Netgate Discussion Forum

    Unbound and Microsoft DNS

    DHCP and DNS
    4 Posts 2 Posters 2.8k Views
    Snakiej

      Hi all,

      Some info first:

      pfSense: 192.168.2.1
      Its DNS Server: 192.168.2.10 (this is important for later)
      Unbound enabled, Forwarding mode is off.

      I've got a domain that I own:

      foobar.com

      And on the inside of my network I have an Active Directory set on home.foobar.com

      That server is hosted on 192.168.2.10, and ALSO includes the DNS server (from Microsoft) for the Active Directory.

      I would like to use this DNS server for my whole network.

      So steps I've taken:

      1. I set the DHCP on the LAN to serve 192.168.2.1 as the DNS server (which should then ask 192.168.2.10 for addresses).
      2. I've tested on pfSense the following:
        home.foobar.com points correctly to 192.168.2.10
        However, on any client that receives DHCP responses from pfSense, home.foobar.com resolves to the catch-all on *.foobar.com

      I know I can fix this by adding a Domain Override in Unbound, 'home.foobar.com' -> 192.168.2.10, but it doesn't feel like the correct solution here, since Unbound is supposed to query my own DNS server, but it seems that there's a conflict there between how Unbound asks: 'who is home.foobar.com' and pfSense itself using the DNS.

      The Microsoft DNS server is configured to forward requests that it doesn't know to the Google DNS servers.

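For reference, this is what the Domain Override mentioned above amounts to in Unbound's own configuration syntax, written here as an added example (not taken from pfSense or from the original post). It assumes the names and addresses from the post (home.foobar.com, 192.168.2.10) and that foobar.com is a placeholder; the two `server:` options are the parts people usually forget, because without them Unbound's DNSSEC validation and rebinding protection can both silently discard the private server's answers.

```conf
server:
  # home.foobar.com lives under a public domain. If foobar.com is
  # DNSSEC-signed, answers from the internal AD server will fail
  # validation (the public chain knows nothing about this subzone),
  # so validation is switched off for the private zone only.
  domain-insecure: "home.foobar.com"

  # Rebinding protection (private-address, enabled by pfSense) drops
  # answers that contain RFC1918 addresses unless the zone is listed
  # here. The AD zone legitimately returns 192.168.2.x addresses.
  private-domain: "home.foobar.com"
  private-address: 192.168.0.0/16
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12

# Equivalent of pfSense "Domain Override": only this zone is sent to the
# AD DNS server; everything else is still resolved from the roots.
forward-zone:
  name: "home.foobar.com"
  forward-addr: 192.168.2.10
```

After reloading Unbound, compare `dig @192.168.2.1 home.foobar.com` with `dig @192.168.2.10 home.foobar.com`; both should return the internal address rather than the public *.foobar.com wildcard.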
      johnpoz (LAYER 8 Global Moderator)

        Unbound is a resolver, not a forwarder. It does not forward anything; it walks down from the roots until it talks to the authoritative server for the record you're trying to query.

        Normally when running AD, all your boxes should use your AD for DHCP and DNS. So why do you not just do that? Then you can either have your MS DNS forward to whatever you want, or just have it forward to pfSense to have it resolve what you're looking for and get DNSSEC support, etc. And you could even use the pfBlocker feature of blocking ads, etc.

        This is the simple solution if you ask me.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Snakiej

          johnpoz, thanks for the swift reply.

          The thing is, I have the checkbox 'Enable Forwarding Mode' disabled.

          Can I achieve what I want with Unbound WITHOUT adding a domain override?

            johnpoz (LAYER 8 Global Moderator)

            Again, what I would suggest you do is not point your clients to pfSense; use your AD for DNS, and even use it for DHCP. I don't see any reason to run DHCP and DNS services off your pfSense box when you have AD set up.


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.