• DNS / Load Balancing

    DHCP and DNS
  • 0 Votes
    8 Posts
    2k Views
    T

    Yes, JKnott, I do have "do not allow PD Address release" checked. And you're right, there is no control over what the ISP will actually do. I think the addresses had been the same for about 2 months but it seems like a power cycle of the modem is what triggered the IP change. pfSense had little control over it.

    I'm actually on the phone with Comcast Xfinity now, it's taken 1h22m to get to a supervisor. Seems I've been talking a foreign language to both reps I've talked to so far. How hard is it to get a static /60 - /48 on an account? :) I'm currently finding out. It's not like I'm asking for a static IPv4, I'm not even bothering with that.

    ...and after the call, Comcast Xfinity confirmed they still don't hand out/sell IPv6 blocks to Residential customers. So it is what it is.

    Would it be a fair (acceptable?) compromise to only run DNS lookups over IPv4? It looks like if I reorder my IPv4 DNS servers in System -> General to place my DCs' IPv4 addresses at the top of the list (with no outside interface assigned to it), then remove the RA & DHCPv6 DNS servers - the pfSense DHCPv6 server will assign out its own IPv6 per-interface address as a DNS server, and proxy the replies from the servers, in sequence, from Settings -> General. Seems to do away with the need for a DNS forwarder, which also seems to be IPv6-dependent (i.e. only takes IPv6 addresses).

  • 0 Votes
    2 Posts
    1k Views
    B

    Here's some snips that might help:

    Interface setup
    0_1535825194214_guest.PNG
    0_1535825254928_LAN.PNG

    DHCP
    0_1535825404886_DHCP.PNG

    DNS
    0_1535825472979_DNS.PNG

  • Force DNS server

    IPsec
    3
    0 Votes
    3 Posts
    823 Views
    C

    Changed the client's metric. Ethernet > VPN.

  • Bind - Setup pfSense as slave DNS server

    pfSense Packages
    21
    0 Votes
    21 Posts
    7k Views
    johnpoz

    @gertjan said in Bind - Setup pfSense as slave DNS server:

    your DNS zone has to be fully IPv6 and IPv4

    Don't agree with this.. While sure if you have IPv6 then yeah be nice to do that.. But it sure doesn't have to do anything IPv6..

    And while I agree you should do dnssec - again not a requirement.. You do not have to set up dnssec - and people using dnssec will still resolve you. Unless you try to set up dnssec and you mess it up.. Then yeah if your dnssec fails you won't resolve.

    He is trying to show you that yes it gets complicated very quickly.. But when it comes down to setting up a slave. You tell your master what IPs are your slaves, and you set up the zones on your slave and tell them the IP of the master.

    But he makes a good point about your PTR.. Can you even set that for either of your NSers' IPs? That really should be set.. Is where you're running pfsense even a static IP?

    What are you going to do if someone attacks your dns? What are you going to do if someone tries to use your NSers for an amplification attack and you didn't secure for that? What you're using for NS should not be recursive.. An authoritative NS should not do queries for other clients. They only should answer for the domains they are authoritative for..

  • 0 Votes
    9 Posts
    2k Views
    Grimson

    If you just want to do DNS-based blacklisting you could take a look at pfBlockerNG.
