On pfSense, DNS resolution is handled by two components: the DNS Resolver and the DNS Forwarder.
The DNS Resolver resolves domain names into IP addresses and caches the responses.
It supports DNS over TLS, DNSSEC (signed DNS zones) and many other options.
Client machines can then resolve domain names by using the pfSense IP address as their primary DNS server, which is the default when they obtain their configuration from the pfSense DHCP server.
To configure the DNS Resolver, go to: Services -> DNS Resolver.
Source: DNS Resolver | pfSense Documentation.
For the DNS Resolver, you can configure the settings:
Source: DNS Resolver Configuration | pfSense Documentation.
At the bottom of the page, you will find a "Host Overrides" section that lets you change the DNS response for a specific domain name (or subdomain).
This can be useful for blocking access to specific websites, although a user can still bypass this protection by typing the IP address of the site directly or by editing their "hosts" file (if they have the rights to modify it).
Source: Host Overrides | pfSense Documentation.
Just below, you will also find a "Domain Overrides" section.
This one lets you resolve specific domains using specific DNS servers.
It can be used, for example, to resolve the domain names of an Active Directory infrastructure through the relevant Active Directory domain controller.
This is primarily used to resolve internal domain names from remote sites (via a VPN tunnel).
It allows the DNS zones to be managed only at the company headquarters, while each site (geographic location) caches responses to speed up access to frequently requested DNS records.
Source: Domain Overrides | pfSense Documentation.
When you want to add a Host Override, a "Host Override Options" form will appear where you can specify the settings:
When you want to add a Domain Override, a "Domains to Override with Custom Lookup Servers" form will appear where you can specify the settings:
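As an added example (not code from the original article or from the pfSense project), the following Python renders Host Override and Domain Override entries in the syntax of Unbound, the resolver software behind the pfSense DNS Resolver, and validates the names and addresses before emitting anything. The `local-data`, `local-data-ptr` and `forward-zone` directives are real Unbound syntax; the function names, the hostname rule, the `ip@port` handling (the form Unbound's `forward-addr` accepts) and the sample entries are constructed for this example, and the file layout pfSense itself generates is not shown here.

```python
from __future__ import annotations

import ipaddress
import re

# Label syntax (RFC 1123 hostnames): 1-63 chars, alphanumeric or hyphen,
# not starting or ending with a hyphen. Constructed for this example.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_fqdn(name: str) -> bool:
    """True if name is a syntactically valid DNS name (trailing dot allowed)."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def render_host_override(host: str, domain: str, ip: str, description: str = "") -> str:
    """Render one Host Override as Unbound local-data lines.

    host and domain are the two fields of the Host Override form; an empty
    host overrides the bare domain. Emits A or AAAA data depending on ip.
    A reverse (PTR) entry is added unless the address is the 0.0.0.0 / ::
    sinkhole commonly used to block a name.
    """
    fqdn = (f"{host}.{domain}" if host else domain).rstrip(".")
    if not valid_fqdn(fqdn):
        raise ValueError(f"invalid hostname: {fqdn!r}")
    addr = ipaddress.ip_address(ip)            # raises ValueError on bad input
    rrtype = "A" if addr.version == 4 else "AAAA"
    lines = []
    if description:
        lines.append(f"# {description}")
    lines.append(f'local-data: "{fqdn}. {rrtype} {addr}"')
    if not addr.is_unspecified:
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return "\n".join(lines)


def render_domain_override(domain: str, servers: list[str]) -> str:
    """Render one Domain Override as an Unbound forward-zone stanza.

    servers are "ip" or "ip@port" strings (Unbound's forward-addr notation
    for a lookup server on a non-standard port).
    """
    domain = domain.rstrip(".")
    if not valid_fqdn(domain):
        raise ValueError(f"invalid domain: {domain!r}")
    if not servers:
        raise ValueError("a Domain Override needs at least one lookup server")
    out = ["forward-zone:", f'    name: "{domain}."']
    for server in servers:
        ip, _, port = server.partition("@")
        ipaddress.ip_address(ip)               # validate the address part
        if port and not (port.isdigit() and 1 <= int(port) <= 65535):
            raise ValueError(f"invalid port in {server!r}")
        out.append(f"    forward-addr: {server}")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample entries using documentation / private addresses only.
    print(render_host_override("intranet", "example.com", "192.0.2.10", "internal web server"))
    print(render_host_override("tracker", "example.net", "0.0.0.0", "blocked name"))
    print(render_domain_override("ad.example.com", ["10.0.0.5", "10.0.0.6@5353"]))
```

Rejecting malformed names and addresses before they reach the resolver configuration matters because a single bad line prevents Unbound from reloading, which takes DNS down for every client that points at the firewall.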
To resolve domain names that exist on the Internet, pfSense can also redirect DNS queries to other DNS servers with its DNS Forwarder, which is based on the dnsmasq daemon.
Note that the DNS Forwarder only forwards DNS queries to other DNS servers (those specified in "System -> General Setup" and those obtained dynamically on the WAN interface via DHCP, PPPoE, ...).
The DNS Forwarder also caches the responses it receives, to speed up responses for future clients making the same DNS requests.
To configure the DNS Forwarder, go to: Services -> DNS Forwarder.
Source: DNS Forwarder | pfSense Documentation.
The "DNS Forwarder" page opens with a "General DNS Forwarder Options" section where you can configure the settings:
Note that the DNS Forwarder will only be used by the pfSense DNS Resolver if the "DNS Query Forwarding" option is enabled in the DNS Resolver configuration.
Once again, you will find the "Host Overrides" and "Domain Overrides" sections, which are also available for the DNS Resolver and work in the same way.
For more information on these two sections, refer to the explanations given earlier for the DNS Resolver.
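The article describes three places a query can be answered from: a Host Override, a Domain Override, or the upstream servers the forwarder sends everything else to. The following Python model, added here as an illustration and not part of the article or of pfSense, shows the precedence a practitioner should expect when the three overlap: an exact host override wins, then the most specific (longest matching) domain override, then the general upstream servers. Matching is done on whole labels, so an override for `example.com` does not catch `notexample.com`. The class, its method names and the sample data are constructed; the "most specific zone wins" rule is how Unbound selects among `forward-zone` entries, and the rest of the ordering is an assumption drawn from the article's description.

```python
from __future__ import annotations

from dataclasses import dataclass, field


def _norm(name: str) -> str:
    """Canonical form for comparisons: no trailing dot, lower case."""
    return name.rstrip(".").lower()


@dataclass
class ResolverPolicy:
    """Constructed model of a pfSense-style resolver's lookup order.

    host_overrides  : fqdn -> address to answer with (Host Overrides form)
    domain_overrides: zone -> lookup servers for that zone (Domain Overrides form)
    upstreams       : general DNS servers (System -> General Setup / WAN DHCP)
    """
    host_overrides: dict[str, str] = field(default_factory=dict)
    domain_overrides: dict[str, list[str]] = field(default_factory=dict)
    upstreams: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Normalise keys once so lookups ignore case and trailing dots.
        self.host_overrides = {_norm(k): v for k, v in self.host_overrides.items()}
        self.domain_overrides = {_norm(k): list(v) for k, v in self.domain_overrides.items()}

    def route(self, qname: str) -> tuple[str, str | None, list[str]]:
        """Return (source, matched_name, targets) for a query name.

        source is "host-override", "domain-override" or "upstream";
        targets is the answer address for a host override, otherwise the
        servers the query is sent to.
        """
        q = _norm(qname)
        if q in self.host_overrides:
            return ("host-override", q, [self.host_overrides[q]])
        # Walk up the name one label at a time; the first hit is the most
        # specific zone, which is the one Unbound's forward-zone selection uses.
        labels = q.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.domain_overrides:
                return ("domain-override", zone, self.domain_overrides[zone])
        return ("upstream", None, list(self.upstreams))


# Constructed sample policy: one host override, a domain override for the
# company zone and a more specific one for a sub-zone, plus an upstream server.
SAMPLE_POLICY = ResolverPolicy(
    host_overrides={"Intranet.example.com.": "192.0.2.10"},
    domain_overrides={"example.com": ["10.0.0.5"], "corp.example.com": ["10.0.1.5"]},
    upstreams=["198.51.100.53"],
)

if __name__ == "__main__":
    for name in ["INTRANET.example.com.", "dc1.corp.example.com",
                 "www.example.com", "notexample.com"]:
        print(name, "->", SAMPLE_POLICY.route(name))
```

The `corp.example.com` case is the one to check when troubleshooting remote sites over a VPN: if the broader `example.com` override pointed at headquarters were matched first, queries for the sub-zone would leave the site even though a closer server exists.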
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.