Unbound and Microsoft DNS
-
Hi all,
Some info first:
pfSense: 192.168.2.1
Its DNS Server: 192.168.2.10 (this is important for later)
Unbound enabled, Forwarding mode is off.I've got a domain that I own:
foobar.com
And on the inside of my network I have an Active Directory set on home.foobar.com
That server is hosted on 192.168.2.10, and ALSO includes the DNS server (from Microsoft) for the Active Directory.
I would like to use this DNS server for my whole network.
So steps I've taken:
- the DHCP on the LAN to server 192.168.2.1 as the DNS server (which should then ask 192.168.2.10 for addresses).
- I've tested on pfSense the following:
home.foobar.com points correctly to 192.168.2.10
However on any client that receives dhcp responses from pfSense home.foobar.com resolves to the catch-all on *.foobar.com
I know I can fix this by adding a Domain Override in Unbound, 'home.foobar.com' -> 192.168.2.10, but it doesn't feel like the correct solution here, since Unbound is supposed to query my own DNS server, but it seems that there's a conflict there between how Unbound asks: 'who is home.foobar.com' and pfSense itself using the DNS.
The Microsoft DNS server is configured to forward requests that it doesn't know to the Google DNS servers.
-
unbound is resolver not forwarder it does not forward anything it walks down from roots until it talks to the authoritative server for the record your trying to query.
Normally when running AD, all your boxes should use your AD for dhcp and dns.. So why do you not just do that? Then you can either have your MS dns forward to whatever you want, or just have it forward to pfsense to have it resolve what your looking for and get dnssec support, etc. And could even use the pfblocker feature of blocking ads, etc.
This is the simple solution if you ask me.
-
johnpoz, thanks for the swift reply,
The thing is, I have the checkbox 'Enable Forwarding Mode' disabled.
Can I achieve what I want with Unbound WITHOUT adding a domain override?
-
Again what I would suggest you do is not point your clients to pfsense, use your AD for dns, and even use it for dhcp. I don't see any reason to run dhcp and dns services off your pfsense box when you have AD setup.