Netgate Discussion Forum

Forward DNS queries to Active directory DNS Server

Category: DHCP and DNS
14 Posts, 7 Posters, 13.5k Views
bepo:

@fadygh your clients should keep the domain controller as DNS server. The DNS server should forward anything it can't resolve to the pfsense. And pfsense should resolve DNS on the internet.

Please use the thumbs up button if you received helpful advice. Thank you!
fadygh:

In the DC I set forwarders to my ISP, so you mean that I should replace it with the pfSense IP and in pfsense I set my ISP DNS IP?
bepo @fadygh:

@fadygh Partially correct. In your DC you should set pfsense as DNS. But pfsense should resolve DNS at the root DNS servers.

Please use the thumbs up button if you received helpful advice. Thank you!
bmeeks:

I will take a contrarian view from @bepo. Why not set your AD DNS server (on the domain controller) to resolve instead of forward? You are adding some latency to your DNS lookups by pointing AD to pfSense and then pointing pfSense to your ISP. You remove one latency hop by letting pfSense resolve, but I still would not even do that. I would instead point pfSense to your AD DNS and then configure your AD DNS to resolve. To do this, just enable the Root Hints zone and populate it with the root servers.

This is how I run my AD setup. You always and forever want your Windows domain clients pointing to AD DNS. Doing anything else will break Active Directory. May as well let AD DNS be a resolver as well. Put your AD DNS server's IP address in the box for DNS in pfSense and just use the pfSense Forwarder (disable the Resolver in pfSense).
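The layout bmeeks describes, written out as a PowerShell session on the domain controller. This is an added example, not code from the thread, from Netgate or from Microsoft; it uses the DnsServer module cmdlets and assumes a DC at 192.168.10.10 with an AD zone named ad.example.test, both constructed placeholders. Windows DNS loads its root hints from cache.dns by default, so the script checks that they are present rather than re-entering the root servers; the trust-anchor step is optional and assumed to need Server 2012 or later. The pfSense side (AD DNS address in General Setup, Forwarder enabled, Resolver disabled) is a GUI setting and is not scripted here.

```powershell
# Added example, not from the thread: make the DC's DNS Server role a recursive
# resolver that starts at the root hints (bmeeks' layout), then verify it.
# Assumptions: run elevated on the DC with the DnsServer module present;
# 192.168.10.10 and ad.example.test are constructed placeholders.
#Requires -RunAsAdministrator
Import-Module DnsServer

$DcAddress = '192.168.10.10'      # constructed: this DC's address
$AdDomain  = 'ad.example.test'    # constructed: the AD DNS zone

# 1. Drop any ISP forwarders; with none configured the server recurses itself.
$fwd = Get-DnsServerForwarder
if ($fwd.IPAddress) {
    "Removing forwarders: $($fwd.IPAddress -join ', ')"
    Remove-DnsServerForwarder -IPAddress $fwd.IPAddress -Force
}

# 2. Recursion has to stay enabled for this design: it is what resolves
#    non-AD names for the clients that point here.
Set-DnsServerRecursion -Enable $true

# 3. Windows loads the root hints from cache.dns; confirm the list is not empty
#    rather than typing the root servers in by hand.
$roots = Get-DnsServerRootHint
if (-not $roots) { throw 'No root hints loaded; restore cache.dns before continuing.' }
"Root hint servers loaded: $($roots.Count)"

# 4. Optional: import the root zone trust anchor so answers are DNSSEC-validated
#    on this server instead of trusting whatever an upstream forwarder did
#    (assumed cmdlet behaviour on Server 2012 or later; it fetches the anchor from IANA).
if (-not (Get-DnsServerTrustPoint -ErrorAction SilentlyContinue)) {
    Add-DnsServerTrustAnchor -Root
}

# 5. Verify: an external name resolves through recursion, and the AD SRV record
#    still answers from the local zone (both names are constructed/public examples).
Resolve-DnsName -Name 'www.example.com' -Server $DcAddress -Type A
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Server $DcAddress -Type SRV
```

Step 5 is the check worth keeping around: if the external lookup fails after the forwarders are removed, recursion or outbound UDP/TCP 53 from the DC is blocked, and pointing pfSense at this server would take the whole network's DNS down with it.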
bepo @bmeeks:

@bmeeks This is a valid solution. The important thing is to use the AD DNS at the clients :-)

Please use the thumbs up button if you received helpful advice. Thank you!
bmeeks:

Another benefit of letting AD DNS resolve and pointing pfSense to AD DNS is that local hostnames will resolve correctly on pfSense. That is a big help when analyzing logs and other information points on the firewall (having your local hosts identifiable by their AD name).
johnpoz (LAYER 8 Global Moderator):

The important thing here is to point the clients to the AD.. What you do after that, either letting AD resolve or forward to pfsense that resolves, is secondary.

Advantage of forwarding from AD to unbound is you could then leverage pfblocker if you want, etc.

All you need for pfsense to resolve your AD clients is a domain override(s) for your AD domain setup in pfsense so it knows to go ask your AD DNS for your domain and your PTRs.. It can still resolve on its own via its unbound setup.

To be honest, if you're an MS shop and using AD, your clients should really get DHCP and DNS from your AD.. Only thing pfsense should be in your case is the gateway. And if you want to leverage pfblocker features in your DNS then have your AD forward to pfsense.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
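The forwarding layout johnpoz describes, as an added example that is not from the thread, from Netgate or from Microsoft: the DC forwards to unbound on pfSense, and pfSense carries a domain override for the AD domain (plus, for the PTRs, one for the reverse zone such as 10.168.192.in-addr.arpa) that points back at the DC. The addresses 192.168.10.1 (pfSense) and 192.168.10.10 (DC), the zone ad.example.test, the host ws01 and the client address 192.168.10.50 are all constructed. The override itself is entered on the pfSense DNS Resolver page; the script configures the Windows side and then checks the override from a domain-joined machine by asking pfSense, not the DC, for AD names.

```powershell
# Added example, not from the thread: DC forwards to unbound on pfSense, pfSense
# answers AD names through a domain override back to the DC (johnpoz's layout).
# Assumptions: DnsServer module on the DC; all addresses and names are constructed.
#Requires -RunAsAdministrator
Import-Module DnsServer

$PfSense  = '192.168.10.1'      # constructed: pfSense LAN address (unbound)
$Dc       = '192.168.10.10'     # constructed: this DC
$AdDomain = 'ad.example.test'   # constructed: AD DNS zone

# 1. On the DC: forward everything it is not authoritative for to pfSense.
#    -IPAddress replaces the whole forwarder list (so the ISP entries go away);
#    root hints stay as the fallback if pfSense stops answering.
Set-DnsServerForwarder -IPAddress $PfSense -UseRootHint $true -Timeout 3
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 2. The DC's own client DNS list should contain only itself (the 127.0.0.1 plus
#    pfSense mix fibrewire describes is what johnpoz flags as wrong). Show what
#    the active IPv4 adapter currently has so the mismatch is visible.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, ServerAddresses

# 3. Verify the override on pfSense: an AD host name and its PTR must both come
#    back when pfSense is the server queried. Forward needs the domain override,
#    reverse needs a second override for the in-addr.arpa zone of the subnet.
function Test-PfSenseOverride {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # short AD host name, e.g. ws01
        [Parameter(Mandatory)] [string] $ClientIp    # that host's address
    )
    $fwd = Resolve-DnsName -Name "$HostName.$AdDomain" -Server $PfSense -Type A `
                           -ErrorAction SilentlyContinue
    $rev = Resolve-DnsName -Name $ClientIp -Server $PfSense -Type PTR `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Host        = "$HostName.$AdDomain"
        ForwardOK   = [bool]$fwd        # false: domain override missing or DC unreachable
        ReverseOK   = [bool]$rev        # false: no override for the reverse zone
        ReverseName = $rev.NameHost
    }
}

Test-PfSenseOverride -HostName 'ws01' -ClientIp '192.168.10.50'
```

ForwardOK true with ReverseOK false is the usual result after adding only the forward override; it is the reverse-zone override that makes firewall log entries show the AD host name instead of a bare address, which is the benefit bmeeks mentions above.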
fibrewire @johnpoz:

@johnpoz would you be kind enough to point me to a how-to? I feel like I'm mentally stuck in molasses at the moment.

I have a 2019 DC setup with the interface set static, and have DNS1 pointing local to 127.0.0.1 and DNS2 pointing at pfsense.

On pfsense I edit the DHCP server settings and set the first DNS server to the IP address of the DC.
johnpoz (LAYER 8 Global Moderator):

@fibrewire said in Forward DNS queries to Active directory DNS Server:

DNS1 pointing local to 127.0.0.1 and DNS2 pointing at pfsense.

That is wrong. Your AD should only point to itself, and forward, via its config, to pfsense, or just resolve, or wherever else you might want to forward to.

Your clients should only get your AD DNS IP.. be it just the 1 or multiples you might have set up. If you want pfsense to be able to resolve your AD clients for say firewall logs or whatever, then you would set up a domain override pointing to your AD DNS... I could fire up my AD box and show you some screenshots if so needed.. But it's really pretty basic..

Again - you have AD running, why would you not just run DHCP on your AD? Makes zero sense to run it on pfsense.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
fibrewire:

@johnpoz said in Forward DNS queries to Active directory DNS Server:

AD dns IP.. be it just the 1 or multiples you might have setup. If you want pfsense to be able to resolve your AD clients for say firewall logs or whatever, then you would setup a domain override pointing your AD dns.

Thank you for the update, and yes please for screenshots. I never know when I might be looking back at this thread. These forums have saved my hide countless times, which is why I've had my clients get licenses and support from Electric Sheep Fencing LLC since at least 2014. Thank you!
jmiller @johnpoz:

@johnpoz I would also like to see your screenshots. After reading your posts in addition to @bmeeks', it would appear that both of you are describing a solution that is opposite, yet workable. The main problem I have in my AD is that similarly pfSense can't resolve anything internally. My setup is as follows:

• AD forwards to pfSense
• AD is also handling DHCP for the network
• pfSense DNS general setup points to 9.9.9.9 & 1.1.1.1 (nothing else enabled)
• pfSense resolver is activated with domain overrides pointing to the AD server
• pfSense forwarder is inactive
• All clients point at the AD
AveryFreeman @bmeeks:

@bmeeks Why not use forwarders from AD DNS instead of root hints? Root hints are really just meant as a fallback...
bmeeks @AveryFreeman:

@averyfreeman said in Forward DNS queries to Active directory DNS Server:

@bmeeks Why not use forwarders from AD DNS instead of root hints? Root hints are really just meant as a fallback...

Not 100% true. The root hints are in fact the root DNS servers. So they are the true authority. And you can talk to them using DNSSEC. When you forward, you lose the benefit of DNSSEC as you have no control over what the forwarder is doing on your behalf. It may be using DNSSEC, or it may not. (Note: assuming we are talking about an external forwarder here and not unbound on pfSense).

You can certainly forward to another intermediate server, though, if you wish. And there is probably something to be said for being a thoughtful netizen and not overloading the roots. But one thing you get by directly querying the roots and not using a forwarder is you deprive the marketing folks at that forwarder of their data to target ads or otherwise snoop on you.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.