• Do you know how to set up the pfsense DNS server as a secondary DNS server?

    I have a few domain names using my personal Windows Server 2019 DNS server (at the data center location) to resolve IPs for the public. Now, I want to set up a secondary DNS (at the office location) using pfSense to replicate the Windows Server 2019 DNS server. Do you know how?


  • @leungda
    Just enter the first DNS server's IP at the first position of DNS servers in System > General Setup > DNS Server Settings.

    If the WAN is DHCP/PPP ensure that DNS Server Override is not checked below.


  • I guess you misunderstood my question

  • LAYER 8 Netgate

    @leungda The only way you can do that is to run the BIND package and set up slave zones to pull the zone files from the master name server.

    I am not sure I would do that. I would probably roll a new BIND server or - probably even better - a windows server to do that duty.


  • Yes, you got my question correctly. The Windows Server 2019 DNS is the MASTER DNS and the pfsense BIND server will be the SLAVE DNS server.

    I understand I can install another server at the office location. My point is, if pfSense has the BIND server, why not use pfSense as a SLAVE server?

    I checked the internet and youtube. I cannot find any configuration video or documentation regarding this kind of set up.


  • @leungda said in Secondary DNS Server:

    Why not using the pfsense as a SLAVE server.

    Because https://forum.netgate.com/topic/133593/bind-setup-pfsense-as-slave-dns-server/8?_=1607327341512

    I'll add one more "why not": bind, like any other daemon-type process, uses config files.
    And like server daemons such as apache2, nginx, postfix etc., it's close to impossible to build a GUI around them. You wind up doing what's been done for the last 3 or 4 decades: editing the config files with a text editor. Typically, you'll need 3 SSH sessions open while editing:
    One where you edit the config files (bind has many config files and zone files), one to restart or reload bind9, and one where you 'tail' the bind log file(s). Typically, these log files are split into debug, xfer, dnssec, query, etc.
    Once set up correctly, you'll be fine for some time.

    You have two choices:
    bind does everything for your pfSense: working as a resolver for pfSense and your LANs, and as slave DNS name server for your domain name.
    Or you make a mix: unbound listens only to the LANs and the pfSense localhost, and bind binds to the WAN IP, port 53.
    I guess it is possible, with actually ONE restriction: you have to know bind.

    My own slaves run on a VPS that exists for only that reason: DNS and mail backup server.

    I've been using https://freedns.afraid.org/ for a long time as a second (third, actually) but had to remove them: as I'm using Letsencrypt, freedns.afraid.org is too slow to update (execute the XFER upon NOTIFY), so acme failed to renew my certs.
    What happens is that I ask mostly for wild card certs, which implies two records being pushed (using nsupdate) to the master DNS. When this happens, the master sends out after each record update a NOTIFY to the slaves. The first XFER initiated by the slaves happens quickly, but then - @freedns - some rate limiting kicks in, the second record gets XFERred much later, making the Letsencrypt check fail. In the past, Letsencrypt checked just one name server, which could be the master answering, or the slave, making the chance bigger to succeed. These days, master and all the slaves are checked.
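A concrete named.conf for the "mix" layout described in the post above (unbound keeps the LANs and localhost, BIND listens only on the WAN address and holds a slave copy of the public zone). This is an added example, not configuration from the thread or from the pfSense BIND package; the zone name, the addresses and the file paths are assumptions.

```conf
// Added example. Assumed: zone example.com, Windows 2019 master at
// 198.51.100.1, pfSense WAN address 203.0.113.2, paths below are placeholders.

options {
    directory "/var/db/named";          // assumption; must be writable by named
    listen-on port 53 { 203.0.113.2; }; // WAN only: unbound keeps 127.0.0.1 and the LANs
    listen-on-v6 { none; };
    recursion no;                       // authoritative only on the public side
    allow-query { any; };               // the world may ask for the zone
    allow-transfer { none; };           // nobody pulls the zone from this slave
    allow-notify { 198.51.100.1; };     // accept NOTIFY only from the master
};

zone "example.com" {
    type slave;
    masters { 198.51.100.1; };          // the Windows Server 2019 DNS
    file "slave/example.com.db";        // on-disk copy of the transferred zone
};
```

The slave never pulls anything unless the Windows zone allows transfers to 203.0.113.2 and sends it NOTIFY (Zone Transfers and Notify tabs in the zone's properties). Because BIND claims the WAN address on port 53, unbound's network interface list must be restricted to the LAN and localhost addresses, otherwise one of the two fails to bind. After a `rndc reload` (or a restart of the package) the xfer log should show the AXFR from 198.51.100.1, and `dig +short SOA example.com @203.0.113.2` should return the same serial as the master.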

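The XFER-lag failure mode above (a slave that still serves the old serial when the ACME validator asks it) can be detected before a renewal is triggered by comparing the SOA serial on the master and on every secondary. The script below is an added example, not from the thread; it speaks the SOA query over UDP/53 with the standard library only (no dnspython) and includes a constructed-response builder so the parser can be exercised offline. Zone and server addresses are placeholders.

```python
"""Check that a zone's SOA serial has converged on the master and all secondaries."""
import socket
import struct

SOA = 6  # RR type
IN = 1   # class


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone, txid=0x1234):
    """Standard query with RD set and one question: <zone> SOA IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", SOA, IN)


def build_soa_response(zone, mname, rname, serial, txid=0x1234):
    """Constructed authoritative answer (QR+AA) with one SOA record; the answer
    owner name is a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack(">HH", SOA, IN)
    rdata = encode_name(mname) + encode_name(rname) + struct.pack(
        ">IIIII", serial, 3600, 900, 1209600, 300)  # serial, refresh, retry, expire, minimum
    answer = b"\xC0\x0C" + struct.pack(">HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return header + question + answer


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_soa_serial(msg):
    """Extract the SOA serial from the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"rcode {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _, _, rdlength = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            rd = skip_name(msg, off)  # MNAME
            rd = skip_name(msg, rd)   # RNAME
            return struct.unpack(">I", msg[rd:rd + 4])[0]
        off += rdlength
    raise ValueError("no SOA record in answer section")


def query_serial(server, zone, timeout=2.0):
    """Ask one name server (UDP/53) for the zone's SOA serial."""
    query = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_soa_serial(data)


def check_convergence(zone, master, secondaries, fetch=query_serial):
    """Compare the master's serial with every secondary's.
    Returns (converged, master_serial, {server: serial or error text})."""
    master_serial = fetch(master, zone)
    results, lagging = {}, []
    for server in secondaries:
        try:
            serial = fetch(server, zone)
        except (OSError, ValueError) as exc:  # timeout, SERVFAIL, unreachable...
            results[server] = f"error: {exc}"
            lagging.append(server)
            continue
        results[server] = serial
        if serial != master_serial:
            lagging.append(server)
    return (not lagging, master_serial, results)


if __name__ == "__main__":
    import sys
    # usage: soa_check.py example.com. 198.51.100.1 203.0.113.2 [more secondaries]
    zone, master, *secondaries = sys.argv[1:]
    ok, serial, results = check_convergence(zone, master, secondaries)
    print(f"master serial {serial}; secondaries: {results}")
    sys.exit(0 if ok else 1)
```

Run it in a loop (with a short sleep) after each `nsupdate` and only hand control to the ACME client once it exits 0; a secondary that keeps returning the old serial is exactly the case the post describes, and the ACME validation would fail against it.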