DNS Forwarder but with local leases from DHCP server. How?
-
Hello,
I've setup a pfsense box with DHCP Server enable on LAN and DNS Forwarder enable to my Windows AD DNS.
A PC client has the DNS servers configured as the pfsense IP.
Every entry in the Windows AD DNS is resolved correctly from client computers.
But if I try to ping a computer whose lease is in the DHCP pfsense box, the ping can't resolve the name.
I've tried setting the "Resolve DHCP mappings first" option, with no luck. Is it possible to accomplish what I was trying to do? (I mean, a DNS query asks first in the DHCP pfsense leases; if it is not there, then use the DNS forwarders.)
Thanks!
-
Uhm… If you are running AD-integrated DNS, you should run DHCP on those Windows machines and let it register the leases in DNS. Also, any AD-joined machines MUST point to the AD DNS servers and nothing else. Forget about pointing them to the forwarder.
-
^ as stated, if a box is a member of AD, it should point to your AD dns.. Your AD dns then can look up other things you want to look up via either a forwarder or root directly.
And if you're running AD, it's best to run your dhcp on your AD as well; if need be you can set up a dhcp relay on your pfsense to forward to your AD dhcp.
-
I have DHCP from pfSense, but it gives out the AD DNS. That works fine - so you can have DHCP on pfSense and the DNS on the Windows AD Server.
-
"I have DHCP from pfSense, but it gives out the AD DNS. That works fine - so you can have DHCP on pfSense and the DNS on the Windows AD Server."
Cannot really see how you get secure DDNS updates working with similar configuration on pfsense….
-
You can hand out the AD dns from your dhcp server on pfsense, sure – but what is the point?? You clearly have a box that can run dhcp.. And it even has to be authed in AD to do so, etc.. What are the advantages of running dhcp on pfsense rather than in your AD setup??
I just don't see a reason to do it. Can you give the advantages you see, or reasons you run dhcp on pfsense vs your AD infrastructure that you're running anyway?
-
"You can hand out the AD dns from your dhcp server on pfsense sure – but what is the point??
I just don't see a reason to do it."
Pretty much… I've done bind with AD DHCP. It was a genuine PITA. I've done ISC DHCPd with AD DNS. It was a triple PITA to get working with secure DNS updates. (The latter is IMHO impossible with pfSense out of the box since there's no kerberos shipped at all.)
-
:o Wow!!!… I really appreciate all the help you gave me.
I was misunderstanding the Forwarders option. I thought the Forwarder was responsible for informing the Name-IP to the real DNS, and not the client itself.
I like to have pfSense as DHCP because of the CARP ability.
Finally: I'll leave DNS on AD, and every client box will point to AD DNS. Then those DNS servers will use as forwarder the pfSense box, which will talk to the root hints.
Thank you everybody.
-
"I like to have pfSense as DHCP because of the CARP ability."
And what does that solve if your DC that does dns is down? Before, you could do dhcp in a cluster to provide HA, or you could set up a split scope.. But the 2012 server provides real dhcp failover..
Any of the above options allow for HA in dhcp in microsoft.. So no need for carp for dhcp ha.
btw: the forwarder service in pfsense does not talk to root hints, it talks to whatever dns you have setup.. which might talk to root hints, or might also forward to something else.. Are you running unbound or tinydns on your pfsense box?
-
Well… I've 2 AD-DNS. If one goes down, I trust that the other will serve as well.
I'm trying to reduce the number of Win srvrs, so I'm not seeing the 2012 as an option.
Thanks about the root hints. I thought it was different.
I'm using the default that comes with pfSense... it is "dnsmasq", right? Thanks again.
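To make concrete what the "leases first, then forwarders" behaviour asked about in the first post looks like in the forwarder just named (dnsmasq), here is an added plain dnsmasq configuration written for this thread; it is not the config pfSense generates, and the addresses, the "lan" suffix and the "corp.example" AD domain are assumptions.

```conf
# Hypothetical dnsmasq.conf for the setup in the thread:
# pfSense (10.0.0.1) runs DHCP and the DNS Forwarder, AD DNS is 10.0.0.10,
# the AD domain is corp.example. All names and addresses are assumed.

# Ignore /etc/resolv.conf; only the upstreams listed below are used.
no-resolv

# DHCP scope handed out on LAN. Each lease is recorded with the hostname
# the client sent, and dnsmasq answers queries for those names itself.
dhcp-range=10.0.0.100,10.0.0.200,12h
dhcp-authoritative

# Lease names are unqualified ("pc01"). Give them a local suffix and also
# answer "pc01.lan", so either form is resolved from the lease table.
domain=lan
expand-hosts
# Never send queries for the local suffix upstream.
local=/lan/

# Everything under the AD domain goes to the AD DNS server, the only
# place the AD records (DC names, SRV records for LDAP/Kerberos) live.
server=/corp.example/10.0.0.10

# Default upstream for anything else (here the AD DNS as well).
server=10.0.0.10
```

The catch for a domain-joined Windows client is that "ping pc01" is sent as a query for pc01.corp.example, which this config routes to AD DNS where no lease was ever registered; that is the gap behind the advice in this thread to point AD members at AD DNS and let DHCP register into it.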
-
"I'm trying to reduce the number of Win srvrs, so I'm not seeing the 2012 as an option."
What??? That makes no sense at all – what does wins have to do with moving to 2012, which supports failover dhcp, or for that matter using dhcp in a cluster on your current version, or just using split dhcp.. If what you're worried about is HA for your dhcp..
-
Did you interpret "WINS Server"? I mean, "Windows Servers" or "Windows Services", not "WINS Server". :P
-
"I've 2 AD-DNS"
I assume those are Windows – upgrade those to 2012, and there you go: failover dhcp without an increase in your number of windows servers.