DNS Forwarder Configuration

To configure the DNS Forwarder, navigate to Services > DNS Forwarder

The available options for the DNS Forwarder are:


Controls whether or not the DNS Forwarder service is enabled.

Checking this box turns on the DNS Forwarder, or uncheck to disable this service.

Two DNS services cannot both be active at the same time on the same ports. This includes, but is not limited to, the DNS Resolver, the DNS Forwarder, and the BIND package. Ensure other services are disabled or moved to different ports before attempting to enable the DNS Forwarder.

DHCP Registration

Controls whether or not internal machine names for DHCP clients are registered in the DNS Forwarder. The domain name from System > General Setup is used as the domain name on the hosts.

This feature allows systems using the DNS Forwarder as their DNS server to resolve these names using DNS.


This only works for clients that specify a hostname in their DHCP requests.

Static DHCP

This works the same as Register DHCP leases in DNS forwarder, except that it registers the DHCP static mapping addresses.

Prefer DHCP

Controls whether DNS records from DHCP sources are returned before host overrides if both use the same name.

When one IP address has multiple hostnames, doing a reverse lookup may give an unexpected result if one of the hostname is in host overrides and the system uses another hostname over DHCP. Checking this option will place the DHCP obtained hostnames above the static mappings in the hosts file on the firewall, causing them to be consulted first.

This only affects reverse lookups (PTR), since they only return the first result and not multiple. For example, this would yield a result of labserver01.example.com, a test server DHCP obtained IP address, rather than a host override name of testwww.example.com that would be returned otherwise.

Query DNS servers sequentially

Controls whether the DNS Forwarder queries all DNS servers at the same time, or in sequence.

By default the firewall queries all DNS servers simultaneously and uses the fastest result. This is not always desirable, especially if there is a local DNS server with custom hostnames that could by bypassed if a faster public DNS server replies first.

Checking this option causes queries to be made to each DNS server in sequence from the top down, and the firewall waits for a timeout before moving on to the next DNS server in the list. This results in more predictable responses but may be considerably slower if a server high in the list is unreachable.

Require domain

Controls whether or not the DNS Forwarder requires a domain name on hostnames to be forwarded to upstream DNS servers.

When checked, hosts without a domain name will still be checked against host overrides and DHCP results, but they will not be queried against name servers. If a short hostname does not exist locally, an NXDOMAIN result (“Not Found”) is returned to the client.

Do not forward private reverse lookups

Controls whether or not the DNS Forwarder will make reverse DNS (PTR Record) lookups for RFC1918 private IP addresses to upstream name servers.

The DNS Forwarder will still return results from local entries in either case.


Use a domain override entry for the reverse lookup zone, e.g. 1.168.192.in-addr.arpa, to make the DNS Forwarder send queries for a specific subnet to a DNS server.

Listen Port

The TCP and UDP port on which the DNS Forwarder will listen for queries from clients. By default this is port 53. This is the normal port for any DNS server, as it is the port expected by clients.

Certain use cases may involve moving the DNS Forwarder to another Listen Port, such as 5353 or 54, and then specific sources may be forwarded there via port forwards.


The network interface(s) to which the DNS Forwarder will bind when listening for queries from clients.

By default the DNS Forwarder listens on every available interface and IPv4 and IPv6 address. This option limits the interfaces where the DNS Forwarder will accept and answer queries. This can be used to increase security in addition to firewall rules.

If specific interfaces are selected, both the IPv4 and IPv6 addresses on those interfaces will be used for answering queries. Queries sent to other IP addresses on the firewall will be silently discarded.

Strict Interface Binding

Controls how the dnsmasq daemon binds to interfaces when deciding how to handle queries.

When set, the DNS forwarder will only bind to the interfaces containing the IP addresses selected in the Interface control, rather than binding to all interfaces and discarding queries to other addresses.

This can be used similarly to the Listen Port for controlling the way that the service binds so that it can coexist with other DNS services that have similar options.


This option is not compatible with IPv6. If this is checked, the dnsmasq daemon will not bind to any IPv6 addresses.

Advanced Options

Custom dnsmasq configuration parameters that are not configurable in the GUI can be placed in Advanced Options. Separate each command by either a space or a newline.

For example, to set a lower TTL for DNS records:


To craft a wildcard DNS record resolving *.lab.example.com to


See also

For more information on the possible parameters that may be used, consult the dnsmasq documentation.