DNS Settings For Active Directory at a remote site
-
@bmeeks
Fantastic, thank you!
-
As I am no longer specifying DNS servers in pfSense and using the resolver however can I see what DNS servers pfSense is using?
-
@McMurphy said in DNS Settings For Active Directory at a remote site:
As I am no longer specifying DNS servers in pfSense and using the resolver however can I see what DNS servers pfSense is using?
@McMurphy, you don't seem to understand how resolving works. There is no specifically set or configured server pfSense will use other than itself (technically, the unbound service which is called DNS Resolver in the menus). When you leave all the DNS settings in the GENERAL SETTINGS tab blank, that automatically tells pfSense to use its internal resolver process, unbound. Go back and read my post above that describes both Forwarding and Resolving. Read the Resolving section very carefully and be sure you understand what's happening there. Don't try to skim it, and don't assume you know how it works already.
Once you fully understand what Resolving is, you will see that your question is moot. Out of the box pfSense will operate in the resolve mode using the built-in unbound DNS resolver service.
-
ok ok ok... I did skim it a bit :)
I understand that the resolver uses a predefined list of root DNS servers:
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html
I think I am getting my wires crossed here so please correct me if I am wrong:
- pfSense will disregard the ISP DNS servers unless checked in System => General Setup
- pfSense itself will use the resolver function for internal purposes, such as checking for updates.
- clients will only use the pfSense resolver if they are set to use the pfSense IP for DNS (DHCP or manual)
- AD server is its own DNS server
- AD server has its own DNS forwarders so it will totally disregard pfSense's resolver
How does that sound?
-
@McMurphy said in DNS Settings For Active Directory at a remote site:
ok ok ok... I did skim it a bit :)
I understand that the resolver uses a predefined list of root DNS servers:
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html
I think I am getting my wires crossed here so please correct me if I am wrong:
- pfSense will disregard the ISP DNS servers unless checked in System => General Setup
- pfSense itself will use the resolver function for internal purposes, such as checking for updates.
- clients will only use the pfSense resolver if they are set to use the pfSense IP for DNS (DHCP or manual)
- AD server is its own DNS server
- AD server has its own DNS forwarders so it will totally disregard pfSense's resolver
How does that sound?
All of the above is correct. The only small clarification is that the DNS server on a Windows AD DC can be configured to forward or to resolve. You can tick a box in the DNS server properties to change that behavior. In recent Windows Server versions the root hints servers are automatically populated, so the DNS server would resolve unless you explicitly provided a forwarder IP address. By default, your AD DNS server will not have a forwarder configured, so it would resolve. Only if you manually add the IP address for a forwarding server would it use one.
And to muddy the waters a bit more, you could configure the Windows AD DNS server to forward to pfSense any domains it is not authoritative for. And then use the default pfSense DNS Resolver configuration which would resolve the query and send it back to the Windows AD DNS server. Why would someone do it this way? For say ad blocking using the DNSBL features of pfBlockerNG. The AD DNS server would do all the local Active Directory lookups, but anything external to the local AD domain would be forwarded to the DNS Resolver in pfSense. And if you were to configure the DNSBL option in pfBlockerNG, then the DNS Resolver would not go "resolve" domain names for ads and thus block them.
And just to close the loop in this long discussion -- ultimately the only way to look up an IP address for a hostname is to "resolve" using the resolver process I described earlier. Even a forwarder will actually go resolve the request, then send it back to the client that sent it originally to the "forwarder". While inefficient, a forwarder server could in turn forward to some other server and so on, but at some point in the chain a DNS server would have to actually resolve the request starting by querying the root servers to get the server for the TLD, then working down to the final authoritative DNS server for the domain being looked up.
In the old and early days of the Internet, there was no collection of DNS resolver applications you could install on clients. So, the only option was to point the DNS client on your Windows or Mac machine to a DNS forwarder typically provided by your ISP. The ISP wanted you to use their forwarder, so that's the DNS server IP they gave you. They wanted this originally to minimize DNS traffic on their external links. Their internal server could go do the resolving for something once, then cache the returned IP locally and then quickly serve it to the ISP's customers until the TTL on the record expired. But over time lots of DNS resolver apps have become available, and the need to rely on the ISP's DNS servers has waned.
-
Does this mean the settings below only apply to DNS Forwarder mode and are totally ignored by DNS Resolver mode?
System => General Setup => DNS Server Settings
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html
-
p.s. And just when I thought I understood what a resolver was I found this...
-
There are DNS clients and DNS servers. Let's examine the difference between them.
DNS clients are small applications that have existed as mostly an embedded part of an operating system. For example, Windows, Linux, and MacOS all ship with a DNS client. The only thing a DNS client does is ask a DNS server to tell it what IP address it should go connect to in order to access a given hostname. DNS clients only talk to a DNS server. So, when a Windows client workstation or server wants to connect to www.microsoft.com, it will use its DNS client app to query a configured DNS server to find the IP address for that domain or hostname. A DNS client can only ask a DNS server for that info. The DNS client itself cannot resolve. You could sort of say it "forwards", but not exactly using the same process as a DNS server would use for forwarding.
A DNS server is an application that can either resolve the query on its own by starting with those 13 DNS root servers and working its way up the chain until it finds the server that is authoritative for the domain being queried. There it obtains the IP for the queried hostname and then returns it to the DNS client that asked for it. A DNS server can also be configured to simply forward requests to another DNS server and let that other DNS server do the footwork of resolving.
pfSense is a full FreeBSD operating system install. It has a built-in DNS client just like every other operating system has had forever (at least since networking was a standard component of operating systems). The settings on the GENERAL SETTINGS tab for DNS servers are telling the DNS client in pfSense what it should do. It has two choices: it can ask the DNS Resolver component that now ships as part of pfSense to find the IP, or if the admin has configured external DNS servers it will go ask them and ignore the local DNS Resolver component. When you put 127.0.0.1 (local host) in the box, that tells the client to use the local resolver component (the unbound daemon). If you put Google's or Cloudflare's DNS server IP addresses in there, the DNS client will use those instead. But the DNS client is only used to find an IP address for pfSense itself. Nothing the DNS client on pfSense does ever gets sent to some other device on the network. There is a drop-down selector in that section that has some other choices about how the DNS client should behave regarding looking up IP addresses for pfSense itself.
The only time the DNS client on pfSense will get used is when pfSense is looking for something just for local use such as how to find the Netgate package/firmware update servers, or how to find the IP for some NTP server's hostname you enter under the NTP Settings tab, or when you click the option under DIAGNOSTICS to view the ARP table, or when you click one of the little icons in the firewall log view to display the hostname for a logged IP address.
Several years back pfSense began including the unbound package as part of the core install. That package is a limited DNS server. It can resolve hostnames using the DNS root servers, it can be configured to simply forward queries to an external DNS server (a forwarder) and let that external server do the work, and it can on a very limited basis store CNAME, A, and AAAA host records and behave similarly to a full-blown DNS server. The DNS Resolver part of pfSense is the unbound daemon.
That last screenshot you provided with the Enable Forwarding Mode option is used should you wish to switch the unbound daemon (the DNS Resolver) from its default resolver mode of operation over to forwarding mode. There is really no good reason for doing this, but a few admins seem passionate about switching over to TLS and using that protocol along with this option to send all their queries to Cloudflare or someone similar for resolution instead of letting the pfSense DNS Resolver do the resolving. Several of us old guys on here really do not see the need for that. But it's an option that is available. The default for that checkbox is "not checked", which means the unbound service (the built-in DNS Resolver on pfSense) will behave as a resolver. One use case for that forwarding mode option is if you want to take advantage of a large DNS provider's filtering option. An example would be using Cloudflare's option to filter adult/porn sites.
So, why would I configure my network to have clients ask pfSense's DNS Resolver for IP lookups, but then configure the pfSense DNS Resolver to just turn around and forward that query to an external DNS server? One reason is that the DNS Resolver on pfSense cannot natively filter results. It can't block adult/porn sites from resolving (without use of an additional third-party package such as pfBlockerNG and its DNSBL option). If I forward to a service like Cloudflare, they do offer such filtering if I send my queries to a particular DNS server (1.1.1.1, for example). In my mind, that's really the only good reason to enable the forwarding mode of the pfSense DNS Resolver. Of course you could just as easily configure your clients to go straight to Cloudflare and take out the pfSense middle man, and that is another valid configuration option. One reason to leave the pfSense middle man in place would be if you needed to make use of domain overrides such that lookups for certain domains go to a specific DNS server for resolution. You can't do that at the DNS client level, so you would have to utilize the pfSense middle man to do that.
Last remark -- prior to the inclusion of the unbound core package, pfSense offered no way to resolve. It could only forward using a package called dnsmasq. That package is still available and can be configured under the DNS Forwarder menu under the SERVICES section of pfSense. It is considered a legacy and deprecated package. If you enable it, you must NOT enable the DNS Resolver under SERVICES. Those two cannot co-exist because they want to listen on the same port. If you enable the DNS Forwarder component under the SERVICES menu, then you must provide it with the IP addresses of the DNS servers it should send the queries to. Do not confuse the DNS Forwarder component in pfSense with the DNS forwarder option available in the DNS Resolver configuration. In the DNS Resolver component, "forwarding" is an optional mode of operation for the resolver.
-
@McMurphy said in DNS Settings For Active Directory at a remote site:
Does this mean the settings below only apply to DNS Forwarder mode and are totally ignored by DNS Resolver mode?
System => General Setup => DNS Server Settings
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html
Yes, except these do impact how the DNS client component of pfSense operates. See my long post describing clients and servers for DNS.
-
@McMurphy said in DNS Settings For Active Directory at a remote site:
p.s. And just when I thought I understood what a resolver was I found this...
I created a rather long post above this one to explain this screenshot.
The short version is the parameter highlighted in the red rectangle changes the mode of operation for the DNS Resolver over to forwarding mode instead of the default resolving mode. There are not many good reasons for doing that in the opinion of many of us seasoned admins. If you enable Forwarding Mode, then you must provide the DNS servers to forward the queries to under the DNS Servers section of GENERAL under the SYSTEM menu.
Also note that if you enable this DNS Resolver option to switch it to forwarding mode, you should NOT enable DNSSEC. The server you forward to either does DNSSEC or it does not, but it will not do it just because you check that box. In fact, some external DNS servers will not work correctly if you enable DNSSEC when forwarding (Quad9 being an example, see this: https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-dnssec-validation). That checkbox really only applies to resolver mode operation.