• Problem with PXE booting

    dhcp pxe issue
    2
    1 Votes
    2 Posts
    1k Views
    We have seen the same issue after upgrading from 2.5.2 to 2.6.0. The first VLAN in the configuration file doesn't have the problem; all the VLANs after it have the extra filename options. It is odd that the filename is different. I haven't found where it is getting that option from.

        subnet 192.168.240.0 netmask 255.255.252.0 {
          pool {
            option domain-name-servers 192.168.243.254;
            deny dynamic bootp clients;
            failover peer "dhcp_lan";
            filename "legacy.donotuse";
            range 192.168.240.80 192.168.243.249;
          }
  • Dynamic DNS page hanging after save

    7
    0 Votes
    7 Posts
    1k Views
    Hello! I have the same problem on several 2.6 installs. The dyndns Save & Force Update works but will appear to hang. Sometimes it results in an nginx timeout. The rc.dyndns.update script has the same issue.

    The problem appears to be in the curl system. The curl_close call at the end of the _update in dyndns.class will hang for 60 seconds before returning. I am not a curl expert, but this smells like a curl connection cache/pool issue. The dyndns _update creates several nested/overlapping curl sessions. The curl_close in updatedns:_update might be waiting until the shared/pooled/cached connection closes (60sec). This could also be causing problems with ACB, which also uses curl and can overlap the dyndns update when it is enabled and kicked off by a Save & Force Update.

    The easiest workaround might be to tell curl not to share connections, with something like...

        if ($this->_dnsService != 'ods') {
            curl_setopt($ch, CURLOPT_HEADER, 1);
            curl_setopt($ch, CURLOPT_FORBID_REUSE, 1); //ADD THIS LINE
            if ($this->_curlProxy == true) {

    ...at the end of the _update function in dyndns.class. This CURLOPT might also help for other curl users (acb, front page widgets, etc...). Of course, this might break something else and I could be completely off base...:)

    John
  • DNS python mode

    3
    0 Votes
    3 Posts
    826 Views
    @gertjan Thanks for your response. I will have a close look at your suggestion and get back to you. Regards
  • pfSense 22.01 DHCP service skipping over IPs

    9
    0 Votes
    9 Posts
    1k Views
    @akuma1x Thank you!
  • TP-Link Access Point (EAP265) issue

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • [solved] Dynamic DNSRFC 2136 Clients not showing IPv6

    4
    0 Votes
    4 Posts
    720 Views
    Bob.Dig
    @gertjan said in [solved] Dynamic DNSRFC 2136 Clients not showing IPv6:
    > I wrote a small 'whatismyip.php' file

    I used your service this morning, working great but I then switched to the aws one (with no reason).

    > As we all have a web server somewhere

    I don't know anything about web servers, if I would, I could host one too on my vps...
  • Use Pihole as sole DNS to resolve website internally

    5
    0 Votes
    5 Posts
    2k Views
    johnpoz
    @4rt said in Use Pihole as sole DNS to resolve website internally:
    > the server responding is pfsense and not pihole.

    Well then you didn't point your client to pihole like you said you did.

    > is there a way for pfsense to forward DNS requests to pihole?

    Couple different ways - you could just set up a domain override for pfsense to ask your pihole for the domain you're using for your internal stuff. Or you could set up redirection, or you could use forwarding mode in unbound, or yeah the forwarder.

    But if you're blocking external dns - how would pihole ask another server 8.8.8.8 or resolve itself? Also are you registering dhcp on unbound in pfsense - if so it could be restarting a lot, etc.

    I use pihole, point my clients to pihole via dhcp - setting static IPs on devices is not a very good way to give them an IP. If you want them to always have the same IP - then just set up a dhcp reservation for them - this way going forward if you want to change something like what dns they point to, or your whole IP range, or etc.. you can just change dhcp and they will get the new info when they renew or you reboot them, etc..

    https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
  • DNS resolver Stop Working after upgrade from 2.5.2 to 2.6.0

    17
    0 Votes
    17 Posts
    2k Views
    Gertjan
    @jabacrack said in DNS resolver Stop Working after upgrade from 2.5.2 to 2.6.0:
    > Sorry, I don't understand how it help me.

    When you see: [image] you know DNS, the resolver, isn't answering. But that's just a GUI message. The GUI is very nice when everything goes well. When you have to look for issues, forget about the GUI.

    Unbound should listen on most if not all interfaces, and the most important one is 127.0.0.1. That's why I propose:

        dig @127.0.0.1 a.b.c +short

    Run this in a console / SSH and leave it there for a while:

        tail -f /var/log/resolver.log | grep 'start\|stop'

    Only stop and start events will be shown. Every logged 'stop' event should be followed by a start.

    I'll post here a small shell script that compares the content of the /var/run/unbound.pid file with the process ID of the running unbound instance. They should be the same. And if there is no pid file, then unbound isn't running. This can happen, but just for a short while. I'll work on that.

    @jabacrack said in DNS resolver Stop Working after upgrade from 2.5.2 to 2.6.0:
    > add corresponded issue to bug tracker. And, maybe, in future it will be fixed.

    No need. Unbound runs on all pfSense systems just fine. Tens of thousands, maybe hundreds of thousands. If it gets restarted, it restarts = it stops and then starts. Most of us won't ever notice this.

    There is only one thing to do: find why yours stops doing its work. Because it was stopped and restarting failed? The running instance freezes? It could be interface related (yep, they can die, drivers can fail, etc) but normally, it should stay 'up' on 127.0.0.1 as this is not a physical interface.

    The GUI won't help you here to discover the issue. It's a command line task. And most of it is looking at the resolver log, and other logs like the system log to determine what event provokes your issue.
  • DHCP on VLAN (pfSense 2.6.0)

    6
    0 Votes
    6 Posts
    1k Views
    @beermount - Good catch. Thank you!
  • Reverse zones typetransparent when static is set

    1
    0 Votes
    1 Posts
    359 Views
    No one has replied
  • Noting resolves hostnames, but pfblocker and firewall logs struggle?

    8
    0 Votes
    8 Posts
    1k Views
    @gertjan I am running ntopng, but I haven't noticed any significant hit to my performance overall. At least not from viewing the processor and memory usage. When turning on python mode, are there any prerequisites? I simply checked the box to enable python mode, ensuring that DHCP Registration was not enabled. I do not use the DNS Resolver OpenVPN Client Registration. Should I have unchecked the "enable pfblockerng" before making the change?
  • DNS lookup pfsense returns unexpected IP

    7
    0 Votes
    7 Posts
    1k Views
    @kom My laptop is using pfsense as my local DNS server. So my laptop gets the (cached) authoritative response from pfsense. And pfsense gets the authoritative response from one of the DNS servers under General setup, right? If I remove the DNS servers of pfsense and replace it by 127.0.0.1, how will pfsense ever query any DNS server on the internet? But you triggered me by hinting to remove the current DNS server addresses and adding 127.0.0.1 to it. Under System - General setup 'DNS Resolution Behavior' was not set to the default value. Was set to 'Use remote DNS Servers, ignore local DNS'. Not sure why I have done this. I have changed it to the default value 'Use local DNS (127.0.0.1), fall back to remote DNS Servers (Default)'. Now it seems to return correct IP addresses for obo-prod.oesp.ziggogo.tv. So fingers crossed if this fixes my issue. However I do not understand why this should fix my issue.
  • DNS Resolver - Prefer A records

    9
    0 Votes
    9 Posts
    1k Views
    JKnott
    @johnpoz said in DNS Resolver - Prefer A records: NAME something? There isn't any! I believe Comcast is or has moved to dual stack with CGNAT for IPv4. The only way for a customer to reach their home network is via IPv6. Another example would be someone who gets their Internet connection via the cell network, where NAT is almost(?) always used. For example, my cell carrier (Rogers) uses 464XLAT for IPv4, but provides a public /64 to connected devices on IPv6. BTW, IPv6 support is mandatory on 4G and later.
  • DNS Resolver Custom Options Do Not Start on Startup

    10
    0 Votes
    10 Posts
    2k Views
    I have reproduced this on 2.6.0 CE as well. I only very recently cutover to using resolver instead of forwarder because the forwarder no longer worked for me in 2.6.0. I log and inspect DNS queries, so I hit this bug right away. Losing your DNS logs from your SIEM on reboots isn't a good security situation. This deserves some escalated attention.
  • Unbound issue following upgrade to 2.6 from 2.5.2

    2
    0 Votes
    2 Posts
    504 Views
    @sport78 If you add them one at a time does one work? I don't use DNSBL but do use pfBlocker. Are you using the -devel version? If not, and that's the offending line, try that.
  • Noob wants to connect to local lan resources by NAME

    9
    0 Votes
    9 Posts
    986 Views
    @bob-dig Yes. Will do.
  • Cloudflare and Proxied DNS and PfSense

    6
    0 Votes
    6 Posts
    3k Views
    @johnpoz I could partially fix the problem on my end. I have created my own thread for my issue: https://forum.netgate.com/topic/170709/haproxy-502-bad-gateway-with-cloudflare-proxy/3 So let's not bump this topic any longer. Thank you for the swift reply @johnpoz!
  • How to send DNS Resolver queries over VPN?

    6
    0 Votes
    6 Posts
    817 Views
    @viragomann said in How to send DNS Resolver queries over VPN?:
    > @jackyaz Not sure. But the NAT rule might be necessary to allow pfSense to communicate with the public world over the VPN. Maybe setting the VPN as default gateway lets pfSense generate it automatically.

    NAT rule didn't help. I have found that more generally, I'm unable to ping anything via the VPN interface in Diagnostics -> Ping. So I'm obviously missing something somewhere.
  • Unbound restarting every 23 mins after upgrade to 21.01 on SG1000

    1
    0 Votes
    1 Posts
    317 Views
    No one has replied
  • Can't get IP from Xfinity on WAN.

    6
    0 Votes
    6 Posts
    838 Views
    JKnott
    @jvwjgames Do a packet capture.
      • Shut down pfsense
      • Disconnect the WAN cable
      • Restart pfsense
      • Run Packet Capture, filtering on DHCP
      • Reconnect the WAN cable
      • Let Packet Capture run for a couple of minutes and post the capture file here.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.