All LAN boxes resolve local hosts but the pfSense gateway

  • Greetings -

    I have a minor quirk in my network dns resolution process, that while I don't think it is causing any problems right now, I would like someone more knowledgeable to educate me and maybe I can fix it.

    In short, the problem is that the pfSense gateway box itself can not resolve fully qualified host names of any of the LAN boxes on the network.

    All the boxes on my LAN are getting DHCP and DNS settings from a dnsmasq server on the network that is separate from my pfSense router / gateway box.  The dnsmasq box has been present on the network for many years before the pfSense gateway box was installed.

    A generic network diagram would be:

    Windows LAN box:

    dnsmasq server:

    pfSense gateway:

    A Windows box on the network has an internet connection and can resolve all host names.  The network settings provided to the Windows box by the dnsmasq server include the following:

    C:\Users\jeffb>ipconfig /all
    Windows IP Configuration
      Host Name . . . . . . . . . . . . : jab-prec3610
      Primary Dns Suffix  . . . . . . . :
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : mei.lan

    Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . : mei.lan
      Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
      Physical Address. . . . . . . . . : 98-90-96-A2-5F-02
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::28f1:3c0b:c6a8:91ea%11(Preferred)
      IPv4 Address. . . . . . . . . . . :
      Subnet Mask . . . . . . . . . . . :
      Lease Obtained. . . . . . . . . . : Tuesday, June 20, 2017 2:32:03 PM
      Lease Expires . . . . . . . . . . : Thursday, June 22, 2017 7:31:41 AM
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . :
      DHCPv6 IAID . . . . . . . . . . . : 244879510
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D4-D6-D5-98-90-96-A2-5F-02
      DNS Servers . . . . . . . . . . . :
      Primary WINS Server . . . . . . . :
      NetBIOS over Tcpip. . . . . . . . : Enabled

    Applicable DNS settings on the dnsmasq server include the following:


    I am using the DNS Resolver on the pfSense box, and it includes the following settings:

    DNS Resolver = enabled
      Network Interfaces = all
      Outgoing Network Interfaces = all
      System Domain Local Zone Type = transparent
      DNSSEC = not checked
      DNS Query Forwarding = not checked
      DHCP Registration = not checked
      Static DHCP = checked
      Domain Override =  taxa.mei.lan

    The dashboard on the pfSense box shows:
      DNS Servers =

    The DNS Forwarder on the pfSense box is not enabled.

I am assuming that I have a minor configuration change that could be made on the pfSense box that would correct my issue, but didn't know what, and didn't want to randomly experiment with changing the settings.  I know that I could manually add the host names and IP addresses into the /etc/hosts file of the pfSense box, but don't know if that would be retained across upgrades.

    So in summary, what change would I need to make to enable the pfSense box to resolve fully qualified host names of other boxes on the LAN?


  • LAYER 8 Global Moderator

    so pfsense domain is mei.lan

But then your dnsmasq box also thinks it's authoritative for mei.lan

    And you're wondering why pfsense can not lookup host.mei.lan ?

    I see your domain override for your PTR.  But where is your domain override telling pfsense to go check your dnsmasq when it wants to look up host.mei.lan?

  • so pfsense domain is mei.lan


But then your dnsmasq box also thinks it's authoritative for mei.lan

    I believe so.  That shows my lack of knowledge regarding how this is integrated between the two boxes.  Any specific pointers to good reference documents that would educate me on this particular issue are welcome, as I haven't found the answer on my own over the last month or so.

And you're wondering why pfsense can not lookup host.mei.lan ?

    I can't tell if that is a rhetorical question, sarcasm, or otherwise.  But, yes, I believe that is the question I am asking.  If you are implying that the answer is the logical result of your first two statements, then I will of course need some more explanation to understand it.

I see your domain override for your PTR.  But where is your domain override telling pfsense to go check your dnsmasq when it wants to look up host.mei.lan?

    I don't recall the reason why the domain override is there, and my notes don't make it any clearer to me.  I have showed you all my configuration information, so if there is something missing that should be present to fix this I need to understand what that is.  I am not really clear on what a domain override is, or does.

    My logical understanding of this is that the pfSense box only knows to look outward (to the internet) for name resolution, but doesn't know to look inward (LAN) to resolve my local domain.  That is what got me to the point of thinking that it is a minor configuration error on the pfSense box and not a problem on the dnsmaq box or elsewhere.  But I don't understand what I need to change on the pfSense box to fix it.

    Further explanation, or pointers to good reference documentation is appreciated.


  • Have you tried adding

    Domain Override = mei.lan    taxa.mei.lan

  • Thanks gjaltemba,

After much research and reading about what domain override is and what it does, I did put that in my domain override yesterday afternoon before I saw your reply.  Upon testing it appears to solve my issue.  In hindsight the simple description of what domain override does on the pfSense Unbound DNS Resolver help page seems to describe my case.  However, I was getting stuck in my searches through the forum and other Google results that describe domain overrides used in combination with VPN tunnels and other situations that confused me more than helped.

    Now I have to figure out whether I really need that first override that I had listed, as I don't understand what it should do.  I may remove it and see what the effects are.  Looking through my notes I put it there trying to solve a split DNS issue, which is still unsolved.  I have an OwnCloud site on my network that I would like to be able to access from within my LAN using the same domain name that is used from outside the LAN.  Right now I have to use cloudserver.mei.lan from within the LAN and from outside the LAN.  When using the from within the LAN, I get the pfSense page that identifies a potential DNS rebind attack detected, instead of the login page for the cloud server.


  • Domain Override =    taxa.mei.lan

This one is for reverse lookup. Get name from IP.
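As an added illustration (not code from the thread or from pfSense), the following Python model shows why gjaltemba's mei.lan override fixes the forward lookups and why the earlier override still serves reverse (PTR) lookups: Unbound answers from local data first, then forwards to the longest matching Domain Override (a forward-zone), and otherwise recurses to the internet, which cannot know a private mei.lan host. The dnsmasq address and the in-addr.arpa zone used for the reverse override are constructed placeholders, since the thread's real values are not shown.

```python
from dataclasses import dataclass, field

# Constructed placeholder values; the thread's real addresses are not shown.
DNSMASQ_IP = "192.0.2.53"
REVERSE_ZONE = "2.0.192.in-addr.arpa"   # assumed shape of a reverse-lookup override

@dataclass
class ResolverConfig:
    system_domain: str                               # pfSense "System Domain Local Zone"
    local_zone_type: str = "transparent"
    local_data: dict = field(default_factory=dict)   # host overrides / static DHCP entries
    domain_overrides: dict = field(default_factory=dict)  # zone -> server to forward to

def _in_zone(name: str, zone: str) -> bool:
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def resolve_path(cfg: ResolverConfig, qname: str) -> tuple:
    """Return (decision, target): where Unbound sends the query for qname."""
    q = qname.rstrip(".").lower()
    if q in cfg.local_data:                          # local data answers first
        return ("local-data", cfg.local_data[q])
    matches = [z for z in cfg.domain_overrides if _in_zone(q, z)]
    if matches:                                      # longest forward-zone wins
        return ("forward", cfg.domain_overrides[max(matches, key=len)])
    if cfg.local_zone_type == "static" and _in_zone(q, cfg.system_domain):
        return ("nxdomain", None)                    # static zone never recurses
    return ("recurse", "internet")                   # transparent zone: resolve normally

def unbound_fragment(cfg: ResolverConfig) -> str:
    """Render Domain Overrides as the forward-zone stanzas pfSense hands to Unbound."""
    return "\n".join(f'forward-zone:\n    name: "{z}"\n    forward-addr: {s}'
                     for z, s in cfg.domain_overrides.items())

# Before the fix: only the reverse-lookup override exists.
BEFORE = ResolverConfig("mei.lan", domain_overrides={REVERSE_ZONE: DNSMASQ_IP})
# After the fix: mei.lan itself is forwarded to the dnsmasq box.
AFTER = ResolverConfig("mei.lan", domain_overrides={REVERSE_ZONE: DNSMASQ_IP,
                                                    "mei.lan": DNSMASQ_IP})

if __name__ == "__main__":
    for cfg, label in ((BEFORE, "before"), (AFTER, "after")):
        print(label, "host.mei.lan ->", resolve_path(cfg, "host.mei.lan"))
    print(unbound_fragment(AFTER))
```

Host Overrides or Static DHCP entries would populate local_data and short-circuit the lookup before any forwarding happens.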


  • Ahh, I see the usefulness of that now.  It will stay.
