    I am looking for articles or advice on how to configure AD / pfsense so I can utilize pfblockerNG

    AD requires a DNS server that is part of the install and located on the Windows server .. my AD DNS server is on IP:

    My pfsense router is on the

    I need my local workstations to use the AD DNS of when logging into the server ( at least that is how I have always known to do it)

    But, I want to have my local clients use the pfsense DNS when traveling outside the local network. I need this so I can use the pfBlocker NG to use block lists to help stop malware, ads, etc..

    Looking for help on how to configure the DNS server on the windows box or pfsense to handle this... any help is greatly appreciated!

  • So.. I need my AD DNS on my Windows box to only resolve local network names and have pfsense resolve all outside addresses ... I am thinking DNS forwarder on the Windows box to point to the pfsense DNS...
  • might work, might not, try it.

    also: you should change your lan subnet. It's invalid.

  • I have a similar issue:

    2 active directory domain controllers, pfSense box with pfblockerng installed/configured.

    DC1 dns is pointing to DC2 as primary dns, DC1 as secondary
    DC2 dns is DC1 primary, DC2 secondary

    Both DCs dns server settings have use root hints disabled (even cleared the root hints list) and pointing to pfSense box as forwarder.

    By all accounts this should work, and internal DNS queries work great. DNS queries to outside the network (, some malware domains from the pi-hole lists) are returning their actual IPs instead of the of the DNSBL server.

    In a testing environment where pfSense handles both DHCP and DNS, pfblocker is working perfectly.

  • Add pfsense as a forwarding dns on both of your dc. this will force all non internal traffic to pass pfsense.

  • Thanks for the reply; I don't think that I explained that I have done this. Both DCs have the pfSense IP set in the forwarding tab of their DNS server settings. All other forwarders were removed and the "use root hints" box has been unchecked. I then restarted both DCs, and it still appears that the servers aren't using forwarders properly.

    I've also checked that the clients connecting have gotten the DNS settings properly from DHCP.

  • As a test I pointed a machine directly to the pfSense box for DNS and I'm still able to access a site that I think should be blocked. I'll go back to checking that pfblocker is configured properly.
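    A worked example of the two steps discussed above, the "add pfSense as the only forwarder on both DCs" advice and the "point a machine straight at pfSense and compare" test, as one PowerShell script run on a DC. This is an added example, not code from the thread, from pfSense or from pfBlockerNG; the pfSense address, the DNSBL sinkhole address and the test domain are placeholders you replace with your own values, and `Test-DnsblResolution` is a helper written for this example.

    ```powershell
    # Added example (not from the thread): configure the DNS Server role on a DC to
    # forward to pfSense only, then check where a DNSBL-listed name actually resolves.
    # All three values below are placeholders.
    #Requires -Modules DnsServer
    param(
        [string]$PfSenseIp  = '192.0.2.1',       # placeholder: pfSense LAN address
        [string]$DnsblVip   = '192.0.2.254',     # placeholder: the DNSBL address shown in pfBlockerNG's DNSBL settings
        [string]$TestDomain = 'blocked.example'  # placeholder: a name that is in one of your enabled DNSBL feeds
    )

    # 1. Forwarders: send every name this DC is not authoritative for to pfSense,
    #    and do not fall back to root hints. With root hints left on, a slow or
    #    failed forwarder lets the DC resolve the name itself and bypass DNSBL.
    Set-DnsServerForwarder -IPAddress $PfSenseIp -UseRootHint $false -Timeout 3
    Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

    # Flush the server cache so an answer cached before the change does not mask the test.
    Clear-DnsServerCache -Force

    # Helper (written for this example): query one server for A records and report
    # whether the answer is the DNSBL sinkhole address.
    function Test-DnsblResolution {
        param([string]$Name, [string]$Server, [string]$ExpectedIp)
        $answers = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        $ips = @($answers | ForEach-Object { $_.IPAddress })
        [pscustomobject]@{
            Server    = $Server
            Name      = $Name
            Answers   = ($ips -join ', ')
            Sinkholed = ($ips -contains $ExpectedIp)
        }
    }

    # 2. Ask pfSense directly, then ask this DC (127.0.0.1), which should forward to pfSense.
    #    - pfSense row sinkholed, DC row not: the DC is answering from somewhere other than
    #      the forwarder (cache, a conditional forwarder, or a zone that matches the name).
    #    - neither row sinkholed: the problem is on the pfBlockerNG side (feed not loaded,
    #      DNSBL not enabled, or the test name is simply not on a list).
    Test-DnsblResolution -Name $TestDomain -Server $PfSenseIp -ExpectedIp $DnsblVip
    Test-DnsblResolution -Name $TestDomain -Server 127.0.0.1  -ExpectedIp $DnsblVip
    ```

    Run it once per DC and compare the two rows. `-DnsOnly` keeps `Resolve-DnsName` from consulting the hosts file or the local resolver cache, so each row reflects what that server returned over the wire; if your DNSBL is configured to answer with a null address instead of a sinkhole address, set `$DnsblVip` to that address.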

  • a simple tracert from the dc would have shown if pfsense is used as a forwarder😉

  • Really? I thought that'll just follow the route out of the gateway. Is there an option that I'm missing?

  • tracert will follow the configured dns servers.

    btw. leave the root hints checked if no forwarders are available if you have a pfsense ha cluster.

