AD DNS resolve clients behind pfSense IPsec tunnel



  • I currently have a Windows shop running ADDS. All my Windows offices run DHCP and DNS on the Windows servers. One remote location (my home office) has no need for a Windows server, but I would like to be able to resolve the home office clients (my PC and file server) from the Windows offices. I tried putting the pfSense IP address as a new name server record but it never validates. I'm wondering if I'm missing something in my firewall rules.

    Connected via IPsec tunnel with a Meraki MX84. nslookup works from my home office to work, but not from work (ADDS environment) to home. pfSense is running DNS Forwarder with my work DC in the domain override.

    pfSense Rule
    Action: Pass
    IF: IPsec
    Address family: IPv4
    Protocol TCP

    Source: Single Host or Alias (4 /24 networks)
        Ports: any
    Destination: Single Host or Alias (2 /24 networks)
        Ports: any

    Meraki side: VPN rules allow all



  • To clarify:

    You have an "office AD" and "Home PC" and "Home FS."  You want the machines on the "office AD" to be able to resolve hostnames to your "Home PC" and "Home FS"?

    Does the DNS server in the active directory contain the IP number of the "Home PC" and "Home FS"?  Those office machines, if they are on the AD, should only use the AD DNS Servers…

    If your home PC and Home FS are part of the domain, try to manually set the DNS server on one of them (Home PC) to the IP address of the AD DNS server, and then, on the Home PC, from an admin cmd prompt, run "ipconfig /registerdns".  That should register your Home PC to the domain server's DNS, and allow the office machines to resolve its hostname (though they might have to use the FQDN if the domain name portion of the FQDN is different from theirs.)



  • You have an "office AD" and "Home PC" and "Home FS."  You want the machines on the "office AD" to be able to resolve hostnames to your "Home PC" and "Home FS"? Yes

    Does the DNS server in the active directory contain the IP number of the "Home PC" and "Home FS"?  No

    Those office machines, if they are on the AD, should only use the AD DNS Servers…  They do

    If your home PC and Home FS are part of the domain, try to manually set the DNS server on one of them (Home PC) to the IP address of the AD DNS server, and then, on the Home PC, from an admin cmd prompt, run "ipconfig /registerdns".  That should register your Home PC to the domain server's DNS, and allow the office machines to resolve its hostname (though they might have to use the FQDN if the domain name portion of the FQDN is different from theirs.) Would manual registration update if the leases renew to different addresses? The domain of my home network is different.



  • If the "home" machines aren't part of the AD, they couldn't update the AD DNS anyway (assuming it's configured properly - which means securely.)

    So, the next question becomes:  What DNS server knows the hostname and IP address of your home machines?

    This is starting to become an IPsec-specific thing, I think, so it's going to be outside of the realm where I can help.  I haven't played with IPsec on pfSense, so I'm not sure if your two home machines would be getting IP addresses from pfSense's IPsec configuration, or if there's only one address coming from IPsec and a route created, or what.

    If the "home" machines are static IP addresses (or DHCP reservations) it might be easiest to just create static entries in the AD DNS Server.

    **However, at this point, I'm only taking guesses.  You'd be much better off waiting for someone with more knowledge of how the IPsec stuff works in terms of IP address assignment (and routing) to notice this thread and help out.**



  • @garyd9:

    If the…

    **However, at this point, I'm only taking guesses.  You'd be much better off waiting for someone with more knowledge of how the IPsec stuff works in terms of IP address assignment (and routing) to notice this thread and help out.**

    I guess I'm not really wanting the AD DNS to specifically get updated with my home network's DHCP entries. If it worked like the domain override in DNS Forwarder (which is what I have running on pfSense for local DNS) that would be ideal.  Thank you for taking the time to respond to my issue. I appreciate the effort!
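The two approaches raised in the thread, as an added example that is not part of any post above: garyd9's static A records for hosts with fixed addresses, and the Windows DNS equivalent of pfSense's "domain override", a conditional forwarder that sends queries for the home domain from the DC to pfSense, which is what the last reply asks for. Run on an AD DNS server (or a machine with the DnsServer RSAT module) as a DNS admin. Every name and address below is an assumption: corp.example for the AD domain, home.lan for the home domain, 192.0.2.1 for pfSense, 192.0.2.10/.20 for the home PC and file server, 10.0.0.5 for the DC. Two caveats a practitioner would check first: DNS is UDP/53 with a TCP fallback, and the IPsec rule quoted in the opening post passes only TCP, so the forwarded queries from the DC will be dropped until UDP is allowed too; and pfSense's DNS Forwarder must be willing to answer queries arriving from the office subnets over the tunnel.

```powershell
# Added example, not code from the thread. Requires the DnsServer module
# (installed with the DNS Server role or RSAT). All names/addresses are assumed.
Import-Module DnsServer

$dc         = '10.0.0.5'      # AD DNS server the office clients already use
$adZone     = 'corp.example'  # AD forward lookup zone
$homeZone   = 'home.lan'      # domain served by pfSense's DNS Forwarder
$pfSenseDns = '192.0.2.1'     # pfSense LAN address reachable over the IPsec tunnel

# Option 1 (garyd9's suggestion): static A records in the AD zone.
# Only appropriate if the home hosts are static or DHCP-reserved; these
# records do not follow lease changes, which is the concern raised above.
Add-DnsServerResourceRecordA -ComputerName $dc -ZoneName $adZone `
    -Name 'homepc' -IPv4Address '192.0.2.10'
Add-DnsServerResourceRecordA -ComputerName $dc -ZoneName $adZone `
    -Name 'homefs' -IPv4Address '192.0.2.20'

# Option 2 (Windows equivalent of the pfSense domain override): a conditional
# forwarder. Any domain-joined client asking its DC for *.home.lan has the
# query forwarded to pfSense, which answers from its own forwarder/DHCP data,
# so home lease changes are picked up without touching AD DNS.
# Replicating to the forest makes every DC in the forest forward the same way.
if (-not (Get-DnsServerZone -ComputerName $dc -Name $homeZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -ComputerName $dc -Name $homeZone `
        -MasterServers $pfSenseDns -ReplicationScope 'Forest'
}

# Verify from the office side. Query the DC directly so the lookup exercises
# the forwarder and the tunnel rather than a client cache.
Resolve-DnsName -Name "homepc.$homeZone" -Server $dc -Type A

# Verify the static record independently of the forwarder.
Resolve-DnsName -Name "homepc.$adZone" -Server $dc -Type A
```

If the first Resolve-DnsName times out while the second answers, the conditional forwarder is in place but the DC cannot reach pfSense on UDP/53 through the tunnel, which points back at the firewall rule rather than at DNS configuration.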

