SplitDNS doesn't work as well as it should



  • Hi,

    I have several servers behind my firewall using 1:1 NAT.
    So, as advised by people on this forum, I set up the firewall for a splitDNS, but
    the splitDNS (the pfSense) doesn't answer every time and hands over to our DNS, which gives the external IP of an internal website…
    Users complain about that because they have to flush the DNS :-(

    Any clue? Can I avoid having a splitDNS?

    Thank you very much for your help



  • I assume you're using the DNS forwarder?

    Are your internal PCs set up to use pfSense as their ONLY DNS server? If not, the PCs may be trying to get DNS info from a secondary server and pulling the external IP.

    I have a split-DNS setup using the DNS forwarder and it seems to work reliably.



  • Thank you for your answer.

    I configured our two Windows DNS servers to forward all requests for the domain to the pfSense.
    This seems to be the problem; I reconfigured the DNS to set the pfSense as the default DNS.

    Wait and see :-)

    Thank you.



  • No problem. I have mine set up to work with our domain, so what I do is hand out the pfSense IP as the DNS server to the systems, and within the DNS forwarder, set up the internal DNS servers as responsible for the domain.


  • Rebel Alliance Developer Netgate

    Usually if you have a Windows AD setup, you want your DCs as the DNS server for the clients, and then set pfSense as the forwarder for the DC's DNS service.

    There are some features that seem to work better if the DC handles DNS directly (especially if you use the DCs for DHCP as well).
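    The two failure modes discussed in this thread (a client that also has a secondary, non-split-aware DNS server configured, and a DC that forwards to the ISP instead of to pfSense) can be checked with a small model of the resolution chain. The following is an added example, not code from this thread or from pfSense; the server names, the hostname www.example.com and the RFC 1918 / RFC 5737 addresses are constructed. It treats each DNS server as a set of local split-DNS overrides plus a list of forwarders, and reports every server in a client's resolver list that could hand back the public 1:1 NAT address instead of the internal one.

```python
from dataclasses import dataclass, field


@dataclass
class Resolver:
    """Toy model of one DNS server's view of the world (constructed example).

    overrides:     split-DNS host overrides answered locally (FQDN -> internal IP)
    authoritative: records handed out to everyone (FQDN -> public IP); used for the
                   public resolver, which only knows the NAT'd external address
    forwarders:    upstream servers that receive anything this server cannot answer
    """
    name: str
    overrides: dict = field(default_factory=dict)
    authoritative: dict = field(default_factory=dict)
    forwarders: list = field(default_factory=list)

    def answers(self, fqdn: str) -> set:
        """Every address this server could return for fqdn, following its forwarding chain."""
        if fqdn in self.overrides:
            return {self.overrides[fqdn]}
        if fqdn in self.authoritative:
            return {self.authoritative[fqdn]}
        found = set()
        for upstream in self.forwarders:
            found |= upstream.answers(fqdn)
        return found


def audit_client(client_servers: list, fqdn: str, internal_ip: str) -> dict:
    """Return {server name: wrong answers} for each configured server that can hand
    back something other than the internal address. Clients do not strictly prefer
    their primary DNS server, so any configured server that leaks the public IP will
    eventually be used and produce the intermittent failure described in the thread.
    """
    leaks = {}
    for server in client_servers:
        wrong = server.answers(fqdn) - {internal_ip}
        if wrong:
            leaks[server.name] = wrong
    return leaks


# Constructed topology: one 1:1 NAT'd web server.
SITE = "www.example.com"
INTERNAL = "10.0.0.10"      # address on the LAN (RFC 1918)
EXTERNAL = "203.0.113.10"   # public side of the 1:1 NAT (RFC 5737)

public_dns = Resolver("public-dns", authoritative={SITE: EXTERNAL})
pfsense = Resolver("pfsense-forwarder", overrides={SITE: INTERNAL}, forwarders=[public_dns])
dc_via_pfsense = Resolver("dc1-forwards-to-pfsense", forwarders=[pfsense])
dc_via_isp = Resolver("dc1-forwards-to-isp", forwarders=[public_dns])


def scenarios() -> dict:
    """Client resolver lists from the thread, audited for split-DNS leaks."""
    return {
        # pfSense plus a public secondary: the secondary leaks the external IP
        "pfsense+public": audit_client([pfsense, public_dns], SITE, INTERNAL),
        # pfSense as the ONLY DNS server (the working setup described above)
        "pfsense-only": audit_client([pfsense], SITE, INTERNAL),
        # client -> DC -> pfSense: the DC inherits the override through forwarding
        "dc->pfsense": audit_client([dc_via_pfsense], SITE, INTERNAL),
        # client -> DC -> ISP: the DC never sees the override, every answer is external
        "dc->isp": audit_client([dc_via_isp], SITE, INTERNAL),
    }


if __name__ == "__main__":
    for label, leaks in scenarios().items():
        print(f"{label:16s} {'OK' if not leaks else 'LEAKS ' + str(leaks)}")
```

    Run it as a script to see which of the four configurations can return the external address; the point is that an override on pfSense only helps if every server a client might ask either holds the override itself or forwards to one that does.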



  • @jimp:

    Usually if you have a Windows AD setup, you want your DCs as the DNS server for the clients, and then set pfSense as the forwarder for the DC's DNS service.

    There are some features that seem to work better if the DC handles DNS directly (especially if you use the DCs for DHCP as well).

    You bring up a good point. I can't remember why I didn't go that route at first. Possibly a moment of stupidity.

    Anyway, I'll probably reconfigure next weekend and see if I run into any problems flipping things around (instead of Machine > pfSense > AD, make it Machine > AD > pfSense).



  • @Jahntassa:

    @jimp:

    Usually if you have a Windows AD setup, you want your DCs as the DNS server for the clients, and then set pfSense as the forwarder for the DC's DNS service.

    There are some features that seem to work better if the DC handles DNS directly (especially if you use the DCs for DHCP as well).

    You bring up a good point. I can't remember why I didn't go that route at first. Possibly a moment of stupidity.

    Anyway, I'll probably reconfigure next weekend and see if I run into any problems flipping things around (instead of Machine > pfSense > AD, make it Machine > AD > pfSense).

    Will pfSense do all the DNS records required for an AD domain to function? I'm leaning towards no… I have my network set up as client->pfSense->MS Server and I don't have any problems.


  • Rebel Alliance Developer Netgate

    @Panix:

    Will pfSense do all the DNS records required for an AD domain to function? I'm leaning towards no… I have my network set up as client->pfSense->MS Server and I don't have any problems.

    It may relay the DNS requests for lookups properly, but perhaps not some of the other special things that AD seems to rely on happening via DNS for updates. (Someone more intimately familiar with AD would probably be more helpful for the details).

