@keyser Ok. But if I disable pfblockerNG (not uninstalling it), it's not significantly faster? I also don't have many subscriptions. Only the basic/default Blacklist is enabled.

@m9x3mos Remember to add the OpenVPN "Client network" to the "unbound resolver ACL's" , else unbound will reject the lookup. And i assume you have permitted TCP/UDP 53 from OpenVPN clients to the pfSense interface you announce as openVPN dns server ip. Edit: I think there's a "feature" in unbound , where it would reject RFC1918 dns answers (from the asus) unless being told to accept them. @johnpoz Could you share a hint here ? /Bingo

@marama You are saying all your local name resolving is based on host overrides ? That could be done with unbound (resolver) too. I have no experience with the DNS forwarder. Sorry /Bingo

@steveits Very helpful thank you. This got me going!

@jimp Thanks. That makes sense. Just seems that it was a change for versions after 2.5. Now I know it's expected behavior going forward and will get sorted when the device is configured.

Solved by watching a video from Christian McDonald. The change was to the settings in the peer (client) app. I set the DNS address to the tunnel address (192.168.85.1) rather than my pfSense address.

@sbwcws Unclear - it's not supported as far as I can tell. I'd open a new topic in what you think might be the most appropriate spot or search the forums for other's past inquiries or attempts.

@toluun Seems to be an issue with my linux installation. If I specify the dns server it responds as expected. dig @192.168.20.1 notthere.local.lan

Anyone that has insight to share about Bind DNS PTR record troubleshooting?

@wildfrog What is listed as the router in the DHCP server on LAN? If you really, really want to see what is going on, packet capture the DHCP traffic on the LAN and post it. Particularly interested in the DHCPOFFER from the server.

For future reference, problem was caused by a misconfigured setting in General Setup -> DNS Server Settings - DNS Resolution Behaviour. Setting changed to Use Local DNS, Fall back to remote DNS Servers

bump

Okay. I'll reply to myself: it was super easy: https://japtaincack.blogspot.com/2018/02/pfsense-dhcp-dynamic-dns-updates-to.html But I think I found a bug in pfSense, because I configured this for the DHCP on only ONE specific interface, but now it registers ALL clients from all LAN subnets in the remote DNS. Do somebody know how to prevent this? I also don't know why it creates a TXT record for every client, would also be nice not to have this.

@johnpoz --- Right but unbound actually runs - the settings just wouldn't save. In any event, I hadn't see this so appreicate you pointing it out...

@offstageroller said in The maximum lease time must be at least 60 seconds and higher than the default lease time - Why?: @jimp said in The maximum lease time must be at least 60 seconds and higher than the default lease time - Why?: It's probably a limitation from an earlier version of ISC DHCPD or perhaps even older than that. The current man page for dhcpd.conf has an example where max == default so it's probably OK now. From the EXAMPLES section on https://www.freebsd.org/cgi/man.cgi?query=dhcpd.conf&apropos=0&sektion=0&manpath=FreeBSD+12.3-RELEASE+and+Ports&arch=default&format=html max-lease-time 120; default-lease-time 120; Git blame shows the input validation check going all the way back to the very first initial pfSense commit in 2004, so it's very old. Make a Redmine entry as a feature request to relax the input validation and we'll get that adjusted. Will do. I'll go ahead and submit a PR/MR to help make that change after creating the ticket. Redmine ticket: https://redmine.pfsense.org/issues/13118 Pull Request: https://github.com/pfsense/pfsense/pull/4581