The DNS Forwarder in pfSense® software is a caching DNS resolver that employs
dnsmasq daemon. It is disabled by default in current versions, with the
DNS Resolver (
unbound) being active by default instead. The DNS
Forwarder will remain enabled on older systems or upgraded systems where it was
The DNS Forwarder uses DNS servers configured at System > General Setup, or those obtained automatically from an ISP for dynamically configured WAN interfaces (DHCP, PPPoE, PPTP). For static IP address WAN connections, DNS servers must be entered at System > General Setup or during the setup wizard for the DNS forwarder to function. Statically configured DNS servers may also be used with dynamically configured WAN interfaces by unchecking the Allow DNS server list to be overridden by DHCP/PPP on WAN box on the System > General Setup page.
By default, the DNS Forwarder queries all DNS servers at once, and the only the first response received is used and cached. This results in much faster DNS service from a client perspective, and can help smooth over problems that stem from DNS servers which are intermittently slow or have high latency, especially in Multi-WAN environments. This behavior can be disabled by activating the Query DNS servers sequentially option.
DNS Forwarder and IPv6¶
The DNS Forwarder is fully compatible with IPv6. It accepts and makes queries on IPv6, supports AAAA records, and has no known issues with any aspect of IPv6 and handling DNS.
DNS Forwarder Configuration¶
To configure the DNS Forwarder, navigate to Services > DNS Forwarder
The available options for the DNS Forwarder are:
Checking this box turns on the DNS Forwarder, or uncheck to disable this functionality. The DNS Forwarder and DNS Resolver cannot both be active at the same time on the same port, so disable the DNS Resolver or move one service or the other to a different port before attempting to enable the DNS Forwarder.
- DHCP Registration
When active, internal machine names for DHCP clients can be resolved using DNS. This only works for clients that specify a hostname in their DHCP requests. The domain name from System > General Setup is used as the domain name on the hosts.
- Static DHCP
This works the same as Register DHCP leases in DNS forwarder, except that it registers the DHCP static mapping addresses instead.
- Prefer DHCP
When one IP address has multiple hostnames, doing a reverse lookup may give an unexpected result if one of the hostname is in host overrides and the system uses another hostname over DHCP. Checking this option will place the DHCP obtained hostnames above the static mappings in the hosts file on the firewall, causing them to be consulted first. This only affects reverse lookups (PTR), since they only return the first result and not multiple. For example, this would yield a result of
labserver01.example.com, a test server’s DHCP obtained IP address, rather than a host override name of
testwww.example.comthat would be returned otherwise.
- Query DNS servers sequentially
By default, the firewall queries all DNS servers simultaneously and uses the fastest result. This isn’t always desirable, especially if there is a local DNS server with custom hostnames that could by bypassed by using a faster but public DNS server. Checking this option causes queries to be made to each DNS server in sequence from the top down, and the firewall waits for a timeout before moving on to the next DNS server in the list.
- Require domain
Requires a domain name on hostnames to be forwarded to upstream DNS servers. Hosts without a name will still be checked against host overrides and DHCP results, but they will not be queried against the name servers configured on the firewall. Instead, if a short hostname does not exist locally, an NXDOMAIN result (“Not Found”) is returned to the client.
- Do not forward private reverse lookups
When checked, this option prevents
dnsmasqfrom making reverse DNS (PTR Record) lookups for RFC1918 private IP addresses to upstream name servers. It will still return results from local entries. It is possible to use a domain override entry for the reverse lookup zone, e.g.
1.168.192 .in-addr.arpa, so that queries for a specific subnet will still be sent to a specific DNS server.
- Listen Port
By default, the DNS Forwarder listens on TCP and UDP port
53. This is normal for any DNS server, as it is the port clients will try to use. There are some cases where moving the DNS Forwarder to another Listen Port, such as 5353 or 54 is desirable, and then specific queries may be forwarded there via port forwards.
By default, the DNS Forwarder listens on every available interface and all available IPv4 and IPv6 addresses. The Interface control limits the interfaces where the DNS forwarder will accept and answer queries. This can be used to increase security in addition to firewall rules. If a specific interface is selected, both the IPv4 and IPv6 addresses on that interface will be used for answering queries. Queries sent to other IP addresses on the firewall will be silently discarded.
- Strict Interface Binding
When set, the DNS forwarder will only bind to the interfaces containing the IP addresses selected in the Interface control, rather than binding to all interfaces and discarding queries to other addresses. This can be used similarly to the Listen Port for controlling the way that the service binds so that it can coexist with other DNS services that have similar options.
This option is not compatible with IPv6 in the current version of the DNS Forwarder daemon,
dnsmasq. If this is checked, the dnsmasq process will not bind to any IPv6 addresses.
Custom dnsmasq configuration parameters that are not configurable in the GUI can
be placed in Advanced Options. For example, to set a lower TTL for DNS
max-ttl=30. Or craft a wild card DNS record to resolve
184.108.40.206 by specifying
Separate commands by either a space or a newline. For more information on the possible parameters that may be used, consult the dnsmasq documentation.
Host override entries provide a means to configure customized DNS entries. The configuration is identical to Host Overrides in the DNS Resolver, refer there for details.
Domain overrides configure an alternate DNS server to use for resolving a specific domain. The configuration is identical to Domain Overrides in the DNS Resolver, with some slight differences:
The Domain field sets the domain name that will be resolved using this entry. This does not have to be a valid TLD, it can be anything (e.g.
lab), or it can be an actual domain name (
- IP Address
This field can be used in one of three ways. First, it can be used to specify the IP Address of the DNS server to which the queries for hostnames in Domain are sent. Second, it can be used to override another entry by entering
#. For example, to forward
220.127.116.11, but have
lab.example.comforward on to the standard name servers, enter a
#in this field. Third, it can be used to prevent non- local lookups by entering a
!. If host override entries exist for
mail.example.org, but other lookups for hosts under example.org must not be forwarded on to remote DNS servers, enter a
!in this field.
- Source IP
This field is optional, and primarily used to contact a DNS server across a VPN. Typically only specific local IP addresses are able to traverse a VPN, this field specifies which IP address on the firewall is used to source the DNS so the queries will pass properly.
A text description used to identify or give more information about this entry.
DNS Forwarder and Multi-WAN¶
The DNS Forwarder is fully compatible with Multi-WAN. Configure at least one DNS server per WAN gateway under System > General Setup.
DNS Forwarder and DNS Rebinding Protection¶
By default, DNS Rebinding protection is enabled and private IP address responses are rejected. To allow private IP address responses from a known domain, use the Advanced Options box in the DNS Forwarder settings to configure allowed domains as follows: