• Encrypt DNS unable to resolve

    15
    0 Votes
    15 Posts
    2k Views
    johnpozJ
    @peter_apiit said in Encrypt DNS unable to resolve: ISP seeing my browsing website history so I want to completely hide it. Which you're not with encrypted dns.. because while they don't see the dns query, they still see where you go via IP, or the actual SNI included in the https handshake that is in the clear.. It is trivial for a company that was sniffing your dns traffic to just sniff https and get the SNI, etc. The only way to hide where you actually go from your ISP is a VPN.. Then all they see is the amount of traffic between you and the VPN service IP. But that is just handing off trust from your ISP to the VPN service, etc. And then paying them to boot ;)
  • Insanely weird issue with DNS resolution to www.cdc.gov

    52
    1
    0 Votes
    52 Posts
    11k Views
    johnpozJ
    @stompro said in Insanely weird issue with DNS resolution to www.cdc.gov: seems like a fad, like fidget spinners Not sure if I would say that - but the overall adoption is disappointing to be sure.. Here is the thing, that site is all kinds of messed up when it comes to dnssec... I don't have any problem resolving it, using dnssec - but with some of the errors I see, it could for sure be hit or miss. If you're forwarding, and also have dnssec enabled, that can cause issues. So are you saying when you uncheck dnssec in unbound, and forward to cisco, it fails? Is that something you have to enable or disable in your subscription.. Cisco Umbrella is a subscription service, is it not?
    $ dig @192.168.9.253 www.cdc.gov
    ; <<>> DiG 9.16.27 <<>> @192.168.9.253 www.cdc.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15485
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.cdc.gov. IN A
    ;; ANSWER SECTION:
    www.cdc.gov. 3600 IN CNAME www.akam.cdc.gov.
    www.akam.cdc.gov. 3600 IN A 104.98.82.250
    ;; Query time: 185 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri Apr 22 09:45:15 Central Daylight Time 2022
    ;; MSG SIZE rcvd: 79
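    The `ad` in `flags: qr rd ra ad` above is the only evidence in that dig output that the resolver validated DNSSEC. When unbound forwards instead of resolving, an `ad` bit in what the client sees is only the forwarder's claim, which is exactly why forwarding plus local validation can fail in odd ways. The following is an added example, not code from the thread or from pfSense: it decodes the 12-byte DNS header from raw wire bytes and reports the flag set, using constructed header samples modelled on the response above (id 15485, NOERROR, two answers, one additional record). Only the header is built; the question and answer sections are omitted since the check concerns the flags alone.

```python
"""Decode DNS header flags (qr/rd/ra/ad/...) from raw wire bytes and check for a validated answer."""
import struct

# Header flag bits: RFC 1035 section 4.1.1, plus AD and CD from RFC 4035.
FLAG_QR = 0x8000   # response (vs query)
FLAG_AA = 0x0400   # authoritative answer
FLAG_TC = 0x0200   # truncated
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # authentic data (resolver validated DNSSEC)
FLAG_CD = 0x0010   # checking disabled

FLAG_NAMES = (
    (FLAG_QR, "qr"), (FLAG_AA, "aa"), (FLAG_TC, "tc"), (FLAG_RD, "rd"),
    (FLAG_RA, "ra"), (FLAG_AD, "ad"), (FLAG_CD, "cd"),
)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_header(msg_id: int, flags: int, qd: int = 1, an: int = 0, ns: int = 0, ar: int = 0) -> bytes:
    """Pack a DNS message header (used here only to construct sample input)."""
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header of a DNS message into its fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "flags": [name for bit, name in FLAG_NAMES if flags & bit],
        "rcode": RCODES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def dnssec_validated(msg: bytes) -> bool:
    """True only for a NOERROR response with AD set. Note the caveat: AD means the
    server that answered *you* claims validation; if that server is a forwarder,
    you are trusting it and the path to it, not the DNSSEC chain yourself."""
    h = parse_header(msg)
    return "qr" in h["flags"] and "ad" in h["flags"] and h["rcode"] == "NOERROR"


# Constructed samples (header bytes only), modelled on the dig output in the post.
VALIDATED_RESPONSE = build_header(15485, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, qd=1, an=2, ar=1)
UNVALIDATED_RESPONSE = build_header(15485, FLAG_QR | FLAG_RD | FLAG_RA, qd=1, an=2, ar=1)
SERVFAIL_RESPONSE = build_header(15485, FLAG_QR | FLAG_RD | FLAG_RA | 2, qd=1)

if __name__ == "__main__":
    for label, sample in (("validated", VALIDATED_RESPONSE),
                          ("unvalidated", UNVALIDATED_RESPONSE),
                          ("servfail", SERVFAIL_RESPONSE)):
        h = parse_header(sample)
        print(label, h["flags"], h["rcode"], "validated:", dnssec_validated(sample))
```

    A SERVFAIL with no `ad` is what a validating resolver returns when the chain for a broken zone does not verify; an answer with `ad` missing but NOERROR means the zone was either unsigned or the answering server did not validate at all, which is the case to look for when debugging a forwarder setup.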
  • Unable to ping desktop on vlan interface

    3
    0 Votes
    3 Posts
    968 Views
    T
    @viragomann I have the same result if I ping using the 'Default' source address or the 'vlan6test' source. The vlan was created using my lan parent interface. I have everything working on the computer. I just don't see why the firewall cannot ping it.
    # /sbin/ping -S '192.168.50.1' -c '3' '192.168.50.100'
    PING 192.168.50.100 (192.168.50.100) from 192.168.50.1: 56 data bytes
    --- 192.168.50.100 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
  • Client ID and Hostname

    13
    0 Votes
    13 Posts
    3k Views
    JKnottJ
    @jimp No problem. I just wonder what that client ID column is for, when the contents of option 12, which is supposedly client ID, is placed in the host name column. Maybe some info could be provided on that page to clarify. The pfSense docs are a bit thin on that. BTW, I'm the kind of person who likes to really dig into something, to understand it fully.
  • DHCP Leases Screen not loading when failover peer is turned on

    2
    0 Votes
    2 Posts
    640 Views
    F
    The Failover peer IP on both FWs is configured correctly. But they refuse to sync. Both are on recover and peer status unknown or partner-down and recover-wait. But both partners are up.
  • Back to static addressing I guess...

    7
    0 Votes
    7 Posts
    1k Views
    F
    @johnpoz said in Back to static addressing I guess...: If I had setup a reservation, and client didn't get it - step 1, validate that actually set the reservation ;) heehhe I do realize how this sounds, and am not amused, but it was my own fault. I did see the line saved on the bottom of the dhcp server page but yeah, thought it was peculiar no ip was shown there. I now know better. Thanks a lot for your patience! :)
  • pfsense 2.5.0 unbound stuck at 99-100% cpu and stop resolving

    4
    1 Votes
    4 Posts
    1k Views
    S
    Same issue here, tried reinstalling because I thought it shat itself during update (again) but it seems it's not just me. I'm running pfsense in kvm if that's relevant to someone
  • Unbound crashes daily, 'out of swap space'

    14
    0 Votes
    14 Posts
    3k Views
    KOMK
    @gertjan I also have a running session tracking memory. It grew at first by 3-5M and then has been stable for 2 days now. We'll see over the next week or two.
  • RE: DNS behavior

    2
    0 Votes
    2 Posts
    889 Views
    P
    Created new topic, was unable to reply to previous thread due to permission error. The current behavior is to send DNS queries to every configured gateway at once in forwarding mode, regardless of whether sequential is set or whether a reply was already received
  • Unbound corrupt root.key file

    1
    0 Votes
    1 Posts
    530 Views
    No one has replied
  • Clarification of DHCP and Static IPs?

    4
    0 Votes
    4 Posts
    1k Views
    JKnottJ
    @xraydoc88 Yes, I am quite happy with the Qotom. I had previously used a HP compact desktop computer, but it died.
  • dhcpd daemon use CPU 100 percent

    1
    2
    0 Votes
    1 Posts
    410 Views
    No one has replied
  • Encrypt DNS

    dns
    3
    0 Votes
    3 Posts
    1k Views
    P
    @johnpoz Thanks man.
  • Purpose of multiple DNS per gateway

    dns resolver
    4
    0 Votes
    4 Posts
    1k Views
    AndyRHA
    The way MS describes it: Windows will ask the primary DNS; if a response is not seen in a short time it asks the 2nd and so on. The DNS that responds first becomes the primary. If you are looking at a packet capture you should see some amount of time, my guess is tens of ms, between the queries. MS never defined a "short time" when I asked about it. However it is said to work, it seems most OSs do what you describe: hit several before the first DNS responds. The packets are small enough I don't think the developers care and are more worried about response time.
  • DNS Resolver Root Server Question

    17
    0 Votes
    17 Posts
    3k Views
    T
    Actual page load time (PerformanceTiming.domComplete - PerformanceTiming.navigationStart) of www.bbc.com:
    Forward: 1st run 0.87 s, 2nd run 0.89 s
    Resolve: 1st run 1.65 s, 2nd run 0.84 s
    @gertjan said in DNS Resolver Root Server Question: On the other side : cnn.com isn't doing DNSSEC
    97 % of all .com domains are unsigned as of now: https://rick.eng.br/dnssecstat/
    @gertjan said in DNS Resolver Root Server Question: If they did, you could see triple the number of queries
    ftp.isc.org supports all bells and whistles related to DNSSEC:
    Resolve: 1st run 1.05 s, 2nd run 0.95 s
    Resolve +DNSSEC: 1st run 1.28 s, 2nd run 0.96 s
  • Host Overrides and Firewall rules?

    11
    0 Votes
    11 Posts
    2k Views
    johnpozJ
    @woggy Makes no sense to have a proxy doing your ssl offload if you have zero desire to even talk to them.. Just talk to your server, set up an ssl offload for it, etc. I have zero understanding of why you would set up a proxy to allow clients to talk to your cameras - if your goal is to not let your lan talk to your cameras..
  • Difference between DNS Resolver forwarding mode and DNS Forwarder?

    10
    0 Votes
    10 Posts
    2k Views
    GertjanG
    @rcfa pfBlockerNG can be installed and work with dnsmasq. The first 'IP' based part isn't DNS related at all, it's just pfBlockerNG; after all 'Blocker' says "it blocks" using 'pf', and 'pf' is the pfSense firewall. DNS has nothing to do with this. People wanted more (as usual) so the local DNS handling had to be intercepted so more sophisticated host name (DNS) filtering could be applied. dnsmasq can't do that. Unbound can. The DNS part shows: [image: 1649790778481-9876f1db-f9be-4f31-b098-329cfbb0177a-image.png] which means what it means. dnsmasq is still an option present in pfSense for historical reasons. There will be a day that there isn't a choice anymore. It will be 'unbound' the resolver, and that's it. As far as I know, unbound can do what dnsmasq does, that's why it was chosen. All this is "IMHO" of course. If it was me, I'd have thrown in the super bloatware called 'bind', but bind can't really be mastered with a GUI as it is too big - and complex, as it masters 99,x % of all DNS interactions. bind would solve the question of this thread, as it wouldn't exist anymore. Everybody would know the answer already as everybody would know 'enough' about DNS to answer for themselves ;) pfSense needed a resolver (which is neutral and doesn't feed external companies with user's private info) and a local DNS cache. zone handling etc isn't the role of a firewall anyway. unbound has a rather small footprint, and can be 'extended' using scripting (Python). The choice was easy.
  • dhclient problems on wan since new hardware and upgrade to 2.6.0?

    12
    0 Votes
    12 Posts
    997 Views
    E
    @gertjan I applied the patch, let's see what happens next. ;) a big thank you @Gertjan for your help!
  • DHCP only working in one physical interface

    5
    6
    0 Votes
    5 Posts
    1k Views
    B
    @thiasaef said in DHCP only working in one physical interface: een these ports) and then a Thank you for the response, indeed I will have a managed switch in the final setup, but the response from @johnpoz was spot on: forgot to configure the vlan tag on my laptop that I am using for testing.
  • Managing communication among multiple internal servers

    1
    0 Votes
    1 Posts
    372 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.