PfSense DNS Forwarder Problem

  • Hi all!

    I have a pfSense 2.1 firewall with 2 boxes behind it, on a LAN. One box is a dns server, configured so queries from receive different answers for some specific queries than queries coming in from the WAN.

    In System -> General Setup I have the dns servers set to (my LAN dns server's address). I also have the following option enabled since it sounded like what I wanted:

    Do not use the DNS Forwarder as a DNS server for the firewall
    By default localhost ( will be used as the first DNS server where the DNS forwarder is enabled, so system can use the DNS forwarder to perform lookups. Checking this box omits localhost from the list of DNS servers.

    Edit: However, I have tried disabling this option and it seemed to have no effect.

    After applying the above configuration, I don't receive a response for any query that I have a specific LAN answer for.

    For example:

    Querying from the outside: -> -> NXDOMAIN (this hostname only exists in the view/zone that replies to LAN queries. So this is expected) ->

    Querying from the inside, directly to the dns server: -> (LAN ip of web server) -> ->

    Querying from the inside, to the pfSense dns forwarder: -> ? -> ? ->

    The response I get in dig for the "?" answers above is:

    me@box:/etc/init.d$ dig @

    ; <<>> DiG 9.9.2-P1 <<>> @
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46691
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ; EDNS: version: 0, flags:; udp: 4096
    ;              IN      A

    ;; Query time: 2 msec
    ;; SERVER:
    ;; WHEN: Tue Dec 10 16:57:08 2013
    ;; MSG SIZE  rcvd: 44

    And I'm not sure what to make of that.

    Interestingly enough, if I enable the shell on Pfsense and run the dig query dig, I get the expected response of a LAN ip. So this says to me that the problem is in the forwarder?

    Any advice would be appreciated!

  • Does WAN use HDCP to get its public-facing IP?
    If so, then System->General Setup "Allow DNS server list to be overridden by DHCP/PPP on WAN" will mean that the DNS you have keyed in will get overridden by the DNS server/s given out by the ISP DHCP server on WAN. Uncheck this option and you may have more success.

  • Hey Phil, I've got that option disabled unfortunately (as I am on a static IP).

    Edit: So I found a workaround. I read here that the effect of disabling the DNS forwarder will simply cause the servers specified under the General setups' DNS server list to be specified as DNS servers for the DHCP LAN clients. Perfect!

Log in to reply