DNS Forward not working for AD domain through VPN (solved)

  • I'm fairly new to pfSense, started learning about a week ago as I have a new client with pfSense installed at their main and remote locations.
    The problem they are experiencing is that the previous admin set up DHCP at the remote location to only use the DNS server at the main location, which it accesses through the IPsec VPN connection. While this works fine when the VPN is connected, if there is a connection problem at the main location and the VPN is down, the remote location cannot access the internet at all (makes sense, as they cannot access the domain DNS server).

    Having worked for many years on Windows servers, I'm assuming the correct way to configure this is to have the clients at the remote location use the IP of their local pfSense box as the DNS server and have the pfSense unit do DNS forwarding. I've been able to set this up and it works well for internet DNS lookups, but when I try to do an nslookup (from a PC or from pfSense diagnostics) on any domain computer, including the DNS server at the main office, DNS times out.

    The version of pfSense is 2.3.2. Under System > General, I have the domain DNS server listed first, then the ISP's DNS servers as 2 and 3 (all connecting through the WANGW).

    Firewall rules for LAN and IPsec are allow all. I also tried allowing DNS for all on the WAN interface, but removed that when it didn't help.

    Enable DNS forwarder is checked and DNS Resolver is unchecked. I have added host and domain overrides for the AD DNS server to the DNS forwarder, but it didn't help. DNS forwarder is selected for interfaces LAN and Localhost.

    Under diagnostics, DNS lookup, it finds internet addresses immediately, but if I query for an internal DNS record, it takes about 20 seconds and the DNS request to the internal DNS server returns "no response".

    One other thing that seems strange to me is that when I run nslookup on a PC and set the server to the pfSense IP, it returns the IP address and not the pfSense firewall name.

    I can't help but think I'm overlooking something, but I have spent hours trying to fix the problem and searching the internet endlessly.

    Thank you in advance,


  • When you added the domain override for the AD domain in the forwarder, did you specify the LAN IP of the pfSense box in the 'source ip' field?

  • No, it is the WAN IP of the pfSense box, should it be the LAN IP?

    Thank you

    Also, I checked the box to receive notification of reply and have checked my junk mail and spam filter, but didn't receive notification that you had replied. Is there somewhere I can verify those settings?

  • I assumed that your response was indicative of what the setting should be, and once I changed it to the LAN IP, it's working perfectly.

    Thank you very much for your assistance.

    Other than clicking on "thank you" is there any other way to flag your answer as helpful or the correct answer?

  • You might be able to modify the subject to add (solved). Glad to be of help.
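The fix in the thread is the "source IP" of the Forwarder domain override: pfSense renders each override as a dnsmasq `server=/<domain>/<target>@<source-ip>` line, and a query the firewall itself sends into a policy-based IPsec tunnel only matches the phase 2 selector when its source address lies inside a phase 2 local network. Sourced from the WAN address (or with no source set, in which case the kernel picks the WAN address from the default route), the query leaves unencrypted and the AD DNS server never answers, which is the 20-second "no response" in the original post. The following is an added example, not code from the thread or from pfSense: it parses dnsmasq-style override lines and flags any whose source address is missing or outside the tunnel's local subnet. The subnets and addresses (192.168.20.0/24 LAN, 203.0.113.5 WAN, 10.10.0.10 AD DNS, domain corp.example) are constructed for the example.

```python
"""Audit pfSense DNS Forwarder (dnsmasq) domain overrides against the IPsec
phase 2 local subnets.  Added example, not from the thread or from pfSense.

pfSense writes each Forwarder domain override as
    server=/<domain>/<target-dns-ip>[#port][@<source-ip>]
(the @<source-ip> form is standard dnsmasq --server syntax).  A query the
firewall itself originates only enters a policy-based IPsec tunnel when its
source address is inside a phase 2 local network.
"""
import ipaddress
import re

# Constructed sample values (assumptions for this example): the remote site's
# LAN is 192.168.20.0/24 and is the IPsec phase 2 local network, the WAN
# address is 203.0.113.5, and the AD DNS server at the main office is 10.10.0.10.
PHASE2_LOCAL_NETS = ["192.168.20.0/24"]

SAMPLE_OVERRIDES = """\
server=/corp.example/10.10.0.10@203.0.113.5
server=/corp.example/10.10.0.10@192.168.20.1
server=/corp.example/10.10.0.10
server=/20.168.192.in-addr.arpa/10.10.0.10@192.168.20.1
listen-address=192.168.20.1
"""

# domain, target (before any #port), optional @source (before any #port)
_LINE = re.compile(
    r"^server=/(?P<domain>[^/]+)/(?P<target>[^@#\s]+)(?:#\d+)?(?:@(?P<source>[^#\s]+))?"
)


def parse_override(line):
    """Return (domain, target, source_or_None) for one server= override line,
    or None if the line is not a domain override."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return m.group("domain"), m.group("target"), m.group("source")


def check_override(line, phase2_local_nets=PHASE2_LOCAL_NETS):
    """Classify one override line.

    'ok'                      source address is inside a phase 2 local network
    'no-source'               no @source, so the kernel picks the WAN address
    'source-outside-tunnel'   source set, but not covered by any phase 2 network
    'source-is-interface'     dnsmasq @interface form, not an address
    None                      not a domain override line
    """
    parsed = parse_override(line)
    if parsed is None:
        return None
    _domain, _target, source = parsed
    if source is None:
        return "no-source"
    try:
        src = ipaddress.ip_address(source)
    except ValueError:
        return "source-is-interface"
    nets = [ipaddress.ip_network(n, strict=False) for n in phase2_local_nets]
    return "ok" if any(src in n for n in nets) else "source-outside-tunnel"


def audit(config_text, phase2_local_nets=PHASE2_LOCAL_NETS):
    """Return [(domain, target, source, verdict), ...] for every override line."""
    results = []
    for line in config_text.splitlines():
        verdict = check_override(line, phase2_local_nets)
        if verdict is None:
            continue
        domain, target, source = parse_override(line)
        results.append((domain, target, source, verdict))
    return results


if __name__ == "__main__":
    for domain, target, source, verdict in audit(SAMPLE_OVERRIDES):
        shown = source or "(route default, i.e. WAN)"
        print(f"{domain:30} -> {target:12} src={shown:26} {verdict}")
```

Only the overrides sourced from 192.168.20.1 pass; the WAN-sourced line and the line with no source are the configurations that produce the symptom in the thread. On a real box the same check can be run against the generated `/var/etc/dnsmasq.conf`, with the phase 2 local networks taken from the IPsec configuration.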