@thatguy thank you for detailed response and helping me to understand more about this beautiful software. I'm happy to report that I found the error to be that of my ISP's Fibre Modem/Router device. They confimed that here was a faulty firmware update that caused bugs. The bug I was experiencing in particular was that for some reason that I do not know, certain addresses were not resolving DNS as I mentioned above, 116 being one of them which was the 'WAN' address of my pfsense. Even when I changed that IP address, and altered that port mapping rule, the firewall logging of my Fibre modem/router is showing attempts to pass that VPN client connection to that 116 address still. I was able to speak to the ISP about the issue and I was able to reset their device. From there, I was able to Renter the port mapping rule (I actually use Port Control Protocol (PCP) instead and this resolved the issue. Thank you for your response and for furthering my knowledge.

I also had to change General setup: DNS Resolution Behavior: Use remote DNS servers, ignore local DNS I cleared all entered DNS server-Gateway assignments and reenabled "Allow DNS server list to be overridden by DHCP/PPP on WAN" I limited DNS Resolver only to LAN and my OpenVPN gateway and disabled DNS forwarding According to DNS leak tests there's no leakage, neither on WAN nor on VPN.

@andyrh Thanks for that idea. I did a packet capture on my pfSense HW for just DNS queries on the LAN, and it's not showing hundreds per second. I guess it just shows cumulative totals, rather than totals per my one minute output. Interpreting the data that way results in a much smaller amount of queries per minute. Thanks for your thoughts.

Then that traffic should be NATted to device that is a Wordpress web server. Right now, your pfSense GUI is exposed to the Internet. That's a major security issue. Edit : The nginx log line tells you that.

Apparently, another corporate router CISCO ASA connected to DMZ was the troublemaker. After physical disconnect and reboot of that device, everything started to work fine again :-)

Things changed. As things do, over time. www.cnn.com is using DNSSEC now. See it for yourself :https://dnsviz.net/d/www.cnn.com/dnssec/ Although, not with issues, as there are warnings. I tend to say : call them to have it fixed ?!

@comprev Thanks for the follow-up. I will redo the rules again and make sure the order is correct (Maybe that was the issue). I will report back once I have this completed. Thanks again, Truckin

@gsemet In Interfaces > Bridges you can define a new bridge and add interfaces to it. The go to Interface Assignments, assing an interface to the new bridge and enable it. No further settings are needed on the bridge interface. But befor you have to ensure that there is no configuration on the vlan 10 interface. It has only to be enabled. However, with this setting results in the vlan 10 going down, when WAN goes down. To avoid that you can move the IP settings from the WAN interface to the bridge.

@striker-pl One last thing, maybe it helps you, didn't helped me though, but it is the same topic: 2.5 connecting via hostname not working across interfaces But notice that I changed topic after the gap of "24 Days later", where an ACL in Unbound was the problem, not related to the original problem anymore.

Same problem here. I need to toggle the option in the GUI twice, after that in works properly. Removing the ACL afterwards doesnt change anything. [image: 1619950799399-91865051-b24b-4f72-9502-d412e4ffca91-image.png] It looks like, there is a glitch in the GUI. It works for some time, but afterwards it needs the ACL again. So no great news here.

@latency0ms said in Name resolution issue with static IP, DHCP Static Mapping works: (even though there are quite a few posts on this) Ok, a quicky : The DHCP server maintains a file on disk with outstanding an outdated leases. See it here : /var/dhcpd/var/db/dhcpd6.leases : a small file with an extremely readable content. When you check this box : [image: 1619763997119-a13f3a6c-d832-4f4a-9a3c-f7daaca2ee5b-image.png] It does not interact with unbound, the Resolver. Neither with the" dhcpd" daemon, the dhpc server for one or more LAN's. Checking this box launches another program that keeps on running - another daemon. I'll check the box or a minute so I can show it to you : [2.5.1-RELEASE][admin@pfsense.my-networkl.net]/root: ps ax | grep leases .... 89854 - Ss 0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d my-network.net -p /var/run/unbound.pid -u /var/unbound/dhcpleases_entries.conf -h /etc/hosts .... And to see what it does, well ..... here it is https://github.com/pfsense/FreeBSD-ports/blob/devel/sysutils/dhcpleases/files/dhcpleases.c Look at the program - it's open source so a click opens the source and you can read it. I'll recap : It puts a 'watch' on the /var/dhcpd/var/db/dhcpd.leases file. When it changes (because a new lease came in, and the dhcpd server updates the file), the daemon dhcpleases reads it, reads the host file, and writes it to /var/unbound/dhcpleases_entries.conf. unbound reads this file when it starts. Open it to see what's in it ^^ Finally, the process dhcpleases restart unbound. Cool, right ? Depends. It restarts unbound on every new or renewed DHCP lease. You have one PC ? => No big deal. You have 8 LAN's and 6000 devices ? => unbound gets chain gunned. Example : you bought this nice home automation thingy device on AliExpress - let's say : your new your door bell with web cam . It asks a new lease every 60 seconds (because it looses its wifi radio signal, reconnects, launches a DHCP request and again and again). And unbound gets restart every 60 seconds. People wind up posting here to ask "why".

While we're at it, there is always a visual problem for me, that the AAAA is shown in red, even if it is working just fine. [image: 1619766721388-capture22.png] Maybe @viragomann has an idea? When I nslookup the address with google, the answer is also correct. Is this a glitch with dynv6.com or within pfSense?

@violetdragon Update, When the problem with resolving websites occurs restarting DNS Resolver fixes the issue but then it acts up again, have to keep restarting it in order for it to work.

@jknott "Message: requested address not available". Thank you!

I am not sure I am clear on what your asking? Is this what you mean? Example - I have a bunch of smart lightbulbs.. They all report a name of wlan0 Its not very helpful I agree.. Which one is which is the question. So I set them all to have reservation in dhcp.. And give them a hostname in the reservation, now I can access them via their fqdn, I can resolve this IP to their name.. etc. etc. So I know exactly which device is what [image: 1619521138239-names.png] It was a bit of a pain to setup, matching which mac was which device. But it was a 1 time thing.. Is this what your asking about? While I don't have all that many so just did by hand - looking in app for which light was which based on mac, I then edited the reservations to set the hostname.. $ dig d1.local.lan +short 192.168.4.51 $ dig -x 192.168.4.51 +short D1.local.lan. If you had a lot of them - and had some listing of which is which, you could manipulate the xml and then restore it vs having to manual edit each one via the gui. And sure you could set a description on your reservation if you wanted, but the actual hostname I think is more useful..

There has been, and may still be issues with registering dhcp in unbound.. It can be problematic for sure. So you may have turned it off there for some reason - you notice mine is off, have never in the 10 some years using pfsense had a need for that. Devices I want to resolve, have a reservation in dhcp. This is why you see register static checked in my screenshot.