DNS Forwarder or DNS Resolver
-
And why does pfSense need to resolve your AD clients? And no, that is not what that means..
What do you think happens when it asks 200.13.249.101 or itself running the resolver for something.yourADdomain.tld and gets back an NX? Do you think it moves on to the next one? That is not how DNS works..
Even if you were asking in parallel, which is how the forwarder used to work.. it would ask all of those at the same time and the first answer wins, etc.
Where is your AD DNS forwarding to, or is it resolving? If you want pfSense to be able to resolve stuff in your AD, then point pfSense to your AD DNS - period!
Or in the forwarder/resolver put in an override for your AD that points to your AD server.. What exactly do you want to happen, and how is your DNS in AD set up.. Does it forward - to where - or does it ask roots?
-
Alright, sorry for the late reply, I was having some DNS troubles with the AD. Anyway, I would set the AD DNS forwarders to use pfSense and then let Unbound do the DNSBL blocking. Correct?
-
What are you using in pfSense that does DNSBL blocking?
Are you going to create local overrides for stuff you don't want to resolve?
-
I'm using DNSBL feeds to block ads and malware domains ;D
-
And how does that block the DNS query.. or replace the query? That is just a firewall rule you're creating with pfBlocker.
Unbound has no method of using that feed that I am aware of. So why do you have to have your AD point to pfSense - just have it forward to a public one, say your ISP, or do direct from roots? The only reason I could see to forward to the pfSense resolver would be to have DNSSEC support.
-
I have pretty much the same setup here: All clients use the AD DNS which forwards the requests to pfSense that takes care of ads and malware (DNSBL). For pfBlockerNG I had to move over to Unbound (DNS resolver). Before, the DNS forwarder provided an option to query the DNS servers under System -> General Setup sequentially. Unfortunately for the DNS resolver I cannot find a setting like this. What is the default behavior when querying the DNS servers using Unbound?
-
Again, what does a firewall rule blocking access to specific IPs have to do with what DNS you query??
Please show how you're using DNSBL in pfSense to block what it is you want to block.. Unbound or the forwarder have no connection with any sort of DNSBL list AFAIK.. So you have a firewall rule using some list to block stuff - this has NOTHING to do with the DNS query, be it from the forwarder, resolver or your AD..
-
Well, ask the OP. :) My question was simply how Unbound queries the DNS servers (parallel / sequential) as there is no option to set this.
-
"I have pretty much the same setup here: All clients use the AD DNS which forwards the requests to pfSense that takes care of ads and malware (DNSBL)"
You just stated you have the same setup.. WTF are you in the thread for if you have a question about something else - start your OWN thread..
Unbound is meant to be a RESOLVER.. If you want forwarder mode and use sequential or parallel mode, use dnsmasq - if you're using Unbound in forwarder mode, to be honest you're using it wrong ;) Just use the older forwarder. Why would you think you need to move to the resolver/Unbound to use pfBlockerNG?? pfBlocker downloads lists of IPs and puts them in firewall rules/aliases - why would it freaking care if you use a forwarder/resolver, be it dnsmasq, Unbound, BIND, tiny, etc. etc..
So I just installed pfBlockerNG.. Where does it ask anything about what DNS you're using or have any integration with DNSBL??
-
So I just installed pfBlockerNG.. Where does it ask anything about what DNS you're using or have any integration with DNSBL??
This is in the non-public -dev version; totally off-topic here.
-
OK, how do I install this -dev version?
How does it integrate with Unbound? pfBlocker has been nothing more than a list downloader that you put into rules/aliases.. What you use for DNS should have nothing to do with that - other than the DNS you do use needs to be able to resolve where you grab the list of IPs.
-
OK, how do I install this -dev version?
PM BBcan17.
How does it integrate with Unbound? pfBlocker has been nothing more than a list downloader that you put into rules/aliases.. What you use for DNS should have nothing to do with that - other than the DNS you do use needs to be able to resolve where you grab the list of IPs.
It's redirecting the requests to a 1x1px image on a webserver run on pfSense's virtual IP instead of blocking.
-
@johnpoz: You should watch your language and learn to read the posts properly! killmasta93 wrote he is using DNSBL (pfBlockerNG dev) just like me.
And DNSBL requires Unbound (DNS resolver) to work - whether you believe it or not.
Also, it is nonsense that the DNS resolver is used in the "wrong" way if you enable forwarding mode; the official FAQ for the Unbound DNS Resolver tells you to have it enabled for multi-WAN configurations.
The configuration of the AD DNS is pretty simple: all clients use the AD DNS IP address, no secondary DNS. In the DNS settings ("forwarders") enter the IP of your pfSense box and uncheck "use root hints…". In pfSense under System -> General Setup you can set the DNS servers of your ISP, Google, OpenDNS etc. Do not add your AD DNS here.
-
Watch my language?
Sorry, but the OP did not state he was running a DEV-only version - nor did you..
"So currently im using DNS Resolver (Unbound) for PfblockerNG 2.0 works great"
Where does it say that is the DEV version.. Sorry if I don't keep up with the version numbers of all the packages available.
"pfsense that takes care of ads and malware (DNSBL). For pfBlockerNG"
Where did you state that you're using the DEV version..
As to the wrong way - yeah, you are IMHO.. As I stated, but you clearly didn't read: if you want the forwarder function where you can do seq or parallel, use dnsmasq, the old forwarder. Unbound has no functionality for this -- if you want that sort of functionality maybe there is another DEV version you can try ;)
-
@johnpoz Thank you for a detailed response. Now I get it. So my testing setup should have no conflict if I have the DHCP server disabled on pfSense and enabled on the Windows server, DNS on the Windows server with AD, and the DNS resolver (Unbound) blocking ads with DNSBL (pfBlockerNG dev). :D
-
Whatever, dude, that was post 5 in the thread already and the last word in the post..
I now have this dev version. So set up your AD to forward to your pfSense.. Since to use pfBNG with DNSBL you need Unbound, we are done. If using Unbound I don't see why you would not use it in resolver mode with DNSSEC support.
Your question is not related, fraglord.. But if you're going to be using Unbound, if you turn on forwarder mode it will ask them in round-robin fashion.. Verified this via sniff.
-
Thanks for verifying, I will start another thread about this to not confuse here.
-
This answer has not so much to do with the ad blocker but with DNS and AD.
I have Win2008 with AD and DNS (AD requires DNS).
The clients get their IP from pfSense DHCP.
In the resolver I have made an override for domain.win to the Win2008 AD.
Then Win2008 asks pfSense for DNS lookups on clients.
Why, you ask??
I have been fed up with these ridiculous mass CALs and the MS hunt for bills over licenses and whatnot.
Aiming to move the whole company to an AD sitting on FreeNAS.
In the resolver I have also made an override for domain.freenas to FreeNAS.
One thing that I'm a bit puzzled over is that ping domain.win takes about 2 sec to start responding but ping domain.freenas is instant.
With this setup I can slowly take department after department and move them over to domain.freenas.
The only thing that will be left on the Win2008 is the MPS system. All the shares will be on FreeNAS.
Several clients in the shop are only interested in the shares. When the time comes that 2008 is abandoned by MS, hopefully our MPS will be ported to a *nix environment or it will sit on some Win7 machine.
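The three things the thread keeps circling back to all map onto a handful of Unbound directives: the topology fraglord describes (clients ask the AD DNS, the AD DNS forwards to pfSense, pfSense forwards to public resolvers and must not list the AD DNS itself), the DNSBL behaviour BBcan17 describes (answer a blocked name with a pfSense virtual IP that serves a 1x1 image rather than dropping the packet), and the domain overrides in the last post (send everything under the AD domain to the domain controller, so that pfSense never asks a public resolver for an internal name and gets the NXDOMAIN johnpoz warns about). The unbound.conf fragment below is an added example written for this thread; it is not configuration taken from the posts, from pfSense or from pfBlockerNG. The AD domain corp.example, the domain controller 192.168.10.5, the LAN 192.168.10.0/24 and its gateway 192.168.10.1, the sinkhole VIP 10.10.10.1, the blocked name ads.invalid, the trust-anchor path and the public upstreams are all assumed placeholders; in pfSense the Domain Overrides page generates the forward-zone for the AD domain and the rest would go into the resolver's Custom Options.

```conf
# unbound.conf fragment (added example; every address and name below is an
# assumed placeholder, not a value from the thread)
server:
    interface: 192.168.10.1
    access-control: 192.168.10.0/24 allow

    # Validate answers from the public DNS tree ...
    auto-trust-anchor-file: "/var/unbound/root.key"
    # ... but the internal AD zone is unsigned and not delegated publicly, so
    # with validation on it must be marked insecure or every answer from the
    # domain controller is rejected as bogus.
    domain-insecure: "corp.example."

    # Rebinding protection: answers carrying RFC1918 addresses are normally
    # discarded. The domain controller legitimately returns such addresses,
    # so the AD domain must be exempted or AD lookups silently fail.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example."

    # DNSBL-style sinkhole: instead of a firewall drop, the blocked name (and
    # every name under it, which is what "redirect" means) gets an
    # authoritative A record pointing at the VIP that serves the 1x1 image.
    local-zone: "ads.invalid." redirect
    local-data: "ads.invalid. A 10.10.10.1"

# Domain override: everything under the AD domain is forwarded to the domain
# controller. Without this stanza the query would go to the public forwarders
# below, which answer NXDOMAIN, and the resolver does not try another server
# after an NXDOMAIN.
forward-zone:
    name: "corp.example."
    forward-addr: 192.168.10.5

# Forwarding mode for everything else: the public resolvers that pfSense lists
# under System -> General Setup. The AD DNS is deliberately NOT listed here,
# otherwise the AD DNS and pfSense would forward to each other in a loop.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

Run `unbound-checkconf` against the file before reloading; it catches typos in the zone names, which must end in a trailing dot for the override to match. The two server-section exemptions (`domain-insecure` and `private-domain`) are the ones most often forgotten when an AD override is added to a validating resolver with rebinding protection enabled: the override itself is correct, yet internal names still fail or answer slowly until both are in place.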