dns replication between pfsense and windows server
-
Hi,
i'm using pfsense 2.4.5-RELEASE-p1.
my pfsense is the primary dns server for my active directory.
I m wondering if it is possible to replicate the dns zone from pfsense to a windows server?
Can anyone help me.
Thank in advance -
@jmriviere said in dns replication between pfsense and windows server:
my pfsense is the primary dns server for my active directory.
Why? If your an AD shop - use your MS server as your DNS.. If you want that to forward to pfsense to resolve stuff that is located there, ok or for it to resolve the internet sure.
But for what reason would you not run dns and dhcp on your AD servers? Really makes no sense to me at all to run such a setup.
-
@johnpoz
hi this is the configuration of my compagny. dns and dhcp on the pfsense.so every time you want to add a pc on the domain i need to change dns setting to point to the DC then switch to the pfsense this is the problem. so i would like to replicate the zone between pfsense and windows server.
thank you -
Who's brilliant idea was that? When you have a dns and dhcp server right there on your AD.. Just boggles the mind...
If you insist on pointing clients to pfsense for dns - then just setup a domain override on pfsense for your AD domain(s)..
There is no reason to sync anything.. But it would be possible to do zone transfers with bind and MS dns.. Unbound is not going to do zone transfers. Since it is not meant to be an authoritative NS.
-
@johnpoz
we already done this opérations.So do you have an idea to workaround the integration on the domain?
Because like i said the configured dns for the client point to the pfsense instead of the DC.
thank -
Agreed, your network should have turned off DHCP on the pfSense and use the domain. Hindsight, I guess.
I think it will work if you configure a "Domain Overrides" in the DNS Resolver settings and point that to the Windows Server's IP. Then pfSense will forward queries for that zone there.
-
@teamits thank but the problem is the boss doesn't want to use the DC as DNS
-
No offense, but your Boss is an idiot ;)
Again - just setup a domain override in unbound to point whateverADdomain.tld to the IP(s) of the DNS that is running in AD..
And whatever other arpa zones you might have on there.
To do a domain override to a downstream NS, you will have to let pfsense use your lan interface for outgoing if you have changed that from the default of all. You will also need to setup private domain or you will get rebind issues, or turn off rebind protection completely.
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
Just out of curiosity, if you happen to know - maybe you should ask him. What is the technical reason he wants to do it this way.. Vs the simple, MS best practice and correct solution of pointing clients that are members of the AD to the AD nameserver(s)..
If he also has his heart set on sync - then you would need to use the bind package to be able to setup zone transfers..
I would be curious to hear what he thinks he gets out of pointing clients to pfsense vs just the AD dns and dhcp?
If his goal is to leverage say pfblocker via unbound, you can still use that via clients pointing to AD dns, and then AD dns forwarding to pfsense.
-
@johnpoz Hello, I allow myself to ask my question here because I see a connection with the one asked.
Currently I have a pfSense and behind it there is: Windows Server 2008 with AD, DNS and DHCP.
My config :
- Windows Server with AD DNS DHCP : 192.168.0.2
- Hyper-V (for another software) : 192.168.0.2
- WAN : 192.168.3.2 (gateway : 192.168.3.1)
- LAN : 192.168.0.249
I recently asked questions on the forum because my SSL filtering is showing nothing except an error message and pfBlocker is not blocking anything and not activating safeSearch.
How can I prevent my clients from using pfSense's DNS and not Windows ? Should I make a relay, which option should I use?
Thank you in advance.
-
@sweety said in dns replication between pfsense and windows server:
How can I prevent my clients from using pfSense's DNS and not Windows
Well for starters how would your clients be pointing to pfsense in the first place for dns. Unless you set them, or set your dhcp server to point there?
But to "prevent" clients from using pfsense dns, put in a firewall rule that allow your AD IP 192.168.0.2, and rule below that blocks all access to pfsense IP for dns.
Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
As to your hyper-V IP sharing your Servers IP - why would you not just bridge your vms to your lan, and let them have their own IPs, .3, .17, .x etc..
This way you could either allow or not for them to use pfsense dns as well.
As to relay?? Not sure why you would think you need a "dhcp relay"?? If your AD is doing dhcp, then it dhcp should not be enabled on pfsense.
-
@johnpoz I actually have a DNS server just behind my pfSense proxy. I want users to use the DNS of pfSense and not that of my Windows Server (I must be explaining myself wrong, I'm starting ^^') Do I need to redirect my DNS ?
-
Again your clients are going to use whatever dns you tell them too.. Be it on the client directly or via dhcp.
If you want client to use NS X, then point them there.. You then just to make sure that NS can look up any local domains via whatever other dns your running say on your AD.
If your a AD shop - it just makes no sense to not point your clients directly to your AD..
-
@johnpoz So I just have to redirect users by my DHCP, and each user can use my pfSense DNS ?
-
You will want your Windows PCs using your Server as DNS so they can find the domain.
You can set your pfSense as a forwarder in Windows DNS, so Windows sends all queries it receives to the pfSense.
-
@teamits Yes that's it !! How can I do that ? Just in the forwarder (redirect) options in Windows Server DNS ? It's working with WS 2008 ? ^^ Thanks u
-
We don't have any 2008 under management as it's past EOL but here's a screenshot from 2012 R2:
If the "Forwarders" icon isn't showing there go into the properties of the server icon in the left pane and it is a tab in there.
There should be plenty of web pages with instructions for 2008.
-
@teamits Yes, the school does not want to change its Windows Server x)
Thank you for your help have a nice day !!