Best DNS Setup Practice

  • Hello Everyone,

I wanted to know if anyone could please advise me on the best way to configure pfSense as a secondary DNS server for an internal network. I am very new to using pfSense, and have been having difficulty getting clear steps to take in this matter. Currently I have my internal server (Nethserver) as the primary DNS server for all of my systems/clients, and a pfSense firewall as my gateway and secondary DNS server. Everything is resolving internally and externally, but I'm wondering if there is a better way to configure everything for faster performance. I wanted to have my Nethserver as the primary DNS to be able to resolve internal names, and the pfSense DNS is set to resolve while looking to OpenDNS servers for external requests/queries, for speed and light filtering. I know that's perhaps a lot of hops to make, but I didn't want to sacrifice name resolution for internal client names. Right now I don't have any resolution issues, but wanted to know what would be the best way to configure pfSense for ideal performance. Like I said, it is set up as a resolver (not a forwarder), and I have blocked internal clients from all external DNS queries except to the pfSense box. However, I am experiencing slow page loads on Android phones for some reason which I cannot explain.

    Any advice or pointing to other helpful resources would be greatly appreciated.

    Thank you very much in advance.


  • LAYER 8 Global Moderator

You should point all your clients to your internal NS, and then have it forward to pfSense to resolve external DNS. This is the common, normal setup.

If you want pfSense to actually be a secondary NS for your internal DNS, then you would most likely want to install the BIND package and use that vs. Unbound, which is just a caching resolver.

As to your Android having slowness with DNS: are they trying to use Google DNS that you're blocking, and it fails over to using your internal? Is it using IPv6, which you maybe have some problems with?

No client should have any issues resolving anything. If some specific client is having issues, then you should look at what that client is doing differently than your other clients that are not having issues.

Thanks for your reply. Currently all clients look to my internal server for their primary DNS, and then for external queries it goes to the pfSense box (not sure how to configure the Nethserver to actually forward to pfSense - at least there's nothing through the standard interface). I've read elsewhere of others suggesting BIND instead of Unbound as well. Do you know if there is a reason pfSense made Unbound their standard as opposed to BIND like other distros?

Regarding the Android phones, not really sure what the problem is there. I can test manually setting in the Google DNS (while removing the block rule in pfSense) just to see if that helps. I also enabled IPv6 traffic in case that was the problem, but it didn't help. Thankfully there are no resolving issues, but page loads are slow in the Android browser and in some apps.

    Thanks again Johnpoz.

  • LAYER 8 Global Moderator

    "r their primary DNS and then for external queries it goes to the Pfsense box"

So you have clients set with 2 different NS?? That cannot resolve the same thing - that is a borked setup and yeah, going to have problems…

You do not set your client to point to your internal NS as DNS 1 and, say, Google DNS for the 2nd DNS... which sounds like what you have done. Yeah, that is a borked setup and will cause all kinds of problems.

If your client happens to ask Google DNS, Google is either going to send back the wrong info, if you're just using someone's public domain internally, or it will send back NX, telling the client the domain doesn't exist. Once a client hears back that the domain doesn't exist, why would it ask a different NS?? It will cache this negative response for a specific amount of time before it will ask any NS anything for that domain.

You can point your client to multiple NS, but they need to be able to resolve all the same stuff. You do not point to external DNS and internal DNS at the same time. It's a borked config. You can point to multiple external, you can point to multiple internal.

Nethserver is just a Linux distro based on CentOS... What DNS software is it running? BIND? Whatever DNS you're running, RTFM on how to forward it to pfSense. Then only point your clients to your internal DNS.

  • Hello Johnpoz,

You misunderstood me, or more likely I failed to explain properly. My clients get their DHCP and DNS settings from the internal Nethserver. I can configure two DNS server addresses to go to each client (which are both just internal IP addresses: one for the Nethserver, and the other (or 2nd one) for the pfSense box).

  • LAYER 8 Global Moderator

    "ne for the Nethserver, and the other (or 2nd one) for the Pfsense box). "

And what does pfSense do? Does it have a forwarder to your internal? Seems pointless to do that. What scenario does that help you with?

pfSense would resolve your external stuff. You're doing what I already stated is bad. Even if pfSense can resolve your internal, how is your internal resolving external? Can it? Did you forward it to pfSense so pfSense resolves for it, or is it forwarding to outside, or is it resolving?

  • Hello Johnpoz,

The pfSense box resolves external requests. The internal (Nethserver) only resolves internal client names. The pfSense box does not point/forward back to the internal. My original question basically is, given the setup that I currently have (internal Nethserver to provide DHCP and DNS configuration to clients; pfSense to serve as network firewall and to handle external DNS requests), what would be the best way to configure everything for optimal performance? More specifically on the pfSense box itself. As I am new to using pfSense, the documentation does not clearly answer for my specific environment. Also, official training in its use is cost prohibitive for me, and the freely available online video tutorials are for older versions.

    I'd appreciate any configuration specifics anyone could provide for my particular case.

    Thanks again for your input.

  • LAYER 8 Global Moderator

Dude, how many DNS entries do your clients have? If they have both internal and pfSense, then it is borked.

Your DNS clients should only point to the Nethserver for DNS.
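The moderator's point about negative caching (a client that hears NXDOMAIN from one server stops asking for that name for the negative TTL) and the closing advice to list only the Nethserver are easy to see in a small model. The following Python script is an added example, not code from this thread, from pfSense or from Nethserver: it models a stub resolver with an ordered nameserver list and a negative cache, and runs the same sequence of lookups against three client configurations. The names (`fileserver.lan`, `www.example.com`), the addresses (RFC 5737 documentation ranges), the 300 s negative TTL and the brief outage of the internal server are all constructed for the illustration.

```python
"""
Model of stub-resolver behaviour with different nameserver lists.

Three servers are modelled (all constructed for this example):
  public    - a public resolver that knows only Internet names
  pfsense   - the firewall resolver; forwards everything to "public"
  internal  - the Nethserver; knows internal names, forwards the rest to pfsense
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NXDOMAIN = "NXDOMAIN"   # authoritative "no such name"
TIMEOUT = "TIMEOUT"     # server did not answer at all


@dataclass
class NameServer:
    name: str
    records: Dict[str, str]                  # names this server answers itself
    forwarder: Optional["NameServer"] = None  # where unknown names are sent
    down: bool = False                       # simulate an unreachable server

    def query(self, qname: str) -> str:
        if self.down:
            return TIMEOUT
        if qname in self.records:
            return self.records[qname]
        if self.forwarder is not None:
            return self.forwarder.query(qname)
        return NXDOMAIN


@dataclass
class StubClient:
    servers: List[NameServer]
    neg_ttl: int = 300                                   # seconds to remember NXDOMAIN
    neg_cache: Dict[str, int] = field(default_factory=dict)  # qname -> expiry time

    def resolve(self, qname: str, now: int) -> str:
        expiry = self.neg_cache.get(qname)
        if expiry is not None and now < expiry:
            # Served from the negative cache: no server is asked at all.
            return NXDOMAIN
        for ns in self.servers:            # ask in order, fail over only on timeout
            answer = ns.query(qname)
            if answer == TIMEOUT:
                continue
            if answer == NXDOMAIN:
                self.neg_cache[qname] = now + self.neg_ttl
            return answer                  # any real answer ends the search
        return TIMEOUT


def run_scenario(client_list: List[str]) -> List[str]:
    """Run a fixed lookup sequence for a client whose NS list is client_list.

    Returns the five answers the client saw, in order:
      1. fileserver.lan while everything is up
      2. fileserver.lan during a short outage of the internal server
      3. fileserver.lan right after the internal server is back
      4. fileserver.lan after the negative TTL would have expired
      5. www.example.com (an external name) via the same client
    """
    public = NameServer("public", {"www.example.com": "203.0.113.80"})
    pfsense = NameServer("pfsense", {}, forwarder=public)
    internal = NameServer("nethserver", {"fileserver.lan": "192.0.2.10"},
                          forwarder=pfsense)
    pool = {"internal": internal, "pfsense": pfsense, "public": public}
    client = StubClient([pool[n] for n in client_list])

    results = [client.resolve("fileserver.lan", now=0)]
    internal.down = True                   # brief outage or slow reply
    results.append(client.resolve("fileserver.lan", now=10))
    internal.down = False                  # internal server is back
    results.append(client.resolve("fileserver.lan", now=20))
    results.append(client.resolve("fileserver.lan", now=400))
    results.append(client.resolve("www.example.com", now=20))
    return results


if __name__ == "__main__":
    for servers in (["internal"], ["internal", "pfsense"], ["internal", "public"]):
        print(servers, run_scenario(servers))
```

With only the internal server listed, the outage shows up as a single TIMEOUT and the next lookup succeeds as soon as the server is back. With pfSense or a public resolver as the second entry, the client falls over to it during the outage, receives an authoritative NXDOMAIN for `fileserver.lan`, caches it, and keeps answering NXDOMAIN for the rest of the negative TTL even though the internal server is reachable again; external names resolve fine throughout, which matches the "no resolution errors, but intermittent weirdness" symptom. The model is simplified (real stub resolvers also rotate or query servers in parallel, which makes the mixed list fail even without an outage).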
