Netgate Discussion Forum
    domain override not working

    DHCP and DNS
    rasithapr:

      I'm trying to get domain override to work. I have my MS domain at IP 192.168.151.3 but things are not working. But it started to work when I turned off the pfSense firewall. What am I missing here? Do I need to put in a firewall rule? I'll attach a picture of my rules.

      johnpoz (LAYER 8 Global Moderator):


        @rasithapr let's go over the different steps in validating that your override can/will work; this might help us figure out where it's going wrong.

        If you have DNS set up on 192.168.151.3 that resolves, let's call it, mydomain.tld, so I set up a domain override for this..

        I pointed it to a nameserver I have on my network at 192.168.9.10

        [screenshot: override.jpg]

        I can validate that this is where unbound will ask via

        unbound-control -c /var/unbound/unbound.conf lookup host.mydomain.tld
        

        I can look in unbound.conf and see that it set this domain as private, so it can return RFC 1918 addresses.

        You can view your unbound.conf in /var/unbound

        I validated that my NS on 192.168.9.10 actually resolves the record I'm looking for: in that dig @192.168.9.10 for host.mydomain.tld you can see it returned 192.168.9.42, which is the A record I set in that NS.

        I validated that pfSense can indeed resolve that FQDN in DNS Lookup under Diagnostics.

        And last, you can see that if I ask unbound on the pfSense IP of 192.168.9.253, I get the response.

        So you will want to make sure unbound treats this domain as private if it's going to return RFC 1918 addresses. You will also want to make sure that unbound is set to use an interface that can talk to that NS, under outgoing interfaces.

        [screenshot: interfaces.jpg]

        That is, if you have changed it from the default "all" setting.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11
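        The validation chain johnpoz walks through above, as an added example (not code from the thread, from pfSense or from unbound): a POSIX shell script that first checks the generated unbound config for the three things that have to be right (a forward-zone for the override domain pointing at the intended NS, the domain listed as private-domain so RFC 1918 answers are not scrubbed, and whether outgoing-interface has been restricted), then runs the same live queries the post shows. It assumes pfSense's config layout (forward-zone blocks, private-domain and outgoing-interface lines in the server block, domain overrides pulled in by an include line), the default path /var/unbound/unbound.conf, and that dig and unbound-control are installed; mydomain.tld, 192.168.9.10 and the hostnames are placeholders taken from the post.

```shell
#!/bin/sh
# check_override.sh: static + live checks for a pfSense (unbound) domain override.
# Added example, not code from the thread, pfSense or unbound. Assumes the
# pfSense-generated config layout (server: block with private-domain: and
# outgoing-interface: lines, forward-zone: blocks, domain overrides spliced in
# through an "include:" line) and that dig/unbound-control exist on the box.
# Override the config path with UNBOUND_CONF=/path/to/unbound.conf.

CONF="${UNBOUND_CONF:-/var/unbound/unbound.conf}"

# Drop comment lines and splice in included files so one stream can be searched.
flatten_conf() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*include:/ {
            f = $2; gsub(/"/, "", f)
            while ((getline line < f) > 0)
                if (line !~ /^[[:space:]]*#/) print line
            close(f); next
        }
        { print }
    ' "$1"
}

# Print the forward-addr targets (any @port suffix stripped) of the forward-zone
# named $2. Zone "." is the global forwarder list that "DNS Query Forwarding"
# writes from the System > General Setup servers.
override_targets() {
    flatten_conf "$1" | awk -v zone="$2" '
        /^[[:space:]]*forward-zone:/ { inzone = 0; next }
        /^[[:space:]]*name:/ { n = $2; gsub(/"/, "", n); inzone = (n == zone); next }
        inzone && /^[[:space:]]*forward-addr:/ { a = $2; sub(/@.*/, "", a); print a }
    '
}

# Exit 0 when $2 is listed as private-domain, i.e. unbound will hand back
# RFC 1918 answers for it instead of dropping them as rebinding attempts.
is_private_domain() {
    flatten_conf "$1" | awk -v zone="$2" '
        /^[[:space:]]*private-domain:/ { n = $2; gsub(/"/, "", n); if (n == zone) found = 1 }
        END { exit !found }
    '
}

# Print outgoing-interface addresses; no output means "all" (unbound default).
outgoing_interfaces() {
    flatten_conf "$1" | awk '/^[[:space:]]*outgoing-interface:/ { print $2 }'
}

# check_override ZONE NS_IP HOSTNAME [RESOLVER_IP]
check_override() {
    zone=$1; ns=$2; host=$3; resolver=${4:-127.0.0.1}
    targets=$(override_targets "$CONF" "$zone")
    [ -n "$targets" ] || { echo "FAIL: no forward-zone for $zone in $CONF"; return 1; }
    echo "forward-zone $zone -> $(echo "$targets" | tr '\n' ' ')"
    echo "$targets" | grep -qxF "$ns" || echo "WARN: override does not point at $ns"
    if is_private_domain "$CONF" "$zone"; then
        echo "private-domain: yes"
    else
        echo "FAIL: $zone is not private-domain; RFC 1918 answers will be dropped"
    fi
    out=$(outgoing_interfaces "$CONF")
    if [ -n "$out" ]; then
        echo "outgoing-interface restricted to: $(echo "$out" | tr '\n' ' ')(one must reach $ns)"
    else
        echo "outgoing-interface: all (unbound default)"
    fi
    # Live checks in the same order as the post: where unbound will send the
    # query, what the override target answers, and what unbound itself answers.
    unbound-control -c "$CONF" lookup "$host"
    dig +short @"$ns" "$host"
    dig +short @"$resolver" "$host"
}

if [ $# -ge 3 ]; then
    check_override "$@"
fi
```

        Running `sh check_override.sh mydomain.tld 192.168.9.10 host.mydomain.tld 192.168.9.253` on the pfSense box reproduces the post's checks in one go; a restricted outgoing-interface list that does not include an address on the NS's network is exactly the failure the original poster hit. `override_targets "$CONF" .` shows the global forwarders instead, which is what the forwarding-mode setup discussed later in the thread writes.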

        rasithapr:


          @johnpoz I changed the outgoing interface to all & now it's working; it was set to WAN previously.

          johnpoz (LAYER 8 Global Moderator):


            @rasithapr I like using localhost personally; it will NAT when it goes out the WAN. But localhost isn't going to work for a domain override to an NS on your local networks ;)

            Glad you got it sorted.

            guile:


              @johnpoz I don't know if I can bump this topic, because it's kind of old; if I can't, you can delete it.

              I have the same problem. I have an Active Directory (Windows 2019) as my local network DNS server. I set the IP of that server in "Domain Overrides" of the DNS Resolver and I changed the Outgoing interface to "ALL" (it was WAN), but it still doesn't work.

              In "Diagnostics > DNS Lookup" it works perfectly. But on my PC, it doesn't work. It gives the following error: "Ping request could not find host test.domain.com. Please check the name and try again."

              What could it be?

              viragomann:


                @guile said in domain override not working:

                I have an Active Directory (Windows 2019) as my local network DNS server. I set the IP of that server in "Domain Overrides" of the DNS Resolver

                Why a domain override?
                Isn't the Windows server meant to do all of your DNS lookups?

                If so, you should rather set it as the DNS on all clients; you can push it via DHCP. Or forward all DNS requests to it on pfSense.

                guile:


                  @viragomann The problem is that I use pfBlocker, so I need pfSense (DNS Resolver) to be the main DNS. Currently my network looks like this: DHCP distributes the Active Directory IP as DNS. And in the Active Directory forwarder, I configured the pfSense IP.

                  Like that:

                  DHCP > Active Directory > pfSense.

                  Everything works perfectly fine, but I need to make some NAT rules and, the way it is, it's conflicting with some rules.

                  viragomann:


                    @guile said in domain override not working:

                    The problem is that I use pfBlocker, so I need pfSense (DNS Resolver) to be the main DNS.

                    So enter the DNS server in System > General Setup as the only one.

                    And in the Resolver settings check "DNS Query Forwarding".

                    guile:


                      @viragomann that worked! 👍

                      But I still have a problem. I need to use OpenDNS (208.67.222.222) as the outgoing DNS. How to configure DNS Resolver to forward to OpenDNS?

                      viragomann:


                        @guile
                        Now what? OpenDNS or the Windows server?

                        You can use one or the other, or the second one if the primary fails.
                        Or you can configure the Windows server to use OpenDNS for its lookups.

                        It's not clear what you're trying to achieve.

                        guile:


                          @viragomann I need to use OpenDNS as the outgoing (WAN) DNS. I just set it in the Active Directory forwarder and everything is working fine now.

                          Thank you!

                          SteveITS (Galactic Empire):


                            @guile There are two ways to accomplish this, to use AD DNS and pfBlocker:

                            1)
                            Set PCs to use Windows DNS as their DNS
                            Set Windows DNS to forward to pfSense (uncheck the option to use root servers)

                            or

                            2)
                            Set PCs to use pfSense as their DNS
                            Add a domain override for the Windows AD domain name to point to one or more Windows AD DNS servers (domain=example.lan, IP=Windows_DNS_IP)

                            Note if you have IPv6 from your ISP you essentially need to use option 2 because pfSense will send itself as the IPv6 DNS by default.

                            Sounds like you got it working but a screenshot would probably help next time.

                            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                            Upvote 👍 helpful posts!

                            guile:


                              @SteveITS I used the second option you mentioned.

                              But the problem is that the "domain override" was not working. As @viragomann mentioned, I needed to set the Active Directory DNS in "General Setup" and activate the forward option in the DNS Resolver.

                              After that, I configured the OpenDNS IP (208.67.222.222) in the Active Directory forwarder.

                              Everything is working now, including the NAT rules that were conflicting.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.