Pfsense DNS Resolver Not Working [Troubleshooting Guide]

Is your Pfsense DNS resolver not working? If so, we are here to help. Pfsense is a fantastic, free, and highly capable firewall solution, but sometimes things don’t go as planned and name resolution through the firewall stops working.
When your Pfsense DNS resolver is not working, it can be frustrating. The good news is that the cause is usually a setting in the firewall or a problem with the DNS servers themselves.
A good first step is to double-check your settings and run some simple tests from the firewall administration page and from a client PC. If that doesn’t solve it, you can always fall back on Google’s public DNS servers.
There are times, though, when your pfSense firewall has a hard time getting clients to reach DNS servers.
In this article, we walk you through the reasons why your firewall may not be able to connect to your desired DNS servers, and we go over the most common solutions to the problem.

Pfsense DNS Resolver Not Working – Troubleshooting DNS Resolution Issues

Step 1: Open the web interface

Step 2: Navigate to Diagnostics

Step 3: Navigate to Ping

Step 4: Enter the ISP gateway address.

If you aren’t sure about the gateway address, you can always put in a known-good DNS server. Google has several free DNS servers that everyone in the world is welcome to use. The IP addresses for Google’s DNS servers are 8.8.8.8 or 8.8.4.4. If the firewall can ping that address, then perform the same test from the client PC:

Step 1: Open a command prompt

Step 2: Type the following command:

ping 8.8.8.8

Step 3: Press Enter

If you are able to ping the IP address from the client machine, next try pinging a hostname instead, such as www.yahoo.com or www.amazon.com.

Try that from the firewall GUI and also from the client PC. If you can ping the IP address but not the domain names, then you definitely have a DNS resolution problem to take care of.

Pfsense DNS Resolver Not Working – Check Your DNS Server Settings

If DNS resolution isn’t working on the firewall, check which DNS services are enabled and how they are configured. In pfSense’s default configuration, the DNS Resolver runs in a mode that does not require any specific DNS servers to be entered.

In this configuration, pfSense queries the root servers and other authoritative servers directly. This is in contrast to older and upgraded installations, which by default use the DNS Forwarder, which requires DNS servers to be entered unless they are acquired over a dynamic WAN connection such as DHCP or PPPoE.

If the firewall is unable to resolve hostnames even though the DNS Resolver is active, that may be a sign that no traffic is getting through on the WAN port, so check your internet connection.

Another possibility is that your WAN equipment or some other piece of upstream network gear is, for whatever reason, not passing DNS traffic in a way that is compatible with DNSSEC.

A Pfsense DNS resolver not working can bring a business to its knees. An issue with your DNS servers can cause cascading problems that propagate throughout your entire network.

Pfsense DNS Resolver Not Working – Disable DNSSEC

One thing you can do is disable DNSSEC, using the option in the firewall’s DNS Resolver settings. Whether resolution starts working with DNSSEC disabled tells you whether upstream DNSSEC handling is the problem.

It is also possible that your ISP filters DNS requests and requires the use of specific DNS server addresses for you to get an internet connection. To resolve this, enter those DNS servers and then enable forwarding mode.

In pfSense, you can find the DNS server settings by clicking ‘System’ and then clicking ‘General Setup.’ You can also see them if you click Status and then click Interfaces.

Also, use ping to confirm that the DNS servers are reachable. If the firewall can reach the gateway address but has trouble communicating with the DNS servers, you may need to contact your internet service provider to double-check those DNS addresses.

If your DNS servers are obtained over DHCP or PPPoE and the firewall is unable to reach them, then you will definitely need to contact your ISP. There is, of course, always the option to use Google’s public DNS addresses. Remember, those IP addresses are 8.8.8.8 and 8.8.4.4. They will always work.

Pfsense DNS Resolver Not Working – Try Pinging The DNS Server

If you can ping the DNS server from the firewall web interface but not from a client PC, then there is a chance that you have an issue with the DNS Resolver or Forwarder configuration in the firewall settings. It could also be the client configuration or the firewall’s rules.

Remember that, by default, the DNS Resolver handles all DNS queries for clients behind the firewall. So if the client PC is configured with DHCP, it is handed the IP address of the firewall interface it is connected to as its DNS server, unless that has been manually changed beforehand.

For instance, if the firewall’s IP address is 192.168.1.1, then the client’s DNS server should also be set to 192.168.1.1. If the DNS Forwarder and DNS Resolver are turned off, you can adjust which DNS servers are assigned to DHCP clients on your network by going to Services and then clicking DHCP Server.

When neither the DNS Forwarder nor the DNS Resolver is enabled, the system DNS servers are assigned directly to the client machines. So if a client PC has a static IP address, make sure it also has the proper DNS servers entered: either the firewall’s IP address or an alternate DNS server such as Google’s.

Another scenario that may cause your DNS to work from the firewall admin page but not a client machine is an incorrectly configured firewall ruleset on the LAN.

To check, go to the Firewall tab, click Status, and then click System Logs to see whether a blocked connection from the local client to a DNS server appears in the log.

If that’s the case for you, add a firewall rule at the top of the LAN rules for the interface on which you want to allow connections to the DNS servers. Set the port for the rule to TCP and UDP port 53.
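The log check above can be automated. The following is an added example, not code from the article or from pfSense itself; it assumes the log lines are in pfSense’s filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 header fields, source, destination and ports), and the sample lines are constructed, not captured from a real firewall. It reports blocked inbound TCP/UDP traffic to port 53 per client, destination and rule, which is exactly what you need to know before adding the LAN pass rule.

```python
"""Scan pfSense filterlog lines for client DNS traffic blocked by the ruleset."""
import re
from collections import Counter

# Constructed sample log lines (not from a real firewall) in filterlog CSV layout.
# Lines 1 and 2: LAN client blocked on udp/53 and tcp/53 by rule 5.
# Line 3: HTTPS passed by rule 7.  Line 4: ICMP blocked (no port fields).
SAMPLE_LOG = """\
Aug 14 14:34:55 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.50,8.8.8.8,52345,53,40
Aug 14 14:34:56 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,192.168.1.1,41000,53,0,S,123456,,65535,,mss
Aug 14 14:34:57 pfSense filterlog[12345]: 7,,,1000000108,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,41001,443,0,S,123457,,65535,,mss
Aug 14 14:34:58 pfSense filterlog[12345]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,1,icmp,84,192.168.1.50,8.8.8.8,datalength=64
"""

_PREFIX = re.compile(r"filterlog\[\d+\]:\s*(.*)$")

def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it cannot be parsed.
    Only TCP/UDP entries carry the port fields needed for the DNS check."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 20 or f[8] != "4":          # field 8 is the IP version
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
           "dir": f[7], "proto": f[16], "src": f[18], "dst": f[19]}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = f[20], f[21]
    return rec

def blocked_dns(log_text):
    """Yield records for inbound TCP/UDP traffic to port 53 that was blocked."""
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["dir"] == "in" \
                and rec.get("dport") == "53":
            yield rec

def summarize(log_text):
    """Count blocked DNS attempts per (interface, client, resolver, proto, rule)."""
    return Counter((r["iface"], r["src"], r["dst"], r["proto"], r["rule"])
                   for r in blocked_dns(log_text))

if __name__ == "__main__":
    for (iface, src, dst, proto, rule), n in summarize(SAMPLE_LOG).items():
        print(f"{n}x blocked {proto}/53 on {iface}: {src} -> {dst} (rule {rule})")
```

Feed it the output of the firewall log (for example, exported from the System Logs page) and any non-zero result tells you which interface and rule tracker is blocking the client’s DNS traffic.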

Conclusion

A Pfsense DNS resolver not working can make for a really bad day. It can be frustrating when you have tried everything and still nothing works. That’s why it is helpful to know the ins and outs of the settings and commands, so that you can get your firewall up and running properly again.
Usually, when a Pfsense DNS resolver is not working, it’s a simple setting either on the client PC or on the firewall end. Make sure to double-check all your settings, and never underestimate the process of elimination: use other computers, other devices, and even other DNS servers to find out where the problem lies.