DHCP on pfSense and DNS on Microsoft Server

unguzov · Jun 10, 2013, 9:34 AM

Hi,

I like to use pfSense as a DHCP server and it works great. Bu I have a problem with devices, that are not part of Active Directory - they do not create a DNS A record in Active Directory Server after DHCP registration. So for example I have no problems with workstations - they get IP from pfSense and then they are registered on AD DNS Server, but printers are registered in pfSense DNS only.

How can I make AD DNS server to know about the new hosts from DHCP? Can DHCP Server option "Dynamic DNS" will help me?

johnpoz · Jun 10, 2013, 11:15 AM

Why are you running pfsense dhcp if you have AD.. I don't see the point? Pfsense dhcp is great if you don't have another dhcp server, your not a windows shop, etc. But if your running AD I don't see why you would not just use your AD for both dhcp and dns.. For smooth operation of AD both of these services are easier managed in AD.

unguzov · Jun 12, 2013, 9:05 PM

@johnpoz:

Why are you running pfsense dhcp if you have AD.. I don't see the point? Pfsense dhcp is great if you don't have another dhcp server, your not a windows shop, etc. But if your running AD I don't see why you would not just use your AD for both dhcp and dns.. For smooth operation of AD both of these services are easier managed in AD.

You are right, the best combination is Windows DHCP + DNS. But after years of testing I prefer to use pfSense as DHCP. It is easy to find problems and It is the only choice when I have more than one Windows DC and I want to failover DFS Replication on many servers.

StylusPilot · Oct 11, 2013, 3:49 AM

How did you go with this?

If pfSense can't update DNS records in Windows DNS (Which I assume it can't as would be MS only)

Would it be possible to use pfSense as a relay for a centralised DHCP for many vlans?

let me explain an example

Say you have 3 VLANS

VLAN 11 - 172.16.0.X - Windows Servers (Has AD, DNS and DHCP)
VLAN 12 - 192.168.110.X - Printers
VLAN 13 - 192.168.2.X - Clients

pfSense has 3 interfaces, one on each vlan with an address ending with .254 on each

Which is the better option

1.) Have the DHCP server having 3 interfaces (one on each vlan) giving out DHCP. - This seems like a very bad idea from a security stand point

2.) Have pfSense handing out DHCP for all the VLANs - but then it can't update Windows DNS

3.) Have pfSense forwarding DHCP requests to a windows DHCP? can windows give out multiple scopes across one nic, not sure this is possible?

4.) Have pfSense giving out DHCP and DNS and point all clients at pfSense for DNS, then have pfSense use Windows DNS as a DNS forwards

5.) some better option I havn't thought of here

StylusPilot · Oct 17, 2013, 3:54 AM

Never mind, I'm an idiot.

Just configured pfsense as a DHCP forwarder, forwarded onto MS DHCP

Created the scopes on MS DHCP and bam, worked

not sure why I was thinking it wouldn't

This means my Dynamic DHCP is also working :)

unguzov · Nov 8, 2013, 5:56 PM

@StylusPilot:

Never mind, I'm an idiot.

Just configured pfsense as a DHCP forwarder, forwarded onto MS DHCP

Created the scopes on MS DHCP and bam, worked

not sure why I was thinking it wouldn't

This means my Dynamic DHCP is also working :)

This is a good idea, but when DHCP server is down all networks will be down :) And this is not good for me. I want DHCP to be on pfSense and then I can be safe if some of my servers (I have 4 MS servers on some clients) is down for any reason. This is tested and works good.

EricE · Dec 21, 2013, 11:40 PM

Use dynamic udpates. The clients will update the DNS, not the DHCP server: http://technet.microsoft.com/en-us/library/cc771255.aspx

johnpoz · Dec 22, 2013, 12:17 AM

"This is a good idea, but when DHCP server is down all networks will be down"

Says who? So your dhcp server is going to be down for longer than the lease? Just because dhcp server is down does not mean the network comes to a halt. All it means is leases can not be renew. New clients can not be issued.

You do understand that is the server that serves up dhcp is down, you prob have other issues in your network as well even if you have dhcp working ;) You can always just setup statics, it takes all of 2 seconds to fire up a dchp server if need be.

Windows machines now support dhcp failover.
http://technet.microsoft.com/en-us/library/hh831385.aspx
Step-by-Step: Configure DHCP for Failover

Not sure why anyone would think that pfsense is some magic box that is can not go down?

robertfranz · Oct 2, 2016, 7:50 PM

@johnpoz:

Why are you running pfsense dhcp if you have AD.. I don't see the point? Pfsense dhcp is great if you don't have another dhcp server, your not a windows shop, etc. But if your running AD I don't see why you would not just use your AD for both dhcp and dns.. For smooth operation of AD both of these services are easier managed in AD.

I realize I'm necro'ing, but for the sake of anyone reading this later, there is one significant use case for using pf for dhcp/dns etc.

That would be for segregation of internal users from external users for licensing purposes.

If you have a segment providing a vlan for internal use, and a vlan for public use, you aren't going to want to have all those public users hitting your MS services and increasing your MS License Attack Surface.

johnpoz · Oct 4, 2016, 5:12 PM

Well your not wanting to use MS licensing for these clients, then I have to assume they are not members of your AD anyway. If that is the case then sure you could provide services off pfsense for dhcp and dns for this network/vlan.