Netgate Discussion Forum
    Force primary DNS as pfsense DNS

    DHCP and DNS
    5 Posts 3 Posters 1.3k Views

    Wastapi (last edited by Wastapi)

      I need to force all my users in the network to use my pfsense as primary DNS.

      Then they can set their own like 8.8.8.8, but it needs to be secondary.

      The problem I have is that if the 192.168.8.1 (my DNS) is last in the chain, the local custom hosts do not work.

      It seems to query 8.8.8.8 and then give up.
      How can I achieve this?

      bmeeks (last edited by bmeeks)

        You are learning one of the first lessons about DNS servers. You really only want your users pointing to pfSense and nothing else. You can't control which DNS server a given client may choose to query when it has more than one to pick from. Not all clients will honor "primary" and "secondary" like you think they should.

        But in your case, the root problem is that 8.8.8.8 will return "NXDOMAIN" (or non-existent domain) for your local hosts, thus the client gives up looking further. A client only checks a secondary DNS when the primary fails to respond at all. After a timeout, the client will check any other DNS servers it has configured. But if the primary responds, the client takes its answer and does not query any further. So the Google DNS server tells your client the host (or domain) does not exist, and the client says "OK, thank you -- I'm done looking for this."

        Point your clients to pfSense as their only DNS server. Then on pfSense you can configure resolving (which is the default anyway if you change nothing). You can even go farther and do DNS redirection so even if your clients attempt to configure their own DNS server, any traffic destined for ports 53 or 853 can be redirected to your pfSense DNS server.

        SteveITS Galactic Empire @bmeeks

          @bmeeks said in Force primary DNS as pfsense DNS:

          Not all clients will honor "primary" and "secondary" like you think they should.

          In particular, Windows will use the "last known good" DNS server first and not honor the "order" in the network settings.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          Wastapi @SteveITS

            Thanks.
            I ended up creating a NAT firewall rule redirecting all DNS requests on port 53 to local.

            Just wondering if this puts a toll on pfSense.

            SteveITS Galactic Empire @Wastapi
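            The resolver behaviour bmeeks describes (a reply, NXDOMAIN included, is final; only a timeout moves the client to the next server) and the port-53 redirect Wastapi ended up with, modelled in a short Python script. This is an added illustration for the thread, not code from pfSense or from any poster: the addresses 192.168.8.1 and 8.8.8.8 come from the thread, while the host name nas.home.lan, the 192.168.8.50 override and the 203.0.113.10 answer are constructed samples.

```python
"""Why a LAN resolver listed second is never consulted, and what a port-53 redirect
changes.  Added illustration for this thread, not code from pfSense or from any poster."""
from dataclasses import dataclass

# Addresses from the thread; the host name and answers below are constructed samples.
PFSENSE = "192.168.8.1"
GOOGLE = "8.8.8.8"
LOCAL_HOST = "nas.home.lan"   # hypothetical custom host override defined on pfSense


class NoReply(Exception):
    """Raised when a server does not answer before the client's timeout."""


@dataclass
class Server:
    address: str
    records: dict   # name -> address this server can answer; anything else is NXDOMAIN

    def query(self, name, unreachable):
        if self.address in unreachable:
            raise NoReply(self.address)
        # A responsive server gives a final answer: an address, or NXDOMAIN for unknown names.
        return self.records.get(name, "NXDOMAIN")


SERVERS = {
    PFSENSE: Server(PFSENSE, {LOCAL_HOST: "192.168.8.50", "example.com": "203.0.113.10"}),
    GOOGLE: Server(GOOGLE, {"example.com": "203.0.113.10"}),
}


def redirect_port53(dst):
    """Models the NAT rule from the thread: every LAN packet to port 53, whatever
    destination the client chose, is rewritten to the pfSense resolver."""
    return PFSENSE


def resolve(name, server_list, redirect=None, unreachable=frozenset()):
    """Stub-resolver behaviour: walk the configured servers in order, move to the next
    one only when the current one does not reply, and treat the first reply (including
    NXDOMAIN) as final.  Returns (answer, servers actually contacted)."""
    contacted = []
    for dst in server_list:
        if redirect is not None:
            dst = redirect(dst)
        contacted.append(dst)
        try:
            return SERVERS[dst].query(name, unreachable), contacted
        except NoReply:
            continue   # timeout: the only case that reaches the next server in the list
    return "SERVFAIL", contacted


if __name__ == "__main__":
    # The poster's situation: pfSense listed second, Google answers first with NXDOMAIN.
    print(resolve(LOCAL_HOST, [GOOGLE, PFSENSE]))
    # Only a silent primary makes the client fall through to the secondary.
    print(resolve(LOCAL_HOST, [GOOGLE, PFSENSE], unreachable={GOOGLE}))
    # With the port-53 redirect in place, the order the user picked no longer matters.
    print(resolve(LOCAL_HOST, [GOOGLE, PFSENSE], redirect=redirect_port53))
```

            To confirm a real redirect is catching traffic, a LAN client can deliberately ask the outside server (`dig @8.8.8.8 nas.home.lan`, with your own host name substituted): with the rule active the answer comes back from pfSense instead of NXDOMAIN. Two things the model leaves out: port 853 is DNS over TLS, so rewriting it to a plain port-53 listener only breaks the TLS handshake, which is why that port is usually blocked rather than redirected; and DoH, which SteveITS mentions, rides on port 443 and is not touched by a port-53 rule at all.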

              @wastapi Probably not a noticeable one but it would take a few extra CPU cycles per lookup.

              Also look into DoH (DNS over HTTPS).

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.