• DNS Puzzle

    0 Votes
    29 Posts
    2k Views
    johnpoz
    @provels yeah many of the IoT devices these days are hard coding DoH servers.. Like I said they are harder to block - and that way they can look up who they want to pull ads from or send telemetry, etc.. The prices of these products are so low quite often because the device itself is not really the product, they just want some device to get your info that they sell. But yeah you start blocking stuff they want to look up, and you can find your NS getting hammered..
  • [solved] IPv6 address gotten via DHCPv6 (kea) lost

    0 Votes
    2 Posts
    386 Views
    Bob.Dig
    Went back to ISC, no such problem. Edit1: Same problem exists. Why, what has happened here? Edit2: Ok, I disabled the DNS config for IPv6 a few days ago. "Unchecking this box disables the dhcp6.name-servers option. Use with caution, as the resulting behavior may violate RFCs and lead to unintended client behavior." So it is a known fact, I will mark this as solved. There doesn't seem to be the possibility to give "none" as an IPv6 address for DNS. For now, I disabled DHCPv6 in LAN.
  • Unbound Resolver Crash

    0 Votes
    6 Posts
    595 Views
    Gertjan
    @hypnosis4u2nv said in Unbound Resolver Crash: I have pfblocker also, does daily updates. Something like this : [image: 1739434337176-07c5fcb6-6b2d-4a66-aeed-99f6a94730ff-image.png] So, no surprise : [image: 1739434436473-fbc1afad-3020-4b48-9987-d2c8a8955675-image.png] and now you've set everything up for "more problems". Because : @hypnosis4u2nv said in Unbound Resolver Crash: For now I turned on a watchdog service for unbound. The Service Watchdog is stupid, doesn't have brains, doesn't use AI. It executes every minute, checks if the tasks listed don't run, and if not starts them. What if .... right at that moment pfBlocker did its daily thing, and restarts unbound ? Chances are pretty great (no need for a 4 years Harvard licence here, it's a 1/30 or 3,33 % chance for me as my restart took 2 seconds and the dog runs every minute = 60 seconds) that the watchdog finds unbound not running, and starts it. But it was already in the restart process..... You just created more problems. My advice : you'll get to the bottom of this, don't worry. Just don't use "Service Watchdog". @hypnosis4u2nv said in Unbound Resolver Crash: Memory usage: 9% of 16234 MiB Ok, probably not an OOM event. That said, pfBlockerNG uses PHP to do the loading, filtering and formatting. PHP is very slow in doing this. Do you have many DNSBL lists ?
  • CNAME vs DHCP static mappings

    0 Votes
    5 Posts
    457 Views
    M
    @Gertjan Thanks. No high security requirements here either. But I have worked on PKI for much of my career, and I feel there should be a way to implement this cleanly with pfSense. I have played with the third party pfSense API package. Wrote some code to export all the DHCP reservations to Smokeping. It's been read-only, so far. I have not figured out how to do something read-write. Being able to edit all the reservations in a spreadsheet, rather than through the GUI would be useful. Same for editing the host overrides for CNAMEs. A good script may be able to synchronize things, if additional metadata is included in the spreadsheet. I have got a shit ton of IoT IP devices - over 300 of them. Most Wifi, some wired too. Went to a /22 for my LAN a couple weeks ago. It's on my to-do list to explore VLANs and block as many devices from Internet access as possible. About 250 of them can function with local API without Internet using Home Assistant. I don't believe any of them needs CNAMEs. They don't even need a hostname, but I still assigned hostnames to every single one in the DHCP server table. Can't remember all the names any more than I can the IP addresses, though. I'd love to be able to synchronize data between the pfSense DHCP table and Unifi controller device table. But Unifi has no official API. Only 3rd party, which I have not explored. Synchronizing with Home Assistant as well would be the holy grail. But I don't think their REST API is up to the job either.
  • [SOLVED] Domain Override (DNS Resolver) Not Working

    0 Votes
    8 Posts
    864 Views
    Gertjan
    @manjotsc said in Domain Override (DNS Resolver) Not Working: need to set Outgoing Network Interfaces to ALL, I had it set to WAN Oh ... cool ... tell unbound to use (only) WAN as an outgoing interface, while it should have been using the Wireguard tunnel (which also goes over WAN) to do its job. edit : I'm actually echoing what @SteveITS said @manjotsc said in Domain Override (DNS Resolver) Not Working: Is there a reason why it needs to be to ALL? You've already got my point : because someone decided that that setting is perfect for us ^^ As the Wireguard connection is a second type of WAN interface : a network that goes "somewhere" outside the local LANs, and not reachable by the classic WAN, you have to inform unbound about it. Set it to [image: 1739367816362-c743ced4-d244-49d5-b205-b66c86a160e6-image.png] (it was set by default on All - which proves Netgate's default settings are perfect - who are we to make them any better ) but yeah, WAN is fine, but check-select also your Wireguard interface. I don't quite understand what danger or harm there is if it also uses my local LAN connections (no DNS devices will reply from there ) so I don't bother : All is fine for me. There might be cases where All is not good - I just didn't discover them yet. @manjotsc said in Domain Override (DNS Resolver) Not Working: server: private-domain: "example.xyz" There is another part worth looking at - same file : # Domain overrides include: /var/unbound/domainoverrides.conf Look at what "/var/unbound/domainoverrides.conf" contains.
  • WAN down after lease expiry, doesn't renew

    0 Votes
    8 Posts
    705 Views
    hiflyr777
    @tedquade Thank you!
  • 0 Votes
    7 Posts
    767 Views
    johnpoz
    @aGeekhere this question gets asked all the time - what you're asking is problematic without a separate cache for the views or different clients, etc.. If a client asks for something that would be blocked by the filtered DNS, but they are set to ask the non-filtered DNS - now that is cached. If a client that should be filtered then asks, they would get back what is in the cache. Bind can run multiple caches - but not sure that's something you can configure from the gui. You could prob get what you're wanting out of running both unbound and dnsmasq (forwarder) with them listening on different ports, and then have your clients point to say 1.1.1.3 or whatever that gets redirected to the new port unbound or the forwarder is listening on to resolve your local resources, and then just forwards on to 1.1.1.3. Simpler solution to be honest would be to just run say pihole or something and point the clients you want to filter to that.. Then setup a conditional forward on it to forward to pfsense to resolve your local domain.tld resources, and if not in that domain just forward to 1.1.1.3. That's what I would do.
  • Dot gets added to hostname, why?

    0 Votes
    13 Posts
    858 Views
    Bob.Dig
    @patient0 said in Dot gets added to hostname, why?: Maybe client related I don't think so because the "act" of making a static mapping from the DHCP Leases triggers this.
  • Register Client-names in DNS KEA-DHCP?

    0 Votes
    2 Posts
    390 Views
    bmeeks
    @kuchenmann said in Register Client-names in DNS KEA-DHCP?: It seems that KEA-DHCP on pfSense does not register dynamically assigned DHCP leases in DNS. Only static-mapped DHCP clients. Because in the leases I also see hostnames for dynamically assigned DHCP clients, but I can not resolve these hostnames in DNS. It only works for static-mapped clients. It depends on the version of pfSense you are running. If running pfSense CE 2.7.2, then you are correct in your assessment. But if you are running pfSense Plus 24.11, then Kea does in fact perform dynamic DNS updates of the DNS Resolver in pfSense each time it issues a DHCP lease. I am running that version and now the dynamic DNS updates for DHCP leases work just fine.
  • Safari in iPhone is bypassing Firewall rule

    0 Votes
    23 Posts
    3k Views
    M
    @bmeeks I agree, due to budget we are going with pfSense and that's why I'm checking the best to do with it. I got it working for now. With my above rule list and extra, I added a rule to block the traffic to DNS IP 1.1.1.1 for port 853; from what I see Safari is using DNS over TLS on port 853, and with that blocked Safari is blocked.
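Added example, written for this page and not taken from either post or from pfSense itself: a short Python pass over constructed flow records that flags the bypass patterns the two posts above describe. The first post (IoT devices hard-coding DoH servers) and this one (Safari using DNS over TLS on 853 to 1.1.1.1) describe the same problem from two angles, so one block serves both. The LAN range, the local resolver address and the list of public resolver IPs are assumptions; the flow records are constructed for the demo and are not real pfSense filterlog output.

```python
"""Flag LAN clients that sidestep the local resolver (added example, not from the thread)."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")            # assumption: the filtered LAN
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")     # assumption: pfSense running unbound
# Public anycast resolvers that also answer DoH on the same address (assumed list; extend it).
DOH_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "1.1.1.3", "8.8.8.8", "9.9.9.9")
}

# Constructed records, one flow per line: "src dst proto dport". Not pfSense filterlog format.
SAMPLE_FLOWS = """\
192.168.1.50 192.168.1.1 udp 53
192.168.1.51 1.1.1.1 tcp 853
192.168.1.52 8.8.8.8 udp 53
192.168.1.53 1.1.1.3 tcp 443
192.168.1.54 93.184.216.34 tcp 443
192.168.1.55 192.168.1.1 tcp 853
"""


def classify(src, dst, proto, dport):
    """Return a finding label for one flow, or None when the client uses the local resolver."""
    if src not in LAN:
        return None
    if dport == 853 and dst != LOCAL_RESOLVER:
        return "dot-bypass"        # DNS over TLS straight to a public resolver (the Safari case)
    if dport == 53 and dst != LOCAL_RESOLVER:
        return "dns-bypass"        # plain DNS to a hard-coded server
    if proto == "tcp" and dport == 443 and dst in DOH_RESOLVERS:
        return "doh-suspect"       # HTTPS to a known resolver address; DoH elsewhere looks like any TLS
    return None


def scan(records: str) -> dict:
    """Group (src, dst) pairs by finding label over a block of flow records."""
    findings = defaultdict(list)
    for line in records.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        label = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport))
        if label:
            findings[label].append((src, dst))
    return dict(findings)


if __name__ == "__main__":
    for label, pairs in scan(SAMPLE_FLOWS).items():
        for src, dst in pairs:
            print(f"{label:12s} {src} -> {dst}")
```

Port 853 is the easy case, which is why a single block rule stopped Safari here. The third label is only a hint: DoH to an address that is not on the list is indistinguishable from ordinary HTTPS at the firewall, which is the "harder to block" point in the first post.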
  • Can't renew/obtain WAN ip address after modem goes down

    0 Votes
    15 Posts
    3k Views
    S
    @tedquade Thanks! I wish it would just get an IP, but delaying boot is the best option for now. I would thumbs up you, but don't have enough rep.
  • Completely confused by DNS failure (dnsmasq)

    dns dnsmasq
    0 Votes
    19 Posts
    3k Views
    johnpoz
    @SteveITS yeah I would highly doubt there has been much work on the forwarder (dnsmasq) in quite some time to be honest. I am surprised that anyone would still be using it to be honest.. I mean it can do some things unbound can't, like forward to multiple NS at the same time, etc. But if you can't figure out that the custom options box is what they were talking about - not sure what to tell you ;) Now if there were 2 boxes, one labeled advanced, and the other custom - and putting it in advanced didn't work because they called out the wrong box - yeah that could be problematic.. But there is only one possible place such commands could be put into that gui form.
  • Kea DHCP Feature Roadmap

    2 Votes
    30 Posts
    7k Views
    J
    @imark77 Thanks. As it stands, you have to do lots of digging around to see if feature parity matches your needs. Would give you an upvote if I could.
  • Cannot Access Quickbooks Domain From Any Device All Of The Sudden!

    0 Votes
    6 Posts
    580 Views
    D
    @Nimda_2025 I meant to add more info a couple of hours after I made my initial post. Sorry for the delay. I tried PIA VPN from my desktop pc, laptop on my LAN, and cell phone on my LAN and all worked fine while on VPN but wouldn't again as soon as I got off of PIA. Cellular data on my phone and laptop gave me no issues accessing QB. It's definitely something on my pfsense. I also checked my first static and gateway IP against the most common blacklists and it's fine. I don't know where to go from here.
  • KEA service stopping through the day

    0 Votes
    43 Posts
    10k Views
    Gertjan
    @propeto13 said in KEA service stopping through the day: this is the way. It's 'a' way. If the /tmp/kea4-ctrl-socket.lock exists, or, as seen here on the forum in kea related posts, the pid file exists when kea starts, it will not core dump, but simply refuse to start. And it's normal that these files exist, as 'core-dumping' isn't a clean process exit, so these files remain in place = not good. And you can't start the kea process anymore without manually deleting them. I think there is a Netgate pfSense System Patches (you have this package, right ?) patch that handles this issue. Once these files are gone, you can start kea. And then, suddenly, it core dumps .... and it's rinse-and-repeat time.
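Added example, not from the post and not Netgate's patch: a Python check that decides whether the leftover /tmp/kea4-ctrl-socket.lock and pid file the post describes are really stale before anything deletes them, by probing the pid recorded in the file with signal 0. The pid-file path below is an assumption (check where your install writes it), and the demo works on constructed files in a temporary directory rather than on the live paths.

```python
"""Tell stale Kea lock/pid files from ones owned by a running daemon (added example)."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

KEA_LOCK = Path("/tmp/kea4-ctrl-socket.lock")              # path named in the post
KEA_PID = Path("/var/run/kea/kea-dhcp4.kea-dhcp4.pid")      # assumption: verify on your box


def pid_alive(pid: int) -> bool:
    """Signal 0 probes for the process without delivering anything to it."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True      # exists, but owned by another user
    return True


def read_pid(pid_file: Path):
    """Integer pid from the file, or None if the file is missing or unparsable."""
    try:
        return int(pid_file.read_text().strip())
    except (FileNotFoundError, ValueError):
        return None


def stale_files(lock_file: Path, pid_file: Path) -> list:
    """Leftovers that are safe to remove.

    After a core dump both files remain and the recorded pid no longer exists, which is the
    state the post describes: both are reported. If the pid is alive nothing is reported,
    because deleting the lock under a running daemon would let a second instance start.
    With no pid file at all there is nothing to check against, so the lock is reported as
    stale; confirm with ps/pgrep before acting on that case.
    """
    pid = read_pid(pid_file)
    if pid is not None and pid_alive(pid):
        return []
    return [p for p in (lock_file, pid_file) if p.exists()]


def demo() -> dict:
    """Constructed scenario in a temp dir (not the real pfSense paths)."""
    with tempfile.TemporaryDirectory() as d:
        lock = Path(d) / "kea4-ctrl-socket.lock"
        pid_file = Path(d) / "kea-dhcp4.pid"
        lock.touch()
        # After a crash: the pid file names a process that has already exited and been reaped.
        gone = subprocess.Popen([sys.executable, "-c", "pass"])
        gone.wait()
        pid_file.write_text(f"{gone.pid}\n")
        after_crash = [p.name for p in stale_files(lock, pid_file)]
        # Daemon running: the pid file names a live process (this interpreter stands in for kea).
        pid_file.write_text(f"{os.getpid()}\n")
        while_running = [p.name for p in stale_files(lock, pid_file)]
    return {"after_crash": after_crash, "while_running": while_running}


if __name__ == "__main__":
    print(demo())
    for path in stale_files(KEA_LOCK, KEA_PID):
        print(f"stale, safe to remove: {path}")
```

Clearing the files only gets kea to start again; if it keeps dumping core afterwards, the stale files are the symptom and the crash itself still has to be found, which is the rinse-and-repeat the post warns about.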
  • A fix if you want to use System_Patches package

    0 Votes
    4 Posts
    466 Views
    J
    @jmedin1965 Thanks so much, this has solved my issue!!
  • Logging DNS queries

    0 Votes
    110 Posts
    13k Views
    M
    @johnpoz said in Logging DNS queries: @Octopuss if you're using unbound as resolver - doesn't matter how many IPs you setup in general for dns.. It isn't going to ask those, unless you setup forwarding in unbound. [image: 1738251724221-forward.jpg] Unless you set that, then the only thing that could ever use the ones you put in general would be pfsense's own dns lookups. And if you left loopback in there 127.0.0.1 it should normally ask it, which would then resolve from roots and your dns servers listed in there would never be asked anything.. Unless your unbound was down and pfsense itself moved to one of the others listed. @johnpoz Can I use the same setting like you have in your image when I'm using "Enable Forwarding Mode"? I have been running like this for years: Disable: "Enable DNSSEC Support" Disable "Strict Outgoing Network Interface Binding" System Domain Local Zone Type: "Transparent" Outgoing Network Interface: WAN and localhost
  • [solved] Using one interface for Domain Overrides only?

    0 Votes
    8 Posts
    713 Views
    Bob.Dig
    @johnpoz said in Using one interface for Domain Overrides only?: it wouldn't send traffic to some internal IP for google.com - unless that internal IP was also a gateway in your routing Interesting. Right now it is set up as a WAN-type interface. I guess I did it for NAT etc. but I can have that without being a WAN-type interface... Thanks John! Makes sense if I think about it.
  • 0 Votes
    15 Posts
    2k Views
    N
    @johnpoz Ahhhhhhhh. Gotcha. great point. Will have a re-think. Thanks for sticking with me. Not sure what I'm doing is pointless, but hadn't really considered that, had tunnel vision.
  • DHCP6 Client Debug Mode -

    0 Votes
    5 Posts
    796 Views
    Gertjan
    @bmeeks Exact. [image: 1738307180807-a6b0b7c8-83da-4505-833b-f1f56f899c66-image.png]
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.