PfSense DNS Forwarder with Other DNS Server



  • Hello,

    Let me explain my network config ;

    I have 2 sites that are connected with IPsec, Site A (192.168.11.0/24) and Site B (192.168.12.0/24). Both sites are connected with an IPsec connection, and Site A has a DNS server that uses the pfSense DNS Forwarder. So people in Site A can access their server using server.siteA.com, and the DHCP server is also running on pfSense. Site B has a few servers and also has a DNS server using BIND9. In their network (Site B), they can also access their server using server.siteB.com, and it is working well without any problem.

    How can people in Site A access a server in Site B using server.siteB.com? How can we configure pfSense in Site A to give the DNS server in Site B to all users in Site A? I tried to add the DNS server IP in the DHCP server settings in Site A, but I still failed to access it via server.siteB.com.

    Please help me. :(


  • LAYER 8 Global Moderator

    NO!! You do not want to have clients directly query siteB dns.. Does siteB dns have the records for site A?

    What you do, since users in siteA query pfsense dns there, is put in a host override record pointing siteB.com to the siteB.com NS(s), i.e. their bind server, in pfsense.

    Then you will have to allow for dns across any firewall rules, and then you will have to allow the ACLs in Bind to serve 192.168.11.0/24, since it's probably locked down to only allow queries from its local 12.0/24 network.

    Client machines should never point to dns that doesn't contain the zones they need to query, or can't do a recursive lookup for them.

    So it sounds to me like you have authoritative servers for the siteA and siteB domains. But these records are not in public dns, are they? Do the siteA and siteB dns you point to have forwarders to go ask the other site if asked about those domains?

    So a client pointing to multiple public dns is fine, since any public dns can resolve any public domain.. But where you can run into problems is if you point a client to, say, a public dns and a local authoritative dns for a local-only domain, say local.lan.

    So if the client asks public dns for local.lan, what does he get returned? Most likely NXDOMAIN, and quite possibly the client will say "ok thanks" and not ask his other dns, since he was told "hey, that domain does not exist!" My other dns will just tell me the same thing, so why even ask.

    Now if public dns is slow and just does not answer, then sure, the client will probably go ask the other one..

    Common best practice is to point to dns that can resolve everything you need to resolve, and let them ask for stuff they don't know about. So if you need to resolve local dns, only ask local dns, and have them either query or forward to other dns that can look up stuff they are not authoritative for. You don't want to split and ask different dns servers where some of them won't be able to resolve the stuff you're asking about.

    For one, it's a bit of a security concern as well: do you want, for example, to ask googledns for the name of your AD DC server? Performance-wise, do you really need to send queries out to the public net for stuff you are sure will not be resolvable, etc.?



  • What you do, since users in siteA query pfsense dns there, is put in a host override record pointing siteB.com to the siteB.com NS(s), i.e. their bind server, in pfsense.

    Little correction: you add this in the Domain Overrides section of the DNS Forwarder GUI page, to tell the DNS Forwarder that names ending in siteB.com should be sent to 192.168.12.n (the IP of the Site B name server).


  • LAYER 8 Global Moderator

    ^ My bad, yes, domain overrides.. Just at the bottom of the page, under the host overrides section, under dns forwarder ;)
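    The following is an added worked example, not code from the thread, pfSense or dnsmasq. It models the two designs the moderator contrasts: a Site A client that asks only the pfSense DNS Forwarder, which routes siteB.com to the Site B BIND server through a Domain Override (written to dnsmasq as a `server=/domain/ip` line, the form the GUI generates) and answers siteA.com from its own records, versus a client handed a mixed list of a public resolver plus the forwarder, which stops at the public resolver's NXDOMAIN. It also shows why the BIND `allow-query` ACL at Site B has to admit the Site A side. The addresses 192.168.11.1 (pfSense LAN), 192.168.12.53 (BIND9) and the server records are constructed assumptions; the stub-client behaviour (walk the list only on REFUSED, treat the first NXDOMAIN as final) is the simplified behaviour the moderator describes, not a specification.

```python
"""Toy model of the DNS designs discussed in the thread (constructed; not
pfSense or dnsmasq code). Site A clients use the pfSense DNS Forwarder at
192.168.11.1; Site B runs BIND9 at 192.168.12.53 (addresses are assumptions)."""
from ipaddress import ip_address, ip_network


class AuthServer:
    """Name server holding some zones, with a BIND-style allow-query ACL
    (list of CIDR strings; None allows everyone). A recursive server (the
    stand-in for a public resolver) answers NXDOMAIN for names it cannot find;
    an authoritative-only server refuses queries outside its zones."""

    def __init__(self, zones, allow_query=None, recursive=False):
        self.zones = {z.lower(): {n.lower(): a for n, a in rr.items()} for z, rr in zones.items()}
        self.acl = [ip_network(n) for n in allow_query] if allow_query else None
        self.recursive = recursive

    def query(self, name, client_ip):
        name = name.lower()
        if self.acl and not any(ip_address(client_ip) in net for net in self.acl):
            return "REFUSED", None            # client outside allow-query
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return ("NOERROR", records[name]) if name in records else ("NXDOMAIN", None)
        return ("NXDOMAIN", None) if self.recursive else ("REFUSED", None)


def parse_domain_overrides(conf):
    """Parse dnsmasq 'server=/domain/ip' lines, the form pfSense generates from
    the Domain Overrides table. The most specific (deepest) domain sorts first."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("server=/"):
            _, domain, ip = line.split("/")   # "server=", "siteB.com", "192.168.12.53"
            rules.append((domain.lower(), ip))
    return sorted(rules, key=lambda r: r[0].count("."), reverse=True)


class Forwarder:
    """DNS Forwarder model: Host Overrides are answered locally, Domain Overrides
    are sent to the listed server from the firewall's own address, and anything
    else goes to the configured upstream resolver."""

    def __init__(self, own_ip, host_overrides, domain_rules, upstream, servers):
        self.own_ip, self.hosts, self.rules = own_ip, host_overrides, domain_rules
        self.upstream, self.servers = upstream, servers

    def query(self, name, client_ip=None):
        name = name.lower()
        if name in self.hosts:
            return "NOERROR", self.hosts[name]
        for domain, ip in self.rules:
            if name == domain or name.endswith("." + domain):
                return self.servers[ip].query(name, self.own_ip)
        return self.servers[self.upstream].query(name, self.own_ip)


def stub_client(name, resolver_ips, servers, client_ip):
    """Client handed several unrelated resolvers, modelled as the moderator
    describes: it moves down the list only when a server refuses, and treats
    the first NXDOMAIN as final (assumed behaviour; real stub resolvers vary)."""
    for ip in resolver_ips:
        rcode, answer = servers[ip].query(name, client_ip)
        if rcode in ("NOERROR", "NXDOMAIN"):
            return rcode, answer
    return "SERVFAIL", None


# Constructed dnsmasq fragment equivalent to one Domain Override row in the GUI.
DOMAIN_OVERRIDES = "server=/siteB.com/192.168.12.53\n"


def build_network(site_b_acl):
    """Wire up both sites. site_b_acl is BIND's allow-query list at Site B."""
    servers = {
        "192.168.12.53": AuthServer({"siteB.com": {"server.siteB.com": "192.168.12.10"}},
                                    allow_query=site_b_acl),
        "8.8.8.8": AuthServer({}, recursive=True),   # placeholder public resolver
    }
    servers["192.168.11.1"] = Forwarder("192.168.11.1", {"server.sitea.com": "192.168.11.10"},
                                        parse_domain_overrides(DOMAIN_OVERRIDES), "8.8.8.8", servers)
    return servers


def via_forwarder(name, site_b_acl=("192.168.12.0/24", "192.168.11.0/24")):
    """Site A client asks only the pfSense forwarder (the recommended design)."""
    return build_network(list(site_b_acl))["192.168.11.1"].query(name, "192.168.11.50")


def via_mixed_list(name):
    """Site A client configured with a public resolver first, then pfSense
    (the split setup the moderator warns against)."""
    servers = build_network(["192.168.12.0/24", "192.168.11.0/24"])
    return stub_client(name, ["8.8.8.8", "192.168.11.1"], servers, "192.168.11.50")


if __name__ == "__main__":
    print(via_forwarder("server.siteB.com"))                       # ('NOERROR', '192.168.12.10')
    print(via_forwarder("server.siteB.com", ["192.168.12.0/24"]))  # ('REFUSED', None): BIND ACL still closed
    print(via_mixed_list("server.siteA.com"))                      # ('NXDOMAIN', None): public answer ends the search
```

    The second call reproduces the ACL point from the thread: the forwarder sends its query from 192.168.11.1, so BIND at Site B returns REFUSED until `allow-query` includes 192.168.11.0/24 (and the IPsec firewall rules pass UDP/TCP 53). The third call is the mixed-resolver failure: the public resolver's NXDOMAIN for server.siteA.com ends the lookup even though the forwarder one entry later would have answered.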

