DNS Forwarder: Port Shut?

  • I'm trying to start using the DNS Forwarder in pfSense. My internal DNS servers - which also answer recursive external queries - are on one internal subnet. It's kind of annoying to have to go in and set up rules on all the other subnets to pass traffic to the DNS servers. I was hoping to let pfSense magically proxy that traffic. However, all the DNS queries return ICMP - udp port 53 unreachable, which usually means the port is shut.

    So jumping to conclusions I would guess the forwarder is behind the firewall filters and each subnet is going to need filter rules to allow DNS traffic to pfSense so the DNS Forwarder will work?
    Is there any documentation on the setup of DNS Forwarder? From what I've seen it makes it sound like you just enable the check box and it just magically works but I'm finding that not to be the case.
    So DNS Forwarder is not going to help me because I have to set up rules on every subnet anyway so I might as well not use it?

  • With any service, you have to permit traffic to reach it via the firewall for it to work. There are ways to ease that process, with interface groups, or floating rules.

  • Well, sounds like it won't reduce the number of rules to manually maintain, so it's best not to use it in this case because it's an increase in complexity with no benefit [for me]. Thanks

  • As I said, use interface groups or floating rules. You can do that with 1 rule.

  • That being the case I can "allow" to the local DNS servers with one rule too. I think the main argument for DNS Forwarder is split horizon where you have to proxy DNS requests to different servers. Since all of my DNS queries are answered by one set of servers regardless of whether it's an internal or external domain, DNS Forwarder offers no real benefit [that I can see] and would contribute to the complexity of the setup… the rules are really a wash.
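As an added illustration (not from the thread or from the pfSense project) of the "one rule on an interface group" approach from the reply above and the "allow to the local DNS servers with one rule" variant in this post, here is the equivalent in pf syntax, the ruleset pfSense generates from its GUI. The interface group name `INTERNAL` and the DNS server addresses are assumed for the example.

```pf
# Assumed: an interface group "INTERNAL" (hypothetical name) that contains
# every internal interface; the two addresses are constructed sample values
# for the internal DNS servers.
table <internal_dns> { 10.10.10.53, 10.10.10.54 }

# Variant A: queries go to the DNS Forwarder on the firewall itself.
# A single rule on the group covers every member interface, so no
# per-subnet rule is needed to reach the forwarder. "(self)" matches
# the firewall's own addresses on every interface.
pass in quick on INTERNAL inet proto { tcp, udp } from any to (self) port 53

# Variant B: no forwarder; every internal subnet reaches the internal
# DNS servers directly, which is what this post settles on.
pass in quick on INTERNAL inet proto { tcp, udp } from any to <internal_dns> port 53

# Anything not matched above falls through to the firewall's default
# deny, so a subnet that is not a member of INTERNAL still cannot reach
# port 53 on either destination.
```

Only one of the two variants is needed in practice; both are shown so the rule count is visibly the same either way.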

  • Where you already have internal DNS servers, the only benefit of the DNS forwarder is it may improve lookup performance since it'll query all its configured servers simultaneously and take the fastest response. Aside from that, it's mostly beneficial for networks that don't have any local DNS servers.
