Pfsense DNS Resolver Not Working – Troubleshooting DNS Resolution Issues
Step 1: Open the web interface
Step 2: Navigate to Diagnostics
Step 3: Navigate to Ping
Step 4: Enter the ISP gateway address.
If you aren’t sure about the gateway address, you can always put in a known-good DNS server. Google has several free DNS servers that everyone is welcome to use; their IP addresses are 8.8.8.8 and 8.8.4.4. If the firewall can ping that address, then perform the same test from the client PC:
Step 1: Open a command prompt
Step 2: Type the following command:
ping 8.8.8.8
Step 3: Press Enter
If the client machine can ping that IP address, next try pinging a website name instead, such as www.yahoo.com or www.amazon.com.
Try that from the firewall GUI and from the client PC. If you can ping the IP address but not the domain names, there is a DNS resolution problem that you have to take care of.
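The two-stage test above, as an added example that is not from the article: it pings the known-good IP, then resolves the known-good name, and adds one extra probe (a query sent straight to 8.8.8.8, bypassing the configured resolver) so that a DNS failure can be split into "the resolver/forwarder path on my side is broken" and "nothing gets an answer upstream", the two cases the later sections deal with. The probe targets are the article's; the helper functions and exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: ping-the-IP, ping-the-name, then one
# direct query to a public resolver. Run from a client or the pfSense shell.

PROBE_IP="8.8.8.8"          # known-good address from the article
PROBE_NAME="www.yahoo.com"  # known-good hostname from the article

# ping_ok HOST: 0 if one echo reply comes back (the ping default timeout applies)
ping_ok() { ping -c 1 "$1" >/dev/null 2>&1; }

# resolve_ok NAME: 0 if the system's configured resolver can resolve NAME
resolve_ok() {
    if command -v getent >/dev/null 2>&1; then getent hosts "$1" >/dev/null 2>&1
    else host "$1" >/dev/null 2>&1; fi          # FreeBSD/pfSense ships host(1)
}

# upstream_ok NAME SERVER: 0 if SERVER answers for NAME, bypassing the local resolver
upstream_ok() { host "$1" "$2" >/dev/null 2>&1; }

# diagnose: prints a finding; returns 0 ok, 1 resolver path, 2 upstream, 3 no link
diagnose() {
    if ! ping_ok "$PROBE_IP"; then
        echo "cannot ping $PROBE_IP: no connectivity, check WAN/gateway first"; return 3
    fi
    if resolve_ok "$PROBE_NAME"; then
        echo "IP and name both work: no DNS problem from here"; return 0
    fi
    if upstream_ok "$PROBE_NAME" "$PROBE_IP"; then
        echo "$PROBE_IP answers directly but the configured resolver does not:"
        echo "check the DNS Resolver/Forwarder settings, client DNS server and LAN rules"
        return 1
    fi
    echo "no DNS answer even from $PROBE_IP: upstream filtering or DNSSEC issue,"
    echo "try disabling DNSSEC or forwarding mode with the ISP's DNS servers"
    return 2
}

if [ "${1-}" = "run" ]; then diagnose; fi   # usage: sh dns_check.sh run
```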
Pfsense DNS Resolver Not Working – Check Your DNS Server Settings
If DNS resolution isn’t working on the firewall itself, check which DNS services are enabled and how they are configured. In pfSense’s default configuration, the DNS Resolver runs in a mode that does not require any specific DNS servers to be entered.
In this mode, pfSense queries the root servers and other authoritative servers directly. This is in contrast to older installations and upgraded installations, which by default use the DNS Forwarder, which requires DNS servers to be entered unless they are acquired over a dynamic WAN connection such as DHCP or PPPoE.
If the firewall is unable to resolve hostnames even though the DNS Resolver is active, that may be a sign that nothing is coming in on the WAN port, so check your internet connection.
Another possibility is that your WAN equipment or some other piece of upstream network gear is, for whatever reason, not properly passing DNS traffic in a DNSSEC-compatible way.
A pfSense DNS Resolver that is not working can bring a business to its knees. An issue with your DNS servers can cause cascading problems that propagate throughout your entire network.
Pfsense DNS Resolver Not Working – Disable DNSSEC
One thing you can try is disabling DNSSEC. The option is in the firewall’s DNS Resolver settings. Turning it off tells you whether DNSSEC is what is preventing resolution from working.
It’s also possible that your ISP filters DNS requests and requires the use of specific DNS server addresses before you get an internet connection. To resolve this, enter those DNS servers and then enable forwarding mode.
In pfSense, you can find the DNS server settings by clicking ‘System’ and then clicking ‘General Setup.’ You can also see them if you click Status and then click Interfaces.
Also, use ping to confirm that the DNS servers are reachable. If the firewall can reach the gateway address but cannot communicate with the DNS servers, you may need to contact your internet service provider to double-check those DNS addresses.
If your DNS servers are obtained over DHCP or PPPoE and the firewall is unable to reach them, then you will definitely need to contact your ISP. There is, of course, always the option to use Google’s public DNS addresses. Remember, those IP addresses are 8.8.8.8 and 8.8.4.4. They will always work.
Pfsense DNS Resolver Not Working – Try Pinging The DNS Server
If you can ping the DNS server from the firewall web interface but not from a client PC, the problem is likely the DNS Resolver or Forwarder configuration in the firewall, the client’s DNS configuration, or the firewall’s rules.
It is one of those. Remember, by default the DNS Resolver handles all DNS queries for clients behind the firewall. So, if the client PC is configured with DHCP, it is given the IP address of the firewall interface it is connected to as its DNS server, unless that was manually changed beforehand.
For instance, if there is a PC on the network and the IP address of the firewall is 192.168.1.1, then the client DNS server should also be set to 192.168.1.1. If the DNS Forwarder and DNS Resolver are turned off, you can adjust which DNS servers are going to be assigned to DHCP clients on your network by going to Services and then clicking DHCP Server.
When the DNS Forwarder and DNS Resolver are both turned off, the system DNS servers are assigned directly to the client machines. So, if the client PC has a static IP address, make sure it also has the proper DNS servers entered. This is either the IP address of the firewall or an alternate DNS server like Google’s.
Another scenario that may cause your DNS to work from the firewall admin page but not a client machine is an incorrectly configured firewall ruleset on the LAN.
So, go to the Firewall tab, click Status, and then click System Logs to see whether blocked connections from the local client to a DNS server appear in the log.
If that is the case, add a firewall rule at the top of the LAN rules for the interface on which you want to allow connections to the DNS servers. Set the rule’s protocol to TCP/UDP and the port to 53.
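The log check above, done from the shell as an added example that is not from the article or from pfSense: the function pulls blocked TCP/UDP port-53 packets arriving on a LAN interface out of pfSense filterlog lines (the CSV layout is pfSense’s documented filter log format, IPv4 and IPv6). The sample log lines, the interface name em1, and the addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the article: find blocked DNS queries from LAN
# clients in pfSense filterlog output (the same thing the System Logs view shows).

# Constructed sample lines in filterlog style; addresses and ids are made up.
SAMPLE_LOG='Apr  1 12:00:01 pfSense filterlog[41230]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,13579,0,none,17,udp,60,192.168.1.50,8.8.8.8,51234,53,40
Apr  1 12:00:02 pfSense filterlog[41230]: 70,,,1000000105,em1,match,pass,in,4,0x0,,64,13580,0,DF,6,tcp,60,192.168.1.50,198.51.100.10,44122,443,0,S,1234,,64240,,mss
Apr  1 12:00:03 pfSense filterlog[41230]: 5,,,1000000103,em1,match,block,in,4,0x0,,64,13581,0,DF,6,tcp,60,192.168.1.51,1.1.1.1,40000,53,0,S,99,,65535,,mss
Apr  1 12:00:04 pfSense filterlog[41230]: 5,,,1000000103,em1,match,block,in,6,0x00,0x00000,64,udp,17,48,fd00::50,2001:4860:4860::8888,51235,53,48
Apr  1 12:00:05 pfSense filterlog[41230]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,13582,0,none,17,udp,60,203.0.113.9,192.168.1.1,5000,53,40'

# blocked_dns LAN_IFACE < log : one line per blocked port-53 packet on LAN_IFACE
blocked_dns() {
    awk -v lan="$1" '
    /filterlog\[[0-9]+\]: / {
        sub(/^.*filterlog\[[0-9]+\]: /, "")   # drop the syslog prefix
        n = split($0, f, ",")
        # IPv4 layout: proto text f[17], src f[19], dst f[20], dst port f[22]
        # IPv6 layout: proto text f[13], src f[16], dst f[17], dst port f[19]
        if (f[9] == "4")      { proto = f[17]; src = f[19]; dst = f[20]; dport = f[22] }
        else if (f[9] == "6") { proto = f[13]; src = f[16]; dst = f[17]; dport = f[19] }
        else next
        if (f[7] == "block" && f[8] == "in" && f[5] == lan &&
            (proto == "udp" || proto == "tcp") && dport == "53")
            printf "%s %s %s -> %s (rule %s, tracker %s)\n", f[5], proto, src, dst, f[1], f[4]
    }'
}

# count_blocked_dns LAN_IFACE < log : number of such packets
count_blocked_dns() { blocked_dns "$1" | wc -l | tr -d ' '; }

# Demo on the constructed sample; on pfSense pipe the live filter log in instead.
printf '%s\n' "$SAMPLE_LOG" | blocked_dns em1
```

On pfSense, feed the real log with `clog /var/log/filter.log | blocked_dns em1` on releases that use circular logs, or plain `cat` on releases that write text logs. A non-empty result is the blocked client traffic the article says calls for the TCP/UDP port 53 LAN rule.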