Allow external / public DNS queries to internal server

  • Hello, I am new to pfSense and have been really loving it!  However, I cannot seem to find out exactly how to fix an issue I am having.

    The problem is public DNS requests do not seem to go through the pfSense firewall to a DNS server I have running on one of my internal servers.  I have multiple web sites at multiple locations and control the Public DNS records myself.  I am trying pfSense on one of my locations to see how it acts.  So far so good - but any DNS requests from the internet to resolve my web server names get this on the logs:

    The rule that triggered this action is:
    @48 block drop in log quick all label "Default deny rule"

    I have added a rule on the WAN to forward DNS/53 to my internal server.  I assume by what I have read so far is that there is some default rule (that I cannot seem to find) that is "protecting" the firewall.  Can someone please point me in the right direction (or even better yet, tell me what I need to know?  :-) )

  • I just found the 'services' status page, and I can see that there is a 'dnsmasq' service - if I turned this off - would that default rule be altered?  I do not need any DNS services running on this firewall at all - so what would this do if I turned it off?

  • You can't change the Default deny rule: everything that doesn't match a previous rule is blocked.

    What protocol(s) did you specify on the "DNS/53" rule?

    If you don't want pfSense to provide DNS services you should turn off everything under Services -> DNS

  • I tried UDP first, then TCP/UDP, but that didn't work either.  My original firewall was a simple FVS318 that was configured for UDP only - so I tried that first.  I think DNS is always UDP, but I can be wrong, haven't looked it up in a long time :-)

  • I tried stopping the dnsmasq service, the system still refuses to route incoming DNS requests.  I then rebooted the firewall and the dnsmasq service restarts.

    My question would be then -
      1. how could I 'uninstall' or disable this service, or
      2. edit the default rules - is there a way to get to the rules file for this thing?

    Sorry for being a pain, but this is a new system I don't know and am unfamiliar with.  I will also continue to search for an answer.

    (assuming there is one! - has anyone successfully done this?

    To be more clear, as I see how you are detailing the issues here, I have:

    [Web Server:] 
      [DNS Server:] -  [LAN:] pfSense [WAN:] - internet - Client

    The domain (WWW.DOMAIN.COM) I have is registered with a name server of NS1.DOMAIN.COM - which is listed as  My DNS server hosts multiple domains, some at my location, some at another.  The 'Client' cannot resolve WWW.DOMAIN.COM because it times out querying NS1.DOMAIN.COM - because the pfSense doesn't send the request on to the internal server.

    I have a rule entered that has these values:
      Action: Pass
      Interface: WAN
      Protocol: UDP  (also tried TCP/UDP)
      Source: any
      Destination: Single Host / Alias,  Alias = "DNSServer" which is set to ""
      Destination Port: From DNS to DNS  (also tried 53)
      Schedule: none
      Gateway: default

    If anyone has this working - please let me know how you did it, or point me to the information!

    Thank you!

    BTW - I am not really heart felt to use my DNS server if pfSense can do this for me as well - but I cannot seem to find out how to respond to public requests.  Internal requests I can get working just fine!

    BTW - Would it help if I offered money for a solution?!  :o  ;D

  • Your client on the internet probably can't send a DNS request directly to your DNS server because the IP address of the DNS server ( is a private address. So the client will have to send the DNS address to a public IP address ( so the DNS request coming in to the pfSense box won't match your rule because the rule has a private IP address.

    You probably need to setup a port forwarding rule (Firewall -> NAT -> Port Forwarding ) for the DNS requests from the WAN.

  • SWEET!!!! Thank you - Thank you - Thank you - Thank you - Thank you!!!!

    Now that I understand what that is doing - first firewall rules to allow, then the NAT to forward, it all makes sense now!  Thank you!

    I guess I got hung up on the Rule, when I entered teh private IP I "assumed" it was like the FVS319 - it allowed and forwarded in one step - this way is nice (an extra step, but I see why!)

    Again - thanks!  Where do you want the gift card sent to?  :-)

  • @Referee2000:

    Again - thanks!  Where do you want the gift card sent to?  :-)

    I give my time to the pfSense forums as way of expressing my gratitude for this great project. If you would like to make a gift of a more material kind how about a donation to the pfSense project ( ) or a micro loan to a project in Thailand or a Pacific Islands country (see