New Setup - DNS Resolver with Local DNS Server
-
Hey everyone,
We are replacing our 6100 with a new 8200 and since that setup we have added an active directory server on site with DNS setup. So the network has multiple VLAN networks, I have setup DNS Resolver pretty much the same way but what I want to do is any client on our our network that resides on the server network be able to resolve DNS thru the server locally. Right now the cameras, phones, guest all have a firewall rule to direct DNS requests to DNS resolver but what is the correct method for the server network. All DHCP server setup have no specified DNS, with the exception of this server network, where I have one single entry as the server's IP address. Do I need to also add a Host Override under DNS Resolver and a firewall rule that points DNS to this server's address as well? Bit confused how to get this local DNS on one network locally resolve but then use DNS Resolver for external queries. Hope that makes sense. The current 6100 does have local DNS issues with client PC's so want this new device setup with the server now in place, i made no changes to anything after the server. I should also mention one big issue i have is not being able to configure and test locally, I'm in a another country , setting this up and will ship out for them to plug in and replace.
-
@StormGate why would you not just point all your clients to your AD dns.. Then have it forward to pfsense to resolve public stuff or anything that might still be a resource on pfsense.
No need for any redirection or anything.
-
@johnpoz Easy answer, security. Having guest IoTs, voip or cameras accessing a critical server would not be wise in my opinion for any type of service.
-
@StormGate its dns, but point your iot such device directly to pfsense, or just some outside. Why would iot device need to resolve any local resources?
Your iot device I would assume are in their own network and would have different dhcp - so set them to use pfsense or external vs your AD dns.
-
@johnpoz What you are mentioning is exactly what my question is asking, I only want my Active Directory network to access the active directory server for its local DNS queries. I have all the other networks already set up to use pfsense thru DNS Resolver.
-
@StormGate well then set your dhcp for to point to your AD dns.. Set your AD dns to forward to pfsense.. Do you not know how to change the nameserver in a dhcp scope on AD? Do you not know how to set it up to forward?
-
@StormGate Normally I'd set up a domain override for each Windows AD DNS server, so queries for it are forwarded to Windows.
If you really prefer to not do that, then as mentioned have the Windows network use Windows as DNS, and have other networks use pfSense as DNS.
@StormGate said in New Setup - DNS Resolver with Local DNS Server:
and a firewall rule that points DNS to this server's address as well?
Firewall rules block or allow. You might be thinking of https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html which uses NAT rules, and NAT rules can have a source. I don't think that's necessary though, unless blocking third party DNS is also a goal.
-
@johnpoz Thanks, so our DHCP is all handled by Pfsense but good call on the adding forwarding within AD. Yes under the properties on DNS are the Forwarders tab.
-
@StormGate at a loss to why an AD shop wouldn't leverage dhcp and dns of the AD.. It's deeply integrated into AD.
Are the user machines not actually members of the Domain?
-
@johnpoz We find that if IPv6 is enabled, devices get the router as IPv6 DNS server and that breaks AD. So we set the domain override for if/when that gets enabled by us or the ISP.
(We also find a lot of clients we onboard have set ISP/public DNS as "secondary" DNS which also breaks AD since Windows doesn't process in order)
-
@SteveITS said in New Setup - DNS Resolver with Local DNS Server:
ISP/public DNS as "secondary
Have seen this going back forever really.. Have seen some otherwise pretty good techs not really have a clue how dns works..
You can for sure hand over your AD dns in your RA.. So clients via IPv6 point to the right AD dns.
Same goes for IPv6 - techs in the biz for long time, not have a clue about IPv6 either..
-
@johnpoz said in New Setup - DNS Resolver with Local DNS Server:
Have seen this going back forever really.. Have seen some otherwise pretty good techs not really have a clue how dns works..
+1000 to this !!
The below response is directed at the general public who may drop by and read. It's not for @johnpoz because he absolutely already knows how DNS works
.It seems to me there are two major DNS client myths (or at least major misconceptions) going around. I keep seeing examples of them in post after post here on the forums in the last couple of years.
MYTH 1: A client configured with multiple DNS servers will always try them in the order they are listed.
FALSE! The client may do that, or it more likely will randomly choose one of the servers you have listed. In that event, all the listed DNS servers better be able to resolve the same host to the same IP or you are going to have confusing issues! If one is a local DNS server and is authoritative for your internal IP space and the other is a public DNS server like 1.1.1.1 or 8.8.8.8, that's a disaster waiting to happen.
MYTH 2: A client configured with multiple DNS servers will try each one of them when looking up a host IP. If the first one fails to find the host IP, it will try the next one and so on until it either finds the host IP or runs out of configured DNS servers --
FALSE! The client will only try another configured DNS server if the first one it uses does not respond at all (as in totally fails to return any packet). If the server returns NXDOMAIN for the host (which means non-existent domain or host), then the client takes that as the "final answer" and will not ask another DNS server for a different answer. And back to Myth #1 above, since that server answered the client's query, the client will now continue to exclusively use that DNS server for any future queries.
Best Practice in Active Directory Shops
In Active Directory, DO NOT give your AD clients multiple DNS servers to choose from unless each listed DNS server is an authoritative DNS server for that Active Directory domain. Giving clients the AD DNS server as one DNS server and say Google or Cloudflare as the second DNS server is a recipe for confusion. When that client chooses to use the Google or Cloudflare server (because Windows will randomly do that), nothing in AD can then be resolved because Google and Cloudflare have no idea about your internal AD resources.The proper way to do this is give your AD clients only your AD DNS server to use. Then configure your AD DNS servers to either resolve external queries themselves (they are capable when the roots are loaded) or forward them to another DNS server such as the DNS Resolver on pfSense or a public DNS server. And on the pfSense side (if you use the DNS Resolver or DNS Forwarder), configure a domain override for your Active Directory domain that points back to your AD DNS server(s). That way pfSense can also resolve local AD hosts if necessary.
-
@StormGate Well the network I am on that is how we setup DHCP but when the original 6100 was setup there was no DC , this was added a year ago and I am in another country so without physically being there and no IT staff, it isn't something I wanted to do since it most likely would break my connection in some form trying to make these changes. The main network clients, yes are domain connected clients. All the other networks are independent.
-
@bmeeks Thanks what confuses is me is when to use a Host override or Domain override, on paper they seem to do the same thing, I'm obviously missing the interpretation.
-
Just wanted to thank everyone so far with their expertise and suggestions, I wasn't expecting to have such quick responses so everyone's help is greatly appreciated.
-
@StormGate said in New Setup - DNS Resolver with Local DNS Server:
@bmeeks Thanks what confuses is me is when to use a Host override or Domain override, on paper they seem to do the same thing, I'm obviously missing the interpretation.
Host override says, for one host (name), answer with a specific IP.
Domain override says, for *.example.com forward this request to that name server.
-
@SteveITS Thanks.
So what I have added:
- DHCP DNS - Domain DNS Server IP only (only on the AD network client DHCP)
- DNS Resolver - Added Domain Override to domain server
- Domain Server DNS Forward - Will be done once 8200 is on site
- Did not add and DNS explicit firewall rule yet to the active directory network.
I see mention of iPv6, we don't use this addressing at all should i be disabling, I know on the 6100 I actually had blocking rules in place iPv6.
-
@StormGate said in New Setup - DNS Resolver with Local DNS Server:
@bmeeks Thanks what confuses is me is when to use a Host override or Domain override, on paper they seem to do the same thing, I'm obviously missing the interpretation.
A host override returns the specific IP you want returned when the DNS server is queried for a specific fully qualified hostname. So, for example, if you want your DNS server to return some specific internal IP of your choosing when a client queries for "www.cnn.com" instead of resolving that via the DNS root servers or forwarding to any forwarder you have configured, then that's a host override. Only that specific FQDN (fully qualified domain name, or specific hostname if you prefer) will be treated specially. In the case of a host override for "www.cnn.com", if your client asked for just "cnn.com", then that query would get resolved to the real public IP of "cnn.com" because the host override is only for "www.cnn.com" and thus does not completely match "cnn.com".
A domain override tells the DNS Resolver (or DNS Forwarder, if configured instead) to refer all queries for the specified domain to a specific DNS server. Don't try to resolve it, just immediately forward it to the DNS server listed in the domain override. So, as an example, if I put in a domain override for "myAD.net" (for my local Active Directory domain name) I would list my internal AD DNS server as the target for any queries for a host in the "myAD.net" domain. So, if pfSense wanted to perform a lookup of say the IP of one of your AD servers by fully-qualified domain name, it would ask the DNS Resolver on pfSense. The Resolver would see that the host being queried resides in your AD domain and the domain override tells the Resolver to go ask your AD DNS server for the IP of the host. Without the domain override, the DNS Resolver in pfSense would either try to resolve the hostname on its own via the root servers or it would forward the request to say 8.8.8.8 or 1.1.1.1 if you had those configured as forwarders (or whatever IP you had configured for forwarding). Obviously 8.8.8.8 will have no idea about your local AD domain and it would return NXDOMAIN for the result.
In practice I could create individual host overrides for every single host in my AD domain and put those in pfSense, but that's a lot of work. Much easier in the case of AD to use a domain override. That tells the pfSense DNS Resolver to go ask the target DNS server listed with the domain override when querying any host from that domain name.
-
@StormGate said in New Setup - DNS Resolver with Local DNS Server:
@StormGate Well the network I am on that is how we setup DHCP but when the original 6100 was setup there was no DC , this was added a year ago and I am in another country so without physically being there and no IT staff, it isn't something I wanted to do since it most likely would break my connection in some form trying to make these changes. The main network clients, yes are domain connected clients. All the other networks are independent.
I understand your trepidation of making a DHCP change if you are remote, but I would eventually plan to make the trip to the necessary site or sites and get it done. With Active Directory, everything is much more seamless with DHCP provided by Windows. The Windows DHCP server can seamlessly update AD DNS with hostname IPs. If you use pfSense for DHCP, then the AD DNS server does not get updated and host lookups within AD can fail (or worse, resolve to the wrong "old" IP).
Microsoft is almost like Apple when it comes to Active Directory. You are sort of locked into using all things Windows when doing AD. And to be honest, it works pretty darn well! In an AD shop, let Windows do DCHP and DNS. You can choose to let AD DNS either resolve external hosts on its own, or you can have it forward queries for external hosts to another DNS server (maybe Pi-Hole for ad blocking/filtering, maybe Cloudflare or another filtering DNS, etc.).
-
@bmeeks So how exactly would I make such a change, I would turn off DHCP on the Pfsense for the active directory network. Pfsense is new to me to begin with so this type of split DNS/DHCP setup must have a few moving parts.
