Netgate Discussion Forum

    Errors transferring zone between Windows Server and pfSense Plus

    DHCP and DNS
    12 Posts 3 Posters 170 Views
      aaronouthier @aaronouthier

      It never fails. Complain about something, and it suddenly starts working!

      Resolved for now.

      For future Googlers' sake: I turned DNS over HTTPS on in pfSense, then I had to change my upstream DNS server to one that supports DNS over HTTPS, and disable allowing my ISP's DHCP server to override the box's DNS server selection.

        aaronouthier

        Looks like I spoke too soon.

        Issue is intermittent. One moment I get DNS Resolution for internal sites, the next I do not. Very strange!

        Only happens on my laptop and 2 servers - the only 3 machines where Windows Server is set to my DNS server.

        nslookup reports no such domain, but strangely ping works fine from a command prompt on my Windows 11 laptop.

        The 2 servers are set up with my Netgate 4200 as forwarders.

          bmeeks (last edited by bmeeks)

          If you have a Windows Active Directory environment, the only proper way to configure DNS is to let your Windows AD handle that task by installing the DNS Role on an AD server. Depending on the size of your AD network, the most common place to put the DNS role is on the Domain Controller.

          Point ALL of your Windows servers and clients to the AD DNS server. Otherwise, AD stuff will not work reliably. Windows AD writes a lot of weird records into the DNS database. That's why it can't ever work properly with your ISP's DNS server unless your ISP surrenders control of their server to you and allows you to write DNS records directly into their DNS. Unlikely they would ever allow that. If you have your own external leased DNS server that you have a secure control panel for administering, then you might be able to set it up to receive zone updates from AD. But at that point why not just keep the AD DNS internal?

          You can, if desired, enable Forwarding in the Windows AD DNS server and point it to either pfSense (where you should have the DNS Resolver configured in its default setup), or you could point it to an external DNS forwarder such as Cloudflare, Google, etc. You will want a domain override configured in the DNS Resolver on pfSense that points back to your Windows AD DNS server for your AD domain. And don't forget to create the proper domain override for reverse pointer lookup.

          And, in a Windows AD environment, you should run DHCP on a Windows server and NOT on pfSense. That way DNS will be automatically updated with dynamic Windows client information. With smaller AD networks, it is fine to run the DHCP Role on your domain controller.

          Trying to use an external DNS server (including the DNS Resolver on pfSense) as your primary DNS server in a Windows Active Directory network is not ever going to work well (if it works at all). I speak from experience having managed such networks in the corporate world for many years. If you are a Windows AD shop, don't try to be cute -- just configure primary DHCP and DNS services on a Windows AD server.

          Later Edit: I am assuming in my reply above that you configured an Active Directory domain when you set up Windows in your home lab. If that is true, then what I said above holds. But if you did NOT choose to configure an Active Directory domain, then you can have Windows servers and workstations work perfectly well with pfSense and its built-in DNS Resolver. This is the setup I currently run in my home network. I have Windows client PCs that use pfSense Plus 24.11 with DNS Resolver and Kea (as the DHCP server). Of course with this arrangement I do NOT have an Active Directory domain and all my workstations have local accounts only (no AD domain accounts and no SSO (single-sign-on) feature).

            aaronouthier @bmeeks

            @bmeeks

            I see. My internal DNS records are currently on my pfSense box with DNS Resolver. I am taking a crash course (self-taught) in Windows Server setup and configuration. Yes, I have DNS service installed, but also yes, I am running AD. I have 2 servers for redundancy - one each among 2 different Proxmox hosts, for what I hope are obvious reasons.

            Windows 2022 has a setup wizard that has an option to select whether it will hold the master DNS records, or whether my ISP holds them and Windows has a "Read-Only copy". I tried it both ways (even though it's not technically hosted by my ISP) but ended up with the same issue.

            Both Windows Server boxes have the pfSense box set up as the upstream forwarder, and pfSense is using Cloudflare as its DNS forward destination, and each server's Ethernet params point DNS first at localhost, and then the other server.

            When selecting the option to use my ISP's DNS (technically my pfSense box, not hosted by ISP), it tries to do something called a "zone transfer", whatever that is. This fails.

            I understand the basic concepts of DNS, but advanced config is still a bit over my head. I am mostly self-taught.

            FWIW: Until I get this working, only my laptop is using Windows Server for DNS, as I have domain logins set up for it. That said, it sounds like this won't work, so I suppose I'll have to manually add all of my DNS records inside Windows and then remove from pfSense. darn!

              aaronouthier @bmeeks (last edited by aaronouthier)

              @bmeeks said in Errors transferring zone between Windows Server and pfSense Plus:

              You can, if desired, enable Forwarding in the Windows AD DNS server and point it to either pfSense (where you should have the DNS Resolver configured in its default setup), or you could point it to an external DNS forwarder such as Cloudflare, Google, etc. You will want a domain override configured in the DNS Resolver on pfSense that points back to your Windows AD DNS server for your AD domain. And don't forget to create the proper domain override for reverse pointer lookup

              I'm just re-reading this again, slower this time. I'm not sure how to set up a "domain override configured in the DNS Resolver pfSense that points back to your Windows AD DNS server for your AD domain". I already have a forwarder set up on each server.

              Update: I found the setting in pfSense, however, it seems this requires setting Windows Server as the authoritative DNS Server for my domain, however, pfSense is currently the authoritative server. Can there be 2 authoritative DNS Servers in the same domain?

              Epiphany: I'm pretty sure I know my issue! I am experiencing a DNS namespace collision! Not sure if that's what it is called, but I hope you all understand what I mean.

              Saw this once at a job site and had to change one side to a subdomain of the other. I was setting up a pfSense box at another office, and initially tried to set up the internal network with a Domain name the company had bought from their registrar, but then from inside the firewall I couldn't access the company web site or emails. I found and fixed that issue before the workers came in the next morning.

                bmeeks @aaronouthier

                @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

                Can there be 2 authoritative DNS Servers in the same domain?

                If they both contain the exact same records for the domain, then yes. Although typically they are treated as primary and backup servers, respectively.

                @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

                FWIW: Until I get this working, only my laptop is using Windows Server for DNS, as I have domain logins set up for it. That said, it sounds like this won't work, so I suppose I'll have to manually add all of my DNS records inside Windows and then remove from pfSense. darn!

                The correct way to handle this with AD is to let AD DNS be the sole DNS server for all the Windows machines. You can add a domain override for your AD domain to the DNS Resolver in pfSense that points to the IP address of your Windows AD DNS server (typically the domain controller in small networks). That way, the DNS Resolver on pfSense knows which server to ask for information about your AD domain.

                  aaronouthier @bmeeks (last edited by aaronouthier)

                  @bmeeks Check my second message above. After the one you quoted.

                  All Windows systems are already using the 2 AD DCs as DNS providers, but they are basically caching servers, with pfSense as the DNS forwarder for each. My Linux boxes and Android phone are using pfSense directly.

                  However, I forgot to make the AD Domain name different from the pfSense domain. I will remedy this in the coming days.

                    SteveITS @aaronouthier

                    @aaronouthier pfSense doesn’t host zones. Maybe if you install the BIND package but I’ve never used that.

                    A zone transfer is when one DNS server pulls the entire zone (records) from another server. Not relevant for pfSense so I’m not following how you got there.

                    Override: https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-domain-overrides.html

                    Since pfSense doesn’t know what your “windowsdomain” is it can’t resolve pc.windowsdomain. An override tells pfSense to send that request to the Windows DNS server.

                    The domain set on pfSense itself is not relevant, we often set it to the windowsdomain.

                    Windows PCs do not necessarily process DNS servers in order. They all need to resolve the AD domain somehow. Don’t also set public DNS.

                    Windows DNS can forward to pfSense or not.

                    pfSense should have an override for windowsdomain as pfSense is used for IPv6 DNS unless otherwise configured.


                      bmeeks @aaronouthier (last edited by bmeeks)

                      @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

                      However, I forgot to make the AD Domain name different from the pfSense domain. I will remedy this in the coming days.

                      That's not necessarily a problem. But with a Windows AD network, the only DNS server provided to any Windows machine MUST be the AD DNS server. You cannot assign any other DNS server to the Windows machine lest they lose the ability to locate critical Active Directory DNS records.

                      What I've seen novice users do (and later post about here after having problems) is make the mistake of putting their AD DNS server and then one or more public DNS servers (or their pfSense box) in the configuration handed out to clients (especially Windows clients). That's not going to work reliably because you can't control which server the clients may choose to ask first for a DNS record. And if the server they ask replies with NXDOMAIN for their query (non-existent domain, or "record not found"), then the client stops asking any other server for the record. For Windows AD machines, that means they may not be able to locate needed DNS records for communicating with the domain controller and certain authentication services.

                        aaronouthier

                        @SteveITS Thank you for the info on Zone transfers, etc. The only reason I mentioned that is because my Windows Servers were failing to perform said transfers. It now makes sense as to why. I reset the servers to not attempt zone transfers any more.

                        @bmeeks So, all 3 Windows boxes are already using the 2 AD DNS servers as primary and secondary DNS. pfSense is only used as a forwarder address for the 2 servers. There are only the 2 test servers and one test laptop running Windows here. All OTHER (read: non-Windows) devices are using the pfSense box as their only DNS server.

                        The local device records are all being stored on the pfSense box. There are no custom records in place on the Windows Servers, only built-in ones.

                        0/3 Windows boxes are able to resolve local records at this time. However, all other devices are. I can connect directly via IP address on machines without issue. Only DNS is borked, and only on Windows.

                        IPv6 is disabled on pfSense, Windows, and everything else on my network.

                        I will try setting the domain override as requested.

                        Thank you all, and good night for now.

                          bmeeks @aaronouthier (last edited by bmeeks)

                          @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

                          The local device records are all being stored on the pfSense box.

                          What do you mean by this statement?

                          And where is the DHCP service configured? Is it on a Windows AD server or pfSense? If pfSense, then no dynamic DNS information about Windows clients is going to be recorded in a place where the AD members (servers and workstations) can find it as they will be looking solely at the Windows AD DNS server, and that server will not be getting local client IP address info from pfSense and its DHCP service.

                          I will repeat -- in a Windows AD network, run DHCP and DNS for the local network on a Windows AD machine (for smaller networks this is typically the domain controller box). Configure the Windows AD DNS server to forward lookups for domains which it is not authoritative for to an external upstream box if desired, but I would choose to let the Windows DNS server resolve everything unless you want to incorporate filtering of some sort.

                          On pfSense, configure a domain override entry for your AD domain so that pfSense knows where to go asking for DNS records it might need to resolve for that domain.

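Putting bmeeks's two recommendations into something checkable: the Unbound forward-zone stanzas that a pfSense Domain Override for the AD domain (and for its reverse pointer zone) amounts to, plus a check for the mixed DNS server list handed to Windows clients that he warns about. This is an added example, not code from the thread or from pfSense; the domain name, DC addresses and subnet are constructed placeholders.

```python
import ipaddress

# Constructed lab values (placeholders, not from the thread).
AD_DOMAIN = "ad.example.lan"
DC_ADDRS = ["192.168.1.10", "192.168.1.11"]   # the two AD DNS servers
LAN_SUBNET = "192.168.1.0/24"


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone for a /8, /16 or /24 IPv4 network,
    e.g. 192.168.1.0/24 -> 1.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 prefixes map to a single reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def forward_zone(name: str, addrs: list[str]) -> str:
    """Unbound forward-zone stanza: queries under `name` go to the listed
    servers instead of being resolved recursively. This is what a pfSense
    Domain Override does; pfSense writes its own file, so treat this text
    as an illustration of the Unbound directives, not its exact output."""
    lines = [
        f'private-domain: "{name}"',   # AD answers are RFC1918; don't drop them as rebinding
        f'domain-insecure: "{name}"',  # AD zone is not DNSSEC-signed
        "forward-zone:",
        f'    name: "{name}"',
    ]
    lines += [f"    forward-addr: {a}" for a in addrs]
    return "\n".join(lines) + "\n"


def ad_overrides(domain: str, dcs: list[str], subnet: str) -> str:
    """Forward and reverse overrides, both pointing at the AD DNS servers."""
    return forward_zone(domain, dcs) + forward_zone(reverse_zone(subnet), dcs)


def non_ad_dns_servers(client_dns: list[str], ad_dns: list[str]) -> list[str]:
    """Servers in a Windows client's DNS list that are not AD DNS servers.
    Any hit is the mistake from the thread: the client may ask that server
    first, receive NXDOMAIN for an AD record, and stop looking."""
    return [s for s in client_dns if s not in ad_dns]


if __name__ == "__main__":
    print(ad_overrides(AD_DOMAIN, DC_ADDRS, LAN_SUBNET))
    print(non_ad_dns_servers(["192.168.1.10", "1.1.1.1"], DC_ADDRS))
```

Run it to see the two stanzas; an empty list from `non_ad_dns_servers` is what a correctly configured AD client should produce.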
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.