Guide on setting up resolver/forwarder for internal and external DNS.



  • Hi Guys,

    Two questions in one, let me paint the picture here..
    We have all read about the purchasing of OpenDNS by Cisco. That's fine by me if they leave the service as is..
    I was happy with the service, although now I suspect the statistics going to be used for marketing.. Not sure, my opinion..

    So I was thinking of setting up my own DNS Server for resolving internal and external names an IP's.
    This way, pfsense connect's to different DNS servers on the web, to get full lists of all current DNS entry's on the internet. And let's say, do a sync every hour for new ones that are created and deleted.

    Next to that, I have multiple locations with the same domain-name, for example client1.newyork.domainX and client1.miami.domainX.
    Resolving of names to IP's works at each location, although not from and to different locations.
    Under Windows Server you have to setup lookup zone's, and reverse lookup zone's. Not sure about pfsense yet..
    I tried "Domain overrides" under DNS forwarders with source IP of pfsense1 to pfsense2. No luck yet.

    Hope this is clear enough and can help some other people trying to do the same setup.
    Please point me to existing documentation or posts about this, if any, or share your thoughts below.
    Thanks in advance!


  • Rebel Alliance Global Moderator

    "to get full lists of all current DNS entry's on the internet. And let's say, do a sync every hour for new ones that are created and deleted."

    Huh???  Clearly you don't understand even basics of how dns works ;)  If think there is some sort of sync for all the new dns entries on the internet..  Really??

    These are not he same domain
    "client1.newyork.domainX and client1.miami.domainX"

    there is clearly a different subdomain.  How is it you think domain forwarder would not work?  Domain over ride is exactly what you would setup here, you need to make sure that pfsense1 can actually talk to the ip your putting in for pfsense2 that has the other sites hosts.  And pfsense2 if queried actually resolves client1.miami or ny.domainx.tld



  • Hi johnpoz,

    Thanks for your reply. The first question about downloading "lists of DNS entry's" to the local pfsense dns-server is a thing that is not very clear with me. I read an article about it years ago. Not specific for a pfsense server.

    About the forwarding of dns entry's, the pfsense machines can talk to each other via IP and there is an firewall rule created so pfsenseSRV1 is allowed to talk to pfsenseSRV2 via port 53 UDP and visa versa.

    If I ping pfsenseSRV1.miami.domainX from client1.newyork.domainX it works and I got the IP for pfsenseSRV1, but if I ping client1.miami.domainX from client1.newyork.domainX it does not work.. Could be Client settings but I think I will have to do some more research and testing. Could also be my strict firewall rules blocking this request.. I will take a look at this and post my results. Thanks!


  • Rebel Alliance Global Moderator

    What does pinging have to do with resolving?

    When you ping your fqdn, do you get back an IP?

    example - this resolved.. but did not ping
    C:>ping pi.local.lan

    Pinging pi.local.lan [192.168.9.31] with 32 bytes of data:
    Reply from 192.168.9.100: Destination host unreachable.

    See it resolved the address of pi.local.lan

    This is not resolving
    C:>ping something.local.lan
    Ping request could not find host something.local.lan. Please check the name and try again.

    There is HUGE freaking difference!!!

    As to what you read about downloading??  No freaking clue - whatever it was you didn't understand it, or it was complete and utter FUD!!  There is no need to check anything in dns every hour, or download anything every so often, etc..  All dns is related to your ttl, this is how long a record is cached after it was looked up from the authoritative name server..  I would really suggest you read a bit about how dns actually works.  Are you thinking of a zone transfer?  There would really be no reason to do this at some period, other servers would be notified on change be the soa ns, etc.  neither unbound or dnsmasq in pfsense support being authoritative for a zone and do zone transfers, etc.  If your thinking of updating of the root hints?

    So where did pfsenseSRV1.miami.domainX resolve from?  Did you put in a host over ride in newyork pfsense, or did you put in a domain over ride?  When you say there is a firewall rule?  Where is this rule, what interface?  How are these 2 connected?  What is the source interface used for the query?  Are you using the forwarder or the resolver, where did you setup the over ride?

    is domainx really a private non used public tld, or is it something like .net or .com ?