Sam works as a network analyst for an algorithmic trading firm. He obtained his bachelor's degree in information technology from UMKC.
Almost every request a computer sends over over the internet relies on DNS to resolve a hostname to an IP address. As a result, internet performance can be severely reduced if the computers on your network use slow or overloaded DNS servers.
The DNS forwarder included in pfSense allows much more control over DNS traffic within a network. By using the forwarder, you can override the DNS servers provided by your ISP and utilize fast, high-performance servers instead.
The forwarder also further improves performance by acting as a local caching DNS server. The local cache has the ability to respond to DNS queries faster than any server outside of your network.
Determining Which DNS Servers to Use
There are several different organizations that provide freely available public DNS servers you can choose from. This wide array of choices can make it difficult to decide which servers you should use.
The best choice depends on several factors such as geographical location, upstream ISP, peering locations, and network congestion.
In general, you can't go wrong by choosing one of the providers listed in the table below. But to find the top choice, I like to run a DNS benchmark that will automatically find the best server.
High-Performance Public DNS Servers
|Server Name||Primary IP||Secondary IP|
Google Public DNS
Level 3 Communications
Configuring the DNS Servers
After determining which DNS servers to use, the server IP addresses can be configured in pfSense.
To add the servers, open the general setup page of the WebGUI, which is found within the system menu. I usually configure two server addresses, but if you want to add further redundancy you can add up to four.
After adding the addresses, save the changes at the bottom of the page.
Enabling the DNS Forwarder
To enable the forwarder access the configuration page in the web gui found under the services menu. The first check box 'Enable DNS forwarder' must be enabled in order for pfSense to respond to DNS requests.
All of the other settings are optional and self explanatory. I like to enable the DHCP registration feature so I can resolve client computers via DNS instead of netbios.
To apply the changes and activate the service click the save button.
Configuring the Clients
If you are already using the DHCP service to provide IP settings to client computers, then you won't need to make any changes to utilize the local forwarder.
After the DNS forwarder is enabled, the DHCP service will automatically configure clients to use the LAN IP of the pfSense system for DNS queries.
I recommend testing the settings by renewing the DHCP lease on a client computer.
In most cases, this means the DNS server and default gateway should use the same address (assuming pfSense is the local router).
Clients on Static IPs
If there are hosts on the local network using static IP addresses, then their DNS servers will need to be manually updated to point to pfSense.
Testing the DNS Forwarder
After verifying that clients PCs are configured to point to the local DNS server, you should test the service. The simplest testing method can be done by browsing the web. If pages don't load, then there is likely a problem with the local server.
You can also test the forwarder by using the nslookup
Example Command: nslookup google.com. (be sure to use a trailing period on the request)
If everything is functioning as expected, you should see a valid response from pfSense.
Clearing the DNS Forwarder Cache
The DNS forwarder will store the results from DNS queries in its local cache until the TTL of the DNS record expires.
Occasionally, you may want to manually clear the cache to purge a bad record or troubleshoot a DNS problem.
Rebooting pfSense will clear the cache, but you can also clear the cache through the WebGUI. To manually clear the cache, you will need to restart the dnsmasq service. The service can be restarted in the Status\Services menu in the web interface.
Other Performance Improvements for pfSense
Utilizing pfSense as a caching DNS server will greatly improve the overall speed of web browsing within a network. Below are some other methods to further improve internet performance.
- Configure pfSense as a caching web proxy.
- Double internet bandwidth with a dual wan router.
- Prioritize traffic using QOS by enabling the traffic shaper.
This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.
© 2013 Sam Kear
ayashinoken on July 07, 2018:
Sir, thanks for your article. It's a great help.
I believe that new versions of pfsense has impemented DNS Resolver as default instead of DNS Forwarder. I humbly request please do a tutorial about DNS Resolver setup/config too.
Thanks a lot and please don't get tired helping us more.
Surajit Chakraborty on September 11, 2017:
Hello sir thanks for your article. It's working if I put the pfsense server ip on my client's DNS. But in my network I have around 1050 computers.So it's next to impossible to change the dns for every computers. I am using my ISP's DNS. I want to redirect all my packets to Open DNS by port forwarding.That I am not able to configure it completely.Will you please help me.
himanshu on November 09, 2016:
its really brilliant artical thanks for it.
let me ask you one question. like you said choose any open dns server,
can't we choose dns ip which we got from isp?? or open dns is secure to do it??
Sam Kear (author) from Kansas City on March 19, 2013:
@Vinay - Thanks for stopping by to read the hub.