DNS resolving question
-
Since you have a domain controller, you have a domain. In order for clients in that domain to work properly, they need to use the domain controller DNS. This part is correct.
The domain controller needs to forward queries to the internet for those domains that it is a) not authoritative for and b) does not have a cached response already in place for. You have two ways to configure this portion…
The domain controller DNS can forward its queries to an upstream system - pfSense - and subsequent queries will be forwarded on from there if necessary. This MAY add a very slight delay to the initial response coming back, but it should not be noticeable to the client. And, once the response is cached, there should be no perceptible delay of any kind.
The domain controller can also be configured to be root-nameserver-aware and make its queries directly out to the Internet to understand the structure. This MAY produce a very slightly quicker initial response, and may also not work with some ISPs (they want you using THEIR DNS servers as forwarders).
There is a third option, but it makes no sense... You could point through to the ISP's DNS servers as forwarders, but this tacks on packets being NAT'ed just to get a cached response. This process will likely be quicker overall if you just let the pfSense do this.
-
Hi Embder, thank you for your answer,
You mean configuring the DNS to use the name server as the external DNS, and pfSense will use the domain controller as its DNS forwarder?
In the configuration it is my pfSense that is doing the forwarding.
In my current configuration, I've noticed that the DNS response is a bit slow. So to configure this:
on the pfSense DNS I will use my domain controller IP,
and on the forwarder of my domain controller I need to use my ISP DNS. Is this what you are referring to?
Much appreciated.
-
No.
I thought I had laid it out pretty clearly already, but let me see if I can add detail that will help.
Clients use domain controller. Domain controller forwards to pfSense. pfSense either forwards to ISP or is root-nameserver-aware.
You had commented about needing the fastest responses possible for DNS. I pointed out a couple of potential increases / reductions in response time based on certain configurations, but overall you will be perfectly fine using the method I just laid out. Do not consume yourself with getting "the fastest response" for DNS… Clients are built to tolerate small delays and will be just fine.
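A toy model of the chain laid out above (client -> domain controller -> pfSense -> ISP), added here as an illustration only; it is not pfSense or Windows DNS code, and the server names, zone entries and IP addresses are constructed. It shows why a name the domain controller is authoritative for never leaves the LAN, why a cold lookup walks the whole chain, and why a cached answer costs no upstream hop until its TTL expires.

```python
# Added example: constructed model of a caching DNS forwarder chain.
# Not code from pfSense, Windows DNS Server, or anyone in this thread.
import time

class Forwarder:
    """A caching forwarder: answers from its own zones, then from its cache,
    and only otherwise asks the next server upstream. 'hops' counts how many
    upstream servers had to be asked, so cold vs. warm lookups are visible."""

    def __init__(self, name, zones, upstream=None):
        self.name = name
        self.zones = zones        # {fqdn: ip} this server is authoritative for
        self.upstream = upstream  # next Forwarder in the chain, or None
        self.cache = {}           # fqdn -> (ip, expiry timestamp)

    def resolve(self, fqdn, now=None, ttl=300):
        """Return (ip, hops). 'now' may be passed explicitly for testing."""
        now = time.time() if now is None else now
        fqdn = fqdn.lower().rstrip(".")
        # a) authoritative for the name: answer locally, never forward
        if fqdn in self.zones:
            return self.zones[fqdn], 0
        # b) cached and not yet expired: answer locally
        if fqdn in self.cache:
            ip, expires = self.cache[fqdn]
            if now < expires:
                return ip, 0
            del self.cache[fqdn]  # stale entry, drop it and re-ask upstream
        # otherwise forward upstream, cache the answer, count the hop
        if self.upstream is None:
            raise LookupError(f"{self.name}: no upstream to ask for {fqdn}")
        ip, hops = self.upstream.resolve(fqdn, now, ttl)
        self.cache[fqdn] = (ip, now + ttl)
        return ip, hops + 1

def build_chain():
    """Constructed chain: domain controller -> pfSense -> ISP resolver.
    The ISP server stands in for 'the Internet' and holds a sample zone;
    all addresses are documentation/private ranges, not real hosts."""
    isp = Forwarder("isp", {"example.com": "203.0.113.5"})
    pfsense = Forwarder("pfsense", {}, upstream=isp)
    dc = Forwarder("dc", {"dc01.corp.example": "10.0.0.10"}, upstream=pfsense)
    return dc
```

Querying the domain controller for its own host costs no hops; the first lookup of example.com costs two (pfSense, then ISP), a repeat inside the TTL costs none, and once the TTL has lapsed on both caches the chain is walked again.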
-
Thank you for your answer,
The way you mentioned is exactly how it's configured,
pfSense doesn't have its own nameservers, it just sends the packets to the ISP DNS.
Using one of the 2 scenarios you've posted is going to have the same result? Thank you.
-
There are a few different ways it can be set up. They will all have roughly the same sort of responsiveness to look up a "new" host (one that is not already in the cache since the last time it was restarted) but your current configuration offers you the best reliability and stability for your clients.
-
Thank you for sharing your ideas with me,
Much appreciated!
One more question,
on the DNS forwarder on my pfSense should I use the gateway of my pfSense or not?
In the current settings there is no gateway.
If I have to use the gateway can you tell me why?
Much appreciated.
-
Why would you put a gateway on a LAN interface?? There is no setting in the DNS forwarder section asking for a gateway?
-
Hi John,
I referred to these settings,
https://forum.pfsense.org/index.php?action=dlattach;topic=82987.0;attach=50469;image
I see the gateway settings are not selected and I was curious if they should be selected, and why not?
I believe those are WAN, not LAN, settings?
-
You would only select those if you needed a specific gateway to get to those DNS servers; in a normal setup pfSense would use its default route, or routing tables, to get to those servers.
-
Thank you John.