  • DHCP Troubleshoot - 3 questions in Wireshark


    @jknott "Message: requested address not available". Thank you!

  • Setting custom descriptions in the dhcp lease list

    johnpoz

    I am not sure I am clear on what you're asking. Is this what you mean?

    Example - I have a bunch of smart lightbulbs.. They all report a name of wlan0

    It's not very helpful, I agree.. Which one is which is the question.

    So I set them all to have a reservation in dhcp.. And give them a hostname in the reservation; now I can access them via their fqdn, I can resolve their IP to their name.. etc. etc. So I know exactly which device is what.


    It was a bit of a pain to set up, matching which mac was which device. But it was a 1 time thing.. Is this what you're asking about? While I don't have all that many, so I just did it by hand - looking in the app for which light was which based on mac, I then edited the reservations to set the hostname..

    $ dig d1.local.lan +short
    192.168.4.51
    $ dig -x 192.168.4.51 +short
    D1.local.lan.

    If you had a lot of them - and had some listing of which is which, you could manipulate the xml and then restore it vs having to manually edit each one via the gui.

    And sure you could set a description on your reservation if you wanted, but the actual hostname I think is more useful..

  • Errors when updating DHCP scope

    johnpoz

    There has been, and may still be issues with registering dhcp in unbound.. It can be problematic for sure.

    So you may have turned it off there for some reason - you notice mine is off; I have never in the 10-some years of using pfsense had a need for that.

    Devices I want to resolve have a reservation in dhcp. This is why you see register static checked in my screenshot.

  • DNS Resolver and queries


    @gertjan Yesterday, I could change that, now it seems it's working how it should be. Thank you so much for your help.

  • Recommended DHCP and DNS Settings for Unifi Cloud Key integration

    bmeeks

    @boojum said in Recommended DHCP and DNS Settings for Unifi Cloud Key integration:

    Guys
    I got a new SG-3100 and want to replace my slow USG firewall, but keep the several Unifi APs with the Cloud Key.
    I know there should be no problem, but there are a few issues:

    What is the recommended DHCP setup? Should the Cloud Key be the DHCP server and just set the gateway address manually or should the SG-3100 be the DHCP server?

    Disable the DHCP Server in the Cloud Key and let your pfSense box be the DHCP server for both your wired and wireless networks.

    Concerning DNS: The Cloud Key advertises the gateway to be the home network DNS server, which is what I want. How can I make sure my SG-3100 remains the DNS server for the LAN at home, while itself getting DNS service from some public service (8.8.8.8, etc...)?

    Do NOT change anything relative to DNS with a pfSense default installation. It is ready to go right out of the box. It contains a DNS resolver (unbound) that will ask the DNS Roots for IP information. Again, DO NOT make any DNS changes in pfSense! Do not change its defaults. Many do that and wind up totally breaking DNS and have to come back here for help.

    When you enable the DHCP server in pfSense, it will assign your pfSense box as the DNS server for all wired and wireless clients using DHCP. If you have any static IP assigned clients, you will want to point them to the pfSense box for DNS.

    To understand what I mean about not changing the DNS settings in pfSense, go to Google and research what a DNS resolver is and how it works. pfSense now comes with a fully configured DNS resolver right out of the box. No need to change a single thing for successful DNS lookups.

  • DNS randomly stops working


    @gertjan said in DNS randomly stops working:

    It all boils down to: check the logs. Learn how to read them. Check why unbound gets restarted: what event triggered the restart.
    Now, you can ask yourself: can I influence this event? Do I need it? Can I change it?

    Very, very true. Some time ago I found that the cron job for PBlocker was running just before each DNS drop. I'll keep an eye on things after the recent change; I have Grafana set up, so I may even try to set up something to log what's happening around the time of the issues and make it pretty.

    Thanks for taking the time & effort in your replies

  •
    johnpoz

    You do understand without esni or ech (esni is dead already really)..

    Just because you hide the dns from your evil isp, they still see where you're going via the sni the browser sends to the https server they are talking to, via the ip they got from your hidden-from-the-man dns query.

    Without esni or ech, hiding your dns queries from your isp is, to be honest, an exercise in futility. Your isp can really easily see whatever.domain.tld you're going to.. Along with the IP, and if the IP is not on some CDN serving 1000s and 100s of thousands of sites - it's not difficult to know exactly where you're going. Even if using esni or ech.

    But what you do end up doing is handing over everywhere you go to whatever dns service your forwarding to, be it encrypted or not.

    Since going to a website is a specific handshake between the client and the server, support for encryption of what site you actually want via the sni in the https handshake will depend on the server you're going to supporting that.. Doesn't matter if you encrypt the dns query or not.

  • DHCP not working


    I've copied the existing installation to another location and it has managed to start up ok, so DHCP is working again, but the release is quite old so I thought I would try to update it, which I am now doing... So... don't know what caused the original problem, but it looks like it has been sorted.

  • Unbound - dns override - resolves on local box , not remote box

    bingo600

    @johnpoz said in Unbound - dns override - resolves on local box , not remote box:

    I would go the the specific domain route.

    #Me too 😊

    Just dropping those 2 lines in every unbound is no prob.

    On my home setup, where I had an existing linux based DHCP + DNS infrastructure, I only use unbound to forward to my existing Bind9 servers, no pfS 127.0.0.1 resolving. All that hits unbound goes to the Bind9's.

    My Phone + MMedia vlans get a DHCP DNS pointing to a Debian Pihole that uses the Bind9's.

    DNS & especially DHCP is a bit more cumbersome on linux, but I have DDNS (DHCP added entries) working like a charm. And that is a super neat feature.

    I have this defined on my home pfS:

    server:
    private-domain: "mydomain.org"
    local-zone: "xxx.10.in-addr.arpa." transparent
    local-zone: "yyy.10.in-addr.arpa." transparent

    I made that when I was a pfSense "super noob", and could resolve nothing RFC1918 via my bind9 servers.

    I have no idea if the arpa zone should be transparent or just local.
    Google gave me this suggestion, and it has worked since.

    Sometimes I promise myself to find out why I have transparent ... And then I postpone again ... 😇

    Well I had to now ...

    From:
    https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/

    transparent
    If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in local-data but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local-zone is given local-data causes a transparent zone to be created by default.

    nodefault
    Used to turn off default contents for AS112 zones. The other types also turn off default contents for the zone. The 'nodefault' option has no other effect than turning off default contents for the given zone. Use nodefault if you use exactly that zone, if you want to use a subzone, use transparent.

    Seems like transparent is the way to go for me (sub zones)

    /Bingo

  • Use external DHCP Server with PFSense?

    Gertjan

    @mikrotikuser45

    As stated in the doc, DHCP server and DHCP relay usage is mutually exclusive.


    Not just on 'a' LAN interface, but any LAN interface.

  • FreeDNS with DNSFilter.com


    @f34rinc
    Hi f34rinc,

    I want to use DNSFilter.com with an SG-3100 at the high school I work at in San Diego. Are you still using FreeDNS and DNSFilter.com with pfSense? If so, how is it working for you? I need to use it for the CIPA Children’s Internet Protection Act compliance that E-Rate requires.

    Thank you,

    Greg Brown
    Cristo Rey San Diego High School

  • Suggestion: Separate system's resolver from Unbound

  • DNS resolver 2.5.1 syntax error

    johnpoz

    Choose which you want to do - you wouldn't put that in two places.. If you're going to use the pfdnsbl feature, then you wouldn't put that in your option box.

    If you're not using the dnsbl options, then you could put it in your option box.. But you need the server: line above it, as you see in my screenpic.

  •

    Hi, I just purchased an SG1100 and I'm having this problem too :(.

    I'm running 21.02.2-RELEASE (arm64) with Unbound-1.13.1 and it's crashing continuously. I have watchdog restarting it.
    I haven't been able to find a fix on the forum.

  • Unbound forwarder with DoT on Cloudflare for Teams.

  • Question about DHCP Relay on secondary site with site-to-site VPN

    SipriusPT

    So, the way that I have found to solve this best was to keep that DHCP on Network B and a subdomain there as foo.xyz.com, as a stand alone, and forward all xyz.com to my dc.xyz.com DNS server.

    The problem that I am still trying to solve is that forwarded queries from my dc.xyz.com to pfsense.foo.xyz.com are not being resolved or even queried. Even the 10.0.10.1 is not resolved and gives the error message on validation: the server with the IP address is not authoritative for the required zone.

    I've delegated that subdomain foo.xyz.com to 10.0.10.1 DNS server who is the pfsense.foo.xyz.com. In my dc.xyz.com I have the following:


    But testing from a stand alone pc in the same network of my dc.xyz.com, I am able to use the pfsense.foo.xyz.com as a DNS server.

    Does anyone here know if I am missing some step or steps to be able to perform this setup?

  • Second lan tab not showing on DHCP Server page


    I just stumbled over the same problem and could only solve it by googling this post. It would be really helpful to have the /32 by default set to a /24 on a static IP - or to provide a hint message. (At least at a prominent place within the documentation.)

    Thanks!

  • Setting a Domain Override in the DNS Resolver stops the service

    johnpoz

    Do you have pfblocker enabled at all - turn it off.. Kill all your unbound instances..

    Do you still have the same problem?

  • Dns Server only work if they support 53 and Dot -Dot only=no

    Gertjan

    @docop2 said in Dns Server only work if they support 53 and Dot -Dot only=no:

    With a default install of PF it is using the wan for dns.. so it's straight the Isp dns. Not better.

    What?
    Not a huge issue, easy to correct, and do this asap: Review some of the aspects of what you think you know about how the Internet DNS system works.

    By default:
    pfSense does not use your ISP DNS servers.
    It uses these.

    You do not need someone's DNS server - small or big.
    You have the right to use one of the 13 original ones. pfSense does so, out of the box.
    And true, pfSense uses on (over) the public internet the public resource: these 13 root DNS servers. Because they are the root of everything that is domain name related.

    You want to be sure of a DNS reply? => Activate DNSSEC. This will enforce the 'quality' of the DNS reply, if the site - domain name - you look for wants to protect itself, and you, against DNS spoofing.
    You want to hide your DNS requests?
    (which means you are forwarding - which breaks DNSSEC as you include a MITM in your DNS chain)
    then look for 1.1.1.1 (supports DoH) or OpenDNS etc.
    Why some obscure/unknown ones? The minute they stop, they will stop your DNS .....

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.