Occasional brief loss of DNS forwarder overrides

  • Hi,

    I have a dozen pfsense Captive Portals getting DNS from a single pfsense host 'hub'. The only source of DNS for the portals is the hub, and the only source of DNS for the hub is a pair of external DNS services. The hub has a host override for a particular site.

    Occasionally the portals (and therefore the clients) don't get the override address, instead they get the address as provided by the external DNS services. This happens rarely, maybe once every couple of weeks, and lasts only as long as the address is cached for.

    I run Nagios, and have set up specific tests against the portals and the hub. The hub always returns the correct address, but I guess that's just chance. It's the portals that fail - they'll get the wrong address, then cache it for a while.

    I've added the following advanced options to portals and hub -


    and sure enough the error only persists for five minutes each time.

    I've upgraded from 2.15 to 2.2.6, and the problem remains. For portals and hub all DNS forwarder options are unticked (except 'enable', of course!).

    It's not a major issue - it happens rarely, and reducing the TTL means it doesn't last long. But I would like to fix it if possible.

    Any suggestions?
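One way to catch the "override lost" condition from monitoring, as an added example that is not part of the original post: a small Nagios-style plugin that queries one forwarder for the site's A record, flags when the served address is not the override, and reports how long the stray answer will stay cached. The dig CLI, and the resolver, name and override address handed to it, are assumptions.

```python
#!/usr/bin/env python3
"""Nagios-style check: is a pfSense forwarder still serving a host override?

Added example for this thread, not code from the original posts.
Assumes the dig CLI is installed; resolver addresses, the site name and
the override address are hypothetical placeholders.
"""
import re
import subprocess

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# One line of dig's answer section: name TTL class type rdata
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

# Constructed sample of `dig +noall +answer` output: the override was lost
# and the forwarder is caching an upstream answer for another 287 seconds.
SAMPLE_DIG = "site.example.\t287\tIN\tA\t198.51.100.20\n"


def parse_answers(dig_output):
    """Return [(ttl, ip), ...] for the A records in dig's answer section."""
    records = []
    for line in dig_output.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3)))
    return records


def evaluate(records, expected_ip):
    """Map parsed answers to a Nagios (exit status, message) pair."""
    if not records:
        return UNKNOWN, "no A records returned"
    if {ip for _, ip in records} == {expected_ip}:
        return OK, "override %s served" % expected_ip
    # Override lost: say what was handed out and how long it stays cached.
    stray = [(ttl, ip) for ttl, ip in records if ip != expected_ip]
    ttl = max(t for t, _ in stray)
    ips = ",".join(sorted(ip for _, ip in stray))
    return CRITICAL, "override lost: got %s (cached up to %ds)" % (ips, ttl)


def check(resolver, name, expected_ip):
    """Query one forwarder with dig and evaluate what it served."""
    proc = subprocess.run(["dig", "+noall", "+answer", "@" + resolver, name, "A"],
                          capture_output=True, text=True, timeout=10)
    return evaluate(parse_answers(proc.stdout), expected_ip)
```

Run `check("<portal-ip>", "site.example", "<override-ip>")` per portal and per hub from the Nagios plugin wrapper; a CRITICAL on a portal while the hub stays OK matches the pattern described above.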

  • Hi,

    I notice the same things with mine. Sometimes the external IP address comes back instead of being overridden by DNS Forwarder. (only 1 pfsense, 15+ virtual LANs, 30+ host overrides)

    Did you notice this trouble appears some hours after you apply a new host override? Sometimes I think the DNS forwarder service didn't reload/restart fine?

    TTL may be a nice first patch. => I understand it's not the first time you think networks :), well done!


  • maybe a way: have you all your network interfaces enabled for DNS forwarder? Not mine.

    I had a few DNS cache "corruptions" this afternoon and I think one of my subnetworks which queries pfsense DNS without DNS forwarder enabled could corrupt the pfsense cache for the other subnetworks. Could it be right?

    I changed DNS forwarder to listen on all my subnetworks... result coming soon :)
