DNS Forwarder not responding to internal requests

I have a server 2008 R2-level internal domain protected by a pfSense firewall. The firewall is set up as a DNS forwarder, and it has no problem resolving queries from its own web interface (using dnslookup). My internal DC is setup to handle AD, DNS, and DHCP. Everything works fine internally - names resolve, IP addresses are issued, etc.
However, I began getting complaints that users could not reach hotmail.com, outlook,com, or live.com - or any of their subsites.
So, I began troubleshooting, and it appears that the names are not resolving internally. The DNS request flow is basically :

client -> internal DNS -> firewall (DNS forwarder) -> ISP

I was able to get the addresses to resolve about 50% of the time by adding the ISP DNS to the DNS forwarders on the internal DNS server, but I understand this is a bad practice, as it could expose AD.

So my question is:
Does anyone know why pfsense would just refuse to forward DNS requests? The dnsmasq service is running and (appears to be) is listening on the internal LAN IP. IF is run wireshark, what should I be looking for to tell me where this is going wrong?

Or is there some other basic issue that I haven't thought about yet?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I usually set the Google external DNS servers ( & as forwarders on my domain controllers, I do not use thefirewalls ip.

radawsonAuthor Commented:
So with everything I've read, I get conflicting advice about using the DC DNS to connect directly to the DNS forwarders (i.e. the ISP DNS servers). How much exposure am I really getting if I'm not sharing a zone with them?

Should I just scrap the whole internal forwarder idea and let the DNS servers ask the ISP directly?

One other possibility: Could I include a DNS server on my Exchange edge server and use it as a forwarder?
Zacharia KurianAdministrator- Data Center & NetworkCommented:
Do you have a rule in pfsense to allow DNS queries to your  Domain 2008 R2?

What happens when you do a tracert  to internet in your  2008 R2?

What is the default gateway of your client Pcs?  Is it the same gate way of your DC? or the Pfsense  Internal IP?

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

I can't speak to getting the pfSense configuration to work, but can about the idea in general.  Using ISP or other public DNS servers as forwarders won't expose your internal AD.  When you have the zones set up on your internal DNS servers, queries for those zones will never be forwarded because the server is already authoritative (it thinks it knows everything about those zones).  I think any conflicting advice you've seen is referring to setting public DNS servers directly on the NIC settings on any of your internal machines, which should not be done, but using them as forwarders is a perfectly common practice.  The only time I see a reason for something like you've set up is for a caching server.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
1. Check that ALL your internal DNS servers have their forwarder set to pfsense (so double check your secondary DNS server; 50% sounds as if one server is missing forwarders all together).

2. Check your wireshark logs for DNS traffic coming from the both internal DNS servers to see if either one is being dropped by one of the defense mechanisms in pfsense.
radawsonAuthor Commented:
After playing around with this for way too long (but thanks for all the information, I learned a lot about DNS, including how "authoritative" servers can affect resolution), I just added my ISP and DynDNS servers as forwarders to the DC, and everything seems to be working fine.

I really appreciate all the answers, as they all gave me some insight into the process.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.