dns replication between pfsense and windows server
-
No offense, but your boss is an idiot ;)
Again, just set up a domain override in unbound to point whateverADdomain.tld to the IP(s) of the DNS that is running in AD.
And whatever other arpa zones you might have on there.
To do a domain override to a downstream NS, you will have to let pfsense use your lan interface for outgoing if you have changed that from the default of all. You will also need to set up a private domain or you will get rebind issues, or turn off rebind protection completely.
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
Just out of curiosity, if you happen to know (maybe you should ask him): what is the technical reason he wants to do it this way, vs. the simple, MS best practice and correct solution of pointing clients that are members of the AD to the AD nameserver(s)?
If he also has his heart set on sync, then you would need to use the bind package to be able to set up zone transfers.
I would be curious to hear what he thinks he gets out of pointing clients to pfsense vs just the AD dns and dhcp?
If his goal is to leverage, say, pfBlocker via unbound, you can still use that via clients pointing to AD dns, and then AD dns forwarding to pfsense.
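The domain override plus private-domain setup described above, written out as the unbound directives it corresponds to (an added example, not from the original post or from pfSense itself). The AD domain corp.example.tld and the 192.168.0.0/24 LAN are assumed placeholders; 192.168.0.2 is the AD/DNS address given later in this thread. On pfSense the forward-zone stanzas are roughly what the Domain Overrides page generates, and the server: lines go in the DNS Resolver Custom Options box:

```conf
# Added example (not from the original post). Assumed values:
#   AD domain  : corp.example.tld   (placeholder)
#   AD DNS IP  : 192.168.0.2        (the AD/DNS server given later in this thread)
#   LAN subnet : 192.168.0.0/24     -> reverse zone 0.168.192.in-addr.arpa
#
# Also make sure unbound's outgoing interfaces include the LAN address
# (pfSense: Services > DNS Resolver > Outgoing Network Interfaces), or it
# has no route to reach 192.168.0.2 for the forwarded queries.

server:
    # Rebind protection: unbound strips RFC1918 addresses from upstream answers
    # unless the name is under a private-domain, so AD records (which point at
    # 192.168.0.x) would come back empty without this line.
    private-domain: "corp.example.tld"

    # unbound ships a built-in empty (AS112) zone for private reverse ranges;
    # turn that default off so the reverse lookups can actually be forwarded.
    local-zone: "0.168.192.in-addr.arpa." nodefault

# Domain override for the forward AD zone: anything under corp.example.tld
# is sent to the AD DNS server instead of being resolved recursively.
forward-zone:
    name: "corp.example.tld"
    forward-addr: 192.168.0.2

# Same for the reverse (arpa) zone, as the post notes.
forward-zone:
    name: "0.168.192.in-addr.arpa"
    forward-addr: 192.168.0.2
```

After restarting the resolver, a query against pfSense such as `dig @192.168.0.249 somehost.corp.example.tld` should return the LAN address from AD rather than SERVFAIL or an empty answer.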
-
@johnpoz Hello, I am taking the liberty of asking my question here because I see a connection with the one asked.
Currently I have a pfSense and behind it there is a Windows Server 2008 with AD, DNS and DHCP.
My config:
- Windows Server with AD, DNS, DHCP: 192.168.0.2
- Hyper-V (for another software): 192.168.0.2
- WAN: 192.168.3.2 (gateway: 192.168.3.1)
- LAN: 192.168.0.249
I recently asked questions on the forum because my SSL filtering is showing nothing except an error message, and pfBlocker is not blocking anything and not activating SafeSearch.
How can I prevent my clients from using pfSense's DNS and not Windows? Should I make a relay? Which option should I use?
Thank you in advance.
-
@sweety said in dns replication between pfsense and windows server:
How can I prevent my clients from using pfSense's DNS and not Windows
Well, for starters, how would your clients be pointing to pfsense in the first place for dns, unless you set them, or set your dhcp server to point there?
But to "prevent" clients from using pfsense dns, put in a firewall rule that allows your AD IP 192.168.0.2, and a rule below that blocks all access to the pfsense IP for dns.
Rules are evaluated top down; the first rule to trigger wins, and no other rules are evaluated.
As to your Hyper-V IP sharing your server's IP: why would you not just bridge your vms to your lan, and let them have their own IPs, .3, .17, .x etc.?
This way you could either allow or not for them to use pfsense dns as well.
As to relay?? Not sure why you would think you need a "dhcp relay"?? If your AD is doing dhcp, then dhcp should not be enabled on pfsense.
-
@johnpoz I actually have a DNS server just behind my pfSense proxy. I want users to use the DNS of pfSense and not that of my Windows Server (I must be explaining myself badly, I'm just starting out ^^'). Do I need to redirect my DNS?
-
Again, your clients are going to use whatever dns you tell them to, be it on the client directly or via dhcp.
If you want clients to use NS X, then point them there. You then just need to make sure that NS can look up any local domains via whatever other dns you're running, say on your AD.
If you're an AD shop, it just makes no sense to not point your clients directly to your AD.
-
@johnpoz So I just have to redirect users via my DHCP, and each user can use my pfSense DNS?
-
You will want your Windows PCs using your Server as DNS so they can find the domain.
You can set your pfSense as a forwarder in Windows DNS, so Windows sends all queries it receives to the pfSense.
-
@teamits Yes, that's it!! How can I do that? Just in the forwarder (redirect) options in Windows Server DNS? Does it work with WS 2008? ^^ Thank you
-
We don't have any 2008 under management as it's past EOL, but here's a screenshot from 2012 R2:
If the "Forwarders" icon isn't showing there, go into the properties of the server icon in the left pane and it is a tab in there.
There should be plenty of web pages with instructions for 2008.
-
@teamits Yes, the school does not want to change its Windows Server x)
Thank you for your help, have a nice day!!