Can pfSense do DNS failover

  • I have a customer that uses an Ecessa Powerlink 200 WAN Optimizer device.  They have a web server on the LAN with port forwards.  There are two WAN connections.  Not only will the Ecessa failover if one connection is down (I know pfSense can handle that), but the 2 WAN interfaces are the primary and secondary name server for their domain.

    The TTL on the A, MX, etc records are very low.  Within a few minutes, traffic from the outside world will be directed to the appropriate interface if one or the other is down.

    In addition to the DNS failover, they have 2 remote offices, also with 2 WANs.  They do site-to-site "VPNs" between them, I put VPNs in quotes because Ecessa calls it site-to-site line bonding. As far as I can tell, it just acts as a site-to-site VPN, not sure if it's encrypted or anything.

    Anyway, is it possible to replace this thing and the ASA behind it with a pfSense box and get all this functionality?


  • Short answer is no.
    There was a short-lived offshoot called pfDNS that was a dedicated DNS appliance that IIRC had this functionality.
    Personally, I think the idea is problematic.
    What happens if the office loses power or the device dies? The company's public DNS is dead. Their website dies, mail will bounce.
    If the outage is short lived, the records may have updated to the new address by the time it's back up. Large providers have been known to ignore very small TTLs.
    If it is a long outage, then just change the A record.
    If your website is hosted, then this is a non-issue. If you have mail on site, you can assure mail flow with redundant MX records. Things like webmail and activesync would be dead, but I would just change the record on the (externally hosted) DNS servers.

  • The webserver is internal so if the device goes down their site is down anyway….mail is a good point thought, they have Google Apps for that domain, I guess if their internet goes down for a while, that goes down too!

    Anyway, I think DynDNS has a service that will monitor and switch DNS if we transfer the domain to them.

  • If you're using the 2 WAN connections in an active/passive type setup.. If you did dynDNS on a machine behind PFsense, when the WAN failed over the dynDNS would get the other wan's public IP. 
    Then just sent the web and MX record to point towards the dynDNS address.

Log in to reply