[SOLVED] DNS Zone Transfer

manjotsc

@gertjan @pete35 @bmeeks Let's say if bind is not the best way to go. Is is possible to make unbound listen on 192.168.40.4 on port 53 and on 1.1.1.1 at port 853?

bmeeks

@manjotsc said in DNS Zone Tranfer:

@gertjan @pete35 @bmeeks Let's say if bind is not the best way to go. Is is possible to make unbound listen on 192.168.40.4 on port 53 and on 1.1.1.1 at port 853?

The official unbound documentation is here: https://nlnetlabs.nl/documentation/unbound/unbound.conf/.

It appears you can configure unbound to listen on multiple interfaces, and with a different listening port on each interface. However, I'm not sure you can do that within the pfSense GUI. You might can pull something like that off using the Custom Options section, but I'm doubtful because the settings you need there are also put into the configuration file by the GUI code (interfaces and port). You could wind up with duplicate settings in the configuration file and unbound may not like that.

The GUI lets you choose multiple interfaces to listen on, but when you choose a port (either 53 or 853), it uses that port for all interfaces.

What exactly are you trying to accomplish? Are you after redundancy for your Windows DNS server, or something else? I'm having trouble understanding how zone transfers figure into listening on different ports (and, I assume, using TLS on the 853 port).

manjotsc

@bmeeks The problem I am running into is that, I have windows computer that needs to be pointed to windows server dns, but on the rest of devices I am using pfsense as main dns because of pfblockerng. I want use pfsense dns on all devices so they can resolve the domain I have in windows server.

Gertjan

It seems that unbound can consult (local) zone information , even do XFERs.
See https://nlnetlabs.nl/documentation/unbound/unbound.conf/

bmeeks

@manjotsc said in DNS Zone Tranfer:

@bmeeks The problem I am running into is that, I have windows computer that needs to be pointed to windows server dns, but on the rest of devices I am using pfsense as main dns because of pfblockerng. I want use pfsense dns on all devices so they can resolve the domain I have in windows server.

Then I would do this.

1. Set up unbound and pfBlockerNG-devel/DNSBL as normal.
2. Within unbound, set up a Domain Override for your local Windows AD domain. Don't forget to also include a reverse pointer look-up zone as part of the override. This domain override tells unbound to ask your Windows DNS server for any lookups from that zone. This would normally be when resolving hosts or IPs from logs or maybe the ARP Table display in pfSense.
3. On your Windows AD DNS server, configure it for forwarding and point it to your pfSense box (where unbound is running) as the forwarding server.
4. Point all of your internal hosts to the Windows DNS server for DNS.

This setup is actually what I use for my personal system. This way Windows clients can get all the AD stuff they need, but all queries for non-local stuff will be forwarded to unbound on pfSense which will resolve via the DNS roots. And if you ask unbound for anything relating to your Windows AD, then unbound will forward those queries to the Windows AD DNS server because of the configured domain override.

manjotsc

@bmeeks This what I had as config, the problem with this is, if a create a static mapping in pfsense for example test.manjot.net, but since devices are pointed to windows server, it will not resolve test.manjot.net unless i manully create that record on windows server.

bmeeks

@manjotsc said in DNS Zone Tranfer:

@bmeeks This what I had as config, the problem with this is, if a create a static mapping in pfsense for example test.manjot.net, but since devices are pointed to windows server, it will not resolve test.manjot.net unless i manully create that record on windows server.

What is the issue of creating the static mapping over in Windows? Really, for a Windows AD domain, you want your DHCP and DNS all handled by Windows anyway (usually all on a domain controller box).

In terms of effort, logging in and creating the mapping in Windows versus doing the same on pfSense seems the same. Maybe I'm missing something critical in what you want to do.

manjotsc

@bmeeks I looking for some automation between pfsense and windows server to sync DNS A records from pfsense static mapping.

Derelict

@manjotsc Again, why not just put the static DNS mapping on the windows DNS server? Why the insistence on using pfSense for DNS? You already have fully-functional DNS servers on Windows.

bmeeks

While unbound can do a lot of things on its own, doing all of them within the pfSense GUI is not so easy. Here is the official documentation for unbound: https://www.nlnetlabs.nl/documentation/unbound/.

What most of us replying to this thread are saying is that things will be easier for you to just use the Windows AD environment completely for DHCP and DNS with it forwarding to unbound for external lookups so you can take advantage of the DNSBL feature of pfBlockerNG-devel. And put any static mappings in Windows. With the domain override properly configured in unbound within the pfSense GUI, any statically-mapped host will resolve just fine from either a Windows machine or the pfSense machine (or any other local host pointing to the Windows DNS server).

johnpoz

@manjotsc said in DNS Zone Tranfer:

I have windows computer that needs to be pointed to windows server dns, but on the rest of devices I am using pfsense as main dns because of pfblockerng

Huh? As others have stated just point ALL your devices to your AD dns.. Then have your AD dns forward to unbound on pfsense - there you go all your devices using pfblocker.. Done! 30 seconds of configuration..

bmeeks

@manjotsc: since we do not know your skill level with DNS, some assumptions were made in our responses.

Do you know the difference between resolving and forwarding DNS servers?

Do you know what a domain override entry is used for in say unbound?

I'm wondering if some of our replies have not been fully understood. Not saying this to impune your ability, just honestly asking. Folks post here with many different skill sets, and sometimes answers can be tweaked for better understanding.

manjotsc

@johnpoz @bmeeks @Derelict @Gertjan Ok I got, I over looked the things a bit, my under standing was that windows server would never forward same domain request to forwarders dns servers. I had to do was delete the manjot.net under Forward DNS Zones and set the primary dns to 127.0.01 and secondary dns to pfsense 192.168.40.1.

Deleted manjot.net

Set DNS Servers on Domain Controller

bmeeks

@manjotsc said in DNS Zone Tranfer:

@johnpoz @bmeeks @Derelict @Gertjan Ok I got, I over looked the things a bit, my under standing was that windows server would never forward same domain request to forwarders dns servers. I had to do was delete the manjot.net under Forward DNS Zones and set the primary dns to 127.0.01 and secondary dns to pfsense 192.168.40.1.

Deleted manjot.net

Set DNS Servers on Domain Controller

Deleting that forward lookup zone is correct. It should never have been there.

However, I'm not sure your DNS Server IP settings are correct. If that 192.168.40.1 IP is your pfSense box, don't do that! Instead, go back to DNS Manager, right-click on the server in the left-hand pane, choose Properties, and enter the pfSense box as the IP of the Forwarding server.

I'm not sure that you fully understand what a Forwarder is. Do a quick search on Google for the diferrence between a Forwarder and a Resolver in DNS. Also check out this link for configuring a Forwarder in Windows DNS: https://technogecko.net/msft/how-to-add-dns-forwarders-in-windows-server-dns/. You should put the IP address of your pfSense box in the Forwarder IP.

manjotsc

@bmeeks Does it looks good?

Thanks,

bmeeks

@manjotsc said in DNS Zone Tranfer:

@bmeeks Does it looks good?

Thanks,

Yes! That should work for you, but you still need to delete that manjot.net zone in the Forward Lookup Zones in the left-hand pane. You don't want to forward lookups for that zone because your AD DNS server is authoratative for that zone (or it should be).

DNS can be a little confusing to the uninitiated, and sometimes when we first get into it, we tend to overestimate what we think we understand ... . Go to Google and do a little research on these DNS terms: resolver, forwarder, and authoratative server. Again, I mean no disrespect as all of us were new to this at some point in our IT career, but your questions and replies indicate that perhaps you do not yet fully understand the critical distinction between those terms I suggested you Google.

manjotsc

@bmeeks It has been deleted,

bmeeks

@manjotsc: that last post looks good on the Windows side. Now over on the pfSense side you need to be sure you have a properly configured domain override in place for manjot.net and the ARPA reverse pointer zones defined in Windows.

For example, here is the Domain Overrides section from my pfSense box for my Windows AD domain:

This tells unbound that for all hosts in "themeeks.net", or that have an IP address in the 192.168.10.0 network, it should ask the DNS server at 192.168.10.4 for the hostname or IP (that's my Windows AD DNS). The only time unbound on pfSense will do this is when I ask it to resolve some IP in the logs that's in my local network, or if I, for instance, view the ARP Table under the DIAGNOSTICS menu.

manjotsc

@bmeeks Thanks, I have configured it in pfsense.

bmeeks

@manjotsc said in DNS Zone Tranfer:

@bmeeks Thanks, I have configured it in pfsense.

That should fix it for you. Now, in the future, if you need to manually create any DNS records for a host, do so over in the Windows DNS server. With the configuration you have in place, your pfSense box will still see them.