ComputersConsumer ElectronicsCell PhonesHome Theater & AudioGraphic Design & Video EditingInternetIndustrial Technology

Improve Internet Performance With the DNS Forwarder Service in pfSense

Updated on September 19, 2016
skear profile image

Sam works as a Network Analyst for an algorithmic trading firm. He obtained his Bachelors Degree in Information Technology from UMKC.

Almost every request a computer sends over over the internet relies on DNS to resolve a hostname to an IP address.

As a result internet performance can be severely reduced if the computers on your network use slow, or overloaded DNS servers.

The DNS forwarder included in pfSense allows much more control over DNS traffic within a network.

By using the forwarder you can override the DNS servers provided by your ISP and utilize fast, high performance servers instead.

The forwarder also further improves performance by acting as a local caching DNS server.

The local cache has the ability to respond to DNS queries faster than any server outside of your network.


Determining Which DNS Servers to Use

There are several different organizations that provide freely available public DNS servers you can choose from. This wide array of choices can make it difficult to decide which servers you should use.

The best choice depends on several factors such as geographical location, upstream ISP, peering locations, and network congestion.

In general you can't go wrong by choosing one of the providers listed in the table below, but to find the top choice I like to run a DNS benchmark which will automatically find the best server.

High Performance Public DNS Servers

Server Name
Primary IP
Secondary IP
OpenDNS
208.67.222.222
208.67.220.220
Google Public DNS
8.8.8.8
8.8.4.4
Level 3 Communications
4.2.2.1
4.2.2.2
The fastest and most reliable public DNS providers.

Configuring the DNS Servers

After determining which DNS servers to use the server IP addresses can be configured in pfSense.

To add the servers open the general setup page of the web gui which is found within the system menu.

I usually configure two server addresses but if you want to add further redundancy you can add up to 4.

After adding the addresses save the changes at the bottom of the page.

Specify local DNS servers in the System \ General  Setup configuration page.
Specify local DNS servers in the System \ General Setup configuration page.

Enabling the DNS Forwarder

To enable the forwarder access the configuration page in the web gui found under the services menu. The first check box 'Enable DNS forwarder' must be enabled in order for pfSense to respond to DNS requests.

All of the other settings are optional and self explanatory. I like to enable the DHCP registration feature so I can resolve client computers via DNS instead of netbios.

To apply the changes and activate the service click the save button.

The DNS forwarder settings is found under the services menu in the web interface.
The DNS forwarder settings is found under the services menu in the web interface.

Configuring the Clients

If you are already using the DHCP service to provide IP settings to client computers then you won't need to make any changes to utilize the local forwarder.

After the DNS forwarder is enabled the DHCP service will automatically configure clients to use the LAN IP of the pfSense system for DNS queries.

I recommend testing the settings by renewing the DHCP lease on a client computer.

In most cases this means the DNS server and default gateway should use the same address (assuming pfSense is the local router).

Clients on Static IPs

If there are hosts on the local network using static IP addresses then their DNS servers will need to be manually updated to point to pfSense.

Clients should point to the LAN IP of the pfSense system for DNS queries.
Clients should point to the LAN IP of the pfSense system for DNS queries.

Testing the DNS Forwarder

After verifying that clients PCs are configured to point to the local DNS server you should test the service. The simplest testing method can be done by browsing the web, if pages don't load then there is likely a problem with the local server.

You can also test the forwarder by using the nslookup

Example Command: nslookup google.com. (be sure to use a trailing period on the request)

If everything is functioning as expected you should see a valid response from pfSense.

Successful test of the DNS forwarder using nslookup.
Successful test of the DNS forwarder using nslookup.

Clearing the DNS Forwarder Cache

The DNS forwarder will store the results from DNS queries in its local cache until the TTL of the DNS record expires.

Occasionally you may want to manually clear the cache to purge a bad record or troubleshoot a DNS problem.

Rebooting pfSense will clear the cache but you can also clear the cache through the web gui. To manually clear the cache you will need to restart the dnsmasq service. The service can be restarted in the Status \ Services menu in the web interface.

To manually clear the DNS cache restart the dnsmasq service.
To manually clear the DNS cache restart the dnsmasq service.

Other Performance Improvements for pfSense

Utilizing pfSense as a caching DNS server will greatly improve the overall speed of web browsing within a network. Below are some other methods to further improve internet performance.

© 2013 Sam Kear

Comments

    0 of 8192 characters used
    Post Comment

    • profile image

      Surajit Chakraborty 5 weeks ago

      Hello sir thanks for your article. It's working if I put the pfsense server ip on my client's DNS. But in my network I have around 1050 computers.So it's next to impossible to change the dns for every computers. I am using my ISP's DNS. I want to redirect all my packets to Open DNS by port forwarding.That I am not able to configure it completely.Will you please help me.

    • profile image

      himanshu 11 months ago

      hello,

      its really brilliant artical thanks for it.

      let me ask you one question. like you said choose any open dns server,

      can't we choose dns ip which we got from isp?? or open dns is secure to do it??

    • skear profile image
      Author

      Sam Kear 4 years ago from Kansas City

      @Vinay - Thanks for stopping by to read the hub.