Netgate Discussion Forum

Samba4 -> pfSense DNS Resolver

Off-Topic & Non-Support Discussion
  • leophpx
    last edited by Jul 10, 2019, 6:34 PM

    I have implemented a small local network. I use pfSense as Firewall and Gateway, I have all my servers inside a DMZ, except the domain controllers that are on the LAN.

    LAN: 10.10.20.0/24
    DMZ: 10.10.30.0/24

    DC1: 10.10.20.2
    DC2: 10.10.20.3

    pfSense:
    LAN: 10.10.20.1
    WAN: x.x.x.x
    DMZ: 10.10.30.1

    In my local network I have 2 domain controllers with SAMBA4. I would like to find out how to configure SAMBA4 so that all the DNS requests that my clients make to the domain controller ... and whose record is not found in the DNS records of the domain controller, are then looked up in the DNS resolver service of pfSense.

    For example ... I configure my Windows clients to use 10.10.20.2 and 10.10.20.3 (Domain Controllers) as their DNS servers.

    In the SAMBA4 DNS I do NOT have a record called xmpp.domain.tld; in the DNS resolver of pfSense I do have a record called xmpp.domain.tld and it points to an address in my DMZ. How could I achieve that when my client on the LAN makes a request for xmpp.domain.tld, SAMBA4 directs that request to pfSense and responds with the IP assigned to it?

    • johnpoz LAYER 8 Global Moderator
      last edited by Jul 10, 2019, 6:54 PM

      And where do your DCs running DNS point for DNS they are not authoritative for? Are they resolving from roots?

      You could have them forward to pfSense, so it would resolve this domain.tld, or, if they are resolving, create a conditional forwarder (a "domain override", as it is called in pfSense) to point domain.tld to the pfSense IP.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • leophpx
        last edited by Jul 10, 2019, 7:09 PM

        Hello John, thank you very much for your interest in my question.

        On my domain controller:

        root@dc1:~# nano /etc/samba/smb.conf
        
        # Global parameters
        [global]
                netbios name = DC1
                realm = domain.tld
                server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
                workgroup = DOMAIN
                server role = active directory domain controller
                idmap_ldb:use rfc2307 = yes
                ldap server require strong auth = No
                dns forwarder = 10.10.20.1
        
        root@dc1:~# /etc/init.d/samba-ad-dc restart
        
        ping: xmpp.domain.tld: Name or service not known
        

        On pfSense:
        Services/DNS Resolver/General Settings
        Enable: true
        Network Interfaces: All
        Outgoing Network Interfaces: All
        DNS Query Forwarding: true

        Host Overrides
        xmpp domain.tld 10.10.30.10 XMPP Server

        When I set up my clients to use pfSense as their DNS server, the queries are answered correctly, but I really want them to use my domain controllers as their DNS server, and in case a record does not exist, also look in the records of the DNS Resolver in pfSense.

        • johnpoz LAYER 8 Global Moderator
          last edited by Jul 10, 2019, 7:14 PM

          @leophpx said in Samba4 -> pfSense DNS Resolver:

          dns forwarder = 10.10.20.1

          And is it asking pfSense when you query for host.domain.tld?

          You understand that quite often when you forward, if an RFC 1918 address is returned it would be treated as a rebind, so you need to make sure that your DC's forwarding will return the answer to the client and not hold it back because of rebind protection.

          I am not sure what Samba4 does for DNS forwarding; I have never played with that.

          • leophpx
            last edited by Jul 10, 2019, 7:42 PM

            Samba Docs says:

            https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

            dns forwarder
            
                This option specifies the list of DNS servers that DNS requests will be forwarded to if they can not be handled by Samba itself.
            
                The DNS forwarder is only used if the internal DNS server in Samba is used.
            
                Default: dns forwarder =
            
                Example: dns forwarder = 192.168.0.1
            

            So, in theory, it should work; that's exactly what I need. I will keep reading the documentation. Thank you.

            • johnpoz LAYER 8 Global Moderator
              last edited by Jul 10, 2019, 7:49 PM

              Do a simple sniff on pfSense, then do a query to your DC for something that should be forwarded to pfSense for DNS... Do you see it?

              • leophpx
                last edited by Jul 10, 2019, 8:01 PM

                Yes, the packets are arriving at pfSense when I try, for example, a ping from DC1.

                DC1:

                root@dc1:~# ping xmpp.domain.tld
                ping: xmpp.domain.tld: Name or service not known
                

                pfSense:

                Diagnostics/Packet Capture
                Host Address: 10.10.20.2
                Protocol: Any
                Packets Captured
                15:56:06.248804 IP 10.10.20.2.60725 > 10.10.20.1.53: UDP, length 51

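The thread leaves open what the DC actually replied with, which is what decides whether the forwarder was ever consulted. Below is an added diagnostic (not code from the thread, Samba or pfSense) that builds the same A query a LAN client sends, parses the reply, and classifies it: an authoritative NXDOMAIN means the DC answered from its own zone and never forwarded; a forwarded answer is reported together with whether an RFC 1918 result survived rebind protection, the concern johnpoz raised; an empty NOERROR is flagged as a possible stripped reply. The sample replies are constructed inline so it runs offline; the DC1 address 10.10.20.2 and the name xmpp.domain.tld are the thread's, and query_dc is an assumed helper for a live check.

```python
import ipaddress, socket, struct

def build_query(name, qid=0x1234):
    # Recursion-desired A query in RFC 1035 wire format: what a LAN client sends to the DC.
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def make_response(query, flags, addrs):
    # Constructed reply used as an offline stand-in for the DC: echoes the question, adds one A record per address.
    hdr = query[:2] + struct.pack(">HHHHH", flags, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs)
    return hdr + query[12:] + rrs

def _skip_name(msg, off):
    # Advance past a domain name, whether written out in labels or as a compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def classify(resp):
    # Parse header and answer section, then say what the DC actually did with the query.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    rcode, aa = flags & 0xF, bool(flags & 0x0400)
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    if rcode == 3 and aa:
        return "authoritative NXDOMAIN: the DC owns this zone and answered itself; nothing was forwarded"
    if rcode == 0 and addrs:
        private = [a for a in addrs if ipaddress.ip_address(a).is_private]
        return f"forwarded answer {addrs}" + (f"; RFC1918 result {private} was not dropped by rebind protection" if private else "")
    if rcode == 0:
        return "NOERROR with empty answer: no A record upstream, or the reply was stripped by rebind protection"
    return f"rcode {rcode}"

def query_dc(name, server="10.10.20.2", timeout=2.0):
    # Live check against a DC (assumed helper; the thread's DC1 address is the default). Not exercised offline.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify(s.recv(512))
```

Run classify against a live reply with query_dc("xmpp.domain.tld") from a LAN host and compare the verdict with the packet capture on pfSense: a query seen on the wire but an authoritative NXDOMAIN at the client points at the DC's own zone rather than at the forwarder.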
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.