DNS for WAN, LAN, AD Domain
-
Sorry, I am not sure if I follow.
I have DNS running on the Windows domain controller to only keep DNS entries for internal systems/devices. IP 192.168.1.2
It was a simple setup. Install Windows Server, enable as Domain Controller and run DHCP and DNS services for the domain.In System > General Setup, In the DNS Server fields, I have 8.8.8.8 and 8.8.4.4 (Google) with Gateway set to WAN.
Is there somewhere in pfSense that I need to specify the internal DNS server as well?
Additionally, I have confusion with understanding how clients on the LAN know when to use the external DNS (internet) over using the local DNS for internal systems.
-
Additionally, I have confusion with understanding how clients on the LAN know when to use the external DNS (internet) over using the local DNS for internal systems.
It's a dns server job, when requests are not locally or on cache it goes to internet,find the answer, cache and return to user.
-
That helps, thank you.
Any input on the following would be greatly appreciated!
I have DNS running on the Windows domain controller to only keep DNS entries for internal systems/devices. IP 192.168.1.2
It was a simple setup. Install Windows Server, enable as Domain Controller and run DHCP and DNS services for the domain.In System > General Setup, In the DNS Server fields, I have 8.8.8.8 and 8.8.4.4 (Google) with Gateway set to WAN.
Is there somewhere in pfSense that I need to specify the internal DNS server as well?
-
Is there somewhere in pfSense that I need to specify the internal DNS server as well?
If you want pfSense to have access to the internal name <-> IP address maps then Yes, on System -> General Setup, in the DNS Server fields. (Google DNS won't know your internal name <-> IP address maps.)
-
1. If I understand correctly, the I have it configured is only providing the Google DNS servers in the General Setup page.
If the router itself wants to resolve internal hostnames for it's own purposes, then I add the internal DNS server in the General Setup section.
Correct?
2. Internally, DHCP only provides the internal DNS server, as defined in the DHCP scope for that network.
Say a client on the LAN is given the following, IP, 192.168.1.100, GW, 192.168.1.1, Sub Mask 255.255.255.0, DNS 192.168.1.2. I don't understand how it knows to talk to the router and say, "Okay, I can't resolve this name to an IP address, let's try the Google DNS servers".
Many thanks in advance for your patience and guidance!
-
"I don't understand how it knows to talk to the router and say, "Okay, I can't resolve this name to an IP address, let's try the Google DNS servers". "
Because it would never do that! With AD, all your member machines need to point to the DNS on your AD, normally a DC. This is the ONLY NAME SERVER it should point to!
Now on your AD dns - you set it up to go ask either the roots directly or whatever other dns you want to forward to, say opendns - or could just be your forwarder on your pfsense box.
A member machine of your AD should never go ask dns on pfsense anything. But your dns on your AD might, if the fqdn the client asked it about is not local, or you have no zones for it, etc.
Set up forwarding on your AD dns - point all your AD member machines toward it = done.
Not really picturing a situation where pfsense would need to ever resolve internal names? So just point pfsense to whatever you want, be it your ISP dns, be it opendns, googledns, 4.2.2.2, whatever. Then if you want since pfsense will be able to resolve public internet domains.. You could set your AD dns to forward to it for zones it is not authoritative for.
-
Thank you for this awesome reply!
-
So here's what I have now.
Domain Controller ADS DHCP and DNS
I did not define the public DNS names in the forwarding configuration of the DC. Left it as it was "out-of-the-box" so to speak.
See screenshot.
pfSense box Router and Firewall
Interfaces > WAN > Static IP Set (Provided by ISP), Blocking Private and Bogon networks
System > General Setup, Public DNS servers only defined (OpenDNS). Checked "Do not use the DNS Forwarder as a DNS server for the firewall".
Services > DNS Forwarder, Enabled DNS Forwarder, added my Domain Name in Domain Override.
This is my crude understanding of how this works:
-Device obtains IP address by DHCP. Device given IP of local DNS server, of the router and of the domain name.
-When device needs to resolve an unknown address, it first asks the local DNS on the DC, then moves to the router which then forwards it to the public DNS provided in the General Setup tab.I am missing an understanding of how the DC knows to forward the request to the router, without defining the IP of the router in the forwarding (see screenshot above). I'd appreciate some input on that.
Any suggestions on changes or optimization on the router or DC?
You folks rock by the way!
-
"it first asks the local DNS on the DC, then moves to the router which then forwards it to the public DNS provided in the General Setup tab."
NO NO NO NO!!!
Client dns never ever does this!
A member of an active directory domain should point to is the AD DNS - period!
You NEED to setup your AD to FORWARD unknown requests to a Name Server that can look it up, or just let your AD DNS look it up directly from the roots.
Here is what happens.. Your member of AD client has 1 OPTION for dns, that is your AD dns – it never goes and asks the router, it never goes and asks googledns, it never goes and asks opendns.. It ONLY ASKS your AD DNS!! PERIOD!! The only time a member machine in your active directory should have more than 1 dns server listed is if you have more than 1 AD DNS (even then you don't normally do it). You don't point it to your router, you don't point it to googledns, you don't point it to 4.2.2.2 or your isp dns, you ONLY Point it to your AD DNS!
If you client wants to know the ip for www.google.com -- its ASKS your AD DNS! PERIOD!!
Your AD DNS goes and looks up www.google.com for the client. This is the way active directory works.
Now either AD DNS looks it up directly for the client via the root hints, or in the forwarders tab you listed but have blank you put some dns you want the AD DNS to ask when it does not have a zone for the domain your looking up, like googledns, etc. You can put in your pfsense IP in that is want you want. But pfsense is just is going to forward it again. So that is kind of pointless if you ask me.. Unless you don't want AD dns to make connections outside your network, etc. You can put in googledns, you can put in 4.2.2.2 you can put in opendns, etc.
Now you client wants to know ip for www.somedomain.tld – the dns of your client says hey I don't have that cached, I need to go ask my dns.. So it asks your AD DNS. AD DNS, say oh your looking for www.somedomain.tld, let me check - nope I do not have that cached either, nor do I have any zones telling me I own that somedomain.tld.
So let me go ask my "forwarder" for that -- maybe he knows. Then either the forwarder returns what he has in his cache, or he goes and asks his forwarder, etc. At some point if not cached a name server that has no forwarder listed will have to go ask the root servers for who owns, .tld -- it will then go ask one of the owning servers of .tld for the name servers of somedomain. It will then go ask that name server for the A record WWW.
If you do not have forwarder(s) setup in your AD dns -- and your AD DNS does not have zone for somedomain.tld if you have it allowed to use root hint, it will ask roots, then ask authoritative for your .tld of domain your looking up, and then go ask somedomain.tld ns it got from the tld ns, etc.
Does this make it clearer? ;)
-
Ah hah! johnpoz, I can't thank you enough for explaining this in such detail.
So, if I understand correctly, the reason why the devices have been able to reach out to the internet without a forwarder setup in AD DNS, is because it was using Root Hints, correct?
Lastly, from a best practice perspective, I am unsure what to use as the forwarder, the Public DNS servers, or the router which would forward the requests.
-
There is nothing saying you have to use a forwarder.. The roots are fine, I prefer that setup myself.
To me, if your going to use a forwarder (which you don't have too - I don't) Or won't again once unbound is working on pfsense again. Is to point to one that gets lots of traffic from other clients.. So that it has a large cache! This is the one advantage of using a forwarder vs roots, is with lots of clients using the same dns it should have most things your looking for already looked up and cached for you.
But unless you have some security concern and don't want your dns box making connections to the internet, pointing to your router that is just going to forward it again is just adding an unneeded hop - going to slow things down is all.
Your router sure and the hell is not going to have a large cache of anything - so why ask it anything about dns? Just an extra hop that adds time to the lookup and possible link in the chain that could break, etc.
Now if you want some filtering features - point to opendns for example. If you don't feel google gets enough info about you, point to googledns so they can have all your dns queries as well <joke>;)
I have always liked 4.2.2.2 - its open to the public, does not do weird shit with your queries like opendns atleast use too ;) Or just use your isp provided dns if it doesn't blow chunks as some do.
But there is nothing saying you can not just have your box do the lookups directly via the root hints. This way your sure your getting the info directly from the horses mouth so to speak, since you will go and query the owning servers directly when looking up www.somedoming.tld. This can be a tiny fraction of ms slower, and will generate more dns traffic since you wont have a large cache to draw from. Only clients building up your cache will be your own clients, not all the clients of your isp dns or all the users of opendns, etc.</joke>