Netgate Discussion Forum
    How to use DNS servers from active tier only in dual WAN failover setup

Routing and Multi WAN
    6 Posts 2 Posters 1.3k Views
kassu

I have pfSense with two WAN interfaces configured for failover. The DNS forwarder is enabled. How do I make the DNS forwarder use DNS servers from the active WAN interface only?

My gateway group consists of Tier 1 WAN with an unmetered cable modem and Tier 2 OPT1 with a metered wireless dongle.

In General Setup / DNS server settings I do not have any manually configured DNS servers, but I have DNS Server Override enabled as I want to use the ISP-assigned DNS servers.

Regular traffic from LAN is routed correctly. But when both gateways are online, DNS queries are being forwarded to DNS servers from both ISPs. This causes unnecessary traffic on the Tier 2 backup connection when it should remain idle.
Soyokaze

Create a floating rule with the destination addresses and use the gateway group in it.

Need full pfSense in a cloud? PM for details!
kassu

Thanks. Do you mean rules with the DNS server IP addresses as the destination?
The DNS servers are ISP-assigned through DHCP/PPP, so those IP addresses aren't really known in advance. Static rules would rot on the first change at the ISP.
Or is there a way to reference the assigned DNS servers by a symbolic name in the rules?
Soyokaze

Well, ISPs rarely change DNS, but…
You have two options:
1. Create a floating rule with destination any and port 53. This will force all DNS queries to go through the active tier. There are some caveats with this (can't access any DNS through the inactive tier), but it will probably work fine for you.
2. Create a floating rule with destination any and port 53 AND source "This firewall (self)". This is the best solution (it forces only traffic originating from pfSense to go through the active tier), but it depends on how queries are made.

Start with the second variant; if no success, fall back to the first.
kassu

Thanks pan_2 for your suggestions.
Actually, the caveat in option 1 would be in line with what I need. My goal is zero traffic on the inactive tier.

However, I think there are issues with both options. DNS forwarding would still use the DNS server addresses provided by the inactive tier ISP as well. These queries would simply be routed through the active tier ISP, right?
1. The inactive tier ISP's DNS would see the queries as coming from an outside network, not from their own clients: likely denying recursive queries?
2. Wireless networks typically use private addresses and NAT: the DNS servers provided may not even be routable from outside?

You're probably right that DNS may not change that often, but there is little point in using automatically configured DNS in the first place if you have to specify the same addresses elsewhere manually anyway.
Soyokaze

"DNS forwarding would still use the DNS server addresses provided by the inactive tier ISP as well"
1. Probably
2. Yes
Your only option would be to use some public DNS, like Google ones, or PublicDNS. If you need to resolve some entries through ISP servers only, you can add them to unbound overrides.
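The two objections kassu raises (foreign-ISP resolvers refusing recursion once the port-53 floating rule pushes them out the active WAN, and RFC1918 resolvers behind the backup ISP's NAT being unreachable from the other link) can be turned into a quick audit of the forwarder's upstream list. This is an added example, not code from the thread or from pfSense; the per-interface resolver lists, interface names and gateway status are constructed placeholders, and the failover selection simply takes the lowest tier that is online.

```python
import ipaddress

# Constructed example: resolvers a DHCP/PPP WAN might hand out, one list per
# interface. Addresses are made up (documentation ranges), not real ISP ones.
ASSIGNED_DNS = {
    "wan":  ["198.51.100.10", "198.51.100.11"],  # tier 1: unmetered cable
    "opt1": ["10.64.0.1", "203.0.113.53"],       # tier 2: metered wireless
}
GATEWAY_GROUP = ["wan", "opt1"]  # failover order: index 0 is tier 1
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def active_interface(gateway_status):
    """Return the first interface in tier order whose gateway is online."""
    for iface in GATEWAY_GROUP:
        if gateway_status.get(iface) == "online":
            return iface
    return None

def audit_upstreams(upstreams, active, assigned=ASSIGNED_DNS):
    """Classify each forwarder upstream relative to the active tier.

    ok              - assigned by the active tier, reached over its own link
    inactive-tier   - assigned by the backup tier: either wakes the idle link
                      or, with a port-53 floating rule, leaves via the active
                      ISP where the foreign resolver will likely refuse it
    private-address - RFC1918 resolver behind the backup ISP's NAT, not
                      routable from the active tier at all
    external        - not assigned by any WAN, e.g. a public resolver
    """
    owner = {ip: iface for iface, ips in assigned.items() for ip in ips}
    verdicts = []
    for server in upstreams:
        iface = owner.get(server)
        if iface is None:
            verdicts.append((server, "external"))
        elif iface == active:
            verdicts.append((server, "ok"))
        elif any(ipaddress.ip_address(server) in net for net in RFC1918):
            verdicts.append((server, "private-address"))
        else:
            verdicts.append((server, "inactive-tier"))
    return verdicts

if __name__ == "__main__":
    # Both gateways online: the forwarder holds every assigned resolver.
    active = active_interface({"wan": "online", "opt1": "online"})
    everything = [ip for ips in ASSIGNED_DNS.values() for ip in ips]
    for server, verdict in audit_upstreams(everything, active):
        print(f"{server:16} {verdict}")
```

Anything other than "ok" or "external" is a query that will either touch the metered link or fail, which is exactly the situation the thread ends up recommending public resolvers to avoid.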
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.