@brian-smit said in DHCP 169x IP until i reconnect LAN cable or Turn WIFI on or OFF: reuse_lease: lease age 1217 (secs) under 25% threshold, reply with unaltered, existing lease " Those are common - leases normally don't start to renew until 50% done. But as the client gets closer and closer to lease expire, it should start screaming for a renew.. Sending them more and more often. Once a renew fails - it should send a discover.. I would watch your logs the next time it happens and look right away, set your log to keep more in the gu.. I think it defaults to only the last 50 entries. I have mine set at 2000.. This should allow you to see more entries.

@johnpoz No problem, all water under the bridge. Maybe this lengthy thread will be help to someone in the future in regular Resolver mode. I should have been more clear in my post too. I knew the DNS Forwarder was dnsmasq and wanted to make sure someone knew it was unbound instead. Next time I'll state it upfront which mode I'm running in. I learned more abound unbound and some dig queries along the way which is always helpful. Thanks again!

@randombits said in Local IP's resolved from names ?: under host overrides ? yes

@bingo600 said in getting out of IP-addresses: Offcause i meant DHCP lease Yeah, right.

@johnpoz constraint is a solid brick house. i had cat 7 cables run throughout the house to the boiler room. so for the small environment i have, it is easier in this case, to work with s/w configs that to physically run new cables, etc;

One issue you will face if you use the DHCP server on pfSense is that hostnames of local clients will not be registered in DNS in AD. That may or may not be of concern for your setup. And you don't want to turn on DHCP DNS updates within pfSense as that will cause the unbound daemon to be restarted each time a client renews its lease. There are many posts on the forum about that little gotcha. DNS can be dead for many seconds during that restart, and the dead time is greatly expanded when you use tools such as pfBlockerNG-devel and DNSBL. In my opinion, if you have an Active Directory shop, you really should let most of the DNS and DHCP infrastructure be hosted within AD. And in Windows 2016 and up, AD supports DHCP failover if you install the service on multiple hosts.

@brian-smit so they are still on their normal address is some rfc1918 address, not the APIPA 169.254 address. You sure just not an issue with your unbound restarting with dhcp reservations.. Has been a long time issue where when a lease is issued or renewed, etc. that unbound restarts and if your using pfblocker that can cause start up delays, etc. this can present itself as dns not working - but its just dns is restarting. One solution to that is not register dhcp leases in unbound settings.

Hello @viragomann, The problem is DNSSEC. Thanks again.

If you have a Windows AD you need to configure only the IP of the DCs on clients. Windows with domain could have weird behavior if clients use a non DC DNS server. You have to configure the DCs to forward to the other DNS servers. The best approach is having at least 2 DC to have some redundancy, and configure both IPs on clients.

@cool_corona Thank You both ! I indeed going to make sure that nobody can plug things into the switches and i change the 192.168.x.x into something else

@keyser Ok. But if I disable pfblockerNG (not uninstalling it), it's not significantly faster? I also don't have many subscriptions. Only the basic/default Blacklist is enabled.

@m9x3mos Remember to add the OpenVPN "Client network" to the "unbound resolver ACL's" , else unbound will reject the lookup. And i assume you have permitted TCP/UDP 53 from OpenVPN clients to the pfSense interface you announce as openVPN dns server ip. Edit: I think there's a "feature" in unbound , where it would reject RFC1918 dns answers (from the asus) unless being told to accept them. @johnpoz Could you share a hint here ? /Bingo

@marama You are saying all your local name resolving is based on host overrides ? That could be done with unbound (resolver) too. I have no experience with the DNS forwarder. Sorry /Bingo

@steveits Very helpful thank you. This got me going!