2 or more DNS Server (Forwarder)

  • Hello all,

    we are facing a problem with our pfsense network in our company. Our company is split into 4 sites, each has a pfsense with DHCP and DNS Forwarder running.
    Our goal is that we want to use the FQDN names of our clients from all sites. In theory, that means on the pfsense1 (site1) we need to add the pfsense2, 3 and 4 to our DNS Server. On Pfsense2 (Site2) we need to add Pfsense1, 3 and 4 to the DNS Server. But this doesn't work as planned. If I want to FQDN-ping a client from Site1 to site2, I get "host unknown".

    I have read that until an early Pfsense version 1.2.X.X (?) all the DNS Servers that had been set were asked sequentially. After that, all DNS Servers were asked at once, and only the fastest reply will be used.

    Is this still the case? How can we set up our pfsense to translate all FQDN from all our sites? Any idea?

    At the moment we are using at least Version 2.0.3 and newer.

    Thanks in advance.


  • LAYER 8 Global Moderator

    Are your clients all in the same domain ie company.tld or do you have subdomains or different domains like site1.company.tld or site1.tld, site2.tld ?

    You really should just have a single setup for your dns.  Pfsense dns options while great for say single site don't really allow for xfer, etc.  If you're in different domains you can setup specific forwarders for the domains to go query the other dns for those sites for that domain, etc.

    But if you're in 1 domain then it becomes a bit more difficult.  I would suggest you run say bind that allows for zone xfer and then dns in each site can have a copy of all the different domains or a copy of your single domain locally, etc.

  • Hello,

    we are running a "virtual domain". We don't have a domain since we are using a novell network. We have the advanced setting in the DNS set: rebind-domain-ok=our-domain.com, and this is our only "virtual domain".

    "I would suggest you run say bind that allows for zone xfer and then dns in each site can have copy of all the different domains or copy of your single domain locally, etc."

    If I understand that correctly, you mean to make a manual copy to all the sites? We need an automated mechanism, since our clients are very dynamic.


    What exactly is the DNS research mechanism? What happens with a DNS lookup from a client if my pfsense has for example 2 DNS Server entries? Does the pfsense ask the 1st DNS Server and, if it is unknown, ask the 2nd DNS Server? Or is it still that only the fastest DNS Server counts?


  • LAYER 8 Global Moderator

    No, a zone xfer is an automated process.

    So when you create a new record in your soa for that zone, it notifies and transfers that record to any other servers that are authoritative for that zone.

    The problem is that neither dnsmasq nor unbound, which are the 2 included nameserver services in pfsense, allow for any sort of xfer.  They can point to another ns for a different domain.  And can manually hold records for any fqdn you want.  But there is no zone xfer mechanism in either of those 2 products.

    I don't know your connectivity between your sites, so I'm not sure if it would make more sense to have a real name server in each site or if a couple of them would be fine in just 1 or 2 sites and have all the clients point to them or have your local pfsense forward to them for your domain.  Are you manually creating your records or do you need dynamic registration of your clients' IPs?

    If you do not have something to run your dns on, you could install the bind package in pfsense and then allow for zone xfer of all your records between the different pfsense boxes and all your clients would point to their local pfsense for dns which would be able to resolve all clients.
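    The zone-transfer arrangement described above, as an added example that is not from the thread or from pfSense's bind package (which writes its own config from the GUI): pfsense1 is primary for the zone, the other three boxes are secondaries, and transfers and dynamic updates are only accepted when TSIG-signed. Addresses (10.<site>.0.1), the zone name, key names, secrets and file paths are all assumed; newer BIND spells `master`/`slave`/`masters` as `primary`/`secondary`/`primaries`.

```conf
## pfsense1 (primary for the zone); all addresses and names below are assumed
key "xfer-key" {                      # shared with the secondaries; create with tsig-keygen
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET";
};
key "ddns-key" {                      # used by the DHCP servers for dynamic client records
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_2";
};
options {
    listen-on { 10.1.0.1; };
    allow-query { 10.0.0.0/8; };      # only the MPLS-connected sites, never the WAN
    allow-transfer { none; };         # global default: no zone transfers at all
    recursion yes;                    # still resolves public names for local clients
};
zone "our-domain.com" {
    type master;
    file "/var/db/our-domain.com.db"; # hypothetical path
    allow-transfer { key xfer-key; }; # only TSIG-signed AXFR/IXFR from the other sites
    allow-update { key ddns-key; };   # DHCP registrations must be signed as well
    also-notify { 10.2.0.1; 10.3.0.1; 10.4.0.1; };
    notify explicit;                  # notify only the listed secondaries
};

## pfsense2 (secondary; pfsense3 and pfsense4 differ only in listen-on)
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64_SECRET"; };
server 10.1.0.1 { keys { xfer-key; }; };    # sign every request sent to the primary
options {
    listen-on { 10.2.0.1; };
    allow-query { 10.0.0.0/8; };
    allow-transfer { none; };         # secondaries hand out no copies of the zone
    recursion yes;
};
zone "our-domain.com" {
    type slave;
    masters { 10.1.0.1; };            # pulls the zone on NOTIFY or at the SOA refresh
    file "/var/db/our-domain.com.db";
};
```

    Each site's DHCP server sends its dynamic updates to 10.1.0.1 signed with ddns-key, so a lease registered at one site reaches all four boxes on the next NOTIFY, while clients keep using their local pfsense for lookups.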

  • Our sites are connected over MPLS, so it is like one big Network.

    We don't have so many DNS Records, we only need the Clients (about 120) which are automatically recorded with DHCP and about 30 manually created dns records.

    Is this really such a big problem? I mean, all we need is our 4 pfsense to point to each other for DNS lookup. What happens if I enter a 1st, 2nd, 3rd DNS Server in the pfsense? Is it still that whoever answers the fastest counts? The other 2 are ignored?


  • LAYER 8 Global Moderator

    dude even if it was ask 1st, then ask 2nd – when 1st answers back with NX.. it's not going to go ask the second one.  Even if it did, it would be a horrific setup for efficiency..  Where does it resolve public stuff?  So you have how many dns servers listed.. And you want it to go down the line asking every single 1 every time something needs to be resolved?

    It's not a big problem at all, you just need to understand how dns works and the feature set of the products you're using to correctly set it up.

    Trying to use 4 different dns servers that don't exchange information for same domain is not going to be a good setup.

    You could use subdomains like site1.yourdomain.tld, site2.yourdomain.tld, etc..

    Then when a client in site1 asks for host.site2.yourdomain.tld there could be an override in pfsense site 1 dns forwarder to point to site2 pfsense to resolve it.
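    One way to implement the subdomain approach on the site1 DNS Forwarder (dnsmasq), as an added example that is not from the thread or from pfSense's generated configuration; the `server=/domain/address` lines are what a Domain Override in the GUI corresponds to. Addresses and the 10.<site>.0.0/16 layout are assumed.

```conf
# site1 pfsense, DNS Forwarder (dnsmasq); all addresses and subnet sizes are assumed
domain=site1.our-domain.com           # DHCP leases at this site get names under this subdomain
expand-hosts                          # apply that domain to plain host names from the hosts file
local=/site1.our-domain.com/          # our own subdomain is answered here only, never forwarded

# One override per remote site: a name under site2.* is sent only to pfsense2, and so on.
# A query is routed by its domain, so "fastest server wins" never applies to these names.
server=/site2.our-domain.com/10.2.0.1
server=/site3.our-domain.com/10.3.0.1
server=/site4.our-domain.com/10.4.0.1
# Reverse lookups for the other sites' ranges follow the same rule
server=/2.10.in-addr.arpa/10.2.0.1
server=/3.10.in-addr.arpa/10.3.0.1
server=/4.10.in-addr.arpa/10.4.0.1

# Everything else goes upstream (ISP or public resolvers; placeholder addresses)
server=192.0.2.53
server=192.0.2.54
# Try the upstream servers in the order listed instead of preferring whichever one
# answered fastest last time. An NXDOMAIN from the server asked is still a final answer.
strict-order

# The setting already used in the thread; it also covers the site subdomains, so private
# addresses are accepted for them while rebind protection (if enabled) still blocks them
# in answers for every other domain.
rebind-domain-ok=/our-domain.com/
```

    The same file on pfsense2 uses `domain=site2.our-domain.com` and overrides for sites 1, 3 and 4; clients at every site keep pointing at their local pfsense.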

