Post-upgrade 25.07.1 to 25.11 pfBlocker-NG DHCP dynamic hostnames issues
-
Upgraded pfSense Plus 25.07.1 to 25.11. Post-upgrade, it appears I've got an issue related to pfBlocker-NG (not related to missing VIPs though - I added those back manually). This other issue happens when the pfb_filter service restarts. The pfBlocker-NG error log shows these errors for known-valid clients on the LAN:
PFB_FILTER - 7 | Collect dynamic DHCP hostnames [ 12/20/25 11:36:36 ] Failed validation [ desktop-0mlm8mr. ]
I can resolve those hostnames with no error from the firewall and other clients on the LAN. This seems to only be happening with dynamic DHCP hosts and not statically assigned DHCP hosts.
-
I did a packet capture of several clients' DHCP communications. This issue does not appear to be related to pfBlocker-NG; rather, it seems to be related to Kea DHCP responding to the DHCP request with a fully qualified domain name to the client request packet. Kea is adding a '.' at the end of that FQDN name in the response packet. Here are the relevant packet snippets:
Windows client DHCP request:
    Option: (12) Host Name
        Length: 15
        Host Name: DESKTOP-0MLM8MR
    Option: (81) Client Fully Qualified Domain Name
        Length: 18
        Flags: 0x00
        A-RR result: 0
        PTR-RR result: 0
        Client name: DESKTOP-0MLM8MR
Kea DHCP ACK response:
    Option: (81) Client Fully Qualified Domain Name
        Length: 19
        Flags: 0x08, Server DDNS
        A-RR result: 0
        PTR-RR result: 0
        ===> Client name: desktop-0mlm8mr.
I will post this over to the DHCP/DNS forum.
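The option 81 fields in the capture above can be decoded and checked offline. This is an added example, not part of the original posts and not code from pfBlocker-NG or Kea: it parses the option 81 value per RFC 4702 and shows one way a consumer could accept the rooted name by stripping a single trailing dot before validating labels. The function names, the normalization rule and the rebuilt payloads are assumptions made for illustration.

```python
import re

# RFC 4702 flag bits of DHCPv4 option 81 (Client FQDN)
FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08

# One DNS label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def parse_option81(payload: bytes) -> dict:
    """Decode the value of option 81: flags, RCODE1, RCODE2, domain name."""
    if len(payload) < 3:
        raise ValueError("option 81 needs at least flags + two RCODE bytes")
    flags, raw = payload[0], payload[3:]
    if flags & FLAG_E:
        # Canonical wire format: length-prefixed labels, zero byte ends an FQDN
        labels, i, rooted = [], 0, False
        while i < len(raw):
            n = raw[i]
            if n == 0:
                rooted = True
                break
            if n > 63 or i + 1 + n > len(raw):
                raise ValueError("malformed label")
            labels.append(raw[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        name = ".".join(labels) + ("." if rooted else "")
    else:
        # Deprecated ASCII encoding, as in the capture (E bit not set)
        name = raw.decode("ascii")
    return {"flags": flags, "server_updates": bool(flags & FLAG_S),
            "no_updates": bool(flags & FLAG_N), "name": name}


def normalize_hostname(name: str) -> str:
    """Strip one trailing root dot, lowercase, then validate each label."""
    host = name[:-1] if name.endswith(".") else name
    host = host.lower()
    if not host or len(host) > 253:
        raise ValueError(f"invalid hostname: {name!r}")
    for label in host.split("."):
        if not LABEL_RE.fullmatch(label):
            raise ValueError(f"invalid label {label!r} in {name!r}")
    return host


# Constructed payloads rebuilt from the fields shown in the capture above
REQUEST = bytes([0x00, 0, 0]) + b"DESKTOP-0MLM8MR"   # option length 18
ACK = bytes([0x08, 0, 0]) + b"desktop-0mlm8mr."      # option length 19
```

The one-byte difference between the two option lengths (18 vs 19) is the trailing dot itself, which is why a validator that rejects a rooted name fails on the ACK value but not on the request value.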