Netgate Discussion Forum

dns replication between pfsense and windows server

DHCP and DNS
17 Posts 4 Posters 2.2k Views
  • jmriviere, Jan 5, 2021, 1:41 PM

    Hi,
    I'm using pfSense 2.4.5-RELEASE-p1.
    My pfSense is the primary DNS server for my Active Directory.
    I'm wondering if it is possible to replicate the DNS zone from pfSense to a Windows server?
    Can anyone help me?
    Thanks in advance.

    • johnpoz (LAYER 8 Global Moderator) @jmriviere, Jan 5, 2021, 2:03 PM

      @jmriviere said in dns replication between pfsense and windows server:

      my pfsense is the primary dns server for my active directory.

      Why? If you're an AD shop, use your MS server as your DNS. If you want that to forward to pfSense to resolve stuff that is located there, OK, or for it to resolve the internet, sure.

      But for what reason would you not run DNS and DHCP on your AD servers? It really makes no sense to me at all to run such a setup.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • jmriviere @johnpoz, Jan 5, 2021, 2:15 PM

        @johnpoz
        Hi, this is the configuration of my company: DNS and DHCP on the pfSense. So every time you want to add a PC to the domain I need to change the DNS setting to point to the DC, then switch to the pfSense. This is the problem. So I would like to replicate the zone between pfSense and Windows Server.
        Thank you

        • johnpoz (LAYER 8 Global Moderator) @jmriviere, Jan 5, 2021, 2:34 PM

          Whose brilliant idea was that? When you have a DNS and DHCP server right there on your AD... Just boggles the mind...

          If you insist on pointing clients to pfSense for DNS, then just set up a domain override on pfSense for your AD domain(s).

          There is no reason to sync anything. But it would be possible to do zone transfers with BIND and MS DNS. Unbound is not going to do zone transfers, since it is not meant to be an authoritative NS.

          • jmriviere @johnpoz, Jan 5, 2021, 3:27 PM

            @johnpoz
            We have already done this operation. So do you have an idea for a workaround for the integration on the domain?
            Because like I said, the configured DNS for the client points to the pfSense instead of the DC.
            Thanks

            • SteveITS (Galactic Empire) @jmriviere, Jan 5, 2021, 3:37 PM

              Agreed, your network should have turned off DHCP on the pfSense and used the domain. Hindsight, I guess.

              I think it will work if you configure a "Domain Overrides" entry in the DNS Resolver settings and point it to the Windows Server's IP. Then pfSense will forward queries for that zone there.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              • jmriviere @SteveITS, Jan 5, 2021, 3:41 PM

                @teamits Thanks, but the problem is the boss doesn't want to use the DC as DNS.

                • johnpoz (LAYER 8 Global Moderator) @jmriviere, Jan 5, 2021, 4:35 PM (edited 4:40 PM)

                  No offense, but your Boss is an idiot ;)

                  Again, just set up a domain override in unbound to point whateverADdomain.tld to the IP(s) of the DNS that is running in AD.

                  And whatever other arpa zones you might have on there.

                  To do a domain override to a downstream NS, you will have to let pfSense use your LAN interface for outgoing if you have changed that from the default of all. You will also need to set up a private domain or you will get rebind issues, or turn off rebind protection completely.

                  https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

                  Just out of curiosity, if you happen to know (maybe you should ask him): what is the technical reason he wants to do it this way, vs. the simple, MS best practice and correct solution of pointing clients that are members of the AD to the AD nameserver(s)?

                  If he also has his heart set on sync, then you would need to use the bind package to be able to set up zone transfers.

                  I would be curious to hear what he thinks he gets out of pointing clients to pfSense vs. just the AD DNS and DHCP.

                  If his goal is to leverage, say, pfBlocker via unbound, you can still use that via clients pointing to AD DNS, and then AD DNS forwarding to pfSense.

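The domain-override and rebind-protection behaviour johnpoz describes in the post above, modelled as an added example. This is not code from the thread, from pfSense or from unbound: it reproduces what a pfSense "Domain Override" does (an unbound forward-zone for the named zone), what pfSense's rebind protection does (unbound private-address entries for the RFC 1918 ranges, which make unbound discard A records pointing into those ranges) and what a "private domain" entry does (unbound private-domain, which exempts names under that domain). The zone corp.example, the reverse zone 0.168.192.in-addr.arpa, the AD DNS address 192.168.0.2 and the answers are constructed placeholders.

```python
"""Model of a pfSense (unbound) domain override plus DNS rebind protection.

Added example, not code from the thread, pfSense or unbound.  The zone names,
the AD DNS address 192.168.0.2 and the answers are constructed placeholders.
"""
import ipaddress

# Constructed: what a pfSense "Domain Override" for the AD forward zone and
# the LAN reverse zone amounts to (unbound forward-zone stanzas pointing at
# the Windows DNS server).
OVERRIDES = {
    "corp.example.": "192.168.0.2",
    "0.168.192.in-addr.arpa.": "192.168.0.2",
}

# Constructed: unbound "private-domain" entries.  Names under these may
# resolve to RFC 1918 addresses even with rebind protection on.
PRIVATE_DOMAINS = {"corp.example."}

# The IPv4 ranges pfSense lists as unbound private-address when rebind
# protection is enabled.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or lies below it."""
    q, z = fqdn(qname), fqdn(zone)
    return q == z or q.endswith("." + z)


def select_upstream(qname: str, overrides=OVERRIDES):
    """Return the forward address of the most specific matching override,
    or None when unbound should resolve the name itself (normal recursion)."""
    matches = [(len(fqdn(z)), addr) for z, addr in overrides.items() if in_zone(qname, z)]
    return max(matches)[1] if matches else None


def rebind_check(qname: str, answer: str, private_domains=PRIVATE_DOMAINS,
                 protection: bool = True) -> bool:
    """True if unbound would hand the answer to the client.

    With rebind protection on, an address record inside a private range is
    discarded unless the queried name lies under a configured private-domain.
    This is the failure johnpoz warns about: the AD server answers with
    192.168.x.x addresses, so without a private-domain entry (or with the
    protection switched off) every forwarded lookup comes back empty.
    """
    if not protection:
        return True
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return True  # not an A/AAAA answer (e.g. a PTR name): filter does not apply
    if not any(ip in net for net in PRIVATE_NETS):
        return True
    return any(in_zone(qname, d) for d in private_domains)


def resolve(qname: str, ad_answers: dict, protection: bool = True):
    """Route one query through the override table and the rebind filter.

    ad_answers is a constructed stand-in for what the AD DNS server returns.
    Returns the answer, None when the query was forwarded but the answer was
    filtered or missing, or the marker "recurse" when no override matches."""
    if select_upstream(qname) is None:
        return "recurse"
    answer = ad_answers.get(fqdn(qname))
    if answer is None:
        return None
    return answer if rebind_check(qname, answer, protection=protection) else None


if __name__ == "__main__":
    # Constructed AD answers: a forward A record and its PTR record.
    answers = {"dc01.corp.example.": "192.168.0.2",
               "2.0.168.192.in-addr.arpa.": "dc01.corp.example."}
    for q in ("dc01.corp.example", "2.0.168.192.in-addr.arpa", "www.netgate.com"):
        print(q, "->", select_upstream(q), resolve(q, answers))
    # Same lookup with the private-domain entry removed: the answer is dropped.
    print(rebind_check("dc01.corp.example", "192.168.0.2", private_domains=set()))
```

The reverse zone matters for the same reason as the forward zone: PTR lookups for LAN addresses otherwise go out to the root servers, which is exactly what an override to the AD server avoids. Note that the private-address filter only bites on address records, so reverse lookups are unaffected by the rebind setting while forward lookups of AD hosts fail silently without the private-domain entry.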
                  • Sweety @johnpoz, Feb 9, 2021, 12:35 PM

                    @johnpoz Hello, I'm allowing myself to ask my question here because I see a connection with the one asked.

                    Currently I have a pfSense and behind it there is a Windows Server 2008 with AD, DNS and DHCP.

                    My config:

                    • Windows Server with AD DNS DHCP : 192.168.0.2
                    • Hyper-V (for another software) : 192.168.0.2
                    • WAN : 192.168.3.2 (gateway : 192.168.3.1)
                    • LAN : 192.168.0.249

                    I recently asked questions on the forum because my SSL filtering is showing nothing except an error message, and pfBlocker is not blocking anything and not activating SafeSearch.

                    How can I prevent my clients from using pfSense's DNS and not Windows? Should I make a relay? Which option should I use?

                    Thank you in advance.

                    • johnpoz (LAYER 8 Global Moderator) @Sweety, Feb 9, 2021, 12:59 PM (edited 1:01 PM)

                      @sweety said in dns replication between pfsense and windows server:

                      How can I prevent my clients from using pfSense's DNS and not Windows

                      Well, for starters, how would your clients be pointing to pfSense in the first place for DNS, unless you set them, or set your DHCP server, to point there?

                      But to "prevent" clients from using pfSense DNS, put in a firewall rule that allows your AD IP 192.168.0.2, and a rule below that blocks all access to the pfSense IP for DNS.

                      Rules are evaluated top down; the first rule to trigger wins, and no other rules are evaluated.

                      As to your Hyper-V IP sharing your server's IP: why would you not just bridge your VMs to your LAN and let them have their own IPs, .3, .17, .x etc.?

                      This way you could either allow them to use pfSense DNS as well, or not.

                      As to relay?? Not sure why you would think you need a "DHCP relay"?? If your AD is doing DHCP, then DHCP should not be enabled on pfSense.

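The top-down, first-match evaluation johnpoz relies on in the post above, worked through as an added example. This is not pfSense or pf code: it is a small evaluator over a constructed rule list using the two addresses Sweety posted (AD DNS 192.168.0.2, pfSense LAN 192.168.0.249) and constructed test packets. It also shows what happens when the block rule is placed below the stock "Default allow LAN to any" rule, and, as an extension not in the thread, a stricter variant that blocks DNS to every destination other than the AD server.

```python
"""First-match evaluation of pfSense LAN rules, as johnpoz describes it.

Added example, not pfSense or pf code.  The addresses are the ones posted in
the thread (AD DNS 192.168.0.2, pfSense LAN 192.168.0.249); the rule lists
and the sample packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    dst: str               # destination network in CIDR notation, or "any"
    dport: Optional[int]   # destination port; None matches any port
    descr: str = ""

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        """Protocol, destination address and destination port must all match."""
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Walk the rule list top down.  The first matching rule decides and the
    remaining rules are never consulted; a packet matching nothing falls to
    pf's implicit default deny."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action, rule.descr
    return "block", "implicit default deny"


# johnpoz's layout: a pass for the AD server, a block for pfSense's own LAN
# address, both placed above the stock "Default allow LAN to any" rule.
LAN_RULES = [
    Rule("pass",  "tcp/udp", "192.168.0.2/32",   53,   "Allow DNS to AD DNS"),
    Rule("block", "tcp/udp", "192.168.0.249/32", 53,   "Block DNS to pfSense"),
    Rule("pass",  "any",     "any",              None, "Default allow LAN to any"),
]

# Same rules with the block placed under the default allow: the default rule
# matches first, so the block never fires.
MISORDERED_RULES = [LAN_RULES[0], LAN_RULES[2], LAN_RULES[1]]

# Constructed extension (not in the thread): block DNS to *any* destination
# below the AD pass, so a client pointed at a public resolver is stopped too.
STRICT_RULES = [
    LAN_RULES[0],
    Rule("block", "tcp/udp", "any", 53, "Block all other DNS"),
    LAN_RULES[2],
]

# Constructed sample packets: (protocol, destination IP, destination port).
SAMPLE_PACKETS = [
    ("udp", "192.168.0.2", 53),     # client -> AD DNS
    ("udp", "192.168.0.249", 53),   # client -> pfSense unbound
    ("tcp", "192.168.0.249", 443),  # client -> pfSense web GUI, unaffected
    ("udp", "8.8.8.8", 53),         # client -> public resolver
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt,
              "ordered:", evaluate(LAN_RULES, *pkt),
              "misordered:", evaluate(MISORDERED_RULES, *pkt),
              "strict:", evaluate(STRICT_RULES, *pkt))
```

With johnpoz's two rules the ordering between them is not what matters (they target different destinations); what matters is that both sit above the default allow, otherwise the block is dead. The same evaluator shows why the pair does not stop a client that is pointed at an external resolver: only the strict variant, which blocks port 53 to any other destination, does that.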
                      • Sweety @johnpoz, Feb 9, 2021, 3:45 PM

                        @johnpoz I actually have a DNS server just behind my pfSense proxy. I want users to use the DNS of pfSense and not that of my Windows Server (I must be explaining myself wrong, I'm just starting out ^^'). Do I need to redirect my DNS?

                        • johnpoz (LAYER 8 Global Moderator) @Sweety, Feb 9, 2021, 3:49 PM

                          Again, your clients are going to use whatever DNS you tell them to, be it on the client directly or via DHCP.

                          If you want clients to use NS X, then point them there. You then just have to make sure that NS can look up any local domains via whatever other DNS you're running, say on your AD.

                          If you're an AD shop, it just makes no sense to not point your clients directly to your AD.

                          • Sweety @johnpoz, Feb 9, 2021, 3:55 PM

                            @johnpoz So I just have to redirect users via my DHCP, and each user can use my pfSense DNS?

                            • SteveITS (Galactic Empire) @Sweety, Feb 9, 2021, 3:59 PM

                              You will want your Windows PCs using your Server as DNS so they can find the domain.

                              You can set your pfSense as a forwarder in Windows DNS, so Windows sends all queries it receives to the pfSense.

                              • Sweety @SteveITS, Feb 9, 2021, 4:00 PM (edited 4:02 PM)

                                @teamits Yes, that's it!! How can I do that? Just in the forwarder (redirect) options in Windows Server DNS? Does it work with WS 2008? ^^ Thank you

                                • SteveITS (Galactic Empire) @Sweety, Feb 9, 2021, 4:08 PM

                                  We don't have any 2008 under management as it's past EOL but here's a screenshot from 2012 R2:

                                  [screenshot: the Forwarders tab of the DNS server properties in DNS Manager on Windows Server 2012 R2]

                                  If the "Forwarders" icon isn't showing there go into the properties of the server icon in the left pane and it is a tab in there.

                                  There should be plenty of web pages with instructions for 2008.

                                  • Sweety @SteveITS, Feb 9, 2021, 4:11 PM

                                    @teamits Yes, the school does not want to change its Windows Server x)
                                    Thank you for your help, have a nice day!!
