pfSense DNS Configuration

I have been running a home lab for quite some time now. Being a software engineer, I wanted to have self-hosted, state-of-the-art tools both for continuous learning and for my own personal side projects. One of the things I lacked, however, was a sufficient security posture.

To solve this problem, I have chosen to utilize pfSense. pfSense is open source security software which provides firewall, intrusion detection, intrusion prevention, and many other features. Its setup is relatively straightforward, but I did have some issues that I needed to work through regarding DNS.

I chose to run pfSense in a small form factor fanless appliance. Installation of the software required downloading the pfSense image to a USB drive and then following through the on-screen setup. I configured the Wide Area Network (WAN) and Local Area Network (LAN) interfaces as needed and then replaced my old router with the appliance.

I have other DNS servers running on my network. I have an ad-blocking DNS and a DNS which runs in my Windows Server instance. The idea was to have the pfSense DNS Resolver use the ad blocker as its upstream server, have the ad blocker use the Windows instance as its upstream, and finally have the Windows instance use Google's public DNS as its upstream.

This configuration just did not want to work. I continuously received timeouts when querying sites which I knew were available. At first, I thought it may have been the appliance because I could replace it with my original router and all would work fine.

Ad Blocker Dashboard

As you can see from the image above, I was able to get everything working the way I wanted, but I did have to make some minor changes. I reversed the order of my DNS servers. In the DHCP settings of my appliance, I set the ad-blocking DNS as the root DNS for my network. The ad-blocking DNS uses the Windows server as its upstream, and the Windows server uses pfSense as its upstream. Finally, the appliance uses Google's public DNS for its upstream. In this configuration, as client devices renew DHCP leases they pick up the ad blocker as their DNS and queries are routed properly. This gives me the DNS protection I want and also allows proper queries for the network.
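As an added example (not the author's configuration or any pfSense code), the following Python check walks a forwarding chain like the one described above, starting from the resolver that DHCP hands to clients, and flags loops, dangling upstreams and over-long chains before they show up as client-side timeouts. The hostnames, the 8.8.8.8 address for Google's public DNS and the per-hop timeout are constructed placeholders; the looped chain is a hypothetical misconfiguration, not the root cause the post describes.

```python
"""Sanity-check a DNS forwarding chain: resolver -> upstream -> ... -> public DNS.

Added example with constructed hostnames; not the page author's configuration.
"""

EXTERNAL = "8.8.8.8"  # Google public DNS, the final upstream in the post's setup

# Working order from the post: DHCP gives clients the ad blocker, which forwards
# to the Windows DNS, which forwards to pfSense, which forwards to Google.
WORKING = {
    "adblock.lab": "win-dns.lab",
    "win-dns.lab": "pfsense.lab",
    "pfsense.lab": EXTERNAL,
}

# Hypothetical forwarding loop (constructed): pfSense -> ad blocker -> Windows -> pfSense.
LOOPED = {
    "pfsense.lab": "adblock.lab",
    "adblock.lab": "win-dns.lab",
    "win-dns.lab": "pfsense.lab",
}


def walk_chain(chain, start, max_hops=4):
    """Return the resolvers a query traverses from `start` to the external upstream.

    Raises ValueError for a forwarding loop, a resolver with no upstream configured,
    or a chain with more than `max_hops` internal forwarders. Every extra forwarder
    waits on its own upstream with its own timeout, so long chains are fragile.
    """
    path, current = [], start
    while current != EXTERNAL:
        if current in path:
            raise ValueError(f"forwarding loop at {current}: {path + [current]}")
        if current not in chain:
            raise ValueError(f"{current} has no upstream configured")
        path.append(current)
        if len(path) > max_hops:
            raise ValueError(f"chain longer than {max_hops} hops: {path}")
        current = chain[current]
    return path + [EXTERNAL]


def worst_case_wait(chain, start, per_hop_timeout=2.0):
    """Seconds a client could wait if every internal hop hits its (assumed) timeout once."""
    internal_hops = len(walk_chain(chain, start)) - 1
    return internal_hops * per_hop_timeout
```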