Netgate Discussion Forum

    DNS failover

    DHCP and DNS
    • ACNiC

      I have the DNS forwarder and resolver turned off and specified the DNS servers in the DHCP settings.
      (The DNS servers in the general settings tab are set to 192.168.1.2 (Pi-hole) and 1.1.1.1.)
      My first DNS server is a Pi-hole and the second DNS server is 1.1.1.1,
      but I want to have the whole network use the Pi-hole, and when the Pi-hole is not available the devices can get a DNS request from 1.1.1.1...
      I have already set a few firewall rules as shown (2020-02-28.png), but these firewall rules allow both DNS servers to be used, but I want 1.1.1.1 accessible when the Pi-hole is turned off.
      I have also specified the 2 DNS servers in the DHCP settings.
      Is there a solution for this?

      • kiokoman

        Uhm, there is something wrong with those rules.
        If the network is 192.168.1.0/24, you don't need to specify destination 192.168.1.2;
        as you can see, states is 0/0.
        Communication between devices inside the same network is direct and does not pass through pfSense.

        For the rest of the question, I think the best way would be to use the DNS forwarder instead, as you can't force Windows clients to behave like you want, but I think that you can set pfSense as the DNS server for all your devices and configure forwarding to send requests to 192.168.1.2 and 1.1.1.1.

        • ACNiC @kiokoman

          @kiokoman thanks for the input!

          • bcruze

            Under Services > DHCP Server, there are 4 spots for DNS servers.

            Wouldn't you just put the Pi as the first, 1.1.1.1 as the 2nd to simplify this? And a 3rd if desired?

            • kiokoman

              Sadly not enough. AFAIK Windows doesn't always query the first DNS server, and IoT stuff like, for example, Google Nest takes into consideration only the first DNS.

              • SteveITS @kiokoman

                @kiokoman said in DNS failover:

                windows doesn't always query the first dns server

                Correct, it does not. Windows queries the "last successful" DNS server first. Other OSs query DNS servers in order. Notably, on a Windows Server domain the domain DNS should always be queried because public DNS doesn't know about the LAN network.

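The in-order failover this thread is after, as an added example that is not code from the thread or from pfSense: a probe that queries 192.168.1.2 first and uses 1.1.1.1 only when the first server does not answer. The function names are made up for this example, and treating any reply (including NXDOMAIN) as final is an assumption chosen so that Pi-hole blocking is not bypassed while the Pi-hole is up.

```python
import secrets
import socket
import struct

# Upstreams from the thread, in priority order: Pi-hole first, public resolver second.
UPSTREAMS = [("192.168.1.2", 53), ("1.1.1.1", 53)]

def build_query(name, qid):
    """Build a minimal DNS A-record query (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def rcode(reply):
    """Response code from the DNS header (0 = NOERROR, 3 = NXDOMAIN)."""
    return reply[3] & 0x0F

def query_upstream(upstream, name, timeout=1.0):
    """Return the raw reply from one upstream, or None if it stays silent."""
    query = build_query(name, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, upstream)
            reply, sender = sock.recvfrom(4096)
        except OSError:  # timeout, unreachable network or refused port
            return None
    # Accept only a response (QR bit set) from the queried server with our ID.
    if sender != upstream or len(reply) < 12 or reply[:2] != query[:2] or not reply[2] & 0x80:
        return None
    return reply

def resolve_in_order(upstreams, name, timeout=1.0):
    """Try upstreams strictly in order; fall back only when one does not answer.

    Any reply, including NXDOMAIN or a block address from the Pi-hole,
    ends the search, so filtering is not bypassed while the Pi-hole is up.
    """
    for upstream in upstreams:
        reply = query_upstream(upstream, name, timeout)
        if reply is not None:
            return upstream, reply
    return None, None

if __name__ == "__main__":
    used, reply = resolve_in_order(UPSTREAMS, "example.com")
    print("answered by:", used, "rcode:", None if reply is None else rcode(reply))
```
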