• DYNDNS Updater Fails - I do not know why?

    9
    0 Votes
    9 Posts
    1k Views
    GertjanG

    @webdawg said in DYNDNS Updater Fails - I do not know why?:

    The plugin has to be designed to work with multi wan.

    I can't test multi WAN, as I have only one WAN, but the updating worked for me.

    The update URL is something like

    https://freedns.afraid.org/dynamic/update.php?TGx1T2VyZFg3TnVsVE1XZTBUZ2I6MTk1NDQ4Nzc=

    Only the Hostname and Password (twice) should be filled in.


    The password is a token, that you can get from here :

    0916e47f-d8be-4a4f-bcf6-dd3b43887eea-image.png

    (The update method used is not one of the newer "version 2".)

    Jan 19 07:45:47 php-fpm 57754 /rc.dyndns.update: Dynamic DNS: updatedns() starting
    Jan 19 07:45:48 php-fpm 57754 /rc.dyndns.update: Dynamic DNS freedns (subscribertest.chickenkiller.com): 82.127.134.54 extracted from Check IP Service
    Jan 19 07:45:48 php-fpm 57754 /rc.dyndns.update: Dynamic DNS (subscribertest.chickenkiller.com): running get_failover_interface for wan. found em0
    Jan 19 07:45:48 php-fpm 57754 /rc.dyndns.update: Dynamic DNS freedns (subscribertest.chickenkiller.com): 82.127.134.54 extracted from Check IP Service
    Jan 19 07:45:48 php-fpm 57754 /rc.dyndns.update: Dynamic Dns (subscribertest.chickenkiller.com): Current WAN IP: 82.127.134.54 Cached IP: 0.0.0.0
    Jan 19 07:45:48 php-fpm 57754 /rc.dyndns.update: DynDns (subscribertest.chickenkiller.com): Dynamic Dns: cacheIP != wan_ip. Updating. Cached IP: 0.0.0.0 WAN IP: 82.127.134.54
    Jan 19 07:45:48 php-fpm 57754 /rc.dyndns.update: Dynamic DNS freedns (subscribertest.chickenkiller.com): _update() starting.

    Important is the third line: "running get_failover_interface for wan. found em0", where the correct interface is shown.
    To see this line, make sure to check this one :

    b4a0ea87-4722-4660-8797-816537dba6e2-image.png

  • DNS failures on authoritative server behind itself, using split-view

    5
    0 Votes
    5 Posts
    794 Views
    maverickwsM

    @johnpoz I've just put the domains on domain override and everything is working fine.

    But about how this works, if you bear with me for a second: why doesn't it work, even considering that domain.org is in split view?
    Or in other words...

    I want domain abcd.com resolved from the inside, the dns auth server for the domain is inside.

    the name servers for abcd.com are ns1.domain.org and ns2.domain.org

    domain.org has the following entries on Host Overrides:

    Host: domain.org and www.domain.org to internal ip of the web server
    host ns1.domain.org to the internal ip of the ns1 server
    host ns2 ... likewise.

    So... what you mean is unbound gets the public IP for the name servers from the root DNS servers themselves, not it that goes resolving along the way. Is that it?

  • blocked domain not by pfblocker

    16
    0 Votes
    16 Posts
    2k Views
    S

    @gertjan Well, strange: after moving to the latest 3.0.0.8 pfblockerng-devel, things have changed.

    nslookup facebook.com
    Server: pfSense.local.landomain
    Address: 172.16.159.254

    Name: facebook.com
    Addresses: ::10.10.10.1
               10.10.10.1

    When accessing it via browser I'm able to browse facebook, youtube etc., which have been blocked in the older version :/ . Do I need any extra config to make it work? I'm using unresolver as DNS, should I disable it?

    Stopping Unbound Resolver..............................
    Additional mounts (DNSBL python): No changes required.
    Starting Unbound Resolver.
    DNSBL enabled FAIL
    *** Fix error(s) and a Force Reload required! ***
    ====================
    [1610791470] unbound[39902:0] error: bind: address already in use
    [1610791470] unbound[39902:0] fatal error: could not open ports

    Now revert back the setting to unbound from python.
    Regards

  • 0 Votes
    3 Posts
    672 Views
    F

    Just to report what we did to re-establish dhcp service functionality with the one remaining working node:

    In a maintenance window we first stopped the dhcp daemon on the only remaining working node, removed the /var/dhcpd/var/db/dhcpd.leases file and started the dhcp daemon again. This did not change anything, same error messages as before.

    Then we went through the dhcp server settings and removed the "Failover peer ip" entry for every pool. After starting the dhcp server it now acted as single dhcp server and started to issue ip addresses again as expected! Also the error message "peer holds all free leases" went away.

    So this is fine for us in the current situation. When the primary pfSense has been repaired and put in production again it will sync the settings and start with the dhcp failover pools again.

    This issue can be closed. Thanks.

  • Reducing Unbound restarts with DHCP hostnames?

    14
    0 Votes
    14 Posts
    2k Views
    GertjanG

    @viktor_g said in Reducing Unbound restarts with DHCP hostnames?:

    That was fixed in 2.5

    As I said, the future ^^

  • DNS Resolver intranet clients and hosting

    7
    0 Votes
    7 Posts
    738 Views
    K

    @teamits yes a lot of real domain and already opened

    Enable NAT Reflection for 1:1 NAT
    Enable automatic outbound NAT for Reflection.

    this problem happened when the cable modem changed to bridge mode (old router mode)

  • track DNS queries from a specific client

    1
    0 Votes
    1 Posts
    151 Views
    No one has replied
  • Recommended dns block list

    2
    0 Votes
    2 Posts
    385 Views
    DaddyGoD

    @leostereo said in Recommended dns block list:

    Can you suggest some blocking lists ?

    Hi,

    use the built-in lists in pfBlockerNG-devel...

    you can choose to your liking (IPv4, IPv6, DNSBL, GeoIP) 😉
    (I also see you on the Unbound mailing list)


  • [SOLVED] DNS resolver- PFSENSE unable to resolve dns's

    5
    0 Votes
    5 Posts
    28k Views
    johnpozJ

    @darlingyow

    Wow this is old ;)

    To use unbound as resolver - this is default out of the box. But if you have changed stuff, you need to make sure you haven't disabled pfsense from using itself for dns (127.0.0.1/localhost)

    And you need to make sure that unbound is listening on localhost (127.0.0.1) if you have unchecked the ALL (default)

    Here pic
    resolver.png

  • Bug with DHCP Gateway "none" in sub-pool

    1
    0 Votes
    1 Posts
    140 Views
    No one has replied
  • Network discovery

    1
    0 Votes
    1 Posts
    203 Views
    No one has replied
  • DNS Resolver only using 853 and blocking outbound 53 on 2.4.5p1

    6
    0 Votes
    6 Posts
    3k Views
    S

    @smokinmojoe

    This link from Netgate allowed me to make the rule to block 53/853 just like I was struggling with. Perfect and glad the docs are so good : https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html

    Navigate to Firewall > Rules, LAN tab

    Create the block rule as the first rule in the list:

    Click Add to create a new rule at the top of the list

    Fill in the following fields on the rule:

    Action: Reject

    Interface: LAN

    Protocol: TCP/UDP

    Destination: Any

    Destination Port Range: DNS (53)

    Description: Block DNS to Everything Else

    Create the pass rule to allow DNS to the firewall, above the block rule:

    Click Add to create a new rule at the top of the list

    Fill in the following fields on the rule:

    Action: Pass

    Interface: LAN

    Protocol: TCP/UDP

    Destination: LAN Address

    Destination Port Range: DNS (53)

    Description: Pass DNS to the Firewall

    Click Apply Changes to reload the ruleset

  • DHCP server IP allocating

    3
    0 Votes
    3 Posts
    541 Views
    HurkamurkaH

    @bingo600
    I've deleted all the expired and assigned addresses under the GUI --> Status -- DHCP leases -- Show all configured leases -- and manually deleted them. If I remember right, when I made such a delete manually the DHCP server started assigning the first available address, which was in my case the .100. I've just found it strange that even the man page says it shouldn't be assigning the addresses one after the other. I'm not too concerned, just thought there is some mistake in my configuration.

    I've found the dhcpd files under /var/dhcpd/var/db/, I'm just a bit unsure if I can delete them after the server is stopped, or just delete the content. I have backups, so I think I'm gonna find it out.

    Thanks for the answer!

  • unbound not resolving some names

    7
    0 Votes
    7 Posts
    1k Views
    DaddyGoD

    @an-erd said in unbound not resolving some names:

    Ok, I forwarded this issue to the VPN provider

    you will not achieve much with this 😉

    (all VPN service providers indicate in their operating conditions (general terms of service) that the use of VPN in many cases causes some websites to be unusable)

    you have to live with it or you can do tricks

  • Unbound Stops Resolving, Needing To Restart Service To Rectify

    7
    0 Votes
    7 Posts
    713 Views
    GertjanG

    @visseroth

    It's not because unbound does "DNSSEC checking" that unbound stops working.
    And the other way around: if unbound is 'told' not to do DNSSEC checking then that won't make it stop either.

    Check the system logs, and the Resolver logs for details and reasons.

  • Lan clients not getting IP addresses

    7
    0 Votes
    7 Posts
    1k Views
    J

    @johnpoz sorry for the late response, but you are right. It was not a pfsense issue: the first 12 ports of my switch, a Dell PC5224, got fried from the storm. I got it up and running with a Dell PC6248 and it's working fine. Thanks for guiding me in the right direction.

  • Pfsense Dhcp Log

    39
    0 Votes
    39 Posts
    4k Views
    ahmetakkayaA

    @johnpoz
    @tabmow

    thanks for support 👍

  • not getting a dhcp address on vlans with new install.

    6
    0 Votes
    6 Posts
    1k Views
    JKnottJ

    @godhead83

    Start simple. Get the main LAN going first, including DHCP. Once that is done, you can do the same with the VLANs, including a DHCP server for each one. By doing things one step at a time, it's easier to resolve problems. Also, you should get handy with Wireshark, to see what's actually happening on the wire. You can also enable a column in it to display VLAN ID.

  • Namecheap dyndns multiple hosts

    1
    0 Votes
    1 Posts
    318 Views
    No one has replied
  • Help with local DNS, DNS Resolver, and DNSBL...

    2
    0 Votes
    2 Posts
    329 Views
    J

    I AM AN IDIOT. LOL.

    Repeat after me:

    When using LOCAL servers for FORWARDING ensure that you have the LOCAL interfaces enabled for OUTGOING requests.............

    STUPID, STUPID, STUPID.



Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.