Improve Internet Performance With the DNS Forwarder Service in pfSense

Sam works as a network analyst for an algorithmic trading firm. He obtained his bachelor's degree in information technology from UMKC.

Almost every request a computer sends over the internet relies on DNS to resolve a hostname to an IP address. As a result, internet performance can be severely reduced if the computers on your network use slow or overloaded DNS servers.

The DNS forwarder included in pfSense allows much more control over DNS traffic within a network. By using the forwarder, you can override the DNS servers provided by your ISP and utilize fast, high-performance servers instead.

The forwarder also further improves performance by acting as a local caching DNS server. The local cache has the ability to respond to DNS queries faster than any server outside of your network.

Determining Which DNS Servers to Use

There are several different organizations that provide freely available public DNS servers you can choose from. This wide array of choices can make it difficult to decide which servers you should use.

The best choice depends on several factors such as geographical location, upstream ISP, peering locations, and network congestion.

In general, you can't go wrong by choosing one of the providers listed in the table below. But to find the top choice, I like to run a DNS benchmark that will automatically find the best server.

High-Performance Public DNS Servers

The fastest and most reliable public DNS providers.

Server Name | Primary IP | Secondary IP


Google Public DNS

Level 3 Communications

Configuring the DNS Servers

After determining which DNS servers to use, the server IP addresses can be configured in pfSense.

To add the servers, open the general setup page of the WebGUI, which is found within the system menu. I usually configure two server addresses, but if you want to add further redundancy you can add up to four.

After adding the addresses, save the changes at the bottom of the page.

Specify local DNS servers in the System/General Setup configuration page.

Enabling the DNS Forwarder

To enable the forwarder, open its configuration page in the WebGUI, found under the services menu. The first check box, 'Enable DNS forwarder', must be checked in order for pfSense to respond to DNS requests.

All of the other settings are optional and self-explanatory. I like to enable the DHCP registration feature so I can resolve client computers via DNS instead of NetBIOS.

To apply the changes and activate the service, click the save button.

The DNS forwarder settings are found under the services menu in the web interface.

Configuring the Clients

If you are already using the DHCP service to provide IP settings to client computers, then you won't need to make any changes to utilize the local forwarder.

After the DNS forwarder is enabled, the DHCP service will automatically configure clients to use the LAN IP of the pfSense system for DNS queries.

I recommend testing the settings by renewing the DHCP lease on a client computer.

In most cases, this means the DNS server and default gateway should use the same address (assuming pfSense is the local router).

Clients on Static IPs

If there are hosts on the local network using static IP addresses, then their DNS servers will need to be manually updated to point to pfSense.

Clients should point to the LAN IP of the pfSense system for DNS queries.

Testing the DNS Forwarder

After verifying that client PCs are configured to point to the local DNS server, you should test the service. The simplest test is to browse the web. If pages don't load, then there is likely a problem with the local server.

You can also test the forwarder by using the nslookup

Example Command: nslookup (be sure to use a trailing period on the request)

If everything is functioning as expected, you should see a valid response from pfSense.

Successful test of the DNS forwarder using nslookup.

Clearing the DNS Forwarder Cache

The DNS forwarder will store the results from DNS queries in its local cache until the TTL of the DNS record expires.

Occasionally, you may want to manually clear the cache to purge a bad record or troubleshoot a DNS problem.

Rebooting pfSense will clear the cache, but you can also clear the cache through the WebGUI. To manually clear the cache, you will need to restart the dnsmasq service. The service can be restarted in the Status\Services menu in the web interface.

To manually clear the DNS cache, restart the dnsmasq service.
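
To check the forwarder from a client without going through the system resolver, and to see the cache at work, this added example (not part of the original article) sends an A query straight to a DNS server over UDP and returns the latency, response code and record TTLs. The server addresses passed on the command line (for instance the pfSense LAN IP) and the `example.com.` test name are assumptions; with no arguments it only parses a constructed reply, so it runs offline.

```python
import secrets, socket, struct, sys, time

def build_query(name, qid):
    """Encode a recursive (RD=1) A-record query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">2H", 1, 1)

def _skip_name(msg, off):  # offset just past a name, honouring compression pointers
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_reply(msg):
    """Return (query id, rcode, [(ipv4, ttl), ...]) from a DNS reply."""
    qid, flags, qd, an = struct.unpack(">4H", msg[:8])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:               # A record
            answers.append((socket.inet_ntoa(msg[off + 10:off + 14]), ttl))
        off += 10 + rdlen
    return qid, flags & 0x000F, answers

def timed_lookup(server, name, timeout=2.0):
    """Query `server` (an IPv4 literal) directly; return (ms, rcode, answers)."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        s.sendto(build_query(name, qid), (server, 53))
        data, peer = s.recvfrom(4096)
        ms = (time.perf_counter() - start) * 1000
    rid, rcode, answers = parse_reply(data)
    if peer[0] != server or rid != qid:             # reply must match what we asked
        raise ValueError("reply does not match the query sent")
    return round(ms, 1), rcode, answers

# Constructed reply (not captured traffic): example.com. A 192.0.2.10, TTL 300.
SAMPLE_REPLY = (struct.pack(">6H", 0x1234, 0x8180, 1, 1, 0, 0) + build_query("example.com.", 0x1234)[12:]
                + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    print(parse_reply(SAMPLE_REPLY))                # offline: parse the constructed reply
    for server in sys.argv[1:] * 2:                 # each server twice: 2nd pass hits the cache
        print(server, timed_lookup(server, "example.com."))
```

Against the forwarder, the second pass is normally answered from the dnsmasq cache, so expect a lower latency and a smaller remaining TTL. Passing each candidate public server as an argument gives a rough latency comparison.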

Other Performance Improvements for pfSense

Utilizing pfSense as a caching DNS server will greatly improve the overall speed of web browsing within a network. Below are some other methods to further improve internet performance.

© 2013 Sam Kear


ayashinoken on July 07, 2018:

Sir, thanks for your article. It's a great help.

I believe that new versions of pfSense have implemented DNS Resolver as the default instead of DNS Forwarder. I humbly request that you please do a tutorial about DNS Resolver setup/config too.

Thanks a lot and please don't get tired helping us more.

Surajit Chakraborty on September 11, 2017:

Hello sir, thanks for your article. It's working if I put the pfSense server IP on my client's DNS. But in my network I have around 1050 computers. So it's next to impossible to change the DNS for every computer. I am using my ISP's DNS. I want to redirect all my packets to Open DNS by port forwarding. That I am not able to configure completely. Will you please help me?

himanshu on November 09, 2016:


It's a really brilliant article, thanks for it.

Let me ask you one question. Like you said, choose any open DNS server;

can't we choose the DNS IP which we got from the ISP? Or is open DNS secure to do it?

Sam Kear (author) from Kansas City on March 19, 2013:

@Vinay - Thanks for stopping by to read the hub.
