P9 - DNS Forwarder in pfSense Powerful Resolver vs Forwarder
DNS Resolver vs DNS Forwarder in pfSense (Full Explanation)
DNS plays a critical role in every network infrastructure. In pfSense firewall, DNS handling is flexible and powerful thanks to two main mechanisms: DNS Resolver (Unbound) and DNS Forwarder.
Understanding how these two DNS modes work is extremely important when designing a stable and secure network environment, especially when pfSense is used together with services such as Active Directory, internal DNS servers, or DNS filtering tools like pfBlockerNG.
In this guide, we will explain how DNS Forwarder in pfSense works, how it differs from DNS Resolver, and when you should use Host Override or Domain Override for internal DNS management.
1. Basic DNS Configuration in pfSense
Before configuring advanced DNS features, you should define basic DNS servers in pfSense.
Navigate to:
System → General Setup
Example DNS server:
This DNS server will be used by pfSense itself when resolving external domain names.
You may configure multiple DNS servers such as Google DNS or Cloudflare DNS for redundancy and faster resolution.
Proper DNS configuration ensures the firewall can reliably resolve internet domains and forward queries when necessary.
2. DNS Resolver (Unbound)
The DNS Resolver service in pfSense uses Unbound, which allows the firewall to resolve DNS queries directly without relying on external DNS providers.
Instead of forwarding queries to Google or ISP DNS, pfSense communicates directly with the global DNS hierarchy.
Mechanism:
Client → pfSense → Root DNS → TLD → Authoritative DNS
This process is called recursive DNS resolution.
Advantages of DNS Resolver
• Independent of Google/ISP
• More secure
• Supports DNSSEC
• Supports DNS over TLS
• Excellent local caching
Because of these advantages, DNS Resolver is the recommended DNS mode for most pfSense deployments.
To configure it, navigate to:
Services → DNS Resolver
Enable DNS Resolver
Enable the following options:
✅ Enable DNS Resolver
✅ Network Interfaces
Select:
• LAN
• Localhost
⚠️ DO NOT select WAN
This ensures that only internal networks can access the DNS service.
Outgoing Network Interfaces
Select:
• All (or WAN)
This allows pfSense to reach external DNS servers when necessary.
Enable DNSSEC Support
Enable the option:
✅ Enable DNSSEC Support
DNSSEC provides cryptographic validation of DNS responses, protecting clients from DNS spoofing or tampering attacks.
For environments requiring higher security, DNSSEC is strongly recommended.
3. Configuring Host Override
Host Override allows administrators to manually create DNS records directly inside pfSense.
This feature functions similarly to editing the hosts file in Windows, but instead of applying to a single computer, it applies to the entire network.
Host Override is useful in several situations.
When to Use Host Override
1️⃣ When you do not have Active Directory
In small environments without an internal DNS server, Host Override can be used to create simple internal DNS records.
2️⃣ When you have Active Directory but want to override a host
Example scenario:
• The domain controller currently has a DNS record
web.tsf.local → 192.168.16.60
• But you want to migrate to a new server
192.168.16.80
Instead of modifying the domain controller immediately, you can create a Host Override entry in pfSense, which will return the new IP address first.
Navigate to:
Services → DNS Resolver → Host Overrides
Practical Example
Suppose your network contains the following servers:
• NAS: 192.168.16.50
• Internal Web: 192.168.16.173
You want the correct IP address to appear automatically when users type:
• nas.tsf.local
• web.tsf.local
in their web browser or when performing a ping test.
Without a DNS record, these hostnames will not resolve.
Host Override allows pfSense to resolve these internal hostnames instantly.
4. Domain Override
Domain Override is used when pfSense acts as the primary DNS gateway for the network.
This configuration is especially important when using pfBlockerNG or centralized DNS filtering.
In a typical Microsoft environment, the Domain Controller usually acts as the DHCP and DNS server, so Domain Override may not always be required.
However, when pfSense manages DNS queries for clients, Domain Override becomes extremely useful.
What Domain Override Does
Domain Override allows pfSense to:
👉 Detect DNS queries belonging to a specific domain
👉 Forward those queries to a different DNS server
Example scenario:
You have an internal Active Directory server:
Domain: tsf.local
IP: 192.168.16.186
You want the query path to be:
Client → pfSense → query for tsf.local → pfSense forwards it to 192.168.16.186
rather than pfSense resolving the domain itself through recursion.
Important DHCP Configuration
The pfSense DHCP server must assign the following DNS server to clients:
DNS Server:
This is the pfSense LAN IP address.
If clients use the Domain Controller directly as DNS:
• Domain override will be meaningless
• pfSense will not control DNS traffic
• pfBlockerNG may not function correctly
Domain Override Deployment Steps
Step 1: On the pfSense DHCP Server, add DNS 192.168.16.1 (pfSense IP)
Step 2: Create basic DNS 8.8.8.8 / 1.1.1.1 in General Setup
Step 3: Create Domain Override pointing to DC IP
Step 4: Test by allowing clients to join the domain.
5. Comparing Host Override and Domain Override
Understanding the difference between Host Override and Domain Override helps administrators design better DNS architecture.
Domain Override
Domain Override means redirecting the DNS query to another server.
“This is not my responsibility, ask the DC.”
Host Override
Host Override means pfSense directly answers the query.
“I know this, IP address here.”
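To make the difference between the two overrides concrete, here is an added example (not code from the article or from the pfSense project) that models how Unbound on pfSense handles a query once the Host Overrides from section 3, the Domain Override from section 4 and the DHCP setting from section 4 are in place, and renders the equivalent Unbound directives. It assumes pfSense expresses Host Overrides as Unbound `local-data:` entries and Domain Overrides as `forward-zone:` blocks, and that Unbound checks local data before forwarding; the names and IPs are the article's lab values.

```python
"""Model of pfSense/Unbound query handling with Host and Domain Overrides (added example)."""

# Lab values taken from the article
PFSENSE_LAN_IP = "192.168.16.1"
DC_IP = "192.168.16.186"

HOST_OVERRIDES = {
    "nas.tsf.local": "192.168.16.50",
    "web.tsf.local": "192.168.16.80",   # new server; the DC still says 192.168.16.60
}
DOMAIN_OVERRIDES = {"tsf.local": DC_IP}


def render_unbound(host_overrides, domain_overrides):
    """Equivalent Unbound directives (assumption: this is how pfSense writes them)."""
    lines = ["server:"]
    for name, ip in sorted(host_overrides.items()):
        lines.append(f'    local-data: "{name}. IN A {ip}"')
    for zone, ip in sorted(domain_overrides.items()):
        lines += ["", "forward-zone:", f'    name: "{zone}."', f"    forward-addr: {ip}"]
    return "\n".join(lines)


def decide(qname, host_overrides=HOST_OVERRIDES, domain_overrides=DOMAIN_OVERRIDES):
    """Return (action, target): 'answer' from a Host Override, 'forward' to the
    Domain Override server, or 'recurse' via the root servers. A Host Override
    wins because Unbound consults local-data before its forward-zones."""
    q = qname.rstrip(".").lower()
    if q in host_overrides:
        return ("answer", host_overrides[q])
    labels = q.split(".")
    for i in range(len(labels)):          # walk up: host.tsf.local -> tsf.local -> local
        zone = ".".join(labels[i:])
        if zone in domain_overrides:
            return ("forward", domain_overrides[zone])
    return ("recurse", "root servers")


def query_path(client_dns, qname):
    """Hops a client's query takes. If DHCP hands clients the DC instead of the
    pfSense LAN IP, pfSense (and so pfBlockerNG) never sees the query at all."""
    if client_dns != PFSENSE_LAN_IP:
        return ["client", "DC" if client_dns == DC_IP else client_dns]
    action, _ = decide(qname)
    hops = ["client", "pfSense"]
    if action == "forward":
        hops.append("DC")
    elif action == "recurse":
        hops.append("root/TLD/authoritative")
    return hops
```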
Conclusion
Understanding the difference between DNS Resolver and DNS Forwarder in pfSense is essential for building a stable and secure network environment.
DNS Resolver provides direct recursive resolution, enhanced security, and powerful caching, while Domain Override and Host Override allow administrators to control internal DNS behavior in complex environments.
When configured properly, pfSense can function as a centralized DNS gateway, providing better visibility, stronger security, and more efficient DNS management across the entire network. 🌐🔐