DNS Best Practice Setup

Hello Everyone,

I wanted to know if anyone can advise me on a better way to optimize the DNS setup for my home network. Currently I have my NethServer as the primary DNS server for all of my internal systems/clients, and a pfSense firewall as my gateway and secondary DNS server. Everything is working correctly, but I'm wondering if there is a better way to configure everything for faster performance. I wanted to have NethServer as the primary DNS so it can resolve internal names, and the pfSense DNS is set to resolve while looking to the OpenDNS servers for external requests/queries, for speed and light filtering. I know that's a lot of hops to make, but I don't want to sacrifice name resolution for internal client names. Any advice would be appreciated.

Thank you very much in advance.

Looks like a fine strategy to me. Keep in mind that the priority in dnsmasq on NethServer seems to be reversed (see "Nethserver DNS primary and secondary server entries have mixed priorities in dnsmasq?").
I hope that will get solved so the priorities are clear.


In my opinion, this is the best strategy.
I use the same scenario at work with no problems for many years, regardless of the combination used for internal DNS / Gateway-DNS external.

Nice and simple DNS configuration. However (as I have stated in previous threads), I like the use of reverse lookups and master/slave DNS replication, and therefore prefer to use BIND9 instead of the dnsmasq daemon.

I don't know if it's your case, but with an Active Directory accounts provider, a secondary, non-AD-aware DNS could lead to problems.

All AD members should have only AD-aware DNS, like NethServer.


Thank you for all of your help everyone.


You can always make pfSense AD-aware (but you still need AD DNS for your LAN).
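To illustrate what "making pfSense AD-aware" looks like in practice, here is an added example (not from the original thread, and not NethServer's or pfSense's own code) of conditional forwarding for Unbound, the resolver behind the pfSense DNS Resolver. It is the text-file equivalent of a "Domain Override" in the pfSense GUI. The AD domain `ad.example.lan`, the NethServer DC address 192.0.2.10 and the LAN prefix 192.0.2.0/24 are assumed placeholders; the OpenDNS addresses are the public ones.

```conf
# Added example: Unbound fragment for the pfSense DNS Resolver.
# Placeholders (assumptions): ad.example.lan = Samba AD domain,
# 192.0.2.10 = NethServer DC running the AD-integrated DNS,
# 192.0.2.0/24 = the LAN the DC serves.

server:
    # Unbound's rebind protection drops private (RFC 1918) addresses in
    # answers unless the domain is declared private; the AD zone only
    # contains LAN addresses, so allow them for this zone.
    private-domain: "ad.example.lan"
    # If DNSSEC validation is enabled, the AD zone cannot validate: it is
    # unsigned and not delegated from the root, so mark it insecure or
    # every forwarded answer for it will be treated as bogus.
    domain-insecure: "ad.example.lan"

# Everything under the AD domain, including the _ldap/_kerberos SRV records
# under _msdcs that domain members look up, goes to the DC's DNS, never to
# the public upstream.
forward-zone:
    name: "ad.example.lan"
    forward-addr: 192.0.2.10

# The reverse zone for the LAN, so PTR lookups for LAN hosts also reach
# the DC instead of leaking to OpenDNS.
forward-zone:
    name: "2.0.192.in-addr.arpa"
    forward-addr: 192.0.2.10

# Everything else is forwarded to OpenDNS for speed and light filtering
# (the pfSense "Enable Forwarding Mode" setting generates this zone).
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
```

A quick check from a LAN client is `dig @<pfsense-ip> _ldap._tcp.dc._msdcs.ad.example.lan SRV`: the answer should name the DC, which means a client that falls back to the secondary resolver still finds its domain controller instead of getting NXDOMAIN from OpenDNS. On the older pfSense DNS Forwarder (dnsmasq) the equivalent line is `server=/ad.example.lan/192.0.2.10`. This override does not change the advice above: domain members are still best pointed only at the AD DNS, and hosts with static IPs that are neither DHCP leases nor domain members are unknown to both resolvers until a record is created for them in the AD zone (on Samba AD, for instance with `samba-tool dns add`).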


I know this is an old topic, but for the longest time pfSense was the internal DNS and DHCP for my network, and I just recently set up NethServer as an AD DC. Some of the hostnames on my internal network are not working like they used to, because I have NethServer set up as the primary DNS for the AD functionality.

Is there a setting I may have missed on either pfSense or NethServer?

Did you try it with and without domain suffix?

NethServer DNS only knows about the connected DHCP and Samba clients. You may have to enter hosts with static IPs into the NethServer DNS hosts.

Yes, I tried both ways. NethServer is the host for e-mails, but when I set the IP address of the DC part of it, it couldn't even resolve it. When I go to server aliases under DNS they are all there, so does the DC side of it perhaps resolve things differently, or does it use the same DNS server?

I think I found my problem: AD DNS is handled differently than the server DNS.