The DNS Forwarder in pfSense is a caching DNS resolver that employs the
dnsmasq daemon. It is disabled by default in current versions, with the
DNS Resolver (
unbound) being active by default instead. The DNS
Forwarder will remain enabled on older systems or upgraded systems where it was
The DNS Forwarder uses DNS servers configured at System > General Setup, or those obtained automatically from an ISP for dynamically configured WAN interfaces (DHCP, PPPoE, PPTP). For static IP address WAN connections, DNS servers must be entered at System > General Setup or during the setup wizard for the DNS forwarder to function. Statically configured DNS servers may also be used with dynamically configured WAN interfaces by unchecking the Allow DNS server list to be overridden by DHCP/PPP on WAN box on the System > General Setup page.
By default, the DNS Forwarder queries all DNS servers at once, and the only the first response received is used and cached. This results in much faster DNS service from a client perspective, and can help smooth over problems that stem from DNS servers which are intermittently slow or have high latency, especially in Multi-WAN environments. This behavior can be disabled by activating the Query DNS servers sequentially option.
DNS Forwarder and IPv6¶
The DNS Forwarder is fully compatible with IPv6. It accepts and makes queries on IPv6, supports AAAA records, and has no known issues with any aspect of IPv6 and handling DNS.
DNS Forwarder Configuration¶
To configure the DNS Forwarder, navigate to Services > DNS Forwarder
The available options for the DNS Forwarder are:
Checking this box turns on the DNS Forwarder, or uncheck to disable this functionality. The DNS Forwarder and DNS Resolver cannot both be active at the same time on the same port, so disable the DNS Resolver or move one service or the other to a different port before attempting to enable the DNS Forwarder.
When active, internal machine names for DHCP clients can be resolved using DNS. This only works for clients that specify a hostname in their DHCP requests. The domain name from System > General Setup is used as the domain name on the hosts.
This works the same as Register DHCP leases in DNS forwarder, except that it registers the DHCP static mapping addresses instead.
When one IP address has multiple hostnames, doing a reverse lookup
may give an unexpected result if one of the hostname is in host overrides and
the system uses another hostname over DHCP. Checking this option will place
the DHCP obtained hostnames above the static mappings in the hosts file on
the firewall, causing them to be consulted first. This only affects reverse
lookups (PTR), since they only return the first result and not multiple. For
example, this would yield a result of
|Query DNS servers sequentially:|
By default, the firewall queries all DNS servers simultaneously and uses the fastest result. This isn’t always desirable, especially if there is a local DNS server with custom hostnames that could by bypassed by using a faster but public DNS server. Checking this option causes queries to be made to each DNS server in sequence from the top down, and the firewall waits for a timeout before moving on to the next DNS server in the list.
Requires a domain name on hostnames to be forwarded to upstream DNS servers. Hosts without a name will still be checked against host overrides and DHCP results, but they will not be queried against the name servers configured on the firewall. Instead, if a short hostname does not exist locally, an NXDOMAIN result (“Not Found”) is returned to the client.
|Do not forward private reverse lookups:|
When checked, this option prevents
By default, the DNS Forwarder listens on TCP and UDP port
By default, the DNS Forwarder listens on every available interface and all available IPv4 and IPv6 addresses. The Interface control limits the interfaces where the DNS forwarder will accept and answer queries. This can be used to increase security in addition to firewall rules. If a specific interface is selected, both the IPv4 and IPv6 addresses on that interface will be used for answering queries. Queries sent to other IP addresses on the firewall will be silently discarded.
|Strict Interface Binding:|
When set, the DNS forwarder will only bind to the interfaces containing the IP addresses selected in the Interface control, rather than binding to all interfaces and discarding queries to other addresses. This can be used similarly to the Listen Port for controlling the way that the service binds so that it can coexist with other DNS services that have similar options.
This option is not compatible with IPv6 in the current version of
the DNS Forwarder daemon,
Custom dnsmasq configuration parameters that are not configurable in the GUI can
be placed in Advanced Options. For example, to set a lower TTL for DNS
max-ttl=30. Or craft a wild card DNS record to resolve
220.127.116.11 by specifying
Separate commands by either a space or a newline. For more information on the possible parameters that may be used, consult the dnsmasq documentation.
Host override entries provide a means to configure customized DNS entries. The configuration is identical to Host Overrides in the DNS Resolver, refer there for details.
Domain overrides configure an alternate DNS server to use for resolving a specific domain. The configuration is identical to Domain Overrides in the DNS Resolver, with some slight differences:
|Domain:||The Domain field sets the domain name that will be resolved using this
entry. This does not have to be a valid TLD, it can be anything (e.g.
|IP Address:||This field can be used in one of three ways. First, it can be used
to specify the IP Address of the DNS server to which the queries for
hostnames in Domain are sent. Second, it can be used to override another
entry by entering
|Source IP:||This field is optional, and primarily used to contact a DNS server across a VPN. Typically only specific local IP addresses are able to traverse a VPN, this field specifies which IP address on the firewall is used to source the DNS so the queries will pass properly.|
|Description:||A text description used to identify or give more information about this entry.|
DNS Forwarder and Multi-WAN¶
The DNS Forwarder is fully compatible with Multi-WAN. Configure at least one DNS server per WAN gateway under System > General Setup.
DNS Forwarder and DNS Rebinding Protection¶
By default, DNS Rebinding protection is enabled and private IP address responses are rejected. To allow private IP address responses from a known domain, use the Advanced Options box in the DNS Forwarder settings to configure allowed domains as follows: