Netgate Discussion Forum
    Forward DNS queries to Active Directory DNS Server

    Category: DHCP and DNS
    14 Posts 7 Posters 13.5k Views
      fadygh

      Hello everyone
      I know that this topic might be redundant. I tried to find an answer to my question here but with no success. My case is very simple: in my company all the computers are members of a Windows Server 2012 domain, and all the computers' DNS is our domain controllers' IP address. Now I'm installing pfSense in my network. What is the best practice for setting up DNS server settings so the computers can still authenticate to Active Directory while they are using pfSense as default gateway and DNS server?
      Thanks

        bepo

        @fadygh your clients should keep the domain controller as DNS server. The DNS server should forward anything it can't resolve to pfSense. And pfSense should resolve DNS on the internet.

        Please use the thumbs up button if you received a helpful advice. Thank you!

          fadygh

          In the DC I set forwarders to my ISP, so you mean that I should replace that with the pfSense IP, and in pfSense set my ISP's DNS IP?

            bepo @fadygh

            @fadygh Partially correct. In your DC you should set pfSense as DNS. But pfSense should resolve DNS at the root DNS servers.


              bmeeks (last edited by bmeeks)

              I will take a contrarian view from @bepo. Why not set your AD DNS server (on the domain controller) to resolve instead of forward? You are adding some latency to your DNS lookups by pointing AD to pfSense and then pointing pfSense to your ISP. You remove one latency hop by letting pfSense resolve, but I still would not even do that. I would instead point pfSense to your AD DNS and then configure your AD DNS to resolve. To do this, just enable the Root Hints zone and populate it with the root servers.

              This is how I run my AD setup. You always and forever want your Windows domain clients pointing to AD DNS. Doing anything else will break Active Directory. May as well let AD DNS be a resolver as well. Put your AD DNS server's IP address in the box for DNS in pfSense and just use the pfSense Forwarder (disable the Resolver in pfSense).

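The two layouts described above (bepo: AD DNS forwards to pfSense, which resolves at the roots; bmeeks: AD DNS resolves from the root hints itself, with no forwarder) as an added PowerShell example. This is not code from the thread, from Netgate, or from Microsoft documentation; it uses the standard DnsServer module cmdlets on the domain controller. The pfSense address 192.0.2.1 and the test name www.example.com are placeholder assumptions.

```powershell
# Added example (not from the thread): switch the AD DNS server between the two layouts
# discussed above. Run in an elevated PowerShell on the domain controller (DnsServer module,
# installed with the DNS Server role). 192.0.2.1 is a placeholder for the pfSense LAN address.
Import-Module DnsServer

function Set-AdDnsUpstream {
    [CmdletBinding()]
    param(
        # 'Forward' = bepo's layout (AD DNS -> pfSense unbound -> root servers)
        # 'Resolve' = bmeeks's layout (AD DNS -> root servers directly, no forwarder)
        [Parameter(Mandatory)][ValidateSet('Forward', 'Resolve')][string]$Mode,
        [string]$PfSenseIp = '192.0.2.1'   # assumption: pfSense LAN IP
    )

    if ($Mode -eq 'Forward') {
        # Make sure pfSense actually answers recursive queries before depending on it.
        $probe = Test-DnsServer -IPAddress $PfSenseIp -Context Forwarder
        if ($probe.Result -ne 'Success') {
            throw "pfSense at $PfSenseIp did not pass the forwarder test: $($probe.Result)"
        }
        # Set-DnsServerForwarder replaces the whole forwarder list (Add- would append).
        # UseRootHint keeps the root hints as a fallback if pfSense is down;
        # Timeout is the seconds to wait per forwarder attempt.
        Set-DnsServerForwarder -IPAddress $PfSenseIp -UseRootHint $true -Timeout 3
    }
    else {
        # Drop every forwarder so the server recurses from the root hints itself.
        $existing = (Get-DnsServerForwarder).IPAddress
        if ($existing) {
            Remove-DnsServerForwarder -IPAddress $existing -Force
        }
        # The Root Hints zone is pre-populated on a fresh install; re-import it from a
        # root server only if it has been emptied.
        if (-not (Get-DnsServerRootHint)) {
            Import-DnsServerRootHint -NameServer 'a.root-servers.net'
        }
    }

    # Show the resulting state and prove the server still resolves an external name.
    Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
    Resolve-DnsName -Name 'www.example.com' -Type A -Server 127.0.0.1 |
        Select-Object Name, Type, IPAddress
}

# Usage: pick one of the two layouts.
# Set-AdDnsUpstream -Mode Resolve
# Set-AdDnsUpstream -Mode Forward -PfSenseIp 192.0.2.1
```

Whichever mode is chosen, the clients are untouched: they keep pointing only at the AD DNS server, which is the one point every poster in this thread agrees on.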
                bepo @bmeeks

                @bmeeks This is a valid solution. The important thing is to use the AD DNS at the clients :-)


                  bmeeks

                  Another benefit of letting AD DNS resolve and pointing pfSense to AD DNS is that local hostnames will resolve correctly on pfSense. That is a big help when analyzing logs and other information points on the firewall (having your local hosts identifiable by their AD name).

                    johnpoz LAYER 8 Global Moderator (last edited by johnpoz)

                    The important thing here is to point the clients to the AD. What you do after that, either letting AD resolve or forward to pfSense, which resolves, is secondary.

                    The advantage of forwarding from AD to unbound is that you could then leverage pfBlocker if you want, etc.

                    All you need for pfSense to resolve your AD clients is a domain override (or overrides) for your AD domain set up in pfSense, so it knows to go ask your AD DNS for your domain and your PTRs. It can still resolve on its own via its unbound setup.

                    To be honest, if you're an MS shop and using AD, your clients should really get DHCP and DNS from your AD. The only thing pfSense should be in your case is the gateway. And if you want to leverage pfBlocker features in your DNS, then have your AD forward to pfSense.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      fibrewire @johnpoz (last edited by fibrewire)

                      @johnpoz would you be kind enough to point me to a how-to? I feel like I'm mentally stuck in molasses at the moment.

                      I have a 2019 DC setup with the interface set static, and have DNS1 pointing local to 127.0.0.1 and DNS2 pointing at pfsense.

                      On pfsense I edit the DHCP server settings and set the first DNS server to the IP address of the DC.

                        johnpoz LAYER 8 Global Moderator (last edited by johnpoz)

                        @fibrewire said in Forward DNS queries to Active Directory DNS Server:

                        DNS1 pointing local to 127.0.0.1 and DNS2 pointing at pfsense.

                        That is wrong. Your AD should only point to itself, and forward (via its config) to pfSense, or just resolve, or forward to wherever else you might want.

                        Your clients should only get your AD DNS IP, be it just the one or the multiples you might have set up. If you want pfSense to be able to resolve your AD clients for, say, firewall logs or whatever, then you would set up a domain override pointing to your AD DNS. I could fire up my AD box and show you some screenshots if needed. But it's really pretty basic.

                        Again, you have AD running; why would you not just run DHCP on your AD? It makes zero sense to run it on pfSense.


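The client-side half of the layout johnpoz describes (DC points only at itself, DHCP on AD hands clients the AD DNS address with pfSense as gateway, and a pfSense domain override lets the firewall resolve AD names and PTRs), as an added PowerShell example that is not code from the thread, from Netgate or from Microsoft. It runs on a domain controller that also holds the DHCP role and uses the DnsClient and DhcpServer modules. Every address and name in it (192.0.2.10 for the DC, 192.0.2.1 for pfSense, the 192.0.2.0 scope, corp.example.com, dc01) is a placeholder assumption; the pfSense domain overrides themselves are created in the GUI under Services > DNS Resolver > Domain Overrides, and the last function only checks that they work.

```powershell
# Added example (not from the thread): the client-side half of johnpoz's layout. Run in an
# elevated PowerShell on the domain controller that also runs DHCP (DnsClient and DhcpServer
# modules). Every address and name below is a placeholder assumption:
#   192.0.2.10 = DC / AD DNS, 192.0.2.1 = pfSense LAN IP, 192.0.2.0 = LAN DHCP scope,
#   corp.example.com = AD domain, dc01 = a host in it.
Import-Module DnsClient, DhcpServer

$DcIp      = '192.0.2.10'
$PfSenseIp = '192.0.2.1'
$AdDomain  = 'corp.example.com'
$ScopeId   = '192.0.2.0'

# 1. The DC's own DNS client lists only itself: no pfSense as DNS2, which is the
#    setting johnpoz corrects above.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DcIp
Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# 2. DHCP on AD hands out pfSense as the gateway (option 3) and only AD DNS (option 6)
#    to clients. The cmdlet verifies that each -DnsServer answers DNS unless -Force is given.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $PfSenseIp -DnsServer $DcIp -DnsDomain $AdDomain
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value

# 3. Check the pfSense side. With a Domain Override for corp.example.com and one for the
#    reverse zone 2.0.192.in-addr.arpa, both pointing at 192.0.2.10, unbound on pfSense
#    answers AD names and PTRs by asking the DC. Query pfSense directly to prove it.
function Test-PfSenseDomainOverride {
    param(
        [string]$HostName = "dc01.$AdDomain",
        [string]$HostIp   = $DcIp,
        [string]$Resolver = $PfSenseIp
    )
    $fwd = Resolve-DnsName -Name $HostName -Type A   -Server $Resolver -ErrorAction SilentlyContinue
    $rev = Resolve-DnsName -Name $HostIp   -Type PTR -Server $Resolver -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Resolver = $Resolver
        Forward  = if ($fwd) { ($fwd | Where-Object Type -eq 'A').IPAddress -join ',' }
                   else      { 'FAIL: add or check the forward domain override' }
        Reverse  = if ($rev) { $rev.NameHost -join ',' }
                   else      { 'FAIL: add or check the in-addr.arpa domain override' }
    }
}

Test-PfSenseDomainOverride
```

A "FAIL" in the Reverse column with a working Forward column is the common case when only the forward domain was overridden: pfSense then resolves AD hostnames but still cannot label its firewall logs by name, because log enrichment works from the client IP through a PTR lookup.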
                          fibrewire (last edited by fibrewire)

                          @johnpoz said in Forward DNS queries to Active Directory DNS Server:

                          AD DNS IP, be it just the one or the multiples you might have set up. If you want pfSense to be able to resolve your AD clients for, say, firewall logs or whatever, then you would set up a domain override pointing to your AD DNS.

                          Thank you for the update, and yes please for screenshots. I never know when I might be looking back at this thread. These forums have saved my hide countless times, which is why I've had my clients get licenses and support from electric sheep fencing llc since at least 2014. Thank you!

                            jmiller @johnpoz (last edited by jmiller)

                            @johnpoz I would also like to see your screenshots. After reading your posts in addition to @bmeeks's, it would appear that both of you are describing solutions that are opposite, yet workable. The main problem I have in my AD is that, similarly, pfSense can't resolve anything internally. My setup is as follows:

                            • AD forwards to pfSense
                            • AD is also handling DHCP for the network
                            • pfSense DNS general setup points to 9.9.9.9 & 1.1.1.1 (nothing else enabled)
                            • pfSense resolver is activated with domain overrides pointing to the AD server
                            • pfSense forwarder is inactive
                            • All clients point at the AD
                              AveryFreeman @bmeeks

                              @bmeeks Why not use forwarders from AD DNS instead of root hints? Root hints are really just meant as a fallback...

                                bmeeks @AveryFreeman (last edited by bmeeks)

                                @averyfreeman said in Forward DNS queries to Active Directory DNS Server:

                                @bmeeks Why not use forwarders from AD DNS instead of root hints? Root hints are really just meant as a fallback...

                                Not 100% true. The root hints are in fact the root DNS servers. So they are the true authority. And you can talk to them using DNSSEC. When you forward, you lose the benefit of DNSSEC as you have no control over what the forwarder is doing on your behalf. It may be using DNSSEC, or it may not. (Note: assuming we are talking about an external forwarder here and not unbound on pfSense).

                                You can certainly forward to another intermediate server, though, if you wish. And there is probably something to be said for being a thoughtful netizen and not overloading the roots. But one thing you get by directly querying the roots and not using a forwarder is you deprive the marketing folks at that forwarder of their data to target ads or otherwise snoop on you.

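The DNSSEC point bmeeks makes above (resolving at the roots lets the AD DNS server validate signatures itself, while an external forwarder may or may not do so on your behalf), as an added PowerShell example that is not from the thread or from Microsoft documentation. It installs the root trust anchor on the AD DNS server with the DnsServer module and then checks, with the DnsClient module, whether answers handed to clients carry RRSIG records and whether a zone with broken signatures is refused. Assumptions: 192.0.2.10 is the DC address (placeholder), the DC can reach the internet to fetch the anchor, and the two query names are public zones used only as test inputs.

```powershell
# Added example (not from the thread): install the root trust anchor on the AD DNS server so it
# validates DNSSEC when it resolves from the root hints, then check whether the answers it hands
# to clients are actually validated. Run in an elevated PowerShell on the DC.
# Assumptions: 192.0.2.10 = DC / AD DNS (placeholder); the DC can reach the internet.
Import-Module DnsServer, DnsClient

$DcIp = '192.0.2.10'

# 1. Fetch the trust anchor for the root zone ".". Without it the server has nothing to
#    validate the DS/DNSKEY/RRSIG chain against, even when it queries the roots directly.
if (-not (Get-DnsServerTrustAnchor -Name '.' -ErrorAction SilentlyContinue)) {
    Add-DnsServerTrustAnchor -Root
}
Get-DnsServerTrustAnchor -Name '.' | Format-Table

# 2. Query the AD DNS server with the DO (DNSSEC OK) bit set and look for RRSIG records.
#    A validating resolver returns them; a forwarder chain that strips DNSSEC data does not,
#    which is the "no control over what the forwarder is doing" case bmeeks describes.
function Test-DnssecAnswer {
    param([string]$Name, [string]$Server = $DcIp)
    try {
        $rr = Resolve-DnsName -Name $Name -Type A -Server $Server -DnssecOk -ErrorAction Stop
        [pscustomobject]@{
            Name     = $Name
            Answered = $true
            Signed   = [bool]($rr | Where-Object Type -eq 'RRSIG')
            Records  = (($rr | Where-Object Type -eq 'A').IPAddress -join ',')
        }
    }
    catch {
        # A validating resolver answers SERVFAIL for a zone whose signatures do not verify;
        # Resolve-DnsName surfaces that as an error, so Answered = $false is the desired
        # outcome for the deliberately broken test zone below.
        [pscustomobject]@{ Name = $Name; Answered = $false; Signed = $false; Records = $_.Exception.Message }
    }
}

# Constructed test inputs: example.com is a DNSSEC-signed public zone; dnssec-failed.org is a
# public test zone whose signatures are intentionally broken.
Test-DnssecAnswer -Name 'example.com'        # expected: Answered = True,  Signed = True
Test-DnssecAnswer -Name 'dnssec-failed.org'  # expected: Answered = False on a validating server
```

If the first query comes back with Signed = False, or the second one is answered normally, the server is not validating for that path; running the same function with -Server pointed at the forwarder in use shows whether the gap is on the AD server or upstream of it.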
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.