"Disable DNS Forwarder" Option

  • I'm confused about the "Disable DNS Forwarder" option under System > General Setup > DNS Server Settings.

    First, the name of that option doesn't seem to agree with what the text next to it talks about:

    Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall

    By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on localhost, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers in resolv.conf.

    It doesn't appear to disable the DNS Forwarder. Instead it looks like it just prevents pfSense from using localhost (127.0.0.1) as the first place to check for DNS resolution. OK. I'm fine with that. But, WHY would I not want to use localhost? The Help page appears to be out of date and only refers to the DNS Forwarder and not the DNS Resolver:

    Do not use the DNS Forwarder as a DNS server for the firewall: By default the firewall itself will also use the DNS Forwarder. This is faster, more robust, and less likely to fail. If the DNS Forwarder is disabled, this should be checked to prevent the firewall from attempting to use the DNS Forwarder for its own DNS.

    But, I assume it now should say something like if BOTH DNS Forwarder and DNS Resolver are disabled, then that option should be checked.  So, just to make sure, if I've got Forwarder disabled and Resolver enabled, I should leave that option OFF?