• Secure DNS

    wan lan letsencrypt secure dns chromium
    1
    0 Votes
    1 Posts
    852 Views
    No one has replied
  • Force primary DNS as pfsense DNS

    5
    0 Votes
    5 Posts
    1k Views
    S
    @wastapi Probably not a noticeable one but it would take a few extra CPU cycles per lookup. Also look into DoH (DNS over HTTPS).
  • Site to Site DNS resolution

    1
    0 Votes
    1 Posts
    359 Views
    No one has replied
  • DNS Resolver Network Interfaces

    5
    0 Votes
    5 Posts
    3k Views
    keyserK
    @wheeler While I cannot recommend it, I have at times considered opening for DNS queries on my Public IP/WAN interface. That way I could hardcode all my mobile clients to use my public IP as DNS, and “always” have the benefit of pfBlockerNG filtering. The browsable internet is borderline unusable under normal circumstances, once you have gotten used to such an effective ad blocker :-) But don’t - use VPN instead.
  • DHCP client unable to get lease from cable provider [solved]

    36
    0 Votes
    36 Posts
    7k Views
    P
    @itpp21 Great!!!, thank you very much!!!!
  • dhclient error - Cannot open or create pidfile: No such file or directory

    10
    0 Votes
    10 Posts
    5k Views
    GertjanG
    @yugisop Correct, that's the issue: [image] The RC (process start stop file) file defines the folder /var/run/dhclient/ without ensuring that it exists. And /var/run/... is a rather volatile place.
  • DNS Setup

    13
    0 Votes
    13 Posts
    2k Views
    ghostshellG
    @gertjan OK, I will upgrade when I can, I have not had much time to do much on my home net due to work, sorry I did not mention my version earlier. Only came to that conclusion when I found that other post after you had me try dig and then searched that error. Now I know what to check and what info to always post. Thanks again.
  • DCHP from an eternal device

    4
    0 Votes
    4 Posts
    959 Views
    JKnottJ
    @vanrhyn First off, it's easy to turn off the DHCP server. Just check the first setting on the DHCP server page. And yes, you can have multiple DHCP servers. On the other hand, unless I'm mistaken, that other DHCP server is on the wrong side of the box. LAN clients will be unable to reach it, unless a relay agent is used. I still don't understand why you want to do this.
  • How to disable domain broadcasts?

    3
    0 Votes
    3 Posts
    830 Views
    D
    @jknott, I have been looking for this for a few hours with little luck. Many, many thanks!
  • Resolver IP/Address?

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ
    @kn4thx said in Resolver IP/Address?: he resolver should direct to the local IP but send the fqdn which would then line up with the cert. The resolver does not send any fqdn.. The client would be responsible for that - all it gets from the resolver is the answer to its question, what is the IP (A record) for some fqdn.. It would send back the IP is 1.2.3.4. When the client wants to actually talk to 1.2.3.4 it would send the fqdn, resolver has nothing to do with that.
  • Ping to www.facebook.com is ok but cannot access from chrome

    4
    0 Votes
    4 Posts
    2k Views
    GertjanG
    @wintok said in Ping to www.facebook.com is ok but cannot access from chrome: My question is what really happened that made this. It was very frustrating for me since this is very strange Read this, which is great humour btw. I tested myself: I visited facebook.com with a browser. I located facebook.com in the pfBlockerNG-devel Unified log.. I added the domain "facebook.com" as a wildcard blocked domain name, by clicking on + etc etc etc.. Now, it shows in red (blocked). See the image: [image] I flushed my local (on PC) DNS cache, and visited facebook again. There was an issue: [image] I could also do what the guy in the reddit post was asking: include a DNSBL feed with facebook.com listed. (we all know why he did this, of course ....) Again: check your DNSBL (and IP !!) lists/feeds before you use them in pfBlockerNG-devel. The browser (Edge) indicated that there was a DNS probing issue. Sorry, my browser wants to use the French language. Yeah, right, that would be ok, as facebook.com returns 0.0.0.0 (you can check for yourself with nslookup) and 0.0.0.0 is not usable as a 'destination' IP address.. But I asked pfBlockerNG-devel to do exactly that !! Adding a domain manually, like I did, or adding it by using a DNSBL feed, it's all the same.
  • 0 Votes
    16 Posts
    2k Views
    Sergei_ShablovskyS
    @johnpoz said in [SOLVED] Public upstream DNS Resolvers for EXTERNAL FQDN: CloudFlare, Quad9, ...: @sergei_shablovsky none of which has anything to do with your dns taking 30ms to resolve or 60ms or even 200 ms.. Resolve how you want, point to what you want for your dns - but sorry a difference of 20 or 30 ms, or again even 200ms for resolving of some fqdn isn't going to be even noticeable to a user.. Trying to find the fastest NS to use is a pretty pointless endeavor. You are always going to see fluctuations in time to resolve something. Sure some public dns might resolve some fqdn in 10 ms when it's 10ms away from you. But then again resolving something else it does not have cached might take 300ms.. Also ping or traceroute times to such NS are not always indicative of time to resolve.. Thank you for the reply! Sounds reasonable ;)
  • unbound does not log queries to syslog server after reboot

    2
    0 Votes
    2 Posts
    751 Views
    GertjanG
    I've added: [image] in the custom options, and restarted pfSense. I use a remote syslogger .....and you're right, after a reboot, no unbound messages. After manually restarting unbound, the syslogger received unbound messages. But: check the local Status System Logs System DNS Resolver log: no unbound messages either. Something like unbound gets started before syslog start ..... (so unbound can't syslog) as the syslog socket hasn't been created yet.
  • unbound "sendto failed: No buffer space available"

    5
    0 Votes
    5 Posts
    1k Views
    D
    @gertjan 21.05.1-RELEASE
  • DNS functionality in default Resolver Mode

    dns resolver mode default
    7
    0 Votes
    7 Posts
    2k Views
    A
    @johnpoz That's great JP. Yes the dig command certainly returns a good visual of what's going on under the bonnet :) I will never look at DNS requests the same way again! And I am sold on the concept of having pfsense in Resolver Mode rather than Forwarding Mode...
  • DDNS on Highesnet

    5
    0 Votes
    5 Posts
    1k Views
    C
    @johnpoz Actually, I have. I checked in yesterday on their sign up page and they came back with a statement that they expect to have coverage in the area of the farm by summer 2022. So I'll likely move to that when the current hughesnet contract is up. The technology looks much better and they're talking up Gb speeds. I'm not holding my breath on this but I'm also keeping my eye on the rural broadband part of the infrastructure bill that passed recently. Come on fiber trench down the road to the farm. Haha.
  • DHCP Client Configuration: How to properly set vivso-suboptions?

    24
    0 Votes
    24 Posts
    2k Views
    T
    @bingo600 I am using an Orange Pi R1 for sniffing! After more trial and error I finally figured out the problem. In the VLANs for the switch, VLAN group 1 wasn't tagged for 'member 3'. Once I enabled this, the DHCP Discover came tagged with the VLAN. It's still quite strange imo, since I don't understand how 'member 3' corresponds with the interface etc. Anyways I am happy to finally have figured out how to bypass the SOHO router and start using pfsense. It took me around 4 months in total! Learned a lot about networking. Most of it through the replies you posted in this thread @bingo600 so thanks a lot for that!!
  • 0 Votes
    2 Posts
    810 Views
    Bob.DigB
    @good4y0u Your problem seems to be that you are not capable of setting up some private network in the first place.
  • Setting up pfSense to replace Netgear ORBI RBR50

    5
    0 Votes
    5 Posts
    2k Views
    bearhntrB
    @steveits Well - I think I got it. I am at 19/20 now --- Guessing that COMCAST does not do IPv6 Hostname. I certainly see nothing in pfSense to do this. I am gonna let this run like this for a week or so - and see if I have problems. I am seeing that the pfSense has started issuing IPv6 addresses to the things in the house which will use them. Then I am going to document what I did. Not sure how the ORBI is doing - as it is in AP mode with its Satellite - I see nowhere in its webpage where it has an IPv6 address. But it must be passing things, as many of the items in the house use them as wireless and they are getting an IPv6 address. :-) [image] [image]
  • WAN drops, GATEWAY pending

    1
    1 Votes
    1 Posts
    511 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.