Netgate Discussion Forum

    pfSense cannot resolve DNS records on Microsoft Domain Controller DNS zone.

    • Herman:

      Hi Folks,

      I experience some issues with my pfsense and Microsoft DC environment. I will provide as much information as possible. If you need more info then please just ask me to provide it. Hope you guys can help me.

      The environment:

      Domain controller MS Server 2019 (DC19) LAN IP: 10.0.0.100 local domain: mydomain.local
      Router/Firewall pfsense 2.4 (pfsense) LAN IP: 10.0.0.254
      Internet access Cable modem in bridge mode (connected to WAN interface of pfsense)

      Packages running on the pfsense are:

      1. Snort
      2. PfBlockerNG
      3. OpenVPN Client Export

      Configuration so far:

      1. Setup DNS on the Microsoft DC (mandatory for a DC). The forwarders point to the pfsense on 10.0.0.254
      2. On pfsense enabled “Enable DNS resolver”. Network Interfaces and Outgoing Network Interfaces set both to “All”. System Domain Local Zone Type set to “Transparent”. At Host Overrides added Host: DC19, Parent domain of host: mydomain.local, IP to return for host: 10.0.0.100. Other settings left default.

      What works and what doesn’t work:

      So far I have no complaints about the config. It seems that most of the settings work. I experience no problems with the local domain, except that sometimes the network is slow, so I started troubleshooting. Found out that pfsense is not able to send email to the mail server when using the DNS hostname (mailserver). When using the IP of the mail server (10.0.0.19) it works like a charm. So I tried DNS Lookup in the Diagnostics menu of pfsense. Found out that pfsense is not able to resolve internal DNS records specified on the DNS of DC19. For example, when trying to resolve the DNS name “mailserver”, pfsense returns “Host "mailserver" could not be resolved.”. When performing an nslookup from clients (no matter which one) it resolves perfectly.

      I hope the above does make some sense to you guys. Would love to get some help with this.

      Many thanks in advance.
      Herman

      Limburg | The Netherlands.
      It is nice to be important. But it is more important to be nice! | Failure, the best teacher it is!

      • Grimeton:

        There is a difference between the service pfSense provides to the clients on its subnets and what pfSense uses itself to look things up.

        The problem you run into here is that you cannot differentiate between these two via the WebUI.

        On a console I'd just add the DC-DNS to /etc/resolv.conf and run a DNS-resolver on port 53 for anything coming in from the LAN-interface. This way pfSense would itself use the Windows-DNS-servers, while the Windows-DNS-Servers could use pfSense unbound to resolve addresses from the interwebtubez.

        So what can you do? Pretty simple.

        In your DNS-resolver setup, scroll to the bottom. There's a section "DOMAIN OVERRIDES".

        Just add your domains and dns-servers there. Let's say your Windows domain is FOOBAR.LOCAL and the DNS-Server's address would be 10.0.0.19.

        You add as domain "foobar.local" and as Server address 10.0.0.19 there.

        The thing here is, in pfSense's resolv.conf the first server is always 127.0.0.1, so pfSense itself. As long as you configure the resolver correctly, everything should work.

        If you want the reverse lookup to work as well, then just use the in-addr.arpa configuration syntax for this to work.

        If the network is 10.0.0.0/24 and the server is 10.0.0.19 you'd add:
        0.0.10.in-addr.arpa as domain and the server's IP. That's it.

        Also if you have multiple DNS-servers for a domain, just add multiple entries.

        Cu
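As an added illustration (not part of Grimeton's post), the two domain overrides described above, expressed in unbound's own `forward-zone:` syntax. pfSense generates the equivalent stanzas from the WebUI entries, so on pfSense you do not write this by hand; it is useful for checking what the resolver actually loaded, or for a stand-alone unbound. The domain `foobar.local`, the server `10.0.0.19` and the `/24` are the values from the post; the `private-domain:` line is an addition for the stand-alone case:

```conf
server:
    # Stand-alone unbound only: unbound drops answers containing RFC1918
    # addresses from zones it does not trust (DNS rebinding protection), so
    # a forwarded AD zone that answers with 10.0.0.x must be allowed here.
    # pfSense's generated config is assumed to take care of this for
    # overrides entered in the WebUI.
    private-domain: "foobar.local"

# Forward queries for the Windows domain to the DC's DNS server.
forward-zone:
    name: "foobar.local"
    forward-addr: 10.0.0.19

# Reverse lookups for 10.0.0.0/24: the in-addr.arpa name is the network
# octets reversed, so 10.0.0.0/24 becomes 0.0.10.in-addr.arpa.
forward-zone:
    name: "0.0.10.in-addr.arpa"
    forward-addr: 10.0.0.19
```

Multiple DNS servers for one zone are simply additional `forward-addr:` lines inside the same stanza. On pfSense, `unbound-checkconf` against the generated configuration is the quickest way to confirm that an override was written the way you intended.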

        • Herman:

          Hello @Grimeton,

          Thank you very much for the detailed explanation and how-to. My appreciation is great.
          Your solution works like a charm. The following is what I tried to resolve from the pfsense after the changes you suggested:

          • DC19 - Host "dc19" could not be resolved.
          • DC19.mydomain.local - Result: A-Record 10.0.0.100
          • 10.0.0.100 - Result: PTR DC19.mydomain.local

          My big question is why resolving just DC19 still does not work, but only the FQDN?

          Maybe you can also tell me if the following settings are also necessary. They were provided to me by other users on Reddit. Just want to be sure if the settings make sense or not:

          • DNS Query Forwarding: Enable Forwarding Mode - checked (on)
          • Disable DNS Forwarder: Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall - unchecked (off)

          Again thank you for the wisdom.

          Regards,
          Herman

          Limburg | The Netherlands.
          It is nice to be important. But it is more important to be nice! | Failure, the best teacher it is!

          • kiokoman (LAYER 8):

            DNS servers only answer to queries with a FQDN

            check this
            https://forum.netgate.com/post/890192
            https://forum.netgate.com/post/890329

            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            • Grimeton (@Herman):

              @Herman A DNS-Server only answers to a FQDN.

              That's why every OS that can use DNS has a "search" option. On Unix it's usually in /etc/resolv.conf, in Windows it's part of the extended adapter configuration.

              It contains one or more domains, in the order in which you want the system to try completing a single hostname (no dots) with them and look up the resulting FQDN.

              Windows itself usually tries to do a NetBIOS lookup via broadcast before it starts to go for a FQDN search, which can actually be a bit confusing.

              Cu
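The two mechanisms discussed in this thread, the domain override that picks an upstream server per zone (Grimeton's first reply) and the search list that turns a bare hostname into FQDN candidates (this reply), can be modelled in a few lines. The script below is an added example, not code from the thread or from pfSense/unbound; the override table is constructed from Herman's values (`mydomain.local`, DC19 at `10.0.0.100`, network `10.0.0.0/24`), and `pick_upstream`, `candidates` and `resolve_short` are hypothetical helper names. It shows why `dc19` alone fails on pfSense while `dc19.mydomain.local` and the reverse lookup succeed:

```python
"""Model of per-zone domain overrides and resolv.conf-style search lists.

Added example (not from the forum thread). Values are constructed from the
thread: AD zone mydomain.local served by DC19 at 10.0.0.100, LAN 10.0.0.0/24.
"""
from ipaddress import ip_address

# Constructed override table, as entered under "Domain Overrides" in pfSense:
# zone name -> server that is authoritative for it.
OVERRIDES = {
    "mydomain.local": "10.0.0.100",       # forward zone for the AD domain
    "0.0.10.in-addr.arpa": "10.0.0.100",  # reverse zone for 10.0.0.0/24
}
DEFAULT_UPSTREAM = "recursion"  # anything else unbound resolves itself


def normalize(name: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot and lowercase."""
    return name.rstrip(".").lower()


def reverse_name(ip: str) -> str:
    """PTR name for an address: 10.0.0.100 -> 100.0.0.10.in-addr.arpa."""
    return ip_address(ip).reverse_pointer


def pick_upstream(qname: str, overrides=OVERRIDES):
    """Longest-suffix match over the override table.

    The most specific configured zone wins, which is how a resolver decides
    whether a query is forwarded to the DC or resolved recursively.
    Returns (zone, server); zone is None when no override applies.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in overrides:
            return zone, overrides[zone]
    return None, DEFAULT_UPSTREAM


def candidates(name: str, search: list, ndots: int = 1) -> list:
    """FQDN candidates a stub resolver tries, per resolv.conf search/ndots.

    A name with fewer than ndots dots is first completed with each search
    domain; a name with ndots or more dots is tried as-is first.
    """
    name = normalize(name)
    completed = [f"{name}.{d}" for d in search]
    if name.count(".") >= ndots:
        return [name] + completed
    return completed + [name]


def resolve_short(name: str, search: list, overrides=OVERRIDES):
    """First candidate for which an override exists, with its upstream.

    With an empty search list (pfSense looking up 'dc19' by itself) no
    candidate matches a configured zone, which is the failure Herman saw.
    """
    for fqdn in candidates(name, search):
        zone, server = pick_upstream(fqdn, overrides)
        if zone is not None:
            return fqdn, server
    return None


if __name__ == "__main__":
    print(pick_upstream("dc19.mydomain.local"))        # forwarded to the DC
    print(pick_upstream("mailserver"))                 # no zone matches
    print(pick_upstream(reverse_name("10.0.0.100")))   # reverse zone matches
    print(resolve_short("dc19", []))                   # None: what pfSense did
    print(resolve_short("dc19", ["mydomain.local"]))   # what a client does
```

The takeaway for pfSense is that domain overrides only decide where a query is forwarded; they never append a suffix. Bare hostnames resolve on the clients because the DHCP-supplied search domain completes them before the query leaves the host, and pfSense does not apply that search list to its own Diagnostics lookups.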

              • johnpoz (LAYER 8 Global Moderator):

                @Grimeton said in pfSense cannot resolve DNS records on Microsoft Domain Controller DNS zone.:

                Windows itself usually tries to do a NetBIOS lookup via broadcast before it starts to go for a FQDN search, which can actually be a bit confusing.

                Not according to this
                https://support.microsoft.com/en-us/help/172218/microsoft-tcp-ip-host-name-resolution-order

                Simple enough to test, just sniff while you look for something..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.