Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can pfSense's DHCP server update Microsoft DNS?

    DHCP and DNS
    4
    16
    7.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by

      "Windows DNS as primary DNS, and Google DNS (8.8.8.8) for secondary DNS."

      That is not how you would do it.. if your machines are members of your AD.. then the ONLY dns they should point to should be to your AD DNS..  google at 8.8.8.8 has no clue to anything to do with your AD.

      Be it your setting up AD in production, home lab whatever.. if a box is a member of AD then the only dns it should point to is AD DNS - period!!!  Now you can have more than 1 dns server listed if they are both your AD dns..  What your going to do is borked from the get go.

      If you want your machines to join your AD, then they should point to your AD for dns, and dhcp for that matter makes it easy for your AD to keep track of its members and when their IPs change, etc..  Now you setup your AD dns to forward to 8.8.8.8 if you want or have it look up from roots, or forward to pfsense..  But having 2 different dns servers 1 public and one AD on a client that is joined to AD is not good setup.

      If you want to run AD and are worried about hardware failure, then you should have 2 DCs etc.. To be honest I see no reason to run AD in the home, other than play and test - and you can do that with a vms, etc..

      To be honest who is to say that pfsense doesn't have a hardware failure, and now nothing works til you get home anyway.  I run pfsense in VM, I have a domain as well - but my actual machines and laptops are not joined to it because there is no real use of that sort of setup in a home.  I have other vms joined to the domain for when I have to test something or want to play with something, lab it etc..

      I have had power outages in my home - but then again I have my esxi box on a UPS, and also have my modem and switch and since my AP are poe - even when there is a power outage my internet works for 20 to 30 minutes before everything starts shutting down ;)

      So get UPS or 2 if your worried about power outages ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • S
        sofakng
        last edited by

        Yeah, I think that AD might be overkill but my goal was to be able to synchronize UIDs and GIDs across my different VM servers.

        Here's a list of my machines:

        Windows PC (gaming, physical machine)
        MacBook (physical machine)
        Router (pfSense, physical machine)
        ESXi (physical machine)

        On my ESXi box, I have lots of virtual machines:

        File Server (VT-d passthrough of HBA cards and 16x HDDs, shares using NFS and SMB)
        Media Server (Plex, AirVideo, etc)
        Download Server (Nzbget, etc)
        Web Server (Nginx)
        Build Server (OSX project building)

        I thought that Active Directory might be nice to synchronize my username/password across all machines but should be looking at something else maybe?

        Should I maybe look into FreeIPA or something even simpler?

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          what user names are you going to sync?  How are you going to sync say username on pfsense to your AD?  Might be simpler to just setup a radius or ldap server and use that login to your different devices.  Freeipa might be a solution for you sure.

          I do believe freeipa can have window machines auth with use of ksetup on the windows machine.  You could use pGina on your windows machine as well to point to different auth methods vs just local accounts so you could use something that all your devices support.

          Not sure about esxi, while it does support AD login I do believe you need the non free license to do that, since you would have to use vserver vs just the client to manage your host.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • L
            layla @sofakng
            last edited by

            @sofakng said in Can pfSense's DHCP server update Microsoft DNS?:

            Inside pfSense under the DHCP Server options, it looks like it's able to send a dynamic DNS update to a DNS server.

            It has the following options (in pfSense's DHCP server):

            
Enable registration of DHCP client names in DNS.
Enter the dynamic DNS domain which will be used to register client names in the DNS server.
Enter the primary domain name server IP address for the dynamic domain name.
Enter the dynamic DNS domain key name which will be used to register client names in the DNS server.
Enter the dynamic DNS domain key secret which will be used to register client names in the DNS server.

            Can anybody point me in the right direction on how to get this working so pfSense's DHCP registers the hostnames in a Microsoft DNS server?

            I'd like to know the exact answers to these questions, and I hate that this thread goes off topic about a whole different way of solving the problem instead of at a bare minimum, answering the question.

            There are reasons to want to have external DCHP servers (e.g. you have many networks distributed across the country, and not all of them are Microsoft networks, and some of them have local DHCP servers, but you still want all of that feeding back into your centralized MS AD DS and DNS.

            Anyway, this time, somebody please answer the question instead of trying to talk me out of what I'm doing. Which key(s) are supposed to be used in this scenario? The KSK? The ZSK? Some other key(s)? Thanks in advance for any help!

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @layla
              last edited by

              @layla

              The answer is NO.. Is that direct enough for you..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              L 1 Reply Last reply Reply Quote 0
              • L
                layla @johnpoz
                last edited by

                @johnpoz It's a pretty dickish way to say it, but yes, it's the answer you should have posted 5 years ago if that's indeed the case.

                The rest of the internet is not clear about this. Microsoft DNS supports RFC 2136, and even supports unsecure updates, so it should be possible. It seems dhcpd won't even try if the update is not secure? This is also unclear from the documentation, but may be the case.

                johnpozJ L 2 Replies Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @layla
                  last edited by

                  Your clients will update the SOA of the domain.. Have them do that..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  L 1 Reply Last reply Reply Quote 0
                  • L
                    layla @layla
                    last edited by layla

                    @johnpoz Though, you STILL didn't answer the actual other question about "which keys are supposed to be used in this approach" I'll answer that here for future people on the internet, since this forum is supposed to be useful and provide answers:

                    This page answers the question of where the key comes from (e.g. on Linux with bind9) and how to generate it and apply it:
                    https://archyslife.blogspot.com/2018/02/dynamic-dns-with-bind-and-isc-dhcp.html

                    And this page answers the question w.r.t. PowerDNS:
                    https://doc.powerdns.com/authoritative/dnsupdate.html

                    Even if Microsoft DNS doesn't support the secure key, it should still support insecure updates, so I'm going to keep trying to understand what is needed to make dhcpd and Microsoft DNS communicate in that scenario. Unfortunately here be dragons because it seems either not documented or nearly impossible to find with a google/duckduckgo search.

                    1 Reply Last reply Reply Quote 0
                    • L
                      layla @johnpoz
                      last edited by layla

                      @johnpoz Linux clients don't do that by default. I presume you suggest that I should join all of my Linux clients to the domain? But that's part of the thing - I don't want to join hundreds of Linux servers to the AD DS domain (first and foremost because it's a pain to do, and not easily scalable, and second because it involves installing a lot of extra software [samba, kerberos, etc.] on the linux machines which I don't really want them to have). I just want DNS to know about them, but for them to stay otherwise in a separate Linux universe.

                      See the issue? It should be solvable via RFC 2136 via a DHCP server - but it does not seem documented how (unless you're using an Microsoft DNS server, and then it is documented how - at this link: https://ephemeralelectrons.wordpress.com/2017/07/19/dynamic-registration-of-dns-for-linux-devices-in-an-active-directory-environment-with-windows-dns-server/).

                      L 1 Reply Last reply Reply Quote 0
                      • L
                        layla @layla
                        last edited by

                        https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-name-resolution-ddns

                        @layla This article from Azure documents how to do secure updates with bind9 and MS DNS using the linux version of nsupdate (the using -g with the keys mentioned above for bind9 and -k with kerberos for MS DNS (though again, this goes back to basically enrolling into the domain for the MS DNS case.)

                        It also talks about insecure updates from linux directly with nsupdate during ifup/ifdown via scripting. This could sort of work, but it's so much less elegant to modify hundreds of linux machines (particularly where they need to be changed in different ways because e.g. Ubuntu 18.04 LTS does things differently than Ubuntu 20.04 LTS, etc.)...

                        So again, if nsupdate can do it (insecurely), why can't dhcpd? It sure seems like it should be possible. But does seem not documented... :/

                        1 Reply Last reply Reply Quote 0
                        • slmS
                          slm
                          last edited by

                          This tutorial seems like pretty much what you're looking for with an external DNS server being told about DHCP lease IPs + names - https://freeipa-users.redhat.narkive.com/xJVbXRdO/pfsense-dhcp-to-ipa-s-bind-dynamic-updates-success.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.