@jknott Never mind. I found the fix. Apparently, the DNS server doesn't like ULA addresses, so I had to create an Access list, to allow my ULA prefix. Any idea why the resolver won't accept a ULA prefix that it's on?

@wepee I switched over to cloudflare and noticed i when proxy is enabled = No Joy, if proxy is disable everything is normal. Is this still an on going bug/problem on pfsense?

I managed to resolve this by replacing what I originally had under "host" with *

@trumee said in Rogue machine using gateway ip as the static ip: Hello, Is there a way to block any machine which sets up such a static ip? One thing folks new to networking often fail to remember is that the firewall has zero control over local network traffic in a segment. So on your LAN, for example, if device A wants to talk with device B on the same subnet, the firewall is completely out of the picture and powerless to control the behavior of either device A or device B. Same thing applies in your case with a device "stealing" the IP of the firewall. Nothing the firewall can do but complain in its logs (which it did). It is then up to the human to find the offender and cut him off (using the suggestions from @bingo600).

@bloodfilledwater thank you!!

See solution: https://forum.netgate.com/topic/141362/dhcp-client-unable-to-get-lease-from-cable-provider-solved/4?_=1614433865506

@nicholsnt What are you 'looking up' ? Not every time a host name is used (to be resolved), a complete DNS lookup is performed. The application can cache the DNS answer. Your local OS can and will cache the answer. unbound will cache the answer. How long ? This is determined by the so called the 'TTL' or Time to Live' or the time it should stay valid in the (a) cache. Something like 2 hours is normal. So, no problem if you try to resolve 1 million times per second a host name like microsoft.com : it will 'resolve' in less time, as it is cached (locally). @nicholsnt said in Unbound Resolver not working with Nextiva desktop App or Ring Central app: just something with the many lookups You'll be needing thousands of devices (PC's) to do that. Or only using domains that have a 1 second TTL. @nicholsnt said in Unbound Resolver not working with Nextiva desktop App or Ring Central app: Can I create a static entry in the pfsense for each of those aliases to perhaps negate the lookups? [image: 1615359021637-7c81cb2b-694f-4a9f-88e8-fcac488a978d-image.png] On the Unbound settings page. As many as you like.

@jimp This is why we love you. Thanks for your insight and guidance!

@nogbadthebad Thanks. I really love that pfSense has an implement to pull this off. The trouble with this is I need to train "non command line" folks on how to make changes too. If it's not a web browser, they'll get all sweaty. Having them make line edits containing quotes and colons is just not going to go well. I appreciate you taking the time to noodle this out though. My pfSense knowledge isn't exactly guru level.

@suudoxr said in DNS Unbound errors - No route to host --IPv6: do I need to be looking at why something on my LAN is trying to go out to IPv6? Something on your LAN - a device that is IPv6 capable - would try to use pfSense if pfSense would announce on your LAN that it is a IPv6 gateway. Which isn't the case, because you do not have a IPv6 connection to the net. This doesn't mean that many devices on your LAN use IPv6 among themselves, as any modern OS prefers IPv6 over IPv4.

Is it this? https://forum.netgate.com/topic/160969/upgrade-to-21-02-release-borked-on-sg-3100/46

Seems like some other users of DNS-based filtering have already found this problem in Unbound. It looks like they might do something about it for DoT queries at some point, but there hasn't been much activity on that issue.

Agreed, don't use a /16 for your subnet mask. That subnet size allows for 65,500+ machines (hosts) on a single network. That's a lot!