
DNS Forwarder not responding to internal requests

radawson asked
I have a Server 2008 R2-level internal domain protected by a pfSense firewall. The firewall is set up as a DNS forwarder, and it has no problem resolving queries from its own web interface (using dnslookup). My internal DC is set up to handle AD, DNS, and DHCP. Everything works fine internally - names resolve, IP addresses are issued, etc.
However, I began getting complaints that users could not reach hotmail.com, outlook.com, or live.com - or any of their subsites.
So, I began troubleshooting, and it appears that the names are not resolving internally. The DNS request flow is basically:

client -> internal DNS -> firewall (DNS forwarder) -> ISP

I was able to get the addresses to resolve about 50% of the time by adding the ISP DNS to the DNS forwarders on the internal DNS server, but I understand this is a bad practice, as it could expose AD.

So my question is:
Does anyone know why pfSense would just refuse to forward DNS requests? The dnsmasq service is running and (appears to be) listening on the internal LAN IP. If I run Wireshark, what should I be looking for to tell me where this is going wrong?

Or is there some other basic issue that I haven't thought about yet?

I usually set the Google external DNS servers ( & as forwarders on my domain controllers; I do not use the firewall's IP.



So with everything I've read, I get conflicting advice about using the DC DNS to connect directly to the DNS forwarders (i.e. the ISP DNS servers). How much exposure am I really getting if I'm not sharing a zone with them?

Should I just scrap the whole internal forwarder idea and let the DNS servers ask the ISP directly?

One other possibility: Could I include a DNS server on my Exchange edge server and use it as a forwarder?
Zacharia Kurian (Administrator - Data Center & Network)
Do you have a rule in pfSense to allow DNS queries to your 2008 R2 domain?

What happens when you do a tracert to the internet on your 2008 R2?

What is the default gateway of your client PCs? Is it the same gateway as your DC, or the pfSense internal IP?

Top Expert 2014
I can't speak to getting the pfSense configuration to work, but can about the idea in general.  Using ISP or other public DNS servers as forwarders won't expose your internal AD.  When you have the zones set up on your internal DNS servers, queries for those zones will never be forwarded because the server is already authoritative (it thinks it knows everything about those zones).  I think any conflicting advice you've seen is referring to setting public DNS servers directly on the NIC settings on any of your internal machines, which should not be done, but using them as forwarders is a perfectly common practice.  The only time I see a reason for something like you've set up is for a caching server.
1. Check that ALL your internal DNS servers have their forwarder set to pfSense (so double-check your secondary DNS server; 50% sounds as if one server is missing forwarders altogether).

2. Check your Wireshark logs for DNS traffic coming from both internal DNS servers to see if either one is being dropped by one of the defense mechanisms in pfSense.
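An added example (not from anyone in this thread): a small Python script that does step 2 offline, pairing each query an internal DNS server forwards to the firewall with the firewall's response by transaction id, which is exactly what you look for in a Wireshark capture filtered on `dns && ip.addr == <firewall>`. The addresses and the sample events are constructed assumptions; the pattern they show is one DC whose forwards are answered and one whose forwards are silently dropped, which would produce the "works 50% of the time" symptom.

```python
from collections import defaultdict

FIREWALL = "192.168.1.1"                         # assumed pfSense LAN address
INTERNAL_DNS = {"192.168.1.10", "192.168.1.11"}  # assumed DC and secondary DNS

# Constructed sample in the order Wireshark shows it: time, src, dst, txid, type, name.
# DC1's forwards are answered; DC2's forwards to the firewall never get a reply.
SAMPLE = """\
0.000 192.168.1.10 192.168.1.1 0x1a2b query hotmail.com
0.021 192.168.1.1 192.168.1.10 0x1a2b response hotmail.com
0.050 192.168.1.11 192.168.1.1 0x3c4d query live.com
0.100 192.168.1.11 192.168.1.1 0x3c4e query outlook.com
0.130 192.168.1.10 192.168.1.1 0x1a2c query outlook.com
0.160 192.168.1.1 192.168.1.10 0x1a2c response outlook.com
"""


def parse(text):
    """Turn one event per line into dicts; 'kind' is query or response."""
    events = []
    for line in text.splitlines():
        t, src, dst, txid, kind, qname = line.split()
        events.append({"t": float(t), "src": src, "dst": dst,
                       "txid": txid, "kind": kind, "qname": qname})
    return events


def forward_stats(events, firewall=FIREWALL, internal=INTERNAL_DNS):
    """Per internal server: how many queries it forwarded to the firewall and
    which of them never got a response with the same transaction id back."""
    stats = {s: {"sent": 0, "unanswered": []} for s in internal}
    pending = {}                                   # (server, txid) -> qname
    for ev in events:
        if ev["kind"] == "query" and ev["src"] in internal and ev["dst"] == firewall:
            stats[ev["src"]]["sent"] += 1
            pending[(ev["src"], ev["txid"])] = ev["qname"]
        elif ev["kind"] == "response" and ev["src"] == firewall:
            pending.pop((ev["dst"], ev["txid"]), None)  # answered: no longer pending
    for (server, _), qname in pending.items():
        stats[server]["unanswered"].append(qname)
    return stats


if __name__ == "__main__":
    for server, s in sorted(forward_stats(parse(SAMPLE)).items()):
        pct = 100 * len(s["unanswered"]) / s["sent"] if s["sent"] else 0
        print(f"{server}: {s['sent']} forwarded, {len(s['unanswered'])} unanswered ({pct:.0f}%)")
        for name in s["unanswered"]:
            print(f"    no reply for {name}")
```

A server with every forward unanswered points at a missing firewall rule or a forwarder entry that was never set on that server; one with answers for some names but not others points at the upstream rather than pfSense.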


After playing around with this for way too long (but thanks for all the information, I learned a lot about DNS, including how "authoritative" servers can affect resolution), I just added my ISP and DynDNS servers as forwarders to the DC, and everything seems to be working fine.

I really appreciate all the answers, as they all gave me some insight into the process.