pfSense can DNS-resolve all domains but "" itself!

  • Environment:
LAN network, with the DNS server at (Win Srv 2016 domain controller) and the pfSense gateway at (its LAN interface). It's a virtual ESXi environment, with a virtual pfSense appliance as the gateway. I've configured pfSense's DNS to be (as it should be). The version is 2.4.2-RELEASE (amd64), community edition.


    • First I noticed that pfSense cannot resolve internal host names, and I solved that by checking the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" option. Without the forwarder/resolver, pfSense started resolving internal host names successfully.

    • But after that I noticed that pfSense cannot list available packages. I googled for a solution and found that none of the websites could be opened (Firefox reporting its "unknown host name" message).

    • I immediately tried to open the site on my other machine, which isn't in the virtual LAN but at my home, and found that "" works normally.

    • I came back to the LAN again and tried nslookup from one of the machines in the network, and it also failed to resolve "". But the biggest surprise for me was that all the other domains I tried (i.e., , , etc.) can be resolved! And the issue was the same with all my other LAN machines: all of them are able to resolve any other domain, but not "" and its subdomains.

    • Even pfSense itself (Diagnostics -> DNS Lookup) was able to resolve all other domains, public and LAN, but not "" itself! One cannot get weirder symptoms.

    • Then I unchecked the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" option again, and pfSense, in its Diagnostics -> DNS Lookup, started resolving "" successfully. But not the rest of my network, which queries my WinSrv 2016 domain controller's private DNS. And with the resolver/forwarder, pfSense isn't able to resolve my LAN host names. So it looks like I cannot get both :P

    Keep in mind that my private DNS successfully resolves all the other domains I've tried. Not only huge ones like and , but even some of my own domains no one else knows about.

    So what causes the problem? Well, there are two possible suspects (in my opinion), both very strange:

    • WinSrv 2016 DNS refuses to resolve "" but works great with all other domains;

    • WinSrv 2016 DNS actually tries to resolve "", but my pfSense appliance blocks its external DNS requests if they are for the "" domain name(s).

    :o Weird!

    Maybe someone knows something about this?


  • Hi,

    Instead of explaining what might have happened, I'll propose the easy one:
    Use default settings and you'll be fine.
    Not using default settings is fine too, but there are consequences. One of them is: pfSense itself can't resolve anymore. After that, pfSense can't find any upgrades anymore (or packages).

    edit: sorry, forgot to say this: the default setting is: use Resolver.

    edit: like this: - happens all the time.

