Need assistance with DNS settings on pfSense? Let me know what you're experiencing.
I understand just enough to cause some confusion, so I’m looking for assistance in clarifying the situation. My pfSense machine is acting as the DHCP and DNS hub for my network, with unbound handling DNS resolution inside pfSense. Since no other DNS servers are set up, all devices should rely on the gateway IP as their DNS provider. I’ve checked the network settings of various clients—wired and wireless—and they’re all pointing to 192.168.1.1 as the DNS server, which matches the gateway address. pfblockerng is functioning correctly for ad blocking across most clients, except one. I confirm ads disappear on known problematic sites, and dnsleaktest.com verifies that only my IP shows up as the DNS source, consistent with internal resolution. I’ve tested pinging blocked domains; they return a fake IP through pfblockerng. My OnePlus 6T (Android 10) phone works when using Chrome but fails with Firefox. In Chrome, ads reappear and dnsleaktest.com lists multiple Google DNS servers, while Firefox blocks them all. I can see this in pfSense logs as well. There’s a secondary DNS listed—8.8.8.8 (Google)—alongside the gateway, though it isn’t configured by me. Some sources say this was added for Android or OnePlus during a past update. It seems Chrome is favoring that secondary server over the default one. If I manually configure my phone’s IP and DNS, it works perfectly, but with NAT forwarding, it doesn’t. I followed the pfSense guide to redirect DNS requests through the gateway, but Chrome on Android still finds a way. There are some network requests from other devices being sent to 127.0.0.1:53, suggesting the core process is active. Still, Chrome on Android appears to be bypassing the intended resolution. I’m trying to figure out what’s wrong—why does it work for others but not for this device?
I stumbled upon those links while trying to understand what was happening. The first one explains how to force a specific DNS on Android by turning off DHCP and using static mappings. I’m familiar with that method and it functions correctly. The second link mentioned PiHole specifically, but it wasn’t clear which router was being pointed to for the PiHole DNS. From what I gather, pfSense doesn’t provide alternative DNS servers when acting as its own resolver. It only does so in DNS Forwarder mode, which interferes with pfblockerng and ad blocking, the main purpose of this setup. My main concern remains why Chrome on Android ignores the NAT and firewall rules that redirect all DNS queries to the gateway for resolution.
On my device, the Wi-Fi settings show a main DNS at 192.168.1.1 (DHCP-assigned) and a secondary at 8.8.8.8 (added by Google or OnePlus). Only Chrome uses the secondary DNS, while other traffic goes through the primary. This setup is what’s causing the problem—why the expected DNS changes aren’t taking effect.
Existing DNS redirection applies to every DNS server via the port forwarding setup on the router. Chrome may now rely on DNS over HTTPS, so we need to adjust accordingly.
The article inspired me to configure my DHCP server to provide both DNS 1 and DNS 2 addresses. While pfSense's standard settings block duplicates, DHCP allows this, which seems to resolve the issue of my phone not automatically using the Google DNS as a secondary. Now only my pfSense device appears, and the Chrome firewall behavior functions properly. This highlights an interesting aspect of DNS over HTTPS. I’m puzzled about how it works but think it might explain why the redirect I set up failed—since it only covers port 53. I’ll explore this further and try a cleaner solution in the meantime.
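As an added example (not code from anyone in this thread), here is a small Python triage script for the situation described above: it scans firewall log lines for LAN clients that send plain DNS to something other than the gateway (what a port-53 redirect rule catches) and for TCP/443 connections to known public resolver addresses (DNS over HTTPS, which a port-53 redirect does not cover). The log lines are constructed in a simplified "src:port -> dst:port proto" form rather than pfSense's real filterlog CSV, and the gateway and resolver addresses are taken from the thread.

```python
"""Flag LAN clients whose DNS traffic bypasses the pfSense resolver.

Added example for illustration only. The log format below is a constructed,
simplified one ("src:port -> dst:port proto"); real pfSense filterlog lines
are CSV and would need a different regex.
"""
import re
from collections import defaultdict

GATEWAY = "192.168.1.1"                 # unbound on pfSense, per the thread
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # Google DNS seen on the phone

LINE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp)$"
)

def classify(line):
    """Return (client_ip, finding) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport, proto = m["src"], m["dst"], int(m["dport"]), m["proto"]
    if dport == 53 and dst != GATEWAY:
        # Classic DNS to an outside server: the NAT port-forward rule
        # for port 53 rewrites this to the gateway.
        return (src, "plain-dns-bypass")
    if dport == 443 and proto == "tcp" and dst in PUBLIC_RESOLVERS:
        # HTTPS to a public resolver IP: consistent with DNS over HTTPS,
        # which a port-53 redirect never sees.
        return (src, "doh-suspect")
    return None

def bypassing_clients(lines):
    """Map each offending client IP to the sorted list of findings."""
    report = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            report[hit[0]].add(hit[1])
    return {src: sorted(kinds) for src, kinds in report.items()}

# Constructed sample: .20 behaves, .42 talks to 8.8.8.8 on 53 and 443.
SAMPLE_LOG = """
192.168.1.20:51000 -> 192.168.1.1:53 udp
192.168.1.20:51001 -> 203.0.113.10:443 tcp
192.168.1.42:40000 -> 8.8.8.8:53 udp
192.168.1.42:40001 -> 8.8.8.8:443 tcp
192.168.1.42:40002 -> 192.168.1.1:53 udp
""".strip().splitlines()

if __name__ == "__main__":
    print(bypassing_clients(SAMPLE_LOG))
```

A client that appears only as "doh-suspect" is the case the thread ends on: the port-53 redirect is working, but the browser resolves names over HTTPS instead.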