Split DNS Tutorial

I have been scouring Google and YouTube trying to find a good tutorial on how to configure a split DNS and use PFSense.

I am using DigitalOcean to resolve DNS outside my firewall and I have a wildcard entry for each of my domains pointing to my PFSense firewall static IP. I also am running a self-hosted nameserver to host all my internal servers. I plan to follow the HAProxy and Let's Encrypt Tutorial to try to expose the desired services to the internet.

Where I am falling down is how to configure PFSense to resolve the back-end domain names from my internal name-server whether the request comes from internal or external. I am not wanting to put my local name-server on the internet, and I want to continue to use an external name server for wildcard resolution to my static WAN IP. I just want everything on the internal side of the firewall to check the local name-server first, then go to an external DNS for anything not listed in the local name-server. I have to believe this is a pretty common ask, but the answer might be just too obvious for me to grasp.

I am not sure if I should set up the DNS server settings in the “General Setup” so that the local name-server is listed first, followed by the external name-server as the second. I believe this forces PFSense to check the local first and, if unresolved, check the next name-server.

Would that force HAProxy to resolve the back-end server via the local domain server before checking the external? I would expect that internal requests would then resolve to the local IP, and external requests would hit the WAN interface, where HAProxy would check the local for the back-end and redirect to the correct server.

Also, internal DHCP clients would get the local name-server as the first entry for resolving host names and the external as the second.

Do I have this right? Is there a tutorial that describes how to do this that is a little better than checking the NAT reflection box?

When you add entries in the Unbound DNS server within pfSense, those are checked before the external ones. I might do a DNS & DHCP tutorial, because making sure you are handing out the right servers and having Unbound set up properly go hand in hand.

Thanks Tom, I look forward to seeing that video. Hopefully you have time to do it soon, as I am starting to run up to a need for this. Also, if you could integrate the Wildcard Cert tutorial with HAProxy into it, that would be great and present a complete solution. Lastly, I am a real step-by-step guy and I love your videos, but the wildcard cert and HAProxy video packs so much into it and clearly expects a lot of implied knowledge that it is taking me quite a lot of research to begin to understand it. Not that learning is bad, but a more “for dummies” or step-by-step implementation would be extremely helpful.

Love the channel and looking forward to all your future videos.


I think you are over complicating things @quartzeye.

Assuming that your LAN client devices are looking at pfSense for DNS:

go to Services → DNS Resolver
tick Enable DNS Resolver
play with the other settings if you know what they do and need them
scroll right to the bottom
in the “Host Overrides” section, click Add
add the hostname and FQDN of the servers (the ones that you want to use from outside) and the internal LAN IP address

You should now be able to ping the device using its host+FQDN and get a reply from the internal address. Leave your external DNS server providing the wildcard to your WAN.

If your internal devices are looking to a different local DNS server then just setup the hosts on that as you would normally.

If your internal devices are looking to an external DNS server, then change them to look at pfSense.
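For anyone who wants to see what the Host Overrides step above actually produces, here is the equivalent hand-written Unbound configuration. This is an added example, not the original poster's or Tom's config and not something pfSense ships verbatim: it shows the local-data entries a host override generates, the forward-zone that the Domain Overrides section generates when you would rather delegate a whole zone to the internal nameserver, and the rebinding-protection whitelist that the forward-zone needs. The names and addresses (example.com, app host 192.168.1.10, internal nameserver 192.168.1.53) are assumed placeholders, and the file paths are where pfSense has historically written these fragments; treat both as assumptions to check against your own box.

```conf
# Added example, not from the thread. Placeholders: example.com, LAN host
# 192.168.1.10, internal nameserver 192.168.1.53. Check the paths noted
# below against your own pfSense install; they are an assumption here.

server:
    # Host override: one hostname -> LAN address. pfSense writes one of these
    # (historically into /var/unbound/host_entries.conf) for each entry added
    # under Services -> DNS Resolver -> Host Overrides. Unbound answers it
    # locally and never asks upstream, so LAN clients get the LAN IP while
    # the public wildcard record at DigitalOcean keeps pointing at the WAN IP.
    local-data: "app.example.com. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 app.example.com"

    # DNS rebinding protection. Unbound drops answers that come back from a
    # forwarder containing these private ranges unless the zone is listed in
    # private-domain. local-data above is not affected (it is not an upstream
    # answer), but the forward-zone below is: without private-domain, every
    # RFC 1918 answer from the internal nameserver is silently discarded and
    # the "split" half of split DNS stops working.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "example.com"

# Domain override: forward every query for example.com to the internal
# nameserver instead of listing each host by hand. This is what the
# Domain Overrides section generates (historically in
# /var/unbound/domainoverrides.conf). Note the trade-off: public names under
# example.com that the internal server does not know will now fail for LAN
# clients unless that server itself forwards or hosts them.
forward-zone:
    name: "example.com"
    forward-addr: 192.168.1.53
```

To confirm the split is doing what you expect, query both sides from a LAN client: `dig @<pfSense LAN IP> app.example.com A` should return 192.168.1.10, and `dig @1.1.1.1 app.example.com A` should return the WAN address from the public wildcard. If the first query returns nothing while a direct `dig @192.168.1.53` works, the rebinding check is eating the answer and the private-domain line (or the equivalent pfSense setting) is missing. The same two queries are a handy regression check after every DNS Resolver change, since HAProxy's backend resolution depends on pfSense answering the LAN address consistently.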