DNS resolution fails when WAN goes down

  • Hello,

    I have some critical intranet services on my network.  I make extensive use of dnsmasq, DHCP hostname automatic DNS registration, and manual DNS Forwarder entries.

    This all comes to a crashing halt when the WAN goes down.  I need internal DNS resolution to stay functional when the ISP is down.

    How can I mitigate this?  Is the TinyDNS package more resilient and logical when it cannot talk to upstream DNS?  (it shouldn't need to in this case anyways!)

  • You only loose DNS for the external stuff.
    Internal lookups still work.

    To get around the WAN limitations, create a static route pointing to the second WAN gateway for one of the DNS servers.
    Like this you still can reach a DNS server when the primary WAN goes down.

  • I only have one WAN.  Internal resolution must stay up when it is down.  I never recall this being a problem in past products or pfSense versions.

  • Ya what the other guys said sounds right…but this is a workaround really?  Maybe you should have your WAN provider check your connection out...it shouldn't drop that often or too long....or maybe you should switch ISP's :)


    I just noticed you said it worked right on previous versions...maybe something got corrupted on an upgrade? do a fresh install maybe? or at least backup what you have...do a fresh install and reload your backup?

    Good luck!

  • I actually can't remember the behavior in pfSense 1.0, but m0n0 and most other firewalls are able to do local DNS without a WAN up.

    It is nonsensical to require WAN to do internal DNS anyways.  What is it doing, checking with upstream DNS to make sure the records don't exist there?!  That would be a major security issue and could be exploited by anyone able to configure the upstream DNS.  As far as switching ISPs, that is really irrelevant.  This is a bug that should be fixed.  I have critical systems that need to talk to each other, and hostnames are the only logical way with the size of the network and end users.  I could run DNS on another box, but that is yet another point of failure and administration headache.  Outside connectivity isn't nearly as important, work can continue fine with out it.  As you can see, there is a valid use model for local DNS when WAN is down.  (Sorry, but "why would you want to do that" posts really get on my nerves.  Just because something isn't particularly useful to you doesn't mean this is so for others.  If you have valid technical points to make on why something doesn't work, that is acceptable for discussion)

    I tried the 1.2.3 prerelease and it has the same behavior.  I will provide any debugging info needed to help, and can test new images as well.

  • This is critically important to me and I am willing to bounty the issue!

    I NEED DNS resolver for internal DHCP and DNS Forwarder hostnames to STAY UP despite WAN outage.

Log in to reply