• Resolver, but in 'forwarding' mode?

    0 Votes, 3 Posts, 277 Views, last post by Gertjan

    @tknospdr said in Resolver, but in 'forwarding' mode?:

    with the 'query forwarding' box checked and

    ... and given some DNS servers to forward to:

    [screenshot]

    Not a lot of difference. The functionality is the same.

    dnsmasq, the original (before 2012?) forwarder, is still there for historical reasons.
    pfSense started to include Unbound, the resolver, as there are no more good reasons (advantages) to forward to some given = ISP (or chosen by you) corporate DNS server. It's 2025 now, so you can tap into the original "DNS system" that the Internet offers you. In short: you can take the info from the source, and you don't need an intermediate service anymore.
    You've seen it yourself how good it is: when you installed pfSense, before you changed anything, 'DNS' worked. So no more need to forward to some other resolver.

    Resolving means it will use DNSSEC if available.

    Still, you can choose what method you want to use.
    Both methods have their advantages.
    My point of view is: Netgate has chosen a default setup with a resolver for a reason.

  • Transfer pfSense leases to Windows DNS

    0 Votes, 6 Posts, 493 Views, last post by Gertjan

    @mb-panketal

    Something to read : 21.2.1. GSS-TSIG Overview

    That's what I'm using so Kea's DDNS can communicate with a remote DNS like Microsoft AD (if I understand the doc correctly).
    Not very surprising, as bind and DC are, imho, the most common ones.

    So, don't wait, don't switch, don't relay, but:
    4. Setup and start the Kea DDNS (see my other post).

    This probably needs "Kerberos 5" stuff and, looking at other "pfSense Microsoft DC" forum posts, pfSense has the needed libraries already.
    So the issue might be as simple as

    You want A to talk to B,
    So : Make them talk.

    And I get it, this concerns a Microsoft product so finding doc is a bit hard(er) ....

  • Configure pfsense as Local / over VPN DNS / Forwarder

    0 Votes, 2 Posts, 257 Views, last post by B

    This is what my setup is. Both pfSense firewalls are able to locally resolve DNS using the host override settings.
    My goal is to have clients on LAN3 resolve DNS from LAN0.
    The 2 pfSense firewalls are connected over VPN.

    [screenshot]

    The setting I used is a domain override on the DNS Resolver service.
    Since LAN3 has routing to network 0, I used the remote pfSense address.

    [screenshot]

    Is this going to work? Is that a sufficient setup?

  • DNS Host Overrides changing via command line

    0 Votes, 5 Posts, 417 Views, last post by E

    @johnpoz "If this is a private IP then it’s a little harder. Can’t do a DHCP reservation? Perhaps a “domain” override for that hostname pointing to the remote DNS server?"

    Sadly not, there isn't a local DNS server on the other network. The network is in effect a black network with very limited and extremely controlled connectivity to other resources.

  • DNS Puzzle

    0 Votes, 29 Posts, 2k Views, last post by johnpoz

    @provels yeah many of the IoT devices these days are hard coding DoH servers.. Like I said they are harder to block - and that way they can look up who they want to pull ads from or send telemetry to, etc..

    The prices of these products are so low quite often because the device itself is not really the product, they just want some device to get your info that they sell.

    But yeah you start blocking stuff they want to look up, and you can find your NS getting hammered..

  • [solved] IPv6 address gotten via DHCPv6 (kea) lost

    0 Votes, 2 Posts, 342 Views, last post by Bob.Dig

    Went back to ISC, no such problem.

    Edit1: Same problem exists. Why, what has happened here?

    Edit2: Ok, I disabled the DNS config for IPv6 a few days ago.

    Unchecking this box disables the dhcp6.name-servers option. Use with caution, as the resulting behavior may violate RFCs and lead to unintended client behavior.

    So it is a known fact, I will mark this as solved. There doesn't seem to be the possibility to give "none" as an IPv6 address for DNS. For now, I disabled DHCPv6 on LAN.

  • Unbound Resolver Crash

    0 Votes, 6 Posts, 513 Views, last post by Gertjan

    @hypnosis4u2nv said in Unbound Resolver Crash:

    I have pfblocker also, does daily updates.

    Something like this:

    [screenshot]

    So, no surprise:

    [screenshot]

    and now you've set everything up for "more problems".
    Because:

    @hypnosis4u2nv said in Unbound Resolver Crash:

    For now I turned on a watchdog service for unbound.

    The service watchdog is stupid, doesn't have brains, doesn't use AI.
    It executes every minute, checks whether the listed tasks are running, and if not, starts them.
    What if .... right at that moment pfBlocker did its daily thing, and restarts unbound? Chances are pretty great (no need for a 4-year Harvard licence here, it's a 1/30 or 3.33 % chance for me as my restart took 2 seconds and the dog runs every minute = 60 seconds) that the watchdog finds unbound not running, and starts it. But it was already in the restart process.....
    You just created more problems.
    My advice: you'll get to the bottom of this, don't worry. Just don't use "service watchdog".

    @hypnosis4u2nv said in Unbound Resolver Crash:

    Memory usage:
    9% of 16234 MiB

    Ok, probably not an OOM event. That said, pfBlockerNG uses PHP to do the loading, filtering and formatting. PHP is very slow in doing this.
    Do you have many DNSBL lists?
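The race Gertjan describes above (a once-a-minute watchdog firing in the 2-second window while pfBlockerNG is restarting unbound) goes away if the watchdog waits out a planned restart instead of acting on a single miss. The script below is an added example for this thread, not pfSense's Service Watchdog and not Netgate code; `UNBOUND_PIDFILE`, `RESTART_CMD` and especially `PFB_BUSY_FLAG` (a marker file your own pfBlockerNG cron wrapper would have to create and remove) are assumptions to adapt to your box.

```sh
#!/bin/sh
# Added example, not pfSense's Service Watchdog or any Netgate code.
# One cron tick of a watchdog that will not fight a planned unbound restart:
# a single miss only bumps a counter, and nothing is touched while a marker
# says pfBlockerNG is mid-update. Every path below is an assumption.

UNBOUND_PIDFILE="${UNBOUND_PIDFILE:-/var/run/unbound.pid}"        # assumed location
PFB_BUSY_FLAG="${PFB_BUSY_FLAG:-/var/run/pfblockerng.updating}"   # hypothetical: touch it around the pfBlockerNG cron job
MISS_FILE="${MISS_FILE:-/tmp/unbound_watch.misses}"              # consecutive-miss counter kept across ticks
MAX_MISSES="${MAX_MISSES:-3}"                                     # 3 ticks at 1/min = 3 minutes down before acting
RESTART_CMD="${RESTART_CMD:-/usr/local/sbin/pfSsh.php playback svc restart unbound}"   # assumed; split on spaces when run

# pid_alive PIDFILE: true if the pid written in PIDFILE is a live process
pid_alive() {
  [ -r "$1" ] || return 1
  pid=$(tr -cd '0-9' < "$1")
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

read_misses()  { [ -r "$MISS_FILE" ] && cat "$MISS_FILE" || echo 0; }
write_misses() { echo "$1" > "$MISS_FILE"; }

# decide_action RUNNING BUSY MISSES -> skip | wait | restart
#   RUNNING=1: unbound is up, nothing to do
#   BUSY=1:    a planned restart is in progress, do not race it
#   otherwise: restart only after MAX_MISSES consecutive misses
decide_action() {
  if   [ "$1" -eq 1 ]; then echo skip
  elif [ "$2" -eq 1 ]; then echo wait
  elif [ "$3" -ge "$MAX_MISSES" ]; then echo restart
  else echo wait
  fi
}

# watch_once: one tick; prints the action taken so cron mail/logs show it
watch_once() {
  running=0; pid_alive "$UNBOUND_PIDFILE" && running=1
  busy=0;    [ -e "$PFB_BUSY_FLAG" ] && busy=1
  misses=$(read_misses)
  if   [ "$running" -eq 1 ]; then misses=0               # healthy: reset the counter
  elif [ "$busy" -eq 0 ]; then misses=$((misses + 1))   # down and nobody is restarting it
  fi                                                     # down but busy: do not count it
  action=$(decide_action "$running" "$busy" "$misses")
  case "$action" in
    restart) write_misses 0; $RESTART_CMD ;;
    *)       write_misses "$misses" ;;
  esac
  echo "$action"
}

if [ "${1:-}" = "--tick" ]; then watch_once; fi
```

Run it from cron as `sh unbound_watch.sh --tick` once a minute. Even without the busy marker, the consecutive-miss counter alone covers the case in the thread: a 2-second pfBlockerNG restart produces at most one miss, which the next healthy tick resets, so the watchdog never issues a second restart on top of the first.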

  • CNAME vs DHCP static mappings

    0 Votes, 5 Posts, 396 Views, last post by M

    @Gertjan Thanks. No high security requirements here either. But I have worked on PKI for much of my career, and I feel there should be a way to implement this cleanly with pfSense.

    I have played with the third party pfSense API package. Wrote some code to export all the DHCP reservations to Smokeping. It's been read-only, so far. I have not figured out how to do something read-write. Being able to edit all the reservations in a spreadsheet, rather than through the GUI would be useful. Same for editing the host overrides for CNAMEs. A good script may be able to synchronize things, if additional metadata is included in the spreadsheet.

    I have got a shit ton of IoT IP devices - over 300 of them. Most Wifi, some wired too. Went to a /22 for my LAN a couple weeks ago. It's on my to-do list to explore VLANs and block as many devices from Internet access as possible. About 250 of them can function with local API without Internet using Home Assistant. I don't believe any of them needs CNAMEs. They don't even need a hostname, but I still assigned hostnames to every single one in the DHCP server table. Can't remember all the names any more than I can the IP addresses, though. I'd love to be able to synchronize data between the pfSense DHCP table and Unifi controller device table. But Unifi has no official API. Only 3rd party, which I have not explored. Synchronizing with Home Assistant as well would be the holy grail. But I don't think their REST API is up to the job either.

  • [SOLVED] Domain Override (DNS Resolver) Not Working

    0 Votes, 8 Posts, 721 Views, last post by Gertjan

    @manjotsc said in Domain Override (DNS Resolver) Not Working:

    need to set Outgoing Network Interfaces to ALL, I had it set to WAN

    Oh ... cool ... tell unbound to use (only) WAN as an outgoing interface, while it should have been using the Wireguard tunnel (which also goes over WAN) to do its job.

    edit: I'm actually echoing what @SteveITS said

    @manjotsc said in Domain Override (DNS Resolver) Not Working:

    Is there a reason why it needs to be to ALL?

    You've already got my point: because someone decided that that setting is perfect for us ^^

    As the Wireguard connection is a second type of WAN interface: a network that goes "somewhere" outside the local LANs, and not reachable by the classic WAN, you have to inform unbound about it.
    Set it to

    [screenshot]

    (it was set by default on All - which proves Netgate's default settings are perfect - who are we to make them any better 😊)
    but yeah, WAN is fine, but check-select also your wireguard interface.
    I don't quite understand what danger or harm there is if it also uses my local LAN connections (no DNS devices will reply from there) so I don't bother: All is fine for me.
    There might be cases where All is not good - I just didn't discover them yet.

    @manjotsc said in Domain Override (DNS Resolver) Not Working:

    server:
    private-domain: "example.xyz"

    There is another part worth looking at - same file:

    # Domain overrides include: /var/unbound/domainoverrides.conf

    Look at what "/var/unbound/domainoverrides.conf" contains.
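The check behind this thread is mechanical: for each forward-zone in /var/unbound/domainoverrides.conf, find which interface the routing table uses to reach the forward-addr, and make sure that interface is among the ones selected under Outgoing Network Interfaces. The script below does exactly that and is an added example written for this thread, not pfSense code. The config file path is the one named in the post; the interface names (igb0, igb1, tun_wg0), the sample zones and addresses in the demo, and the FreeBSD `route -n get` lookup are assumptions.

```sh
#!/bin/sh
# Added example, not pfSense or Netgate code. Reads the forward-zone stanzas
# pfSense writes for domain overrides and checks that each forward-addr is
# routed through an interface unbound may use (Outgoing Network Interfaces).
# The file path, interface names and sample addresses are assumptions.

OVERRIDES="${OVERRIDES:-/var/unbound/domainoverrides.conf}"

# route_iface ADDR: interface the routing table picks for ADDR. ROUTE_LOOKUP
# may name a replacement function, which is how the demo runs off the box.
route_iface() { "${ROUTE_LOOKUP:-route_iface_real}" "$1"; }
route_iface_real() {
  # FreeBSD syntax (pfSense); on Linux this would be "ip route get"
  route -n get "$1" 2>/dev/null | awk '$1 == "interface:" { print $2; exit }'
}

# override_targets FILE: one "zone address" line per forward-zone stanza
# (pfSense writes forward-addr as IP or IP@port; the port is dropped here)
override_targets() {
  awk '
    $1 == "name:"         { gsub(/"/, "", $2); zone = $2 }
    $1 == "forward-addr:" { split($2, a, "@"); print zone, a[1] }
  ' "$1"
}

# check_overrides FILE IFACE...: print one line per override, return 1 if any
# target would leave through an interface that is not in the IFACE list
check_overrides() {
  file=$1; shift
  allowed=" $* "
  bad=0
  while read -r zone addr; do
    [ -n "$zone" ] || continue
    ifc=$(route_iface "$addr")
    if [ -z "$ifc" ]; then
      echo "BAD  $zone -> $addr: no route"; bad=1
    else
      case "$allowed" in
        *" $ifc "*) echo "ok   $zone -> $addr via $ifc" ;;
        *) echo "BAD  $zone -> $addr via $ifc: not in Outgoing Network Interfaces"; bad=1 ;;
      esac
    fi
  done <<EOF
$(override_targets "$file")
EOF
  return $bad
}

# demo: a constructed domainoverrides.conf (the shape pfSense generates for
# "example.xyz -> 10.10.0.1" and "corp.internal -> 192.168.5.2") checked
# against a fake routing table where 10.10.0.1 is only reachable over a
# WireGuard interface (tun_wg0) and 192.168.5.2 over a LAN (igb1).
demo() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
forward-zone:
    name: "example.xyz"
    forward-addr: 10.10.0.1@53
forward-zone:
    name: "corp.internal"
    forward-addr: 192.168.5.2
EOF
  fake_route() { case "$1" in 10.10.*) echo tun_wg0 ;; 192.168.5.*) echo igb1 ;; esac; }
  ROUTE_LOOKUP=fake_route
  echo "== Outgoing Network Interfaces = WAN (igb0) only:"
  check_overrides "$f" igb0 || true
  echo "== Outgoing Network Interfaces = WAN, LAN and WireGuard:"
  check_overrides "$f" igb0 igb1 tun_wg0
  rm -f "$f"
}

if [ "${1:-}" = "--demo" ]; then demo
elif [ $# -gt 0 ]; then check_overrides "$OVERRIDES" "$@"   # e.g. sh check_overrides.sh igb0 tun_wg0
fi
```

On the firewall, pass the interface names you ticked in the GUI (`sh check_overrides.sh igb0 tun_wg0`); every BAD line is an override whose target unbound cannot reach with that selection, which is the symptom in the thread. `--demo` runs the constructed case off-box.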

  • WAN down after lease expiry, doesn't renew

    0 Votes, 8 Posts, 566 Views, last post by hiflyr777

    @tedquade
    Thank you!

  • 0 Votes, 7 Posts, 629 Views, last post by johnpoz

    @aGeekhere this question gets asked all the time - what you're asking is problematic without a separate cache for the views or different clients, etc..

    If a client asks for something that would be blocked by the filtered DNS, but is set to ask the non-filtered DNS - now that is cached. If a client that should be filtered then asks, it would get back what is in the cache.

    Bind can run multiple caches - but not sure that is something you can configure from the GUI.

    You could prob get what you're wanting out of running both unbound and dnsmasq (forwarder) with them listening on different ports, and then have your clients point to say 1.1.1.3 or whatever that gets redirected to the new port unbound or the forwarder is listening on to resolve your local resources, and then just forwards on to 1.1.1.3

    Simpler solution to be honest would be to just run say pihole or something and point the clients you want to filter to that.. Then set up a conditional forward on it to forward to pfSense to resolve your local domain.tld resources, and if not in that domain just forward to 1.1.1.3. That's what I would do.

  • Dot gets added to hostname, why?

    0 Votes, 13 Posts, 731 Views, last post by Bob.Dig

    @patient0 said in Dot gets added to hostname, why?:

    Maybe client related

    I don't think so because the "act" of making a static mapping from the DHCP Leases triggers this.

  • Register Client-names in DNS KEA-DHCP?

    0 Votes, 2 Posts, 342 Views, last post by bmeeks

    @kuchenmann said in Register Client-names in DNS KEA-DHCP?:

    It seems that KEA-DHCP on pfSense does not register dynamic assigned DHCP-leases in DNS. Only static-mapped DHCP-clients.
    Because in the leases I see also hostnames for dynamic assigned DHCP-clients, but I can not resolve this hostnames in DNS.
    It only works for static-mapped clients.

    It depends on the version of pfSense you are running. If running pfSense CE 2.7.2, then you are correct in your assessment. But if you are running pfSense Plus 24.11, then Kea does in fact perform dynamic DNS updates of the DNS Resolver in pfSense each time it issues a DHCP lease. I am running that version and now the dynamic DNS updates for DHCP leases works just fine.

  • Safari in iPhone is bypassing Firewall rule

    0 Votes, 23 Posts, 3k Views, last post by M

    @bmeeks I agree, due to budget we are going with pfSense and that's why I'm checking the best to do with it. I got it working for now: with my above rule list and an extra one, I added a block for the traffic to DNS IP 1.1.1.1 on port 853. From what I see Safari is using DNS over TLS on port 853; with that blocked, Safari is blocked.

  • Can't renew/obtain WAN ip address after modem goes down

    0 Votes, 15 Posts, 2k Views, last post by S

    @tedquade Thanks! I wish it would just get an IP, but delaying boot is the best option for now. I would thumbs up you, but don't have enough rep.

  • Completely confused by DNS failure (dnsmasq)

    0 Votes, 19 Posts, 2k Views, last post by johnpoz

    @SteveITS yeah I would highly doubt there has been much work on the forwarder (dnsmasq) in quite some time to be honest. I am surprised that anyone would still be using it to be honest.. I mean it can do some things unbound can't, like forward to multiple NS at the same time, etc.

    But if you can't figure out that the custom options box is what they were talking about - not sure what to tell you ;)

    Now if there was 2 boxes, one labeled advanced, and the other custom - and putting it in advanced didn't work because they called out the wrong box - yeah that could be problematic.. But there is only one possible place such commands could be put into that gui form.

  • How to change Kea DHCP log level

    0 Votes, 3 Posts, 594 Views, last post by L

    @Gertjan, thx very much for your awesome reply. I really appreciate it as I learned something new 👍 😎
    To be honest, it's the first time I read something about the services.inc-file. Super interesting!!

    Of course, I tried it and it works like a charm.

  • Kea DHCP Feature Roadmap

    2 Votes, 30 Posts, 6k Views, last post by J

    @imark77 Thanks. As it stands, you have to do lots of digging around to see if feature parity matches your needs.

    Would give you an upvote if I could.

  • Cannot Access Quickbooks Domain From Any Device All Of The Sudden!

    0 Votes, 6 Posts, 463 Views, last post by D

    @Nimda_2025
    I meant to add more info a couple of hours after I made my initial post. Sorry for the delay. I tried PIA VPN from my desktop pc, laptop on my LAN, and cell phone on my LAN and all worked fine while on VPN but wouldn't again as soon as I got off of PIA. Cellular data on my phone and laptop gave me no issues accessing QB. It's definitely something on my pfsense. I also checked my first static and gateway IP against the most common blacklists and it's fine. I don't know where to go from here.

  • KEA service stopping through the day

    0 Votes, 43 Posts, 10k Views, last post by Gertjan

    @propeto13 said in KEA service stopping through the day:

    this is the way.

    It's 'a' way.
    If /tmp/kea4-ctrl-socket.lock exists, or, as seen here on the forum in kea-related posts, the pid file exists when kea starts, it will not core dump, but simply refuse to start.
    And it's normal that these files exist, as 'core-dumping' isn't a clean process exit, so these files remain in place = not good.
    And you can't start the kea process anymore without manually deleting them.
    I think there is a Netgate pfSense System Patches (you have this package, right?) patch that handles this issue.

    Once these files are gone, you can start kea.
    And then, suddenly, it core dumps .... and it's rinse-and-repeat time.
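Deleting the leftover lock and pid file by hand is fine until the day a live kea-dhcp4 is actually holding them, so the cleanup should first prove that nothing owns them. The script below is an added example for this thread, not Netgate's patch and not pfSense code: `/tmp/kea4-ctrl-socket.lock` is the path Gertjan names; `KEA_PIDFILE` (Kea's upstream `<config-name>.kea-dhcp4.pid` layout) and `KEA_START` are assumptions to adjust for your installation.

```sh
#!/bin/sh
# Added example, not pfSense or Netgate code. Starts kea-dhcp4 only after
# checking whether the control-socket lock and pid file left behind by a
# crashed instance are really stale. The lock path is the one from the thread;
# the pid file path and the start command are assumptions for your box.

KEA_LOCK="${KEA_LOCK:-/tmp/kea4-ctrl-socket.lock}"
KEA_PIDFILE="${KEA_PIDFILE:-/var/run/kea/kea-dhcp4.kea-dhcp4.pid}"                  # assumed
KEA_START="${KEA_START:-/usr/local/sbin/pfSsh.php playback svc start kea-dhcp4}"  # assumed; split on spaces

# pid_alive PIDFILE: true if the pid written in PIDFILE is a live process
pid_alive() {
  [ -r "$1" ] || return 1
  pid=$(tr -cd '0-9' < "$1")
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# kea_state -> running | stale | clean
#   running: a live kea-dhcp4 exists (pid file or process table); never touch its files
#   stale:   lock and/or pid file exist but no live process owns them (unclean exit)
#   clean:   nothing left over from a previous run
kea_state() {
  if pid_alive "$KEA_PIDFILE" || pgrep -x kea-dhcp4 >/dev/null 2>&1; then echo running
  elif [ -e "$KEA_LOCK" ] || [ -e "$KEA_PIDFILE" ]; then echo stale
  else echo clean
  fi
}

# kea_clean_start: remove stale leftovers, then start; refuse if it already runs
kea_clean_start() {
  case "$(kea_state)" in
    running) echo "kea-dhcp4 is already running, not touching $KEA_LOCK"; return 0 ;;
    stale)   echo "removing stale $KEA_LOCK and $KEA_PIDFILE left by an unclean exit"
             rm -f "$KEA_LOCK" "$KEA_PIDFILE" ;;
  esac
  $KEA_START
}

if [ "${1:-}" = "--start" ]; then kea_clean_start; fi
```

This only gets kea back on its feet after the "refuse to start" symptom; it does nothing about the crash itself. When it dumps core again, the core file is what to collect (on FreeBSD, `sysctl kern.corefile` shows where it is written) before filing the report.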

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.