Yep, that works. I removed all the DNS servers from System:General Setup, and had both these unchecked:
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the DNS Forwarder as a DNS server for the firewall
This makes /etc/resolv.conf contain just:
domain mydomain.xyz.org
nameserver 127.0.0.1
Then in DNS Forwarder, Advanced:
server=216.146.35.35
server=216.146.36.36
And in DNS Forwarder Domain Overrides I have entries for the various local domains, and local private reverse lookup zones, and the IP addresses of the internal DNS servers that know how to answer queries for those (e.g. mydomain.xyz.com 10.42.11.1).
Now when I "nslookup" from the pfSense command line, it can only ask DNS Forwarder. And DNS forwarder knows how to do "default" queries using the "server=216.146.35.35" line/s. And queries for local names and reverse lookups always get resolved correctly, or NXDOMAIN returned correctly if the local name does not exist.
The missing element of this configuration is that I can't specify the gateway to use for each upstream DNS server. DNS Forwarder will be using the default route for all of them. That could be fixed by doing this a slightly different way:
a) Add a checkbox somewhere (General Setup or DNS Forwarder config page?):
"Use only the DNS Forwarder as a DNS server for the firewall"
b) When this is checked:
1) Still define routes through the specified gateways for each DNS server IP in General Setup.
2) Only put 127.0.0.1 in /etc/resolv.conf - so DNS lookups from apps on the firewall itself all go to the DNS Forwarder.
3) Write a separate /etc/resolve-for-dns-forwarder.conf that contains the IPs of the DNS servers specified in General Setup (or given by DHCP).
4) On the dnsmasq command line use "--resolv-file=/etc/resolve-for-dns-forwarder.conf"
This way DNS Forwarder will be told about the upstream DNS servers automatically, they are routed through the selected gateway/s, and pfSense apps will always use DNS Forwarder to do their DNS lookup work.
Does this sound like a reasonable enhancement to the system?
And to me it actually feels like the behavior that many people would want - that DNS done by apps on pfSense itself uses the same path for resolving names as any ordinary LAN client. Or is there some catch-22 that I have forgotten here?
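Added example (not from the post above, and not pfSense's own code): a POSIX shell sketch of the files the proposal describes, written in the syntax dnsmasq actually reads, where a Domain Override becomes a `server=/zone/ip` line and the upstream list becomes the separate resolv file passed with `--resolv-file`. The upstream IPs, local zones and the 10.42.11.0/24 reverse zone are constructed values.

```shell
#!/bin/sh
# Added example: generate the pieces of the "DNS Forwarder only" setup proposed
# above. All IPs, domains and gateway names are constructed for illustration.
set -eu

# Upstream servers from General Setup, with the gateway chosen for each
# (dnsmasq only ever sees the IP; the gateway column is for the host routes).
UPSTREAMS='216.146.35.35 WAN1_GW
216.146.36.36 WAN2_GW'

# Local zones and the internal DNS server that answers for each.
# A CIDR entry is turned into its in-addr.arpa reverse zone.
OVERRIDES='mydomain.xyz.com 10.42.11.1
10.42.11.0/24 10.42.11.1'

# Map a /8, /16 or /24 network to its in-addr.arpa zone name.
rev_zone() {
    net=${1%/*}; bits=${1#*/}
    set -- $(printf '%s' "$net" | tr '.' ' ')
    case $bits in
        8)  printf '%s.in-addr.arpa' "$1" ;;
        16) printf '%s.%s.in-addr.arpa' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa' "$3" "$2" "$1" ;;
        *)  return 1 ;;
    esac
}

# Step 2: the firewall itself only talks to the forwarder on localhost.
firewall_resolv() {
    printf 'domain mydomain.xyz.org\nnameserver 127.0.0.1\n'
}

# Step 3: the resolv file handed only to dnsmasq via --resolv-file.
forwarder_resolv() {
    printf '%s\n' "$UPSTREAMS" | while read -r ip gw; do
        printf 'nameserver %s\n' "$ip"
    done
}

# Domain Overrides in dnsmasq syntax: server=/zone/ip sends only that zone to ip.
override_lines() {
    printf '%s\n' "$OVERRIDES" | while read -r zone ip; do
        case $zone in */*) zone=$(rev_zone "$zone") ;; esac
        printf 'server=/%s/%s\n' "$zone" "$ip"
    done
}

printf '# /etc/resolv.conf\n'; firewall_resolv
printf '# /etc/resolve-for-dns-forwarder.conf\n'; forwarder_resolv
printf '# dnsmasq override options (step 4 adds --resolv-file=/etc/resolve-for-dns-forwarder.conf)\n'
override_lines
```

Step 1 (the per-server host routes) is left to the existing General Setup logic, so it is not generated here.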