Netgate Discussion Forum

    Post-upgrade 25.07.1 to 25.11 Kea DHCP dynamic hostnames issues - errors in pfBlocker-NG logs.

    • NickD 0

      This started out as an error thrown in the pfBlocker-NG error.log after upgrading pfSense Plus 25.07.1 to 25.11.

      The issue happens whenever the pfb_filter service is started/restarted. The pfBlocker-NG error log shows these errors for known-valid clients on the LAN:

      PFB_FILTER - 7 | Collect dynamic DHCP hostnames [ 12/20/25 11:36:36 ] Failed validation [ desktop-0mlm8mr. ]

      I can resolve those hostnames with no error from the firewall and other clients on the LAN. This seems to only be happening with dynamic DHCP hosts and not statically assigned DHCP hosts.

      After collecting the Kea lease output I noticed the hostnames for dynamic Windows-based clients had a trailing '.' appended to the FQDN returned by Kea.

      I also did a packet capture of several clients' DHCP communications. The issue seems to be related to Kea DHCP responding to the client's DHCP request with a fully qualified domain name. Kea is adding a '.' at the end of that FQDN in option 81 of the response packet. Here are the relevant packet snippets:

      Windows client DHCP request:
      Option: (12) Host Name
      Length: 15
      Host Name: DESKTOP-0MLM8MR
      Option: (81) Client Fully Qualified Domain Name
      Length: 18
      Flags: 0x00
      A-RR result: 0
      PTR-RR result: 0
      Client name: DESKTOP-0MLM8MR

      Kea DHCP ACK response:
      Option: (81) Client Fully Qualified Domain Name
      Length: 19
      Flags: 0x08, Server DDNS
      A-RR result: 0
      PTR-RR result: 0
      ===> Client name: desktop-0mlm8mr.

      I'm not sure if this is how previous versions of Kea responded, as I have no prior version's packet captures to compare with. I'm not even sure if this is an actual issue, other than that internally Kea is causing pfBlocker-NG to fail when loading dynamic DHCP Windows hostnames.

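The two option 81 snippets above, as an added example that is not part of the original post and not Kea's or pfSense's code: a Python encoder and decoder for DHCPv4 option 81 (Client FQDN, RFC 4702). The flag bit names follow RFC 4702's layout (MBZ, N, E, O, S), not any packet analyzer's labels. The two byte strings are constructed from the values visible in the capture rather than cut from the pcap; the lengths 18 and 19 fall out of the three fixed bytes (flags, RCODE1, RCODE2) plus the name, with and without the root dot. The wire-format encoding (E bit set), which the capture does not show, is also handled so the difference between a fully qualified and a partial name is explicit.

```python
"""Encode and decode DHCPv4 option 81 (Client FQDN, RFC 4702).

The two constructed messages below reproduce the captured exchange: the
Windows client sends "DESKTOP-0MLM8MR" with flags 0x00 and Kea answers
"desktop-0mlm8mr." with flags 0x08. Option 81 carries three fixed bytes
(flags, RCODE1, RCODE2) followed by the name, so a 15-byte name gives
length 18 and a 16-byte name (root dot included) gives length 19.
"""

# Flag bits from RFC 4702 section 2.1, flags octet laid out as |MBZ|N|E|O|S|.
FLAG_S = 0x01  # client asks the server to perform the A (forward) update
FLAG_O = 0x02  # server overrode the client's S request
FLAG_E = 0x04  # 1 = DNS wire-format name, 0 = deprecated ASCII form
FLAG_N = 0x08  # no DNS updates by the server (client request, or server's statement in a reply)

OPTION_CLIENT_FQDN = 81


def encode_fqdn_wire(name: str) -> bytes:
    """DNS wire format: length-prefixed labels. A trailing root dot becomes
    the terminating zero-length label; a partial name has no terminator."""
    fully_qualified = name.endswith(".")
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + (b"\x00" if fully_qualified else b"")


def decode_fqdn_wire(data: bytes) -> str:
    """Inverse of encode_fqdn_wire. Option 81 never uses name compression."""
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:                      # root label: the name was fully qualified
            return ".".join(labels) + "."
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)             # no terminator: partial name


def build_option81(flags: int, name: str, rcode1: int = 0, rcode2: int = 0) -> bytes:
    """Return the complete TLV: code 81, length, flags, RCODE1, RCODE2, name."""
    body = encode_fqdn_wire(name) if flags & FLAG_E else name.encode("ascii")
    payload = bytes([flags, rcode1, rcode2]) + body
    return bytes([OPTION_CLIENT_FQDN, len(payload)]) + payload


def parse_option81(tlv: bytes) -> dict:
    """Parse a TLV produced by build_option81 (or cut out of a capture)."""
    code, length = tlv[0], tlv[1]
    if code != OPTION_CLIENT_FQDN or length != len(tlv) - 2 or length < 3:
        raise ValueError("not a well-formed option 81")
    flags, rcode1, rcode2 = tlv[2], tlv[3], tlv[4]
    body = tlv[5:]
    name = decode_fqdn_wire(body) if flags & FLAG_E else body.decode("ascii")
    return {
        "length": length,
        "flags": flags,
        "S": bool(flags & FLAG_S), "O": bool(flags & FLAG_O),
        "E": bool(flags & FLAG_E), "N": bool(flags & FLAG_N),
        "rcode1": rcode1, "rcode2": rcode2,
        "name": name,
        "fully_qualified": name.endswith("."),
    }


# Constructed from the values visible in the capture, not raw bytes from it.
CLIENT_REQUEST_OPT81 = build_option81(0x00, "DESKTOP-0MLM8MR")
SERVER_ACK_OPT81 = build_option81(0x08, "desktop-0mlm8mr.")

if __name__ == "__main__":
    for label, tlv in (("client request", CLIENT_REQUEST_OPT81),
                       ("server ACK", SERVER_ACK_OPT81)):
        print(label, parse_option81(tlv))
```

The decoder keeps the root dot on a fully qualified name in both encodings instead of silently dropping it, so a consumer can decide for itself whether "desktop-0mlm8mr." and "desktop-0mlm8mr" are the same host; a collector that feeds names into a strict hostname validator would normalize at that point rather than in the parser.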
      • Gertjan @NickD 0

        @NickD-0

        Have a look at /etc/hosts.
        Does it all look fine?

        No "help me" PM's please. Use the forum, the community will thank you.

        • NickD 0 @Gertjan

          @Gertjan Good morning, my pfSense /etc/hosts contains all the unbound host overrides I have in place. Those are correct and are not showing up anywhere with the trailing '.'. This is affecting only Windows clients using dynamic DHCP DDNS option 81.

          More background: these Windows clients are in workgroup mode, not AD domain joined. As such, the default for Windows is that they will have no TCP/IP primary DNS suffix at the machine level. When they send a DHCP request they receive the response with the domain suffix from Kea and apply that to the interface.

          I did a test last night by manually setting the machine-level domain suffix on the clients. This did stop the errors in pfBlocker-NG, but Kea is still sending back a modified FQDN with a trailing '.' in the ACK response. The example from my original post now looks like this:

          Windows client DHCP request:
          Option: (12) Host Name
          Length: 15
          Host Name: DESKTOP-0MLM8MR
          Option: (81) Client Fully Qualified Domain Name
          Length: 18
          Flags: 0x00
          A-RR result: 0
          PTR-RR result: 0
          Client name: DESKTOP-0MLM8MR.example.net

          Kea DHCP ACK response:
          Option: (81) Client Fully Qualified Domain Name
          Length: 19
          Flags: 0x08, Server DDNS
          A-RR result: 0
          PTR-RR result: 0
          ===> Client name: desktop-0mlm8mr.example.net.

          • tinfoilmatt @NickD 0

            @NickD-0 said in Post-upgrade 25.07.1 to 25.11 Kea DHCP dynamic hostnames issues - errors in pfBlocker-NG logs.:

            Kea is still sending back a modified FQDN with trailing '.' in the [ . . . ] response.

            This is not a 'modified FQDN' but a foundational element of the DNS that's not worth discussing here. Suffice it to say that you should consider the 'trailing dot' to be a red herring in whatever you're troubleshooting here.

            • NickD 0 @tinfoilmatt

              @tinfoilmatt I understand the '.' is the root zone and may not be the underlying issue. It likely was sent as part of the ACK response even in the prior 25.07.1 version. I'm just documenting what I've had in place and what I've observed related to the pfBlocker-NG error.

              • Gertjan @NickD 0

                @NickD-0 said in Post-upgrade 25.07.1 to 25.11 Kea DHCP dynamic hostnames issues - errors in pfBlocker-NG logs.:

                PFB_FILTER - 7 | Collect dynamic DHCP hostnames [ 12/20/25 11:36:36 ] Failed validation [ desktop-0mlm8mr. ]

                Can you tell/show in what context this message showed up?
                pfBlocker-NG version?

                I can imagine that pfBlocker-NG found a reference to "desktop-0mlm8mr." in its internal logs.
                This host doesn't have a static DHCP assignment (== always known, so known even when it is not connected at that time and the lease has expired).
                Do you also register dynamic DHCP leases in the local (unbound) DNS?

                I guess the message is just pfBlocker-NG telling you that it found that host name in its logs, and it could do a DNS request to discover its IP at that moment.


                • NickD 0 @Gertjan

                  @Gertjan Sorry for the delayed response. This is happening with all non-static DHCP leased Windows clients. So for example, if I dump the leases directly from Kea I get:
                  desktop-0mlm8mr. 192.168.1.10

                  But dumping the unbound leases4.conf gives me:
                  local-data: "desktop-0mlm8mr.example.net. IN A 192.168.1.10"

                  I believe pfBlocker-NG is using the hostname that's output from the Kea leases to test resolution as you noted, however it won't resolve that name due to the trailing '.'. Statically assigned leases show the hostname without the trailing '.' so they resolve properly. I won't muddy this up any longer, I just read @cmcdonald post in the problems installing sub.

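The mismatch described in this last post, a root dot on the Kea-reported name that a strict hostname check rejects while the dotless static-lease names pass, as an added example that is not pfBlocker-NG's own code: a small Python collector that parses the Kea lease dump line format and the unbound local-data line format shown above, validates each name strictly against RFC 1123 label rules (so "desktop-0mlm8mr." fails the way the log shows), then validates again after stripping exactly one trailing root dot. The sample lines are constructed from the two formats in the thread; the second Kea line ("printer") is a made-up static lease added to show a name that passes both checks.

```python
"""Collect hostnames from a Kea lease dump and from unbound's leases4.conf,
then validate them with and without stripping the DNS root dot.

Sample input is constructed for this example from the line formats shown in
the thread; the 'printer' line is a made-up static lease, not from the thread.
"""
import re

# One RFC 1123 label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# unbound local-data A record, as written in leases4.conf.
LOCAL_DATA_RE = re.compile(r'^local-data:\s*"(\S+)\s+IN\s+A\s+(\S+)"\s*$')

KEA_LEASE_DUMP = """\
desktop-0mlm8mr. 192.168.1.10
printer 192.168.1.20
"""

UNBOUND_LEASES4_CONF = """\
local-data: "desktop-0mlm8mr.example.net. IN A 192.168.1.10"
"""


def is_valid_hostname(name: str) -> bool:
    """Strict check that treats every dot as a label separator. A root dot
    leaves an empty last label, so 'desktop-0mlm8mr.' fails, as in the log."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def normalize_fqdn(name: str) -> str:
    """Strip exactly one trailing root dot (a fully qualified name carries one)
    and lower-case, since DNS names compare case-insensitively. Deliberately
    not rstrip('.'): 'host..' is malformed and must still fail validation."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def parse_kea_dump(text: str) -> list[tuple[str, str]]:
    """Lines of the form '<hostname> <ip>'; anything else is skipped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def parse_unbound_local_data(text: str) -> list[tuple[str, str]]:
    """Extract (name, ip) from unbound local-data A records."""
    pairs = []
    for line in text.splitlines():
        m = LOCAL_DATA_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def validate_all(pairs: list[tuple[str, str]]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (strict_ok, normalized_ok)} for every collected name."""
    return {
        name: (is_valid_hostname(name), is_valid_hostname(normalize_fqdn(name)))
        for name, _ip in pairs
    }


if __name__ == "__main__":
    collected = parse_kea_dump(KEA_LEASE_DUMP) + parse_unbound_local_data(UNBOUND_LEASES4_CONF)
    for name, (strict_ok, norm_ok) in validate_all(collected).items():
        if strict_ok:
            verdict = "ok"
        elif norm_ok:
            verdict = "ok after stripping root dot"
        else:
            verdict = "Failed validation"
        print(f"{name:32} {verdict}")
```

Normalizing before validation, rather than relaxing the label regex to tolerate a trailing dot, keeps the strict check intact for genuinely malformed names (empty labels in the middle, leading hyphens, overlong labels) while accepting the fully qualified form that Kea emits; whatever name is then used for a resolution test or written to a hosts-style file is the dotless one.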
                  Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.