[SOLVED] DNS Zone Transfer

johnpoz

@manjotsc said in DNS Zone Tranfer:

I have windows computer that needs to be pointed to windows server dns, but on the rest of devices I am using pfsense as main dns because of pfblockerng

Huh? As others have stated just point ALL your devices to your AD dns.. Then have your AD dns forward to unbound on pfsense - there you go all your devices using pfblocker.. Done! 30 seconds of configuration..

bmeeks

@manjotsc: since we do not know your skill level with DNS, some assumptions were made in our responses.

Do you know the difference between resolving and forwarding DNS servers?

Do you know what a domain override entry is used for in say unbound?

I'm wondering if some of our replies have not been fully understood. Not saying this to impune your ability, just honestly asking. Folks post here with many different skill sets, and sometimes answers can be tweaked for better understanding.

manjotsc

@johnpoz @bmeeks @Derelict @Gertjan Ok I got, I over looked the things a bit, my under standing was that windows server would never forward same domain request to forwarders dns servers. I had to do was delete the manjot.net under Forward DNS Zones and set the primary dns to 127.0.01 and secondary dns to pfsense 192.168.40.1.

Deleted manjot.net

Set DNS Servers on Domain Controller

bmeeks

@manjotsc said in DNS Zone Tranfer:

@johnpoz @bmeeks @Derelict @Gertjan Ok I got, I over looked the things a bit, my under standing was that windows server would never forward same domain request to forwarders dns servers. I had to do was delete the manjot.net under Forward DNS Zones and set the primary dns to 127.0.01 and secondary dns to pfsense 192.168.40.1.

Deleted manjot.net

Set DNS Servers on Domain Controller

Deleting that forward lookup zone is correct. It should never have been there.

However, I'm not sure your DNS Server IP settings are correct. If that 192.168.40.1 IP is your pfSense box, don't do that! Instead, go back to DNS Manager, right-click on the server in the left-hand pane, choose Properties, and enter the pfSense box as the IP of the Forwarding server.

I'm not sure that you fully understand what a Forwarder is. Do a quick search on Google for the diferrence between a Forwarder and a Resolver in DNS. Also check out this link for configuring a Forwarder in Windows DNS: https://technogecko.net/msft/how-to-add-dns-forwarders-in-windows-server-dns/. You should put the IP address of your pfSense box in the Forwarder IP.

manjotsc

@bmeeks Does it looks good?

Thanks,

bmeeks

@manjotsc said in DNS Zone Tranfer:

@bmeeks Does it looks good?

Thanks,

Yes! That should work for you, but you still need to delete that manjot.net zone in the Forward Lookup Zones in the left-hand pane. You don't want to forward lookups for that zone because your AD DNS server is authoratative for that zone (or it should be).

DNS can be a little confusing to the uninitiated, and sometimes when we first get into it, we tend to overestimate what we think we understand ... . Go to Google and do a little research on these DNS terms: resolver, forwarder, and authoratative server. Again, I mean no disrespect as all of us were new to this at some point in our IT career, but your questions and replies indicate that perhaps you do not yet fully understand the critical distinction between those terms I suggested you Google.

manjotsc

@bmeeks It has been deleted,

bmeeks

@manjotsc: that last post looks good on the Windows side. Now over on the pfSense side you need to be sure you have a properly configured domain override in place for manjot.net and the ARPA reverse pointer zones defined in Windows.

For example, here is the Domain Overrides section from my pfSense box for my Windows AD domain:

This tells unbound that for all hosts in "themeeks.net", or that have an IP address in the 192.168.10.0 network, it should ask the DNS server at 192.168.10.4 for the hostname or IP (that's my Windows AD DNS). The only time unbound on pfSense will do this is when I ask it to resolve some IP in the logs that's in my local network, or if I, for instance, view the ARP Table under the DIAGNOSTICS menu.

manjotsc

@bmeeks Thanks, I have configured it in pfsense.

bmeeks

@manjotsc said in DNS Zone Tranfer:

@bmeeks Thanks, I have configured it in pfsense.

That should fix it for you. Now, in the future, if you need to manually create any DNS records for a host, do so over in the Windows DNS server. With the configuration you have in place, your pfSense box will still see them.