• Dynamic DNS broken after pfsense+ upgrade

    6
    0 Votes
    6 Posts
    1k Views
    @andy22 If you install the System Patches package you'll see the recommended patch: Fix Google Domains Dynamic DNS response processing (Redmine #12754)
  • some hosts are not renewing properly their lease

    7
    0 Votes
    7 Posts
    1k Views
    @johnpoz Hi, I agree it is not clear. I reconnected the tablet for now so I will post back more screenshots when the problem will happen again ( 2,3 days I guess..) thanks
  • DDNS Broken

    1
    0 Votes
    1 Posts
    428 Views
    No one has replied
  • pfsense static ip problem

    6
    0 Votes
    6 Posts
    2k Views
    @johnpoz static arp works as you say. But sometimes you plug in a computer so it can access the internet quickly. With this method, you will have to go and add the mac address to pfsense every time
  • DHCP error on VLANs only

    2
    0 Votes
    2 Posts
    526 Views
    FIXED I looked at the config.xml and saw that there were 2 entries for my VLAN 100 and VLAN 200 under the DHCPD section. I removed one of the duplicate sections for each VLAN and restarted DHCPD.... all is fine now...The GUI can manage DHCP leases again....
  • Encrypt DNS unable to resolve

    15
    0 Votes
    15 Posts
    2k Views
    johnpoz
    @peter_apiit said in Encrypt DNS unable to resolve: ISP seeing my browse website history so I want to completely hide it. Which you're not with encrypted dns.. because while they don't see the dns query - they still see where you go via IP when or the actual sni included in the https handshake that is in the clear.. It is trivial for a company that was sniff your dns traffic, to just sniff https and get the sni, etc. The only way to hide where you actually go from your isp is a vpn.. Then all they see is the amount of traffic between you and the vpn service IP. But that is just handing off trust from your isp to the vpn service, etc. And then paying them to boot ;)
  • Insanely weird issue with DNS resolution to www.cdc.gov

    52
    0 Votes
    52 Posts
    9k Views
    johnpoz
    @stompro said in Insanely weird issue with DNS resolution to www.cdc.gov: seems like a fad, like fidget spinners Not sure if I would say that - but the overall adoption is disappointing to be sure.. Here is the thing that site is all kinds of messed up when it comes to dnssec... I don't have any problem resolving it, using dnssec - but with some of the errors I see, it could for sure be hit or miss. If you're forwarding, and also have dnssec enabled that can cause issues. So are you saying when you uncheck dnssec in unbound, and forward to cisco it fails? Is that something you have to enable do disable in your subscription.. Cisco Umbrella is a subscription service is it not?
    $ dig @192.168.9.253 www.cdc.gov
    ; <<>> DiG 9.16.27 <<>> @192.168.9.253 www.cdc.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15485
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.cdc.gov. IN A
    ;; ANSWER SECTION:
    www.cdc.gov. 3600 IN CNAME www.akam.cdc.gov.
    www.akam.cdc.gov. 3600 IN A 104.98.82.250
    ;; Query time: 185 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri Apr 22 09:45:15 Central Daylight Time 2022
    ;; MSG SIZE rcvd: 79
  • Unable to ping desktop on vlan interface

    3
    0 Votes
    3 Posts
    883 Views
    @viragomann I have the same result if I ping using the 'Default' source address or the 'vlan6test' source. The vlan was created using my lan parent interface. I have everything working on the computer. I just don't see why the firewall cannot ping it.
    # /sbin/ping -S '192.168.50.1' -c '3' '192.168.50.100'
    PING 192.168.50.100 (192.168.50.100) from 192.168.50.1: 56 data bytes
    --- 192.168.50.100 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
  • Client ID and Hostname

    13
    0 Votes
    13 Posts
    3k Views
    JKnott
    @jimp No problem. I just wonder what that client ID column is for, when the contents of option 12, which is supposedly client ID, is placed in the host name column. Maybe some info could be provided on that page to clarify. The pfSense docs are a bit thin on that. BTW, I'm the kind of person who likes to really dig into something, to understand it fully.
  • DHCP Leases Screen not loading when failover peer is turned on

    2
    0 Votes
    2 Posts
    630 Views
    The Failover peer IP on both FWs is configured correctly. But they refuse to sync. Both are on recover and peer status unknown or partner-down and recover-wait. But both partners are up.
  • Back to static addressing I guess...

    7
    0 Votes
    7 Posts
    1k Views
    @johnpoz said in Back to static addressing I guess...: If I had setup a reservation, and client didn't get it - step 1, validate that actually set the reservation ;) heehhe I do realize how this sounds, and am not amused, but was my own fault. I did see the line saved on the bottom of the dhcp server page but yeah, thought it was peculiar no ip was shown there. I now know better. Thanks a lot for your patience! :)
  • pfsense 2.5.0 unbound stuck at 99-100% cpu and stop resolving

    4
    1 Votes
    4 Posts
    1k Views
    Same issue here, tried reinstalling because I thought it shat itself during update (again) but it seems it's not just me. I'm running pfsense in kvm if that's relevant to someone
  • Unbound crashes daily, 'out of swap space'

    14
    0 Votes
    14 Posts
    2k Views
    KOM
    @gertjan I also have a running session tracking memory. It grew at first by 3-5M and then has been stable for 2 days now. We'll see over the next week or two.
  • RE: DNS behavior

    2
    0 Votes
    2 Posts
    858 Views
    Created new topic, was unable to reply to previous thread due to permission error. The current behavior is to send DNS queries to every configured gateway at once in forwarding mode, regardless if sequential or if already reply was received
  • Unbound corrupt root.key file

    1
    0 Votes
    1 Posts
    519 Views
    No one has replied
  • Clarification of DHCP and Static IPs?

    4
    0 Votes
    4 Posts
    1k Views
    JKnott
    @xraydoc88 Yes, I am quite happy with the Qotom. I had previously used a HP compact desktop computer, but it died.
  • dhcpd daemon use CPU 100 percent

    1
    0 Votes
    1 Posts
    399 Views
    No one has replied
  • Encrypt DNS

    dns
    3
    0 Votes
    3 Posts
    1k Views
    @johnpoz Thanks man.
  • Purpose of multiple DNS per gateway

    dns resolver
    4
    0 Votes
    4 Posts
    882 Views
    AndyRH
    The way MS describes it: Windows will ask the primary DNS, if a response is not seen in a short time it asks the 2nd and so on. The DNS that responds first becomes the primary. If you are looking at a packet capture you should see some amount of time, my guess is 10's of ms, between the queries. MS never defined a "short time" when I asked about it. However it is said to work, it seems most OSs do what you describe, hit several before the first DNS responds. The packets are small enough I don't think the developers care and are more worried about response time.
  • DNS Resolver Root Server Question

    17
    0 Votes
    17 Posts
    2k Views
    Actual page load time (PerformanceTiming.domComplete - PerformanceTiming.navigationStart) of www.bbc.com:
    Forward [1st run || 2nd run] || Resolve [1st run || 2nd run]
    0.87 s || 0.89 s || 1.65 s || 0.84 s
    @gertjan said in DNS Resolver Root Server Question: On the other side : cnn.com isn't doing DNSSEC
    97 % of all .com domains are unsigned as of now: https://rick.eng.br/dnssecstat/
    @gertjan said in DNS Resolver Root Server Question: If the did, you could see a triple the number of queries
    ftp.isc.org supports all bells and whistles related to DNSSEC:
    Resolve [1st run || 2nd run] || Resolve +DNSSEC [1st run || 2nd run]
    1.05 s || 0.95 s || 1.28 s || 0.96 s
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.