And another update in my "blog". In Pihole you can set "Use Conditional forwarding" and list your domain and pfsense ip. That way I can resolve my own internal domain and at the same time use 1.0.0.3 and 1.1.1.3 for dns lookup without going to pfsense. No need to copy over the hosts file. I ended up not launch resolver and forwarder in parallel. My setup now is that I Port forward all dns request on all interfaces except the kids-vlan to my pihole-1, I then portforward request coming on my kids vlan to 53 to pihole-2. I allow outgoing requests from my pihole-1 and pihole-2. Regards. D

@Derelict Okie, i'll give it a try!

Hi and thank you for your reply. When I stop unbound and check for running processes there is no unbound running. [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: ps ax | grep unbound 21735 0 S+ 0:00.00 grep unbound [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: After stopping all DHCP servers the following processes are running: [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: ps ax | grep dhcp 4049 - S 0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh 56033 - Ss 618:49.04 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf 97216 - Ss 0:01.42 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0 14705 0 S+ 0:00.00 grep dhcp [2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: The DHCP log keeps getting spammed by DHCP6 client: Nov 5 17:12:53 dhcp6c 97216 Sending Solicit Nov 5 17:12:54 dhcp6c 97216 Sending Request Nov 5 17:12:54 dhcp6c 97216 dhcp6c Received REQUEST Nov 5 17:12:54 dhcp6c 97216 status code for NA-0: no addresses Nov 5 17:12:55 dhcp6c 97216 Sending Solicit Nov 5 17:12:57 dhcp6c 97216 Sending Request Nov 5 17:12:57 dhcp6c 97216 dhcp6c Received REQUEST Nov 5 17:12:57 dhcp6c 97216 status code for NA-0: no addresses Nov 5 17:12:58 dhcp6c 97216 Sending Solicit Nov 5 17:12:59 dhcp6c 97216 Sending Request Nov 5 17:13:00 dhcp6c 97216 dhcp6c Received REQUEST Nov 5 17:13:00 dhcp6c 97216 status code for NA-0: no addresses Nov 5 17:13:02 dhcp6c 97216 Sending Solicit Nov 5 17:13:03 dhcp6c 97216 Sending Request Nov 5 17:13:03 dhcp6c 97216 dhcp6c Received REQUEST Nov 5 17:13:03 dhcp6c 97216 status code for NA-0: no addresses My WAN connection uses DHCP6 and I confimed IPv6 connectivity. WAN has an address and IPv6 is routed as expected. After killing 97216 - Ss 0:01.42 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0 I lost IPv6 connectivity and the spamming of DHCP log by DHCP6 client stopped. So I reconnected WAN and the spamming was back. Nov 5 17:26:20 dhcp6c 97216 Start address release Nov 5 17:26:20 dhcp6c 97216 Sending Release Nov 5 17:26:20 dhcp6c 97216 remove an address 2003:REDACTED:d1d4/64 on igb0 Nov 5 17:26:20 dhcp6c 97216 dhcp6c Received RELEASE Nov 5 17:26:20 dhcp6c 97216 status code: success Nov 5 17:26:21 dhcp6c 97216 exiting Nov 5 17:30:56 dhcp6c 74412 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory Nov 5 17:30:56 dhcp6c 74412 failed initialize control message authentication Nov 5 17:30:56 dhcp6c 74412 skip opening control port Nov 5 17:30:57 dhcp6c 74510 Sending Solicit Nov 5 17:30:58 dhcp6c 74510 Sending Request Nov 5 17:30:58 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:30:58 dhcp6c 74510 add an address 2003:REDACTED:d1d4/64 on igb0 Nov 5 17:30:58 dhcp6c 74510 status code for NA-0: no addresses Nov 5 17:31:00 dhcp6c 74510 Sending Solicit Nov 5 17:31:01 dhcp6c 74510 Sending Solicit Nov 5 17:31:03 dhcp6c 74510 Sending Solicit Nov 5 17:31:07 dhcp6c 74510 Sending Solicit Nov 5 17:31:15 dhcp6c 74510 Sending Solicit Nov 5 17:31:32 dhcp6c 74510 Sending Solicit Nov 5 17:31:33 dhcp6c 74510 Sending Request Nov 5 17:31:33 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:31:33 dhcp6c 74510 status code for NA-0: no addresses Nov 5 17:31:35 dhcp6c 74510 Sending Solicit Nov 5 17:31:36 dhcp6c 74510 Sending Request Nov 5 17:31:36 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:31:36 dhcp6c 74510 status code for NA-0: no addresses Nov 5 17:31:37 dhcp6c 74510 Sending Solicit Nov 5 17:31:38 dhcp6c 74510 Sending Request Nov 5 17:31:38 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:31:38 dhcp6c 74510 status code for NA-0: no addresses Nov 5 17:31:40 dhcp6c 74510 Sending Solicit Nov 5 17:31:41 dhcp6c 74510 Sending Request Nov 5 17:31:41 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:31:41 dhcp6c 74510 status code for NA-0: no addresses Nov 5 17:31:43 dhcp6c 74510 Sending Solicit Nov 5 17:31:44 dhcp6c 74510 Sending Request Nov 5 17:31:44 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:31:44 dhcp6c 74510 status code for NA-0: no addresses Nov 5 17:31:46 dhcp6c 74510 Sending Solicit Nov 5 17:31:47 dhcp6c 74510 Sending Request Nov 5 17:31:47 dhcp6c 74510 dhcp6c Received REQUEST Nov 5 17:31:47 dhcp6c 74510 status code for NA-0: no addresses @Gertjan said in DNS Resolver & DHCP Server are constantly restarting: and thus dhcpleases should not run. Or, it's that process that restart unbound - see your own logs. dhcpleases was running because I enabled it again after disabling didn't change the behaiviour. @Gertjan said in DNS Resolver & DHCP Server are constantly restarting: Then restart unbound (resolver) and DHCP servers one by one - pause and observe behaviour in logs after each start. After starting only unbound with DHCP Registration and Static DHCP disabled unbound gets restarted every time dhcp6c is logging "Sending Solicit" So I checked my WAN settings and compared it to another pfSense firewall I am running with the same ISP (Deutsche Telekom Business). Under DHCP6 Client Configuration there is an option called Request only an IPv6 prefix (Only request an IPv6 prefix, do not request an IPv6 address). After enabling the checkbox the spamming of DHCP logs by DHCP6 client stopped and unbound is running without getting restarted. DHCP servers are also running again with no issues. I have no idea why it was working fine for 2+ years without the "Request only an IPv6 prefix" option checked. Maybe the ISP changed some settings on their side. Thank you very much @Gertjan for pointing me in the right direction.

@dragoangel thanks a lot it works now.

@stephenw10 I think it is related to the P and C state settings in the BIOS. It is possible that I changed one of them and just forgot. P-state is the exact one I changed I think. It has to be set to its default value (HW_ALL irc). These may help: https://www.supermicro.com/support/faqs/faq.cfm?faq=29482 https://www.thomas-krenn.com/en/wiki/Processor_P-states_and_C-states

I was having a myriad of issues with an Android P device after upgrading to 2.4.4_3 and also having SSL/TLS DNS turned on; this would cause intermittent DNS lookups to take an excessively long time (2-3 minutes). I don't use forwarding. I captured packets and there was a ton of TLS spam between pfSense and said device, all for DNS, with intermittent communication breakdowns and retries. Being that I probably gave the settings a once-over when doing the upgrade to 2.4.4_3, I am unsure whether it is something specifically in that version or if it's a coincidence. Regardless, turning off is a workaround for now. I'm not sure if a proper certificate is needed for this to work properly or if it's just a bug.

@KOM said in Setting up DNS *correctly*: enable resolver, disable forwarder, check DNS Query Forwarding and put 1.1.1.1 under System - General Setup - DNS Servers. This is the exact configuration I went with. Thank you very much for the help!

Hey all. I hate to dig up a long dead thread, but I was wondering if this ever got resolved (other than reinstalling Pfsense and restoring from a working config. Having a similar issue actually on my machine. Little more background: these issues started with an attempted install of a freeRadius package. It was having trouble, giving similar "assigning address" errors (didn't screenshot at the time. apologies). I gave up, thought nothing of it, and removed the freeradius package and then my pfblockerng dns blacklist started giving me trouble. I restored to a config that I knew was working, but that also did not solve the problem. I've tried reinstalling pfblocker, totally deleting the config, and resetting it up, rebooting the whole pfsense box, and continue to get the same error. I still could reinstall pfsense from scratch, and then restore that config file, but have there been any updates?

Solved by enabling " Enable Forwarding Mode"

Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.

i resolved the problem. I installed a bind 9.11 in a docker container and activated only the resolver for my subnet. And everything works without any problems. As I have said multiple times in other threads, this is the way to solve DNS resolution issues when you are policy-routing all over the place.

Moin moin, leider hat es mit der Antwort etwas gedauert, kam leider nicht vorher dazu. Aber gut, dann habe ich den Resolver ohne Forwarding richtig verstanden und eigentlich ist es auch genau das, was ich möchte. Ich möchte unverfälschte DNS-Antworten vom Root-DNS/SOA ohne Zentralisierung auf einen Dienst bzw. DNS-Anbieter. Die derzeit eingetragenen DNS-Server greifen halt nur wenn ich Forwarding an mache, was ich nun erst einmal nicht tun möchte. Bleibt für mich jedoch die Frage wieso ich www.avm.de (ignorieren wir mal ohne www) nicht aufgelöst bekomme. Hin und wieder treffe ich halt auch andere deutsche Domains - interessanterweise gefühlt immer nur DE-Domains. Wenn ich nun per dig einen Google DNS anfrage, dann erhalte ich für www.avm.de die IP-Adresse 212.42.244.122 Schaue ich nun in die Statistik meines DNS Resolvers, dann finde ich dort diese beiden IP-Adressen: 212.42.244.66 und 212.42.244.67 für avm.de (vermutlich die NS von AVM) Die SOA von avm.de ist die ns1.avm.de und dies besitzt 212.42.244.66, ns2.avm.de hat die 67 (okay, Vermutung bestätigt) Wenn ich einen der NS für www.avm.de direkt "andigge", dann bekomme ich die gleiche Antwort wie von Google Rufe ich einmal www.avm.de über die pfsense Funktionalität "Diagnostics/DNS Lookup" auf, dann sehe ich den korrekten Record. Hier werden nun jedoch auch die externen DNS angefragt, ich kann daher nicht sehen woher die Antwort kommt Digge ich direkt von meinem PC, ohne Angabe eines DNS, mit "dig www.avm.de" dann erhalte ich eine leere Antwort DNSSEC habe ich einmal deaktiviert. Dies hat keine Änderungen bewirkt. Da ich von meinem PC und meiner Leitung direkt mit dem DNS von AVM sprechen kann vermute ich keine Blockade oder ähnliches. Dennoch würde ich gerne dieses Problem lösten, da Forwarding für mich eigentlich keine Option ist. Hier würde ich dann doch gerne meine Privatsphäre schützen.

Yes I understand that The high latency connection will run in to time outs noting you can do to change that. Cashing with unbound may alleviate some of the problems, but there are so many setting he can do that will help with a high latency. Also setting up squid would help as well. Also you may confuse him by saying forwarding mode as there are to options he can use Unbound/Resolver and Forwarder.