pfSense can not resolving DNS records on Microsoft Domain Controller DNS zone.

Herman · Feb 9, 2020, 5:49 PM

Hi Folks,

I experience some issues with my pfsense and Microsoft DC environment. I will provide as much information possible. If you need more info then please just ask me to provide it. Hope you guys can help me.

The environment;

Domain controller MS Server 2019 (DC19) LAN IP: 10.0.0.100 local domain: mydomain.local
Router/Firewall pfsense 2.4 (pfsense) LAN IP: 10.0.0.254
Internet access Cable modem in bridge mode (connected to WAN interface of pfsense)

Packages running on the pfsense are;

Snort
PfBlockerNG
OpenVPN Client Export

Configuration so far;

Setup DNS on the Microsoft DC (mandatory for a DC). The forwarders point to the pfsense on 10.0.0.254
On pfsense enabled “Enable DNS resolver”. Network Interfaces and Outgoing Network Interfaces set both to “All”. System Domain Local Zone Type set to “Transparent”. At Host Overrides added Host: DC19, Parent domain of host: mydomain.local, IP to return for host: 10.0.0.100. Other settings left default.

What works and what doesn’t work;

So far I have no complaints about the config. It seems that most of the settings work. I experience no problems with the local domain. Except that sometimes the network is slow so started troubleshooting. Found out that pfsense is not able to send email to the mail server when using the DNS hostname (mailserver). When using the IP of the mail server (10.0.0.19) it works like a charm. So tried DNS Lookup in the Diagnostics menu of pfsense. Found out that pfsense is not able to resolve internal DNS records specified on the DNS of DC19. For example when trying to resolve the DNS name “mailserver” pfsense returns “Host "mailserver" could not be resolved.”. When performing a nslookup from clients (no matter which one) it resolves perfectly.

I hope the above does make some sense to you guys. Would love to get some help with this.

Many thanks in advance.
Herman

Grimeton · Feb 9, 2020, 11:40 PM

It's a difference what service pfSense provides to the clients on its subnets and what pfSense uses for itself to lookup things.

The problem you run into here is that you cannot differentiate between this via the WebUI.

On a console I'd just add the DC-DNS to /etc/resolv.conf and run a DNS-resolver on port 53 for anything coming in from the LAN-interface. This way pfSense would itself use the Windows-DNS-servers, while the Windows-DNS-Servers could use pfSense unbound to resolve addresses from the interwebtubez.

So what can you do? Pretty simple.

In your DNS-resolver setup, scroll to the bottom. There's a section "DOMAIN OVERRIDES".

Just add your domains and dns-servers there. Let's say your Windows domain is FOOBAR.LOCAL and the DNS-Server's address would be 10.0.0.19.

You add as domain "foobar.local" and as Server address 10.0.0.19 there.

The thing here is, in pfSense's resolv.conf the first server is always 127.0.0.1, so pfSense itself. As long as you configure the resolver correctly, everything should work.

If you want the reverse lookup to work as well, then just use the in-addr.arpa configuration syntax for this to work.

If the network is 10.0.0.0/24 and the server is 10.0.0.19 you'd add:
0.0.10.in-addr.arpa as domain and the server's IP. That's it.

Also if you have multiple DNS-servers for a domain, just add multiple entries.

Cu

Herman · Feb 10, 2020, 8:38 PM

Hello @Grimeton,

Thank you very much for the detailed explanation and how-to. My appreciation is great.
Your solution works like a charm. The following I try to resolve from the pfsense after the changes you suggested;

DC19 - Host "dc19" could not be resolved.
DC19.mydomain.local - Result: A-Record 10.0.0.100
10.0.0.100 - Result: PTR DC19.mydomain.local

My big question is why resolving just DC19 still not work but only the FQDN?

Maybe you can also tell me if the following setting are also necessary. They are provided by other users on Reddit to me. Just want to be sure if the settings make sense or not;

DNS Query Forwarding: Enable Forwarding Mode  checked (on)
Disable DNS ForwarderDo not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall  Unchecked (off)

Again thank you for the wisdom.

Regards,
Herman

kiokoman · Feb 10, 2020, 9:36 PM

dns server only answer to query with FQDN

check this
https://forum.netgate.com/post/890192
https://forum.netgate.com/post/890329

Grimeton · Feb 11, 2020, 10:08 AM

@Herman A DNS-Server only answers to a FQDN.

That's why every OS that can use DNS has a "search" option. On Unix it's usually in /etc/resolv.conf, in Windows it's part of the extended adapter configuration.

It contains one or more domains in the order you want the system to try and complete a single hostname (no dots) with and try to lookup a FQDN.

Windows itself usually tries to do a NetBIOS lookup via broadcast before it starts to go for a FQDN search, which can actually be a bit confusing.

Cu

johnpoz · Feb 11, 2020, 10:13 AM

@Grimeton said in pfSense can not resolving DNS records on Microsoft Domain Controller DNS zone.:

Windows itself usually tries to do a NetBIOS lookup via broadcast before it starts to go for a FQDN search, which can actually be a bit confusing.

Not according to this
https://support.microsoft.com/en-us/help/172218/microsoft-tcp-ip-host-name-resolution-order

Simple enough to test, just sniff while you look for something..