched this time. Then I went to the real DynDNS entry that never worked, put the same string into the Result Match field and it matched the Namecheap response this time. It's weird. I compared the response to the old one that was still sitting in my opened browser and they were exactly the same including headers. I usually don't type what I can copy/paste, so I don't think it was typing error.
  • Need help building dhcp6c for armv7

    10
    0 Votes
    10 Posts
    2k Views
    S
    @bmeeks No problem, I hope my changes will help all users to have access to those new features asap. In France we must use raw-options to get IPv6, and some people prefer to use OpnSense instead of pfSense because of that. At least, developers should consider updating this package if it's not my PR. https://github.com/pfsense/FreeBSD-ports/pull/1181
  • 0 Votes
    2 Posts
    324 Views
    T
    I suppose a workaround would be to make a DHCP pool with one IP address and limit that pool's use to MSI's mac address? In this way, MSI wouldn't have a static DHCP mapping, but it would always get the same address, correct?
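    The workaround the post sketches, as an added ISC dhcpd.conf example (not pfSense's generated configuration; the MAC address and subnet are hypothetical): a class that matches one hardware address, a one-address pool that only members of that class may use, and the general pool that denies them so the device never lands anywhere else. The subclass key starts with the hardware type byte (1 for Ethernet) followed by the MAC. pfSense's DHCP pool settings expose the same mechanism through the per-pool MAC allow and deny lists.

```conf
# Added example; MAC and addresses are hypothetical.
class "msi-only" {
    match hardware;
}
# 1: = hardware type Ethernet, then the client's MAC
subclass "msi-only" 1:00:11:22:33:44:55;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    # One-address pool reserved for the class: the device always gets .250
    pool {
        range 192.168.1.250 192.168.1.250;
        allow members of "msi-only";
    }
    # Everyone else; the class is excluded so it cannot fall back here
    pool {
        range 192.168.1.100 192.168.1.199;
        deny members of "msi-only";
    }
}
```

    Unlike a fixed-address host entry, the address handed out this way is a normal lease: it expires, is renewed, and shows up in dhcpd.leases, so anything that watches the leases file will see it.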
  • Unbound doesn't listen to Tailscale IP

    4
    0 Votes
    4 Posts
    2k Views
    P
    Basically, if I'm on my Tailscale VPN network, I want to be able to talk to my local Unbound DNS resolver so I can do proper DNS lookups of my internal network, as I route my IPv4 private and IPv6 ULA subnets. To do so, I want to be able to talk to Unbound via the Tailscale-assigned internal IPv4 address (100.72.216.87) and its Tailscale-assigned internal IPv6 ULA address (fd7a:115c:a1e0:ab12:4843:cd96:6248:d857). Tailscale has its own internal ACLs, so someone else on their IP range can't talk to my VPN network without permission; hence it should be reasonably safe to allow the Tailscale subnet ranges 100.64.0.0/10 and fd7a:115c:a1e0:ab12::/64 to talk to Unbound.
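    The listen and ACL side of what the post asks for, as an added unbound.conf example (not from the thread and not pfSense's generated file). The Tailscale addresses and ranges are the ones quoted in the post; the LAN address is an assumption. In pfSense the equivalents are the Network Interfaces selector and the Access Lists tab under Services > DNS Resolver, and a firewall rule on the Tailscale interface must still pass UDP and TCP 53.

```conf
server:
    # Listen on LAN plus the Tailscale-assigned addresses from the post.
    interface: 192.168.1.1                              # LAN address, assumed
    interface: 100.72.216.87
    interface: fd7a:115c:a1e0:ab12:4843:cd96:6248:d857
    # Unbound answers only sources listed as allow; everything else is refused.
    access-control: 192.168.1.0/24 allow
    access-control: 100.64.0.0/10 allow                 # Tailscale CGNAT range
    access-control: fd7a:115c:a1e0:ab12::/64 allow      # range proposed in the post
    # No 0.0.0.0/0 allow: binding to the Tailscale address does not make
    # Unbound an open resolver, because the default action stays refuse.
```

    The access-control list is the check worth keeping: binding to an interface only decides where Unbound listens, the ACL decides who gets an answer, so the tailnet ACLs and the Unbound ACL back each other up.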
  • Secure Dynamic DNS updates to Windows DNS

    1
    0 Votes
    1 Posts
    383 Views
    No one has replied
  • WAN DHCP briefly assigns IP in the same subnet as LAN

    20
    0 Votes
    20 Posts
    3k Views
    P
    @rcoleman-netgate said in WAN DHCP briefly assigns IP in the same subnet as LAN: @pfpv Try setting it to 100.2 Yes, thank you. Once you wrote it, it suddenly became very logical. It works now. I have always had a virtual IP on WAN 192.168.100.5/24 and it seemed to let me access 192.168.100.1. Only now I read in the instructions that "a typical IP Alias VIP cannot be used with DHCP".
  • Duplicate Static Mappings DHCP

    1
    0 Votes
    1 Posts
    377 Views
    No one has replied
  • 0 Votes
    1 Posts
    385 Views
    No one has replied
  • Just installed and the first restore-problem

    1
    0 Votes
    1 Posts
    237 Views
    No one has replied
  • 0 Votes
    3 Posts
    1k Views
    B
    @gertjan said in DHCP static mappings that don’t specify hostnames:

    @bp81 said in DHCP static mappings that don’t specify hostnames: I am observing that any client that has a static mapping set but has the hostname field blank in the mapping does not get registered in dns. Non static clients will get registered as expected.

    Ask pfSense what it is doing, and it will tell us:

        /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid interface1 interface2 .....

    The DHCP server config file /var/dhcpd/etc/dhcpd.conf shows me how known static leases are set up for the dhcpd process. I guess, when creating a static MAC-based lease, the info is used to create a /var/dhcpd/etc/dhcpd.conf so dhcpd knows about it, and at the same time a line is added to /etc/hosts. /etc/hosts is read by unbound when it starts executing.

    Take a look at the /var/dhcpd/var/db/dhcpd.leases file. You will find some leases like:

        lease 192.168.1.71 {
          starts 4 2022/07/21 09:10:02;
          ends 5 2022/07/22 09:10:02;
          cltt 4 2022/07/21 11:47:01;
          binding state active;
          next binding state free;
          rewind binding state free;
          hardware ethernet 18:e7:b0:cc:bc:d9;
          uid "\001\030\345\260\039\005\341";
          client-hostname "iPhone-12-Jullien";
        }

    and other leases do not have a client-hostname at all. Or worse, they do have a client-hostname, but this name is not DNS-hostname format compatible. Understand that the client-hostname is given to the dhcpd server by the device, using its dhcp client. The client-hostname can be set up by the person who admins the device, if the device even has this capability. Many devices have a client-hostname hard coded, or omit it. My /var/dhcpd/var/db/dhcpd.leases file contains 276 leases, and only 12 have a client-hostname given by a device. So: using the client-hostname given by the client is ..... not a safe solution.

    @bp81 said in DHCP static mappings that don’t specify hostnames: I am observing that any client that has a static mapping set but has the hostname field blank

    There was a forum thread a while ago about this question. Or was it: give MAC and hostname but no IPv4 in a static ....? Don't recall. Consider the "DNS" as a phone book. One rule, no exception. Planet earth goes down? Still no exceptions. The rule is: Phone number <=> Name. If one of the two is missing the system goes belly up. DNS down is bad for business (but a very popular amusement, see the forum; it's an ongoing occupation for many). So, I guess pfSense wants you (forces you) to give a host name. That's the name that can be checked against DNS name compliance. That's the one being used for DNS. You can change this behaviour of course; no need to inform the dhcpd process with a setting. It's all 'pfSense GUI' scripted somewhere in the PHP files. But take note: if you decide to add some script logic that uses the "client-hostname" (the name given by the client), then you need some other process that parses /var/dhcpd/var/db/dhcpd.leases, and now you have opened a can of worms. Just read the several thousands of forum posts about this process:

        /usr/local/sbin/dhcpleases -c /usr/local/bin/php-cgi -f /usr/local/sbin/prefixes.php -l /var/dhcpd/var/db/dhcpd.leases

    This process is activated when you select this option: [image: 1658408825583-cd729aba-4fc9-4b9c-af35-d7bc5b3c9d92-image.png] This process stops and restarts unbound (your local DNS!) every time a DHCP lease comes in or gets renewed. Now you know why I strongly advise disabling this option: [image: 1658409032530-7db176b8-31f7-4071-9d1b-529db9fa7fd7-image.png] For every device that you have to know by hostname, pick an easy DNS hostname, and make a static MAC lease.

    I know this isn't the perfect solution, but it's the one that works, is easy to maintain, and unbound will restart far less often, so DNS keeps on working, and the cache gets built and stays valid. This one: [image: 1658409222813-a26ab38c-7ba1-4263-8bb0-5a5f9e192d9a-image.png] is 'harmless' as /etc/hosts only gets read when unbound starts.

    In short, it appears it is not possible to create the behavior I'm looking for. It's not terribly important to us, it just would've been nice. The background on our infrastructure is that we have a mixed environment administered by Active Directory and Windows DNS. We have Windows workstations, laptops, and servers, but we also have some Linux and FreeBSD systems, as well as some IoT devices. Hostname resolution of Windows machines in Windows DNS is easy; Active Directory joined workstations have a group policy set to register their hostnames in Windows DNS. To get non-Windows systems registered in DNS, we are using some scripting to read the dhcp leases file and dhcp config file from dhcpd, then doing some filtering to determine which leases belong to non-Windows devices and dynamically register those in Windows DNS. This is being done with a powershell script. The end result being that we now have resolution by hostname for every single device provisioned by DHCP in our network (and that is ALL devices at this point. We don't do manual IP address assignment on any system at this point). The scripting based solution works very nicely, it just would've been nice if we had the option to assign an IP address via DHCP static reservation without having to assign a hostname in the static reservation. That creates a condition where, when I create static reservations, I have to remember to leave the hostname field blank for Windows machines (which will register their DNS hostnames directly with AD DNS) but specify hostnames in the reservations for non-Windows systems.

    It's not really that big of a deal, it would just be more convenient to be able to write my DHCP reservations in a consistent manner for all entries rather than having one kind of entry for Windows systems and a different kind of entry for non-Windows systems.
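    A parser for the two files the thread keeps pointing at (dhcpd.leases and the host stanzas in dhcpd.conf), as an added example; it is not pfSense code and not bp81's PowerShell script. It keeps only the last block per IP, since dhcpd appends a new block on every change, treats a static mapping without a hostname and a lease whose client-hostname is missing or not a valid DNS name as the failure modes the thread describes, and returns the (hostname, ip) pairs that are safe to push into DNS. The sample file contents and the pfSense-style host stanza layout are constructed assumptions.

```python
# Added example, not pfSense or ISC code. Sample file contents are constructed.
import re
from dataclasses import dataclass
from typing import Optional

# One RFC 1123 label: 1-63 letters, digits or hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_dns_hostname(name: Optional[str]) -> bool:
    """True when every dot-separated label of name is RFC 1123 compliant."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


@dataclass
class Lease:
    ip: str
    mac: Optional[str]
    hostname: Optional[str]  # client-hostname the device sent; often missing
    state: Optional[str]     # "binding state": active, free, ...


LEASE_RE = re.compile(r"lease\s+([0-9.]+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]+);")
CHN_RE = re.compile(r'client-hostname\s+"([^"]*)";')
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)  # skips "next binding state"


def parse_leases(text: str) -> dict[str, Lease]:
    """dhcpd appends a new block on each change, so the last block per IP wins."""
    leases: dict[str, Lease] = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac, chn, st = MAC_RE.search(body), CHN_RE.search(body), STATE_RE.search(body)
        leases[ip] = Lease(ip, mac.group(1).lower() if mac else None,
                           chn.group(1) if chn else None, st.group(1) if st else None)
    return leases


HOST_RE = re.compile(r"\bhost\s+\S+\s*\{(.*?)\}", re.S)  # pfSense-style host stanza (assumed)
FIXED_RE = re.compile(r"fixed-address\s+([0-9.]+);")
HNAME_RE = re.compile(r'option host-name\s+"([^"]*)";')


def parse_static_mappings(conf: str) -> dict[str, Optional[str]]:
    """fixed-address -> host-name (None when the mapping carries no hostname)."""
    statics: dict[str, Optional[str]] = {}
    for m in HOST_RE.finditer(conf):
        fixed, hname = FIXED_RE.search(m.group(1)), HNAME_RE.search(m.group(1))
        if fixed:
            statics[fixed.group(1)] = hname.group(1) if hname else None
    return statics


def plan_registrations(leases, statics):
    """Return (records, skipped): records are (hostname, ip) pairs safe to push to DNS."""
    records, skipped = [], []
    for ip, name in statics.items():
        if is_dns_hostname(name):
            records.append((name.lower(), ip))
        else:
            skipped.append((ip, "static mapping without a valid hostname"))
    for ip, lease in leases.items():
        if ip in statics or lease.state != "active":
            continue  # fixed-address hosts handled above; expired/free leases ignored
        if is_dns_hostname(lease.hostname):
            records.append((lease.hostname.lower(), ip))
        else:
            skipped.append((ip, "active lease with missing or invalid client-hostname"))
    return records, skipped


# Constructed sample data: .71 appears twice (rename), .72 sends no hostname,
# .73 sends one that is not a valid DNS name, s_lan_1 has no hostname field.
SAMPLE_LEASES = """\
lease 192.168.1.71 {
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:AA;
  client-hostname "old-name";
}
lease 192.168.1.72 {
  binding state active;
  hardware ethernet 00:11:22:33:44:BB;
}
lease 192.168.1.73 {
  binding state active;
  hardware ethernet 00:11:22:33:44:CC;
  client-hostname "Bob's Printer";
}
lease 192.168.1.71 {
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:AA;
  client-hostname "laptop-alice";
}
"""

SAMPLE_CONF = """\
host s_lan_0 {
  hardware ethernet 00:11:22:33:44:01;
  fixed-address 192.168.1.50;
  option host-name "nas01";
}
host s_lan_1 {
  hardware ethernet 00:11:22:33:44:02;
  fixed-address 192.168.1.51;
}
"""

if __name__ == "__main__":
    recs, skip = plan_registrations(parse_leases(SAMPLE_LEASES), parse_static_mappings(SAMPLE_CONF))
    for name, ip in recs:
        print(f"register {name} -> {ip}")
    for ip, why in skip:
        print(f"skip     {ip}: {why}")
```

    The point of the skipped list is the same one gertjan makes: a name supplied by the client cannot be trusted to be DNS-compliant, so the script validates every name before it touches the zone rather than letting the DNS server reject it later.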
  • Problem with WAN/GATEWAY and DHCP

    3
    0 Votes
    3 Posts
    521 Views
    V
    @falassion Re-enable the gateway monitoring and set an external IP for monitoring in case you've changed that in the meantime. Then try enabling System > Advanced > Miscellaneous > State Killing on Gateway Failure.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.