• DNS Resolver Records

    1
    0 Votes
    1 Posts
    354 Views
    No one has replied
  • Dynamic DNS SPDYN

    4
    0 Votes
    4 Posts
    888 Views
    S
    @nocling Thanks for this, much appreciated. Seem to have this now working stable. So far so good. The WebGui still times out when saving any Dynamic DNS configuration changes, but the changes do save correctly and updates are happening for the DNS.
  • 0 Votes
    14 Posts
    2k Views
    johnpozJ
    @scubanarc yup that would be a directed query specific to pfsense.. You should hope to glean something from that - timeout, nx, refused - something ;)
  • pfSense 2.5.2 - New Fresh Guaranteed DNS OVER TLS

    7
    0 Votes
    7 Posts
    794 Views
    U
    @johnpoz Thanks my Brother - I will be on my best behavior - and use my best polite mannerable demeanor. God Bless You and Yours - and Stay Safe
  • Dynamic ddns (no-Ip) causing pfSense crash?

    4
    0 Votes
    4 Posts
    841 Views
    J
    @gertjan I did end up removing the 1.1.1.1 and 8.8.8.8 dns servers.. and no I'm not on the latest, I'm on 2.5.1
  • Different DNS only for VPN Connections?

    9
    0 Votes
    9 Posts
    1k Views
    Bob.DigB
    @user3124 We've all been there but it is what it is.
  • Using pfSense as firewall and Windows Server as DHCP and DNS server

    9
    0 Votes
    9 Posts
    13k Views
    johnpozJ
    @steveits said in Using pfSense as firewall and Windows Server as DHCP and DNS server: The "private-domain" setting is to allow public DNS servers to return private IPv4 addresses What it allows for any upstream or forwarded to NS to return rfc1918 space and not be considered a rebind. But when you create a domain override entry - it is now automatically added as private domain.. There is no "need" to add it to the advanced option section of unbound gui
  • prevent forwarding of non public suffix domains

    5
    0 Votes
    5 Posts
    1k Views
    johnpozJ
    @jawz101 well you could create blocks for all non public tlds that you would like to block - but what on your network would be looking for those, if wasn't in your search suffix.. The possibilities are pretty infinite for non actual tlds ;) But only those in your search suffix would be added by clients.
  • Unbound frequently restarting and occasionally crashing

    5
    0 Votes
    5 Posts
    2k Views
    GertjanG
    @linuxgae said in Unbound frequently restarting and occasionally crashing: and unchecking Register DHCP static mappings in the DNS Resolver. That one isn't needed as they are loaded on system start, and only change when the admin adds a static lease, which is not very often. @linuxgae said in Unbound frequently restarting and occasionally crashing: Of course you will have to come up with an alternatives to resolve hosts that are local Give your known local device, the ones you need to talk to, like NASes, printers and other file servers a static MAC lease and you'll be fine.
  • Azure Dynamic DNS Fail - LocationRequired

    dynamic dns azure
    2
    0 Votes
    2 Posts
    1k Views
    K
    @kilburnflyer Solved: subscriptions/[YOURSUBSCRIPTIONID/resourceGroups/north-europe-default/providers/Microsoft.Network/dnsZones/[YOURDOMAIN] do not put api version in there. in hostname only put value before i.e. RECORD i.e. RECORD.[YOURDOMAIN] Relevant link in source code helped debug
  • ONLINE STATUS BUT NO INTERNET CONNECTION

    3
    0 Votes
    3 Posts
    377 Views
    I
    @gertjan hmm I guess using 2 network cards makes sense, but it's just a small office with 50 hosts and I saw a lot of videos out there using laptops with usb to Ethernet port
  • 0 Votes
    1 Posts
    232 Views
    No one has replied
  • Add PTR and NS Records to DNS Resolver possible?

    99
    0 Votes
    99 Posts
    43k Views
    S
    Sorry for bringing back a 4 year old thread, but I think I got this working for me in OPNSense using Unbound and I wanted to update the thread with a solution in case anyone else is looking. This is the only useful result that comes up when searching for making Mobility Print work with Unbound.

    This hint about using typetransparent seems to make it work without doing anything else special. I set that through the GUI in OPNSense but I believe the relevant config line it results in is:

        local-zone: "mydomain" typetransparent

    I think these are the other relevant parts of the config files - in OPNSense I created a custom config file to add the entries as they removed the "advanced" box on the current release. (the OPNSense config file has an include: /var/unbound/etc/*.conf where custom entries go)

        root@OPNsense:/var/unbound/etc # cat mobilityprint.conf
        server:
        local-data: "b._dns-sd._udp.mydomain IN PTR pc-printer-discovery.mydomain"
        local-data: "lb._dns-sd._udp.mydomain IN PTR pc-printer-discovery.mydomain"
        local-data: "pc-printer-discovery.mydomain IN NS lxc-print.mydomain"

    I didn't add the A record here, since I have a static DHCP lease for my Mobility Print server called lxc-print, but that record is just:

        local-data: "lxc-print.mydomain IN A 10.10.5.17"

    Everything passes in the Mobility Print DNS setup page and I get the correct results from nslookup:

        lvm-debian-1:~> nslookup -query=ptr b._dns-sd._udp.mydomain
        Server: 10.10.0.2
        Address: 10.10.0.2#53
        b._dns-sd._udp.mydomain name = pc-printer-discovery.mydomain.

        lvm-debian-1:~> nslookup -query=ptr lb._dns-sd._udp.mydomain
        Server: 10.10.0.2
        Address: 10.10.0.2#53
        lb._dns-sd._udp.mydomain name = pc-printer-discovery.mydomain.

        lvm-debian-1:~> nslookup -query=ns pc-printer-discovery.mydomain
        Server: 10.10.0.2
        Address: 10.10.0.2#53
        pc-printer-discovery.mydomain nameserver = lxc-print.mydomain.

        lvm-debian-1:~> nslookup lxc-print.mydomain
        Server: 10.10.0.2
        Address: 10.10.0.2#53
        Non-authoritative answer:
        Name: lxc-print.mydomain
        Address: 10.10.5.17
  • DNS Resolver domain override issue for just one client in the same network

    20
    0 Votes
    20 Posts
    2k Views
    K
    @johnpoz said in DNS Resolver domain override issue for just one client in the same network: @kevindd992002 ha - they seemed to have changed it to help users doing local forwarding. I just added a couple of test domain forwards for testing to a local ns.. And look what gets added to the conf ;) [image: 1633543042040-overrides.jpg] I do not recall seeing this in the release notes? But there it is.. look in your [21.05.1-RELEASE][admin@sg4860.local.lan]/: cat /var/unbound/unbound.conf [image: 1633543158060-conf.jpg] I wonder when that got added - I am pretty freaking sure it didn't use to do that.. edit: Well F me - looks like that was added sometime back in 2017 from looking through the github code for unbound.inc.. Lol, that makes total sense then. Thanks for the help!
  • Remove DHCP leases automatically

    16
    0 Votes
    16 Posts
    7k Views
    johnpozJ
    @nicolas-pissard if you're having problems with dhcp you need to make sure pfsense is actually seeing the dhcp discover or request.. And then it should offer, or provide some info to why it can not.. Maybe dhcpd has stopped running? Maybe client is asking for IP it can't use on this network, and won't accept offer? There are many things that could cause problems sure - but an expired lease should not prevent it from being offered up if there are no other free IPs from the pool to hand out. dhcpd should use up all of its IPs first, and then once it has handed them all out, it will use those leases that have expired.. Where you run into problem is no expired leases, and no free IPs - then yeah nothing to hand out. Maybe you have a client asking for specific IP back, and some other client has active lease for that IP.. And the client will not accept different offer of different IP?
  • Intermittent nxdomain error

    6
    3
    0 Votes
    6 Posts
    600 Views
    johnpozJ
    @cri glad to hear.. Thanks for followup.
  • PS4 ip problem with failover

    3
    0 Votes
    3 Posts
    691 Views
    A
    @daddygo said in PS4 ip problem with failover: Just to clarify, are we talking about pfS HA? Yes
  • Show upstream DNS servers provided by ISP DHCP server?

    1
    0 Votes
    1 Posts
    264 Views
    No one has replied
  • Unbound Not Resolving One Website

    19
    0 Votes
    19 Posts
    3k Views
    GertjanG
    @cnliberal Check the domain name with https://www.zonemaster.net/domain_check. The next time you 'rent' a domain name, check the quality of the registrar's services. Issues like "ns1.carle.com" and "ns2.carle.com" are using the same AS, and are even in the same network. That's not ok. You can correct this, by adding a third one (or remove the second and replace it for another, elsewhere). Slave DNS name services can be found for free on the Internet. Issues like : [image: 1632900433032-809b9573-0312-489f-839e-d28d568095ef-image.png] is also something that had to be dealt with, many years ago. Who is this registrar, the local hobby club ? ;) You're aware now that there are 13 'main root servers'. These know where to find all the top name servers, the ones that know all about 'com', 'org', 'net', etc. These top level name servers have many 'clones'. The bottleneck are the (minimum) two domain name servers, your "ns1.carle.com" and "ns2.carle.com". These two have, of course, firewall rules to filter out 'abuse'. And guess what, what is the third reason why people use VPN's ? Right : to abuse a max. ( the third reason : just to lose some money, and the second : hiding their public WAN IP ) Which means : when you connect to your VPN, and you get an IP that was 'used' for some abusive activity, the IP will get blacklisted for a while. At that moment, you, with that VPN WAN IP, will have issues when resolving domain names that are registered (known to) "ns1.carle.com" and "ns2.carle.com".
  • Add DNS in DHCP Server Settings: Required?

    10
    0 Votes
    10 Posts
    3k Views
    johnpozJ
    @1ntr0v3rt3ch said in Add DNS in DHCP Server Settings: Required?: I am using unbound and it is running well. no issues in services. Just because the service is running - doesn't mean it's working. It needs to be able to resolve. If it can not - then no it can not answer queries from clients. You need to validate that unbound can actually resolve what you're wanting to query for - say www.google.com example: [image: 1632826628338-dns.jpg] See where only loopback 127.0.0.1 was used (unbound) and it returned an answer. Do such a test.. And post the results. If no then no clients asking pfsense IP to look up something is not going to work.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.