
DNS Resolver Access Lists

Unbound requires access lists (ACLs) to control which clients are allowed to submit queries. By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. Additional networks must be allowed manually.


The automatic ACLs may be disabled using the Disable Auto-added Access Control option on the Advanced Settings tab.

To manage Access Lists for the DNS Resolver, navigate to Services > DNS Resolver, Access Lists tab. From this list, new entries may be added and existing entries may be edited or deleted.

When adding or editing an entry, the following options are available:

Access List Name

The name for the Access List, which appears as a comment in the access list configuration file.


Action

Method for handling the networks contained in this Access List:

Deny

Stops queries from clients in the configured networks.

Refuse

Stops queries from clients in the configured networks and sends back a REFUSED response code.

Allow

Allows queries from clients in the configured networks.

Allow Snoop

Allows recursive and nonrecursive queries from clients in the configured networks, used for cache snooping, and typically only configured on administrative hosts.


Description

A longer text field for reference notes about this entry.

Networks

A list of networks to be governed by this access list entry.
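
An added example, not part of the pfSense documentation or code: a short Python audit of Unbound `access-control:` lines, the form these Access List entries take in the resolver configuration. It resolves which action applies to a client by most specific netblock and flags broad allow or allow_snoop entries; the sample entries, the comment-as-name layout and the `INTERNAL` ranges are assumptions.

```python
import ipaddress

# Constructed sample; assumes each entry's name is the comment line above it.
SAMPLE_CONF = """\
# LAN clients
access-control: 192.168.1.0/24 allow
# Guest VLAN
access-control: 192.168.50.0/24 refuse
# Admin workstation
access-control: 192.168.1.10/32 allow_snoop
# Lab
access-control: 10.0.0.0/8 allow_snoop
# Temporary test
access-control: 0.0.0.0/0 allow
"""

# Address space treated as internal for this audit (an assumption; adjust per site).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def parse_acl(text):
    """Return (network, action, name) tuples from access-control lines."""
    entries, name = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            name = line.lstrip("# ")
        elif line.startswith("access-control:"):
            net, action = line.split(":", 1)[1].split()
            entries.append((ipaddress.ip_network(net), action, name))
            name = ""
    return entries

def effective_action(entries, client):
    """Action of the most specific matching netblock, or None if nothing matches."""
    ip = ipaddress.ip_address(client)
    hits = [e for e in entries if e[0].version == ip.version and ip in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None

def audit(entries):
    """Flag entries that answer more clients than the action's purpose needs."""
    findings = []
    for net, action, name in entries:
        internal = any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)
        if action in ("allow", "allow_snoop") and not internal:
            findings.append((name, str(net), "answers clients outside internal space"))
        if action == "allow_snoop" and net.num_addresses > 1:
            findings.append((name, str(net), "cache snooping open to a whole network"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_acl(SAMPLE_CONF)):
        print(finding)
```

On the constructed sample the audit reports the `10.0.0.0/8` allow_snoop entry and the `0.0.0.0/0` allow entry, while the single-host allow_snoop entry for the administrative workstation passes.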