<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Topics tagged with dns resolver]]></title><description><![CDATA[A list of topics that have been tagged with dns resolver]]></description><link>https://forum.netgate.com/tags/dns resolver</link><generator>RSS for Node</generator><lastBuildDate>Sat, 14 Mar 2026 02:21:01 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/tags/dns resolver.rss" rel="self" type="application/rss+xml"/><pubDate>Invalid Date</pubDate><ttl>60</ttl><item><title><![CDATA[Can&#x27;t enable unbound-control]]></title><description><![CDATA[Thanks a lot @Gertjan
That was it. It was listening on port 953.
Since I had not seen any configuration option in the UI I thought it was disabled.
]]></description><link>https://forum.netgate.com/topic/196583/can-t-enable-unbound-control</link><guid isPermaLink="true">https://forum.netgate.com/topic/196583/can-t-enable-unbound-control</guid><dc:creator><![CDATA[el_baby]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS Resolver Refusing All Queries: host_entries.conf has local-zone: &quot;.&quot; refuse set]]></title><description><![CDATA[@johnpoz Ahhhhhhhh. Gotcha. great point. Will have a re-think.
Thanks for sticking with me. Not sure what I'm doing is pointless, but hadn't really considered that, had tunnel vision.
]]></description><link>https://forum.netgate.com/topic/196200/dns-resolver-refusing-all-queries-host_entries-conf-has-local-zone-refuse-set</link><guid isPermaLink="true">https://forum.netgate.com/topic/196200/dns-resolver-refusing-all-queries-host_entries-conf-has-local-zone-refuse-set</guid><dc:creator><![CDATA[Nimda_2025]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS resolver working for pfSense but not on LAN]]></title><description><![CDATA[@NickJH DNSSEC should be disabled if forwarding.  See blue note here:
https://quad9dns.github.io/documentation/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/
]]></description><link>https://forum.netgate.com/topic/187440/dns-resolver-working-for-pfsense-but-not-on-lan</link><guid isPermaLink="true">https://forum.netgate.com/topic/187440/dns-resolver-working-for-pfsense-but-not-on-lan</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Captive portal &amp; external DNS Server - not redirecting]]></title><description><![CDATA[@Gertjan
Yes, it turns out a whole trip to the theater.
Also, it turns out that the problem is solved; the solution (in my case) has been found and published. Maybe it will help someone.
Thank you very much!
As for DNSBL - perhaps I will create a new topic.
]]></description><link>https://forum.netgate.com/topic/183485/captive-portal-external-dns-server-not-redirecting</link><guid isPermaLink="true">https://forum.netgate.com/topic/183485/captive-portal-external-dns-server-not-redirecting</guid><dc:creator><![CDATA[sazanof]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[chrome:&#x2F;&#x2F;net-internals&#x2F;dns#dns ???]]></title><description><![CDATA[@johnpoz
I mostly do, except some university classes require we use it.
[image: 1688851689003-r.png]
]]></description><link>https://forum.netgate.com/topic/181368/chrome-net-internals-dns-dns</link><guid isPermaLink="true">https://forum.netgate.com/topic/181368/chrome-net-internals-dns-dns</guid><dc:creator><![CDATA[JonathanLee]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Feature Request: GUI options to Unbound Resolver&#x27;s new DoH abilities]]></title><description><![CDATA[If it's fully standalone in Unbound that should be possible, though I don't know what kind of time frame we'd be looking at.
I haven't kept an eye on it, but last I saw it required passing in the HTTPS requests from something else like an nginx proxy setup; from the look of those docs they seem to have native support now. The library they mentioned is present on pfSense and is a dependency of Unbound already (the ports option DOH is enabled), so all the backend parts appear to be present; just the GUI/PHP config code would need to be implemented.
The larger problem is that it's going to want to use port 443 which complicates GUI access and makes it trickier to use in practice.
]]></description><link>https://forum.netgate.com/topic/181338/feature-request-gui-options-to-unbound-resolver-s-new-doh-abilities</link><guid isPermaLink="true">https://forum.netgate.com/topic/181338/feature-request-gui-options-to-unbound-resolver-s-new-doh-abilities</guid><dc:creator><![CDATA[jimp]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[How do you simplify LAN addresses?]]></title><description><![CDATA[@sokonomi so you're running sonarr - pretty sure you can change that default 8989 port.  Are you running it as docker? You can also set the docker port to be something different and leave sonarr as 8989.
As to accessing it via just sonarr as some URL link, you can set your box to use a search suffix so that just using the host name would auto do a DNS query for whatever your search suffixes are, i.e. sonarr.yourdomain.tld
I never get why this is of concern to so many - so what if the URL is http://something.domain.tld:port - once you create the bookmark, what does it matter, just click the bookmark.
Unless you were wanting to hand this off to users, and you feel the users are too stupid to understand putting the :port on the end of the URL, or you're concerned that port would not be available outbound from where they are at, etc.
But if you provide more details of what you're trying to accomplish we can go over all the different ways to skin that specific cat.
But anything via just a host name is going to be bad practice - you should always use the FQDN when accessing resources.
]]></description><link>https://forum.netgate.com/topic/176986/how-do-you-simplify-lan-addresses</link><guid isPermaLink="true">https://forum.netgate.com/topic/176986/how-do-you-simplify-lan-addresses</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNSSEC and SSL&#x2F;TSL for outgoing DNS queries]]></title><description><![CDATA[@tikiyetti for starters you should really update pfsense, that version is quite dated.
If you want to do your own DNSSEC, then yes you should just resolve, which is what unbound does out of the box.  Or if you're wanting to forward then just pick a DNS that does it already and uncheck DNSSEC in unbound.
I am not aware of any of the major DNS providers that do not do DNSSEC out of the box - some of them have special IPs you can point to that don't do it - like the 9.9.9.10 IP for quad9, etc. But pretty much any of the major players are doing it out of the box.  So there is little point to having unbound try and do it if you're forwarding - more likely than not it's just going to cause you possible issues at some point or another.  It's just extra work for something that is already being done.
If you order a cheeseburger, do you scrape off the cheese when you get it and put your own cheese on?
If you want to control putting cheese on your burger, just order it plain (resolve) and then do your own thing for the cheese ;)
]]></description><link>https://forum.netgate.com/topic/176919/dnssec-and-ssl-tsl-for-outgoing-dns-queries</link><guid isPermaLink="true">https://forum.netgate.com/topic/176919/dnssec-and-ssl-tsl-for-outgoing-dns-queries</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[SSL certificates on internal A name records]]></title><description><![CDATA[@swami_ you can set up haproxy to use your WAN or your LAN interface.  Comes down to where the traffic is going to hit.
Even if your haproxy listens on your WAN IP, unless you open a firewall rule on the WAN that would not be available to internet IPs.  But your WAN IP is still going to be able to be hit via your LAN devices.
Comes down to where you want the FQDN you want to use to point to - if all you're going to want it for is LAN, then just use your LAN IP and point all the FQDNs you want to use to your pfSense LAN IP.
]]></description><link>https://forum.netgate.com/topic/176696/ssl-certificates-on-internal-a-name-records</link><guid isPermaLink="true">https://forum.netgate.com/topic/176696/ssl-certificates-on-internal-a-name-records</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[dns resolver stop problem!]]></title><description><![CDATA[@gertjan -After Wan is active, DNS resolver does not start automatically.
We will review your suggestions.
Thank you
]]></description><link>https://forum.netgate.com/topic/172794/dns-resolver-stop-problem</link><guid isPermaLink="true">https://forum.netgate.com/topic/172794/dns-resolver-stop-problem</guid><dc:creator><![CDATA[enesas]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Purpose of multiple DNS per gateway]]></title><description><![CDATA[The way MS describes it: Windows will ask the primary DNS, if a response is not seen in a short time it asks the 2nd and so on.  The DNS that responds first becomes the primary.
If you are looking at a packet capture you should see some amount of time, my guess is 10s of ms, between the queries.  MS never defined a "short time" when I asked about it.
However it is said to work, it seems most OSs do what you describe, hit several before the first DNS responds.  The packets are small enough I don't think the developers care and are more worried about response time.
]]></description><link>https://forum.netgate.com/topic/171537/purpose-of-multiple-dns-per-gateway</link><guid isPermaLink="true">https://forum.netgate.com/topic/171537/purpose-of-multiple-dns-per-gateway</guid><dc:creator><![CDATA[AndyRH]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS over TLS Not Working?]]></title><description><![CDATA[@coyote1abe said in DNS over TLS Not Working?:

could you please be a little more specific about the change you made to system

Somewhere in the past, he changed the IP settings of his device (a Windows PC) from the default DHCP settings to a static setting.
Like this :
[image: 1659682406226-d3577074-a66d-4dc6-9d2a-47fe70abc2e1-image.png]
which means this windows device doesn't use pfSense at all for DNS .... because he asked 1.2.3.4 to be used.
He has undone that, and now all is well.
]]></description><link>https://forum.netgate.com/topic/171257/dns-over-tls-not-working</link><guid isPermaLink="true">https://forum.netgate.com/topic/171257/dns-over-tls-not-working</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNSBL Stops DNS Service (Solved)]]></title><description><![CDATA[@the-other said in DNSBL Stops DNS Service (Solved):

pfblockerng_dev (do not know about the other one) does NOT reload a list from servers if there are no changes.
It seems "smart" enough to recognize a change in the list.
No changed list > no download (at least that's what the log says...)

I hope so, I'm not so sure.
File attributes, size, last modified time stamp etc are needed before the file gets downloaded again.
But :
/usr/local/pkg/pfblockerng/pfblockerng.inc line 3373 :
			if (($fhandle = @fopen("{$file_dwn}.raw", 'w')) !== FALSE) {

The local destination file is opened for writing - so the initial file size, date etc. are lost : CURL doesn't cache by itself : the file can only be re-downloaded at this stage.
Also :
/usr/local/pkg/pfblockerng/pfblockerng.inc line 170 :
				CURLOPT_FRESH_CONNECT	=> true

Now read "Is there a way to tell curl to not use cache"
edit :
I forgot something : most feeds are https://..... and default TLS web server caching is : no caching.
So even if you, on the receiving side, are ok to receive a cached version, you still get the entire file again.
Btw: less used download methods like rsync are version/date/time aware.
]]></description><link>https://forum.netgate.com/topic/169409/dnsbl-stops-dns-service-solved</link><guid isPermaLink="true">https://forum.netgate.com/topic/169409/dnsbl-stops-dns-service-solved</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS resolver - forwarding working recursive resolution not working]]></title><description><![CDATA[@jeremyj said in DNS resolver - forwarding working recursive resolution not working:

it would have been more intuitive for me to show screen shots with it set for recursive mode i.e. with the forwarding mode box unchecked.

I'm probably not using the default settings, and I really want to help, but won't reset my pfSense to default.
But you can do so, and you see what the default settings are.
@jeremyj said in DNS resolver - forwarding working recursive resolution not working:

as if I reset I have to rebuild all the rules, the vpns, etc.

Noop.
You can retrieve 'just' the OpenVPN settings, and 'just' the firewall rules from the backup you made.
@jeremyj said in DNS resolver - forwarding working recursive resolution not working:

I am also intrigued as to why it is not working and what I am missing

Once you have it working, make a config backup again.
Compare it with the initial backup.
The difference you'll find is the reason.
@jeremyj said in DNS resolver - forwarding working recursive resolution not working:

my outgoing NAT

Outgoing NAT ??
That makes me think : when you undo all the changes you made when setting up the OpenVPN client, DNS works ... ?
]]></description><link>https://forum.netgate.com/topic/168838/dns-resolver-forwarding-working-recursive-resolution-not-working</link><guid isPermaLink="true">https://forum.netgate.com/topic/168838/dns-resolver-forwarding-working-recursive-resolution-not-working</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[How to remove old IP entry of host [solved]]]></title><description><![CDATA[@gertjan said in How to remove old IP entry of host:

Look here Services > DNS Resolver > General Settings at the bottom of the page.
Check also Services > DHCP Server > (any LAN) at the bottom of the page : "DHCP Static Mappings for this Interface"

Thanks for the hint with the DHCP server. I totally forgot about it. I looked in both and found that there is a static DHCP lease in the DHCP server list. But it is shown nowhere else in the DHCP server and so I couldn't delete it. Then I remembered that this old IP is an IP from the range of an old, now disabled interface. Luckily I only disabled the interface and did not delete it. So I enabled it, which created a tab in the DHCP Server menu with this interface and the static mapping of the old IP. I removed it, disabled the interface again and now I am happy!
Solved!
]]></description><link>https://forum.netgate.com/topic/168476/how-to-remove-old-ip-entry-of-host-solved</link><guid isPermaLink="true">https://forum.netgate.com/topic/168476/how-to-remove-old-ip-entry-of-host-solved</guid><dc:creator><![CDATA[Kalle13]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Internal LAN routing when connected to a VPN service]]></title><description><![CDATA[@mer Thanks for the reply! Your comments got me to thinking which can be dangerous ;-)
I figured out the problem. It has to do with a little Windows 10 app that the commercial VPN provides. This app resides in the system tray on the right side of the task bar in Windows 10. The app is used to connect and disconnect from the VPN. With your comments, I had the thought to try to figure out what DNS server Windows was using when connected to the VPN and when not connected to the VPN. With a quick Google search I found the Windows 10 command prompt nslookup command. Simply entering "nslookup" in a Windows command prompt will return the DNS server being used. In my case, when I wasn't connected to the VPN, it returned the IP of my pfSense router. When I was connected to the VPN it returned an IP of a DNS server that belongs to my VPN provider. It seems that every time you connect to the VPN service using their Windows 10 app, they change your DNS server address to their DNS server.
I tried manually changing it back to the IP of my pfSense router but that didn't work when connected to the VPN - in that case I broke internet access altogether and couldn't connect to anything. When connected to the VPN, Windows wasn't able to resolve the local IP of my pfSense router. The solution will have to be to stop using the app provided by the VPN provider so that the DNS server that Windows uses stays pointing to my pfSense router.
I had previously set up a gateway associated with the commercial VPN provider in my pfSense router. My solution will be to configure pfSense to route traffic from my Windows 10 PC through the VPN gateway when I want to use the VPN from my Windows 10 PC. Sort of a pain b/c I will have to log in to pfSense every time I want to use (or not use) the VPN. But in this scenario I can use the https://server1name.domain_name.tld paradigm to access my local services from my Windows 10 PC whether or not its WAN traffic is being routed through the VPN. This is because my Windows 10 PC will always be configured to use pfSense for domain name resolution.
]]></description><link>https://forum.netgate.com/topic/166346/internal-lan-routing-when-connected-to-a-vpn-service</link><guid isPermaLink="true">https://forum.netgate.com/topic/166346/internal-lan-routing-when-connected-to-a-vpn-service</guid><dc:creator><![CDATA[pfsense_joe]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[LAN rewrite hostname&#x2F;subdomain to hostname&#x2F;subdomain.example.com]]></title><description><![CDATA[That is on the client side, simple search suffix for example.com
Now when your host does a query for hosta it will really do a query for hosta.example.com
example..
My host.
Windows IP Configuration
                                                 
  Host Name . . . . . . . . . . . . : I5-Win     
  Primary Dns Suffix  . . . . . . . : local.lan  
  Node Type . . . . . . . . . . . . : Broadcast  
  IP Routing Enabled. . . . . . . . : No         
  WINS Proxy Enabled. . . . . . . . : No         
  DNS Suffix Search List. . . . . . : local.lan  

See the search suffix - now when it pings, say, some host, it auto does a query for the FQDN including the domain
$ ping brother

Pinging brother.local.lan [192.168.2.50] with 32 bytes of data:
Reply from 192.168.2.50: bytes=32 time=1ms TTL=254
Reply from 192.168.2.50: bytes=32 time=1ms TTL=254

You can see my client did a query for the fully qualified name
[image: 1623700351392-dns.png]
]]></description><link>https://forum.netgate.com/topic/164414/lan-rewrite-hostname-subdomain-to-hostname-subdomain-example-com</link><guid isPermaLink="true">https://forum.netgate.com/topic/164414/lan-rewrite-hostname-subdomain-to-hostname-subdomain-example-com</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS resolver hostname]]></title><description><![CDATA[If the client sends that as its hostname.. Then ok - but dhcp leases shouldn't be showing a fqdn.. It would only be showing the hostname.
If you want client amazon-random# to show up as alexa-name in your DHCP lease, the correct solution is to either have that specific client send that hostname to the dhcpd, which I don't think you can do on alexa, or tell the DHCP server to use hostname xyz in the host name when you set a reservation.
If you're setting reservations for your clients, and register that in DHCP settings - then all your DNS is taken care of.
]]></description><link>https://forum.netgate.com/topic/164379/dns-resolver-hostname</link><guid isPermaLink="true">https://forum.netgate.com/topic/164379/dns-resolver-hostname</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS RESOLUTION BEHAVIOR]]></title><description><![CDATA[@patch said in DNS RESOLUTION BEHAVIOR:

@tiger-0 said in DNS RESOLUTION BEHAVIOR:

DNS was from 127.0.0.1 to DNS is 192.168.2.99, is this a normal

If not done explicitly by you, I suspect pfSense added the setting from your ISP when setting up your WAN

That happens when this option
[image: 1622701604669-0f3ad839-7508-40ce-94dd-25b9dc758aa2-image.png]
is checked.
It should not be checked.
]]></description><link>https://forum.netgate.com/topic/164142/dns-resolution-behavior</link><guid isPermaLink="true">https://forum.netgate.com/topic/164142/dns-resolution-behavior</guid><dc:creator><![CDATA[Gertjan]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Consistent Loss of Internet Connectivity With Wireless Clients]]></title><description><![CDATA[@wmheath586 you might also want to drill down further to the MAC address tables in your router. If you are using a managed switch you should be able to telnet into your router and inspect the MAC address table. This would be relevant if you are running multiple VMs and have left the MAC addresses at their defaults.
]]></description><link>https://forum.netgate.com/topic/163311/consistent-loss-of-internet-connectivity-with-wireless-clients</link><guid isPermaLink="true">https://forum.netgate.com/topic/163311/consistent-loss-of-internet-connectivity-with-wireless-clients</guid><dc:creator><![CDATA[papdee]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[21.02.02 on SG-5100 - Every Reboot Requires Restart of DNS Resolver]]></title><description><![CDATA[I have the SG-2220 and do not have this issue. I know this doesn't help a whole lot but someone suggested it could be hardware specific. I hadn't used my SG-2220 for about two years due to divorce and just recently got it going again which is what led me here. I did have this problem and when I did an update when it came out I still had some troubles but not this trouble. I did a factory reset twice and for whatever reason the second reset is what made everything happy. I started with all new settings and didn't restore a thing. I know this doesn't necessarily help a whole lot, but I wanted to offer additional relevant info. It isn't failing on my Netgate SG-2220. What can you do with that? I don't know exactly, but I don't think it is just the software. It might be hardware specific race conditions as another user noted.
]]></description><link>https://forum.netgate.com/topic/163053/21-02-02-on-sg-5100-every-reboot-requires-restart-of-dns-resolver</link><guid isPermaLink="true">https://forum.netgate.com/topic/163053/21-02-02-on-sg-5100-every-reboot-requires-restart-of-dns-resolver</guid><dc:creator><![CDATA[scottlindner]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Tunnel Unbound through the OpenVPN client, if available]]></title><description><![CDATA[Unfortunately I had to realize that "my" solution apparently only works for a certain time. At some point it seems that Windows no longer uses the "first" DNS server and therefore no longer resolves internal names.
I have therefore switched to IPs for now.
]]></description><link>https://forum.netgate.com/topic/161843/unbound-durch-openvpn-client-tunneln-sofern-verfügbar</link><guid isPermaLink="true">https://forum.netgate.com/topic/161843/unbound-durch-openvpn-client-tunneln-sofern-verfügbar</guid><dc:creator><![CDATA[Bob.Dig]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Using DNS Resolver as authoritative]]></title><description><![CDATA[Unbound is not really meant to be authoritative - but you can for sure answer with authoritative responses, i.e. SOA, and create pretty much any record you want.
But you're not going to be able to create those records in the GUI.
Why do you think you need a full blown authoritative NS?  What exactly are you trying to do - if all you want is to respond for some MX records... Just do that in the custom option box
]]></description><link>https://forum.netgate.com/topic/157000/using-dns-resolver-as-authoritative</link><guid isPermaLink="true">https://forum.netgate.com/topic/157000/using-dns-resolver-as-authoritative</guid><dc:creator><![CDATA[johnpoz]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[pfSense Unbound DoT - additional setting needed?]]></title><description><![CDATA[Thanks for that... I had seen the DNS hostname boxes, but must've missed the text below indicating that they're related to DoT. Something might want to be mentioned on the DNS Resolver page at the SSL/TLS checkbox too, that for best security the hostnames for the servers should be entered on System &gt; General.
]]></description><link>https://forum.netgate.com/topic/155225/pfsense-unbound-dot-additional-setting-needed</link><guid isPermaLink="true">https://forum.netgate.com/topic/155225/pfsense-unbound-dot-additional-setting-needed</guid><dc:creator><![CDATA[MikeV7896]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Two &quot;dumb&quot; devices no internet access]]></title><description><![CDATA[@bmeeks Thanks for your feedback, I'll try your suggestions! And I can narrow those down to just a couple:
DHCP is set to almost default - it hands out its own IP address as the default gateway. I didn't want to use the ISP's DNS servers, preferring to specify my own (used to be OpenDNS, now Cisco Umbrella, 208.67.222.222 and 208.67.220.220). I've since changed to Google's and CloudFlare's as they support DNS over TLS - I HAD that running fine for ALL hosts on the network - except when the Roku TV came along. It's again important to note that out of the box, the TV (wired to the WiFi router, NOT WiFi) promptly connected to the internet, downloaded and applied an "update" all on its own, restarted, and only then could not access the internet ever since as long as pfSense is the firewall. NO other changes! All other hosts still have internet just fine also with no changes.
Since that time, pfSense DNS Resolver and Forwarder are disabled. I've tried letting the TV grab an ip address via DHCP from the lease pool - it does, shows the proper default gateway (no ability to show much else), cannot access the internet. Phone hotspot via WiFi: internet works. Swapping pfSense to an old Cisco Pix - internet works - with the same WiFi router connection (wired to one of its LAN ports).
I've since plugged the TV directly into the LAN port of pfSense, eliminating all other devices. It obtained a pfSense DHCP address and proper gateway . . . no internet. That entirely eliminates the WiFi router as the culprit.
I hear you about tinkering with DNS settings - although I'm rather new to pfSense, I do know DNS rather well (running many DNS servers myself in my day job, mostly Windows, plus configuring many corporate outside-facing DNS configurations for their domains).
Something has to be set correctly - again every other device has internet access no problem - ONLY the TV does not, only when connected through pfSense.
I just tried using my phone hotspot, connected the TV via WiFi - internet works. We also know it can connect using the old PIX firewall (also a DHCP server and NAT device).
I'm running pfSense 2.4.5-RELEASE-p1
Taking your suggestion, DNS is at "default" - IIRC. General tab is blank for all DNS items, all boxes unchecked. Services/DNS Resolver is enabled, all top checkboxes unchecked. Interfaces set to ALL ALL. Only "Register DHCP leases in DNS resolver" is enabled, and "DHCP static mappings in DNS resolver" is checked. The TV does not have a DHCP reservation, it (IS) obtaining a LAN ip address from the DHCP lease pool. Currently ethernet connected.
As always, other hosts access the internet just fine. My own laptop I'm posting this message with. I renewed my pfSense DHCP address, and changed from specified DNS addresses to only the pfSense ip address (DHCP server, default gateway, and the only DNS server are all the LAN address of pfSense (192.168.30.1).
System Logs/Firewall/Dynamic: Filter, enter my LAN address and I see lots of activity of course. Enter the TV's leased address and NOTHING appears in the firewall logs.   ????? On the TV screen it verifies the same ip address and default gateway (and MAC address).
I just don't understand why this TV is unlike every other device on the LAN, wired or wireless, that it just won't seemingly attempt internet access but will show up as reaching the firewall.
The same TV, connected either through the exact same connection can promptly access the internet with a different firewall (still wired the same), or wireless through a phone hotspot. The problem points squarely at pfSense then.
]]></description><link>https://forum.netgate.com/topic/154536/two-dumb-devices-no-internet-access</link><guid isPermaLink="true">https://forum.netgate.com/topic/154536/two-dumb-devices-no-internet-access</guid><dc:creator><![CDATA[JoesCat]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[[Solved]Unbound stops resolving intermittently]]></title><description><![CDATA[@brad-edmondson said in Unbound stops resolving intermittently:

have short DHCP leases

I did disable the DHCP registration and also the OpenVPN clients checkboxes as suggested by @Gertjan .
In addition to that, I also updated my VPN client settings to add multiple servers -- in case my VPN provider decides to change IP addresses or if they simply decommission the server that I am connecting to.
I haven't seen any issues since then. So it was a combination of those two things that fixed it for me. Obviously if you don't use a VPN provider, then the second part wouldn't apply to you.
]]></description><link>https://forum.netgate.com/topic/153913/solved-unbound-stops-resolving-intermittently</link><guid isPermaLink="true">https://forum.netgate.com/topic/153913/solved-unbound-stops-resolving-intermittently</guid><dc:creator><![CDATA[Inxsible]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Apply pfBlockerNG DNSBL to one VLAN but not the LAN (or other VLAN)?]]></title><description><![CDATA[@The-Party-of-Hell-No
Done, friend, it's fixed now. What happened is that I had DNS servers assigned to the VLAN; leaving the native one solved it.
]]></description><link>https://forum.netgate.com/topic/153571/apply-pfblockerng-dnsbl-to-one-vlan-but-not-the-lan-or-other-vlan</link><guid isPermaLink="true">https://forum.netgate.com/topic/153571/apply-pfblockerng-dnsbl-to-one-vlan-but-not-the-lan-or-other-vlan</guid><dc:creator><![CDATA[Gerry2204]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[DNS Forwarder and Resolver in Parallel with different DNS Servers]]></title><description><![CDATA[And another update in my "blog".
In Pihole you can set "Use Conditional forwarding" and list your domain and pfsense ip.
That way I can resolve my own internal domain and at the same time use 1.0.0.3 and 1.1.1.3 for dns lookup without going to pfsense. No need to copy over the hosts file.
I ended up not launching the resolver and forwarder in parallel.
My setup now is that I port forward all DNS requests on all interfaces except the kids VLAN to my pihole-1; I then port forward requests coming in on my kids VLAN on port 53 to pihole-2. I allow outgoing requests from my pihole-1 and pihole-2.
Regards. D
]]></description><link>https://forum.netgate.com/topic/153526/dns-forwarder-and-resolver-in-parallel-with-different-dns-servers</link><guid isPermaLink="true">https://forum.netgate.com/topic/153526/dns-forwarder-and-resolver-in-parallel-with-different-dns-servers</guid><dc:creator><![CDATA[Duckmuck]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Domain Overrides for .local not working with DNS Resolver]]></title><description><![CDATA[<p dir="auto">I configured the DNS Resolver as default DNS on my network. I have several different VLAN's. One of them is for work with access to the company network over IPSec.<br />
At work we have three AD domains with DNS Server. One with .ch, one with .int and one .local<br />
I configured Domain Overrides for all three. They point to the DNS Server of their domain.<br />
Problem is that .ch and .int are working but .local is not working.</p>
<p dir="auto">It works for the first 15 minutes after I change something in the DNS Resolver.<br />
In the status page of the DNS Resolver I saw two entries for the .local domain. One with TTL 900 and one with TTL 0.<br />
After 15 minutes both are gone and DNS lookups to the .local domain give me a "non-existent domain" error.<br />
I also tested it with the DNS Lookup on the pfSense. No results.</p>
<p dir="auto">In the logs of the DNS Resolver I saw something with domain.local.localdomain. instead of what I expect domain.local.</p>
<p dir="auto">I read something that .local is a very special domain (and the default in AD) but I don't understand why the pfSense has problems with that.<br />
If I do an nslookup with the addition of the DNS Server of the .local domain it gives me the correct results. That tells me that I can reach the DNS Server for the .local domain.<br />
Is it possible to get the DNS Resolver with Domain Overrides working with .local, or is this some kind of "MS didn't respect the RFCs" issue?</p>
]]></description><link>https://forum.netgate.com/topic/152581/domain-overrides-for-local-not-working-with-dns-resolver</link><guid isPermaLink="true">https://forum.netgate.com/topic/152581/domain-overrides-for-local-not-working-with-dns-resolver</guid><dc:creator><![CDATA[heebtob]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Some Cloudflare hosted websites not working and throw: ERR_NAME_NOT_RESOLVED]]></title><description><![CDATA[<p dir="auto">Hi,<br />
I am pretty noob here; in my network I am facing an intermittent issue with some websites.<br />
I am facing ERR_NAME_NOT_RESOLVED when trying to access a certain website while <strong>other websites work fine</strong>. This error sometimes automatically disappears for a short period and the user can access the site; also, if anyone tries to access it outside of the network (like a personal WiFi hotspot) it works perfectly fine. <em>I don't think it is a DNS related issue</em>; feel free to correct me if I am wrong. I think it is related to redirects, but I'm not sure I'm looking at the right place.<br />
Also, when I tried accessing the site with an success I got the following response [ I have filtered some sensitive info ]:<br />
Output of  "curl -I -L @@@@"<br />
<a href="/assets/uploads/files/1579757861747-test-copy.txt">Test (copy).txt</a><br />
Again for same command when the website was not working:<br />
<a href="/assets/uploads/files/1579758086767-test7-copy.txt">Test7 (copy).txt</a></p>
<p dir="auto">I am using pfSense 2.4.4,<br />
On that using Squid for HTTP and SquidGuard, DNS resolver (though I am providing DNS separately via DHCP),</p>
<p dir="auto">Please Help.</p>
<hr />
<p dir="auto">PS: I can ping the website and it works fine, but can't traceroute.</p>
<p dir="auto">[UPDATE]<br />
I have found that this behaviour is with those websites which have Cloudflare servers.<br />
<a href="/assets/uploads/files/1580215026706-log1.txt">log1.txt</a><br />
This txt contain both results for when it works and when it doesn't</p>
]]></description><link>https://forum.netgate.com/topic/149916/some-cloudflare-hosted-websites-not-working-and-throw-err_name_not_resolved</link><guid isPermaLink="true">https://forum.netgate.com/topic/149916/some-cloudflare-hosted-websites-not-working-and-throw-err_name_not_resolved</guid><dc:creator><![CDATA[h_b]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Windows Server DNS & pfSense DNS Issue]]></title><description><![CDATA[@Derelict Okie, I'll give it a try!
]]></description><link>https://forum.netgate.com/topic/149846/windows-server-dns-pfsense-dns-issue</link><guid isPermaLink="true">https://forum.netgate.com/topic/149846/windows-server-dns-pfsense-dns-issue</guid><dc:creator><![CDATA[[[global:former-user]]]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[[SOLVED] DNS Resolver & DHCP Server are constantly restarting]]></title><description><![CDATA[Hi and thank you for your reply.
When I stop unbound and check for running processes there is no unbound running.
[2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: ps ax | grep unbound
21735  0  S+         0:00.00 grep unbound
[2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root:

After stopping all DHCP servers the following processes are running:
[2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root: ps ax | grep dhcp
 4049  -  S          0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh
56033  -  Ss       618:49.04 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -l /tmp/haproxy_chroot/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
97216  -  Ss         0:01.42 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0
14705  0  S+         0:00.00 grep dhcp
[2.4.4-RELEASE][admin@gateway.REDACTED.TLD]/root:

The DHCP log keeps getting spammed by DHCP6 client:
Nov 5 17:12:53	dhcp6c	97216	Sending Solicit
Nov 5 17:12:54	dhcp6c	97216	Sending Request
Nov 5 17:12:54	dhcp6c	97216	dhcp6c Received REQUEST
Nov 5 17:12:54	dhcp6c	97216	status code for NA-0: no addresses
Nov 5 17:12:55	dhcp6c	97216	Sending Solicit
Nov 5 17:12:57	dhcp6c	97216	Sending Request
Nov 5 17:12:57	dhcp6c	97216	dhcp6c Received REQUEST
Nov 5 17:12:57	dhcp6c	97216	status code for NA-0: no addresses
Nov 5 17:12:58	dhcp6c	97216	Sending Solicit
Nov 5 17:12:59	dhcp6c	97216	Sending Request
Nov 5 17:13:00	dhcp6c	97216	dhcp6c Received REQUEST
Nov 5 17:13:00	dhcp6c	97216	status code for NA-0: no addresses
Nov 5 17:13:02	dhcp6c	97216	Sending Solicit
Nov 5 17:13:03	dhcp6c	97216	Sending Request
Nov 5 17:13:03	dhcp6c	97216	dhcp6c Received REQUEST
Nov 5 17:13:03	dhcp6c	97216	status code for NA-0: no addresses

My WAN connection uses DHCP6 and I confirmed IPv6 connectivity.
WAN has an address and IPv6 is routed as expected.
After killing
97216  -  Ss         0:01.42 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_pppoe0.pid pppoe0

I lost IPv6 connectivity and the spamming of DHCP log by DHCP6 client stopped.
So I reconnected WAN and the spamming was back.
Nov 5 17:26:20	dhcp6c	97216	Start address release
Nov 5 17:26:20	dhcp6c	97216	Sending Release
Nov 5 17:26:20	dhcp6c	97216	remove an address 2003:REDACTED:d1d4/64 on igb0
Nov 5 17:26:20	dhcp6c	97216	dhcp6c Received RELEASE
Nov 5 17:26:20	dhcp6c	97216	status code: success
Nov 5 17:26:21	dhcp6c	97216	exiting
Nov 5 17:30:56	dhcp6c	74412	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Nov 5 17:30:56	dhcp6c	74412	failed initialize control message authentication
Nov 5 17:30:56	dhcp6c	74412	skip opening control port
Nov 5 17:30:57	dhcp6c	74510	Sending Solicit
Nov 5 17:30:58	dhcp6c	74510	Sending Request
Nov 5 17:30:58	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:30:58	dhcp6c	74510	add an address 2003:REDACTED:d1d4/64 on igb0
Nov 5 17:30:58	dhcp6c	74510	status code for NA-0: no addresses
Nov 5 17:31:00	dhcp6c	74510	Sending Solicit
Nov 5 17:31:01	dhcp6c	74510	Sending Solicit
Nov 5 17:31:03	dhcp6c	74510	Sending Solicit
Nov 5 17:31:07	dhcp6c	74510	Sending Solicit
Nov 5 17:31:15	dhcp6c	74510	Sending Solicit
Nov 5 17:31:32	dhcp6c	74510	Sending Solicit
Nov 5 17:31:33	dhcp6c	74510	Sending Request
Nov 5 17:31:33	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:31:33	dhcp6c	74510	status code for NA-0: no addresses
Nov 5 17:31:35	dhcp6c	74510	Sending Solicit
Nov 5 17:31:36	dhcp6c	74510	Sending Request
Nov 5 17:31:36	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:31:36	dhcp6c	74510	status code for NA-0: no addresses
Nov 5 17:31:37	dhcp6c	74510	Sending Solicit
Nov 5 17:31:38	dhcp6c	74510	Sending Request
Nov 5 17:31:38	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:31:38	dhcp6c	74510	status code for NA-0: no addresses
Nov 5 17:31:40	dhcp6c	74510	Sending Solicit
Nov 5 17:31:41	dhcp6c	74510	Sending Request
Nov 5 17:31:41	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:31:41	dhcp6c	74510	status code for NA-0: no addresses
Nov 5 17:31:43	dhcp6c	74510	Sending Solicit
Nov 5 17:31:44	dhcp6c	74510	Sending Request
Nov 5 17:31:44	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:31:44	dhcp6c	74510	status code for NA-0: no addresses
Nov 5 17:31:46	dhcp6c	74510	Sending Solicit
Nov 5 17:31:47	dhcp6c	74510	Sending Request
Nov 5 17:31:47	dhcp6c	74510	dhcp6c Received REQUEST
Nov 5 17:31:47	dhcp6c	74510	status code for NA-0: no addresses

@Gertjan said in DNS Resolver & DHCP Server are constantly restarting:

and thus dhcpleases should not run.
Or, it's that process that restart unbound - see your own logs.

dhcpleases was running because I enabled it again after disabling it didn't change the behaviour.
@Gertjan said in DNS Resolver & DHCP Server are constantly restarting:

Then restart unbound (resolver) and DHCP servers one by one - pause and observe behaviour in logs after each start.

After starting only unbound with DHCP Registration and Static DHCP disabled unbound gets restarted every time dhcp6c is logging "Sending Solicit"
So I checked my WAN settings and compared it to another pfSense firewall I am running with the same ISP (Deutsche Telekom Business).
Under DHCP6 Client Configuration there is an option called Request only an IPv6 prefix (Only request an IPv6 prefix, do not request an IPv6 address).
After enabling the checkbox the spamming of DHCP logs by DHCP6 client stopped and unbound is running without getting restarted.
DHCP servers are also running again with no issues.
I have no idea why it was working fine for 2+ years without the "Request only an IPv6 prefix" option checked.
Maybe the ISP changed some settings on their side.
Thank you very much @Gertjan for pointing me in the right direction.
]]></description><link>https://forum.netgate.com/topic/147885/solved-dns-resolver-dhcp-server-are-constantly-restarting</link><guid isPermaLink="true">https://forum.netgate.com/topic/147885/solved-dns-resolver-dhcp-server-are-constantly-restarting</guid><dc:creator><![CDATA[Crunk_Bass]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[pfBlockerNG-devel and unbound not there]]></title><description><![CDATA[@dragoangel thanks a lot it works now.
]]></description><link>https://forum.netgate.com/topic/146105/pfblockerng-devel-and-unbound-not-there</link><guid isPermaLink="true">https://forum.netgate.com/topic/146105/pfblockerng-devel-and-unbound-not-there</guid><dc:creator><![CDATA[feerab]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Ping spikes on WAN and LAN site]]></title><description><![CDATA[@stephenw10
I think it is related to the P and C state settings in the BIOS.
It is possible that I changed one of them and just forgot.
P-state is the exact one I changed I think.
It has to be set to its default value (HW_ALL iirc).
These may help:
https://www.supermicro.com/support/faqs/faq.cfm?faq=29482
https://www.thomas-krenn.com/en/wiki/Processor_P-states_and_C-states
]]></description><link>https://forum.netgate.com/topic/144189/ping-spikes-on-wan-and-lan-site</link><guid isPermaLink="true">https://forum.netgate.com/topic/144189/ping-spikes-on-wan-and-lan-site</guid><dc:creator><![CDATA[janchroback]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[PFSense not playing nicely with Android TV]]></title><description><![CDATA[I was having a myriad of issues with an Android P device after upgrading to 2.4.4_3 and also having SSL/TLS DNS turned on; this would cause intermittent DNS lookups to take an excessively long time (2-3 minutes). I don't use forwarding. I captured packets and there was a ton of TLS spam between pfSense and said device, all for DNS, with intermittent communication breakdowns and retries.
Being that I probably gave the settings a once-over when doing the upgrade to 2.4.4_3, I am unsure whether it is something specifically in that version or if it's a coincidence. Regardless, turning it off is a workaround for now. I'm not sure if a proper certificate is needed for this to work properly or if it's just a bug.
]]></description><link>https://forum.netgate.com/topic/143349/pfsense-not-playing-nicely-with-android-tv</link><guid isPermaLink="true">https://forum.netgate.com/topic/143349/pfsense-not-playing-nicely-with-android-tv</guid><dc:creator><![CDATA[Millstone50]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Setting up DNS *correctly*]]></title><description><![CDATA[@KOM said in Setting up DNS *correctly*:

enable resolver, disable forwarder, check DNS Query Forwarding and put 1.1.1.1 under System - General Setup - DNS Servers.

This is the exact configuration I went with. Thank you very much for the help!
]]></description><link>https://forum.netgate.com/topic/142912/setting-up-dns-correctly</link><guid isPermaLink="true">https://forum.netgate.com/topic/142912/setting-up-dns-correctly</guid><dc:creator><![CDATA[bwalkco]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Unbound resolver error: Can't assign requested address for 127.0.0.1]]></title><description><![CDATA[Hey all.
I hate to dig up a long dead thread, but I was wondering if this ever got resolved (other than reinstalling pfSense and restoring from a working config).
Having a similar issue actually on my machine.
A little more background: these issues started with an attempted install of a FreeRADIUS package. It was having trouble, giving similar "assigning address" errors (didn't screenshot at the time, apologies). I gave up, thought nothing of it, and removed the FreeRADIUS package, and then my pfBlockerNG DNS blacklist started giving me trouble. I restored to a config that I knew was working, but that also did not solve the problem. I've tried reinstalling pfBlockerNG, totally deleting the config and setting it up again, and rebooting the whole pfSense box, and I continue to get the same error.
I still could reinstall pfsense from scratch, and then restore that config file, but have there been any updates?
]]></description><link>https://forum.netgate.com/topic/141947/unbound-resolver-error-can-t-assign-requested-address-for-127-0-0-1</link><guid isPermaLink="true">https://forum.netgate.com/topic/141947/unbound-resolver-error-can-t-assign-requested-address-for-127-0-0-1</guid><dc:creator><![CDATA[jonsy777]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Block PPPoE WAN IPv6 DNS]]></title><description><![CDATA[Solved by enabling " Enable Forwarding Mode"
]]></description><link>https://forum.netgate.com/topic/140726/block-pppoe-wan-ipv6-dns</link><guid isPermaLink="true">https://forum.netgate.com/topic/140726/block-pppoe-wan-ipv6-dns</guid><dc:creator><![CDATA[dez]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Routing out to Internet through pfSense HW]]></title><description><![CDATA[Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.
]]></description><link>https://forum.netgate.com/topic/139951/routing-out-to-internet-through-pfsense-hw</link><guid isPermaLink="true">https://forum.netgate.com/topic/139951/routing-out-to-internet-through-pfsense-hw</guid><dc:creator><![CDATA[Derelict]]></dc:creator><pubDate>Invalid Date</pubDate></item><item><title><![CDATA[Unbound cant resolve domains - which exists correctly]]></title><description><![CDATA[
I resolved the problem. I installed BIND 9.11 in a Docker container and activated only the resolver for my subnet. And everything works without any problems.

As I have said multiple times in other threads, this is the way to solve DNS resolution issues when you are policy-routing all over the place.
]]></description><link>https://forum.netgate.com/topic/139152/unbound-cant-resolve-domains-which-exists-correctly</link><guid isPermaLink="true">https://forum.netgate.com/topic/139152/unbound-cant-resolve-domains-which-exists-correctly</guid><dc:creator><![CDATA[Derelict]]></dc:creator><pubDate>Invalid Date</pubDate></item></channel></rss>