@gertjan Everything works now. Thanks for all the help.

^ exactly - I even pointed out private domain. disable rebind for the everything is a bad idea

@john80 You need to put a static IP address on the LAN interface, then configure DHCP server. You should not run DHCP on WAN... That would provide IP addresses to the Internet... How are you connecting to pfSense? On LAN? Your other post said you "added" a LAN interface...

@hubs04 This scenario and failure mode is not good at all. Why would unfiltered results be a valid failure mode? If your concerned with where your running your filtering failing - that make sure if 1 ns fails there is another that does the same filtering If that fails - I would want to know right away - so I can fix it - or just point unbound to different NS or just let it resolve if my filtering is down. Vs a scenario where my filtering is not working and I don't know about it, they you have say a kid looking at porn, or infecting your network with malware.. How exactly does unbound flip to this other NS - 1 query fails, 10, what if one query just takes a long time? When does it fail back - does it not? So no you run into a scenario where again you do not know what is being asked - your filter system, or not filtered. Which is a horrible scenario.. The only time you should switch to non filtered, is your sure - I you actually tested, yup if broke - and I can not fix it in 2 minutes. So flip users over to nonfiltered in 10 seconds. There is no way to do your "only" if scenario that makes any sense - if your worried about your filtering system fail - then make sure it doesnt.. That is where time spent on what happens if fail mode should be concentrated..

@ashkaan said in Improving DNS Cache: Continuing to query for something that no one wants anymore is exactly what I'm looking for. And you get it in your head to do such nonsense and then the next guy as well and the next guy as well.. And next thing you know you have millions of queries a second for stuff nobody is actually wanting to look up. If not 10's of billions.. Prefetch and serve zero will mean your clients get served from cache.. As long as some point in the past that thing was asked for and in the cache.

@gertjan said in Need help with DNS: What IP are they getting as their DNS IP ? [image: mEfcIAt.jpeg] @gertjan said in Need help with DNS: If there is nothing, it will be the IP of the pfSense LAN. ? DNS Server fields are empty in the DNS Server setup. DNS is set to the IP of the Router in these devices. @gertjan said in Need help with DNS: This means the devices on LAN will send their DNS request to pfSEnse, and the forwarder will centralize the DNS request, forward them to 1.1.1.1 or 8.8.8.8 if the answer wasn't cached. This is what I thought, but it's not happening.

@beefer so I think I somewhat solved the issue. My Site A DNS Resolver was configured with selected interfaces as 'Outgoing network interfaces'. When I changed back to 'all' all of the sudden all queries are blazingly fast - even RTO's. The only thing I don't understand is why it helped. First - I'm in forwarder mode for unbound - shouldn't this setting affect only root dns queries? Also why it was slow is still a mystery to me - perhaps it was doing round robin over those interfaces and got stuck on waiting for answers?

@scorpoin said in DNS issue local webserver resolve with public IP: May be but how do I prevent DoH of browser . Any idea There might be better places to ask this. It depends on the browser naturally. For instance Firefox: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

I just posted dhcpcsv2pfsense V1.0 which supports loading static assignments to multiple VLAN DHCP servers. https://github.com/cjnaz/dhcpcsv2pfsense

@rossm said in Unbound not resolving quad9.net nameservers: if I made a firewall rule blocking all outbound port 53 traffic, would that block unbound or would it still be able to resolve addresses using DNS port 53? If you did it on floating and outbound direction, then that blocks all 53 going outbound.. Doesn't matter what processes was creating the traffic.

@jlrith This is solved... Sort of. I left the setup running for about an hour and the problem resolved itself... Pfsense now picks up the proper WAN ip address with no problem. It's weird because I had let it all sit overnight and there was no change. I had previously moved connections and other computers and NICs had no problem picking up the ip address through DHCP. Pfsense never could. Go figure.

UPDATE: This is a fundamental problem on this NGFW , since, if I keep the port alive with say WOL , I don't have this Unbound stop problem of course, it's not mind-blowing, but it's damn confusing when only one device is directly connected to a pfS port (eth) solution on Ubuntu Focal Fossa (in short): sudo apt install ethtool sudo ethtool enp4s0 sudo ethtool --change enp4s0 wol g sudo systemctl daemon-reload sudo systemctl enable wol.service +++edit: this was an unpleasant discovery (on pfSense) :(

Could you provide client log also? It's better to create a bugreport: https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html

@lumens said in DNS Resolver in forwarding mode slow replies: But since i have configured my DNS Resolver in "Forwardind Mode", i would expect that the query to localhost would be comparable to the query to the dns server configured in the "General Setup" section (quad9 nameservers in my case). and unbound, using forwarder mode, is using port 853 and encrypts the traffic (TLS). Probably normal ( ? ), but unbound (forwarder) also asks for the AAAA, the NS, and CNAME, and also requests for dell.com.lum1.lan. I couldn't find the "A" request .... Btw : Why 9.9.9.10 as its for experts only ? What about 9.9.9.9 or maybe 9.9.9.11. edit : what happens when you ask for "www.micosoft.com." instead of "www.micosoft.com" ?

@johnpoz Thanks John, That works for me. The static reservations are all there. I don't use dynamic DHCP registrations into DNS (due to using DNSBL in Python mode)

@bearhntr Yes, sorry I missed that you weren't sure where to add the static entry in DNS. And as long as the DHCP scope options are giving out your DNS server IP as the DNS server- you don't have to add it on the general tab in PFSense, or set forwarding on the DNS tab. I have nothing set on the General tab for DNS, and it works fine. In DNS Resolver, General Settings, if you scroll all the way down to the bottom, there is a Domain Override section, where you can add your domain name and point it to your server's IP. As for RADVD, that's the Router Advertisement service. I know it is used when you setup IPV6, on the Services/DHCPv6 Server & RA/LAN/Router Advertisements.

@madtrick The IP variable is the same, but you have to set up a special IPv6 update client so that pfSense takes the IPv6 interface address. https://dyndns.inwx.com/nic/update?myipv6=%IP%