Query DNS servers sequentially



  • The 'Query DNS servers sequentially' confuses me; it doesn't behave how I'd expect.

    I have this feature enabled.

    Under System > General Setup > DNS Servers, I have:
    10.1.1.6
    10.1.1.7
    8.8.8.8
    8.8.4.4

    DNS requests to the DNS Forwarder seem to be getting responses from 8.8.8.8 (or possibly 8.8.4.4) even though 10.1.1.6 and 10.1.1.7 can handle the request.

    The DNS Forwarder supplies the correct responses when Domain Overrides are provided and point to the 10.1.1.6 DNS server.

    Given the above settings, I'd expect the DNS Forwarder to get responses from 10.1.1.6 regardless of the Domain Overrides, but that doesn't seem to be the case.

    pfSense version is 2.1.3-RELEASE (amd64)

    What am I misunderstanding?



  • Anyone? I'll take shot-in-the-dark guesses.



  • The checkbox to use sequentially enables dnsmasq's --strict-order. Their man page describes that as:

    By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favour servers that are known to be up. Setting this flag forces dnsmasq to try each query with each server strictly in the order they appear in /etc/resolv.conf

    http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

    The order in resolv.conf should match what you have configured under System > General Setup, at least assuming you also have no dynamic WANs or have disabled DNS server updates from DHCP/PPP.

    If resolv.conf has the order as desired, then I suspect either your internal DNS servers aren't responding for some things, or maybe dnsmasq's --strict-order doesn't do what you're expecting and stop at the first server that replies (I would think it does, but not entirely sure off the top of my head).

    Getting a packet capture of all UDP 53 traffic on LAN and seeing what that looks like might be telling. Maybe your internal servers are failing to respond at times.
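Added example, not from the thread or from pfSense/dnsmasq: a small Python script that applies the packet-capture suggestion above. It parses constructed, simplified tcpdump-style lines (a real capture's text output would need the regex adjusted) and reports, per DNS transaction ID, whether the first upstream tried is the first configured server and which earlier servers stayed silent before a later one answered. The capture lines and the 192.0.2.10 forwarder address are constructed for the example.

```python
import re
from collections import OrderedDict

# Upstream order as configured under System > General Setup in the thread.
UPSTREAMS = ["10.1.1.6", "10.1.1.7", "8.8.8.8", "8.8.4.4"]

# Constructed, simplified tcpdump-style lines (not a real capture). 192.0.2.10
# stands in for the pfSense box sending queries upstream.
CAPTURE = """\
10:00:00.000 IP 192.0.2.10.40001 > 10.1.1.6.53: 1001+ A? host1.corp.example. (36)
10:00:00.002 IP 10.1.1.6.53 > 192.0.2.10.40001: 1001 1/0/0 A 10.1.1.20 (52)
10:00:01.000 IP 192.0.2.10.40002 > 10.1.1.6.53: 1002+ A? www.example.org. (33)
10:00:03.000 IP 192.0.2.10.40002 > 10.1.1.7.53: 1002+ A? www.example.org. (33)
10:00:05.000 IP 192.0.2.10.40002 > 8.8.8.8.53: 1002+ A? www.example.org. (33)
10:00:05.010 IP 8.8.8.8.53 > 192.0.2.10.40002: 1002 1/0/0 A 93.184.216.34 (49)
10:00:06.000 IP 192.0.2.10.40003 > 8.8.4.4.53: 1003+ A? host2.corp.example. (36)
10:00:06.005 IP 8.8.4.4.53 > 192.0.2.10.40003: 1003 NXDomain 0/1/0 (36)
"""

# src.sport > dst.dport: txid, followed by '+' (recursion desired) only on queries.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)(\+?) ")

def parse(capture, upstreams=UPSTREAMS):
    """Group packets by transaction ID: which upstreams were tried, in order,
    and which one finally answered."""
    txns = OrderedDict()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _, dst, _, txid, is_query = m.groups()
        t = txns.setdefault(txid, {"tried": [], "answered_by": None})
        if is_query and dst in upstreams:
            t["tried"].append(dst)
        elif not is_query and src in upstreams:
            t["answered_by"] = src
    return txns

def findings(txns, upstreams=UPSTREAMS):
    """Flag the two things the thread suspects: the configured order not being
    honoured, and earlier servers staying silent until a later one answers."""
    out = []
    for txid, t in txns.items():
        if t["tried"] and t["tried"][0] != upstreams[0]:
            out.append((txid, "order", t["tried"][0]))
        if t["answered_by"] in t["tried"]:
            silent = t["tried"][: t["tried"].index(t["answered_by"])]
            if silent:
                out.append((txid, "silent", silent))
    return out
```

Run `findings(parse(CAPTURE))`: transaction 1002 shows both internal servers silent before 8.8.8.8 answered, and 1003 shows the forwarder going straight to 8.8.4.4, the two cases the reply above distinguishes.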