pfsense DNS forwarder randomly stops working only for certain hosts

Red Squirrel ([H]F Junkie, joined Nov 29, 2009, 9,211 messages)
I noticed this odd issue with the DNS forwarder in pfsense. I have a few locked down vlans that I don't want to give direct access to my internal DNS server but still want them to resolve from it so I use the forwarder and just point the machines to the gateway. This works 99% of the time. Every now and then, completely randomly, 1 host will fail to resolve only on 1 machine. Restarting the service on pfsense fixes this.

What would cause this to happen? Very worst case scenario I might just allow the internal DNS server through the firewall and skip using the forwarder.
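A diagnostic that helps pin this down while it is actually happening (rather than restarting the forwarder and losing the evidence) is to ask the forwarder and the internal DNS server the same questions and flag the name where their answers diverge. The script below is an added example, not something from this thread or from pfSense itself; the forwarder address 192.168.10.1, the internal server 10.0.0.53 and the hostnames are placeholders, and it assumes `dig` is installed on the client where the failure shows up.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from pfSense: compare the answers
# the pfSense forwarder (the VLAN gateway, assumed 192.168.10.1) returns with
# the answers the internal DNS server (assumed 10.0.0.53) returns for a list
# of hostnames. Both addresses are placeholders; override them via the
# environment or edit them here.
FORWARDER="${FORWARDER:-192.168.10.1}"
INTERNAL="${INTERNAL:-10.0.0.53}"

# classify_answer: reduce one dig output (on stdin) to a one-word status
# (NOERROR, NXDOMAIN, SERVFAIL, ... or TIMEOUT when no header came back)
# followed by the sorted A records, so the two servers' answers can be
# compared without caring about TTLs or record order.
classify_answer() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        # no ";; ->>HEADER<<-" line at all: dig timed out or the server is unreachable
        echo "TIMEOUT"
        return 0
    fi
    # answer-section lines look like: name. TTL IN A 10.0.0.20
    records=$(printf '%s\n' "$out" | awk '$1 !~ /^;/ && $4 == "A" { print $5 }' \
        | sort | tr '\n' ',' | sed 's/,$//')
    echo "$status${records:+ $records}"
}

# compare_host: query both servers for one name and report OK or MISMATCH.
# A MISMATCH where the forwarder says SERVFAIL/NXDOMAIN/TIMEOUT while the
# internal server answers NOERROR is exactly the symptom from the first post.
compare_host() {
    host="$1"
    fwd=$(dig +time=2 +tries=1 "@$FORWARDER" "$host" A 2>/dev/null | classify_answer)
    int=$(dig +time=2 +tries=1 "@$INTERNAL" "$host" A 2>/dev/null | classify_answer)
    if [ "$fwd" = "$int" ]; then
        echo "OK $host [$fwd]"
    else
        echo "MISMATCH $host forwarder=[$fwd] internal=[$int]"
    fi
}

# Usage: ./dnscompare.sh printer.lan nas.lan mail.lan
# Run it from the client that is failing; a second run from a healthy client
# on the same VLAN shows whether the problem is per-client or per-forwarder.
for h in "$@"; do
    compare_host "$h"
done
```

Run it repeatedly (for example from cron every few minutes) and keep the output; when the mismatch appears, the forwarder's status word tells you whether it is handing back a negative answer or not answering at all, which is the first thing to check in the forwarder's logs before restarting it.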
 
Why not hand these clients/VLANs the correct DNS via DHCP instead of going some weird roundabout way?
//Danne
 
Do you filter your DNS from the VLANs because they shouldn't see your zones? There's split-view DNS for that.
 
It is being pushed via DHCP, but instead of exposing the DNS port directly (in case there's a bind exploit or something) I use a forwarder and put that IP in the DHCP instead. But considering the very very very low odds of DNS being compromised and the fact that it's in a chroot jail (that and it's designed to be wide open to the internet, let alone in a slightly risky vlan), I might just get rid of the forwarder and open up the IP directly. Just find it odd how the pfsense forwarder behaves in the way I mentioned though. It should be fairly cut and dry but not sure why it randomly stops resolving specific hosts on a specific host.
 