Since policy-based routing does not apply to traffic generated by pfSense, the router's internal routing table determines the route to DNS servers. Because of this, if static routes are not configured, pfSense will only use the primary WAN interface to access DNS servers. Although this may be what you want, you must configure static routes if you want pfSense to use the correct WAN interface for DNS queries.
If you do not configure status routes for these WAN interfaces, then you will face the following issues:
- It can be a problem if you are using your ISP’s DNS servers. This is because ISPs will often block recursive DNS queries from outside of their network. You can eliminate this problem by using alternative DNS servers, such as the ones run by OpenDNS, or the privacy-friendly DNS servers operated by CloudFlare.
- If no static routes are configured and the primary WAN interface goes down, then you will have lost the only interface with a route to DNS servers, and therefore would be left with no means of DNS resolution.
One of the ways to solve this problem is to use the DNS server for a secondary WAN gateway as the monitor IP address for the gateway. In this case, pfSense will automatically add a static route for the gateway's DNS server, and we needn't add a static route manually.
You can always add a new rule, though. To add a static route to 1.1.1.1, for example, navigate to System | Routing, click on the Static Routes tab, and from there, click on the Add button. The Destination network field should have 1.1.1.1/32 (1.1.1.1 with a CIDR of 32). Select the secondary gateway in the Gateway drop-down box. Then, enter a brief description in the Description field and click the Save button and Apply Changes.