pfSense DNS resolver not forwarding correctly?

Dear All,
I have a pfSense setup with a few VLANs (home, guest, office, iot). All of these VLANs have a DHCP server enabled on them with only the pool range and the NTP server IP address set. The DNS Resolver is enabled with forwarding checked, and the DNS servers under System > General Settings are set to 1.1.1.1 and 1.0.0.1. The problem I’m having is that I am able to access basically any site on the internet except for my ISP’s client panel.

The main site is tygrys.net, which is perfectly accessible.
The client panel is located under bok.tygrys.net, and here I have a problem.

Normally, if accessed from outside the ISP network (e.g. via mobile phone), the bok.tygrys.net site will show a timeout (it’s only accessible from within the ISP network for security reasons), but when accessed from within the ISP network it should work fine.

I managed to do some testing and here’s what I got.

  1. Diagnostics > DNS Lookup will resolve bok.tygrys.net only if System > General Settings > Disable DNS Forwarder IS CHECKED.

  2. If I don’t set a DNS server address in the DHCP server options for a particular VLAN, then nslookup bok.tygrys.net called from a machine on that VLAN will not resolve. If I set the DNS server IP to 1.1.1.1, nslookup bok.tygrys.net will resolve.

  3. If I call nslookup bok.tygrys.net 1.1.1.1 from any of my VLANs, the host gets resolved properly.

  4. nslookup tygrys.net gets resolved in any VLAN regardless of setting the DNS server IP in the DHCP server settings or specifying the 1.1.1.1 server in the nslookup command directly.

nslookup commands from within the VLAN return as the DNS server the IP I have set on the VLAN interface in pfSense. To my understanding this is correct, as the DNS resolution should follow (in my opinion) the following route: nslookup command from client on VLAN → VLAN interface IP → pfSense internally forwards the query to one of the DNS servers set in General Settings → the DNS server resolves the name → name gets back to client on VLAN.

Can someone please help me out in sorting this issue and maybe point out my error in reasoning? Networking is still a very new subject for me. Thanks in advance!
Below are the relevant pfSense settings (screenshots):

General settings:

DNS Resolver settings:

DHCP server settings:


Not totally sure here, but I’m guessing your ISP only gives the “correct” IP for that server if you are using their DNS servers, and then only allows access if you are on their network.

I’d try getting hold of your ISP’s DNS server addresses and manually set a machine to use them and see if that fixes it. If it does, then try adding an entry to the DNS Resolver in pfSense for that hostname / IP address.

If it helps, when I ping bok.tygrys.net I get nothing back.

@garethw Thank you for the response. As I’ve mentioned in the original post, if I do an nslookup from my computer using 1.1.1.1 (which is a global DNS server like 8.8.8.8, not the one from my ISP), then the name gets resolved. That’s why I think there’s no relation as to which DNS server is in use.

Also, I’ve changed /etc/resolv.conf (I’m on Linux) to point directly to the 1.1.1.1 server and the bok.tygrys.net address gets resolved. So I’m effectively bypassing any hostname resolution via the pfSense box whatsoever. IMO this still points to a problem with pfSense.

nslookup bok.tygrys.net

Non-authoritative answer:
Name: bok.tygrys.net
Address: 192.168.233.7

Isn’t that a private address?

Yep. So it looks like you are being double NATed.

If you put that in your DNS Resolver (right down at the bottom) and try your machines again, that might work.

Can you please be so kind and explain “double NATed”? I’m not yet familiar with the whole NAT concept :frowning:

You are probably better off giving that a google, as I’m sure others will be able to explain it a whole lot better than I can, but I’ll give it a go.

NAT takes one publicly addressable IP address and allows lots of private addresses to use it to access the internet. Traditionally your router would have a public IP on its WAN side and a private address on its LAN. Any computers accessing the internet would appear to be using the WAN IP of the router; the router keeps a table of which internal computer went to which website. Each customer has their own public address.

Double NAT is when your ISP gives your router a private address and they connect several customers to the same public IP. It means that the ISP doesn’t need to have as many IP addresses in their pool, and as IP addresses (we are talking IPv4 here) are becoming scarce, it is becoming more popular. It makes it very difficult to run any internal servers; you would have to get the ISP to pass ports through from the public address to you, and I guess that could be problematic.

Personally, if you have the choice, I would opt to go for an ISP that does not do this. My main ISP (Zen Internet) here in the UK does not, but my mobile carrier (Vodafone) does.


Thank you for the explanation. I believe I’m not double NATed because I had an issue once (on a previous TP-Link router) and was asked by the ISP to serve to them the login page of my VoIP gate using the virtual server function on that router. I did it and the service was accessible both using my internal IP address and a public one as well (to my best knowledge I am assigned a constant public IP).

I’m still thinking there is something inherently wrong with either my pfSense setup or pfSense itself.

If the ISP’s DNS server is returning an address from the private range and you are not double NATed, then they must be either broken or pulling that range off before you hit the actual internet. I guess this is possible. They can provide you with a public address still. What’s the WAN address on your router?

Now that you mention it, I realize I made an error in my previous post. I have a constant public IP, but the IP assigned to my WAN interface on pfSense by the ISP is from a local IP address pool - 192.168.x.x

A schematic of the whole setup to make things clear (image):

I FOUND IT!!! :smiley:

The issue is due to this setting in the Advanced settings (screenshot):

Since the rebind check was unchecked, the reply coming from my ISP was being blocked, as the DNS query for bok.tygrys.net was being resolved to an IP from a private pool of 192.168.x.x

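To make the mechanism behind the fix above concrete, here is an added model (not pfSense or Unbound code) of what DNS rebinding protection does with an answer: an A record that points into a private range is dropped unless the queried name is explicitly trusted, which is how a legitimate ISP-internal name like bok.tygrys.net resolving to 192.168.233.7 ends up blocked. The private ranges, the sample answers and the `private_domains` allowlist mirror Unbound's `private-address` / `private-domain` idea but are constructed for illustration.

```python
import ipaddress

# Ranges treated as "private" by the model (RFC 1918 plus link-local).
# Assumption: this approximates the resolver's default rebind list.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]


def _under(qname, domain):
    """True if qname equals domain or is a subdomain of it."""
    q, d = qname.rstrip(".").lower(), domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def filter_answers(qname, rdata, private_domains=(), rebind_check=True):
    """Return (kept, dropped) for the A-record answers to qname.

    Models rebinding protection: a private-range answer is dropped unless
    qname is at or under a name in private_domains, or the check is off
    (pfSense's "Disable DNS Rebinding Checks" in the thread above).
    """
    trusted = any(_under(qname, d) for d in private_domains)
    kept, dropped = [], []
    for ip in rdata:
        is_private = any(ipaddress.ip_address(ip) in net for net in PRIVATE_ADDRESS)
        (dropped if rebind_check and is_private and not trusted else kept).append(ip)
    return kept, dropped


# Constructed sample answers: the private IP the poster saw for the
# client panel, and a made-up documentation-range address for the main site.
SAMPLE = {
    "bok.tygrys.net": ["192.168.233.7"],
    "tygrys.net": ["203.0.113.10"],
}


def resolve_like_pfsense(private_domains=(), rebind_check=True):
    """Apply the filter to every sample answer; returns {name: (kept, dropped)}."""
    return {name: filter_answers(name, ips, private_domains, rebind_check)
            for name, ips in SAMPLE.items()}


if __name__ == "__main__":
    for name, (kept, dropped) in resolve_like_pfsense().items():
        print(f"{name}: kept={kept} dropped={dropped}")
    # Narrow fix: trust only the one ISP-internal name instead of
    # switching rebinding protection off for every domain.
    print(resolve_like_pfsense(private_domains=("bok.tygrys.net",)))
```

Trusting a single name keeps the protection in place for every other domain, whereas disabling the check globally lets any external zone hand out private addresses to clients.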

That would do it. Worth remembering that for future reference! Didn’t know that setting existed.

You are behind double NAT. If there is no router between your pfSense box and the ISP, then you are essentially double NATing yourself, but as long as it works for you and you have a static for any incoming you need, then you are golden.
