Can pfSense's DHCP server (securely) update Microsoft DNS?

chamm

This question has been asked before, but all instances I was able to find were answered with "Why would you want to do that?"

Respectfully, let's assume that I really do want to do that, and I have awesome reasons for wanting to do so. I've got a pretty fair amount of experience with both pfSense and Microsoft DNS, and it seems like the pieces are there to make this happen, but could anyone give any helpful pointers?

I'm fiddling around in the "DNS Resolver" section, and I see "Enable registration of DHCP client names in DNS" which looks pretty promising. There are entries for "DNS Domain key" and "DNS Domain key secret," which hints at maybe something that could be set up as a trust point in Microsoft's DNS server. There are also RFC 2136 settings in the Dynamic DNS menu. Microsoft DNS server allegedly supports RFC 2136.

But I'm having trouble piecing together exactly how to make these pieces work together. pfSense and Microsoft use differing terminology, and the effort I put into this was fruitless.

Am I chasing an impossible dream, or can these things actually be made to talk (securely) with one another?

johnpoz

Lets say you could do it with 1 click..  What would be the point/use case for doing this??

KOM

This exact same discussion from almost a year ago today, also answered by John…

https://forum.pfsense.org/index.php?topic=99558.0

This one's form 3 years ago...

https://forum.pfsense.org/index.php?topic=63280.0

johnpoz

I would for sure be willing to spend time to see if this can be done and even do a write up for future users on how to do it.  If could find an actual use case that makes sense..

I can not think of one reason why I should run dhcp on pfsense, and then register those in MS dns.. It just makes no sense to do that.. But hey maybe I am not thinking of your specific use case where it does make sense..  So lets hear it, and then if makes sense then I will have found a new bone to chew on until it works ;)

You have to be thinking of something to think this is something you should do, so lets hear it.. All ears!

chamm

Thank you for the links - I did see both of those posts, and read them in detail. Both were answered by John with "At a loss to why you would want to do this?" and "Why are you running pfsense dhcp if you have AD..  I don't see the point?" They then go into various ways to not have the DHCP server from pfSense update Microsoft DNS.

I have a single Hyper-V host (Server core) which is running several guest machines, including an AD DS server. The DNS resolver on pfSense has conditional forwarders set for the appropriate zones hosted on the AD server, and everything else resolves outside. I could run Microsoft DHCP on the guest machine, but I really don't want to. On a reboot, the host will come up before the guests, and likely fail to obtain an IP address. Also, not everything on the network is Microsoft. I should be able to shut off the server, and everyone will still be able to get an IP address on their phones and tablets. Given this constraint, I would still really like to be able to have the Microsoft DNS server have mappings for the local devices.

Add to all of this, I am located many hundreds of kilometers from the site, and should something happen with the Hyper-V guest or the host, I don't want to have to make a trip out there.

So my original question stands: Can pfSense's DHCP server (securely) update Microsoft DNS?

chamm

To add further detail: Hyper-V server (the free version) cannot have the DHCP role installed. Otherwise, that would probably be an OK way to go. I'm setting this up for a friend on a shoestring budget, so we can't reasonably pile on another MS Server license.

I've been using pfSense for nearly a decade, and it has proven to be robust and reliable. I have dozens of active installations, so I can handle some pretty heavy lifting. (Although if you tell me to recompile the kernel, you've probably lost me.)

This just seems like something that should be possible.

johnpoz

Why would your host be dhcp??  I can understand why your VMs might be dhcp for the ONLY reason to be able to change info handed to them via dhcp, etc.  I guess same could be said for the host. But why would these not be reservations??  So you will always know what the machine IP, so set them up in your dns..

You sure do not need to do dynamic registration of these sorts of VMs..  Why would their IPs change?

Dynamic registration of IPs are for clients, when you have a LOT of them!!!  And they move between networks, come and go from the network, etc.  So yeah you need to make sure AD knows when then IPs change.  You bring new client machines on all the time, their names change when users get new machines as replacements, etc.  So yeah in this case it would be to much of an issue to manage.

In your scenario VMs IPs should never change, am I missing something on why they should change?  So just create the entries in your DNS and your done..  No need for any registration at all.. How many VMs do you have on this host..  Be you in the time it took you to write the question you could of created the reservations and made the dns entries ;)

To be honest in such a setup why would you even use dhcp to be honest??  What info would be changing that you might want to hand out via dhcp?  Just make everything static, make your dns entries and your done.. Now you have 1 less service to worry about ;)

And I will go back to the previous threads..  Why are you pointing AD clients to pfsense for dns?  Just to send them back to your AD dns?  Why would not just point them to your AD dns..  and now you don't even have to use psfense dns either..  And you don't have to spend any time setting up conditional forwarders, etc.  Do these VMS do a lot of external browsing or sending emails where they just need to query public dns all day long?  If they do more external dns queries than internal might make sense to just cut out AD as a middle man if you don't want it actually talking to roots or forwarding to an ISP, etc.

But pointing to your pfsense and then setting up conditional forwarders is just more work.. As to your non MS boxes, MS dns doesn't care who asks it for stuff ;)

chamm

I've considered static IP addresses, especially for the VM Host. You're correct in saying that there is probably not a need, especially in this installation, to have that on a DHCP reservation. (Which is how it's currently set up.) However, in my day job, I manage much larger networks with dozens of VM hosts, and hundreds, if not thousands, of guests. Even if they are "servers" and not "clients," managing their IP addresses statically would be a fast way to insanity. So I'm just generally in the habit of making everything in the network DHCP. (Excepting the DHCP server, of course.)  ;)

So, if I decided to make the host and AD controller statically assigned, I've worked around one problem. However, if something happens at the site, and the guest machine for the AD controller doesn't come up properly, then nothing within the network can access Internet. They have a VoIP PBX and an alarm system, neither of which care about Windows, that will be non-functional if DNS goes down. So I could statically set their DNS server to the pfSense box, and everything else to the Windows box. Except the cell phones and tablets. And I could definitely do some stuff through Group Policy.

Of course there are many, many ways to work around these problems. I understand that. But having a single DHCP server and a DNS server on a reliable "never-fail" piece of hardware/software, and forwarding only the domain.local, _msdcs.domain.local and 1.1.10.in-addr.arpa zone requests to the Windows server is a simple and elegant way to handle all of these problems.

I'm really not trying to be oppositional here. I'm really just trying to find out if it is something that is technically possible.

I appreciate all of the input so far. Just hoping to find answers. :)

Cheers.

QUICK EDIT: I do have static DNS entries for my VM Host and the AD controller, which correspond to static DHCP entries on pfSense. But the client registrations aren't in DNS, and Active Directory really doesn't like that. I can use Group Policy to force Windows clients to register their DHCP entries with DNS themselves, but this leaves out the non-Windows devices.

YipYip

i just found this link where he goes into detail doing what your after

http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/

msoultan

I'm also interested in knowing whether dynamic updates of a MS DNS server would be possible from a pfSense DHCP server.

And for those that are curious, we have many site-to-site TUN VPN connections (something outside of my ability to change).  From my reading this type of VPN tunnel does not allow for DHCP broadcasts so instead I wanted to see if it's possible for the client-side pfSense DHCP service to update the remote MS DNS server with the DHCP leases that it hands out.  And yes, MS clients will automatically handle their DDNS registrations, but there are other non-MS clients that would have to rely on the pfSense DHCP server to do that for them.  This would save me a lot of typing from adding DNS entries manually…

thanks,
Mike

Tomahawk

From my view this topic is still unaswered.
All related topics are only targeting at not to register dhcp clients in MS DNS.
But thats exactly what some users seem to need in some situations.

I tried running DNS on pfsense as well, but unbound crashes really often when performing zone transfers. I need unbound and cannot use bind instead because I'm using pfblocker to filter public DNS. So in my environment it makes sense to keep local DNS Zone on the existing AD Servers.

Gertjan

@tomahawk said in Can pfSense's DHCP server (securely) update Microsoft DNS?:

I tried running DNS on pfsense as well, but unbound crashes really often when performing zone transfers. I need unbound and cannot use bind instead because I'm using pfblocker to filter public DNS

Checkout https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

Bind is capable of doing what you want, as it is designed to be an "Authoritative server" : it can do zone transfers.
Unbound can do some of the tricks of what bind does : resolving, DNS caching (and others), but, as you can see :

Btw : I guess I have to ask this question several times a day : how often does your unbound restart each day (hint : the logs ...).
If some transfer is in progress (dono how that works for unbound) and it gets kicked around(restarted) then yeah, no good.

Keep in mind that unbound was used for pfSense so the 'network' has a centralized, DNSSEC capable DNS cache and resolver. No special settings needs. It works out of the box.
Just perfect for pfSense.
Most probably, Netgate's developers didn't have in mind that interfacing was needed with "AD Servers".

Btw : Unbound is build, designed, maintained and upgraded here : https://www.nlnetlabs.nl/projects/unbound/about/ as Netgate did not write this thing, a project as big as pfSense itself.

bmeeks

@tomahawk said in Can pfSense's DHCP server (securely) update Microsoft DNS?:

From my view this topic is still unaswered.
All related topics are only targeting at not to register dhcp clients in MS DNS.
But thats exactly what some users seem to need in some situations.

I tried running DNS on pfsense as well, but unbound crashes really often when performing zone transfers. I need unbound and cannot use bind instead because I'm using pfblocker to filter public DNS. So in my environment it makes sense to keep local DNS Zone on the existing AD Servers.

If you have a MS DNS server, why not also use the MS DHCP service? MS DHCP can seamlessly update MS DNS in a secure fashion.

So disable DHCP on pfSense and enable it on the MS server, then your LAN clients will use the MS DHCP server which will seamlessly update DNS if you also enable that on the Microsoft side.

As for using pfBlocker and unbound, simply configure your MS DNS server to be a forwarder and to forward external DNS requests (i.e., for zones it is not authoritative for) to unbound on pfSense. Then unbound is configured to resolve (which is its out-of-the-box configuration anyway).

serbus

@tomahawk said in Can pfSense's DHCP server (securely) update Microsoft DNS?:

From my view this topic is still unaswered.

Hello!

https://unix.stackexchange.com/questions/270097/isc-dhcp-with-active-directory-secure-dynamic-dns-updates

John

Volans

@chamm

https://japtaincack.blogspot.com/2018/02/pfsense-dhcp-dynamic-dns-updates-to.html

I think this is what you want.

IamGimli

Here's another use case that the suggestions provided don't address.

pfSense is the main router for a home Internet subscription which has dynamic IP through PPPoE.

There's an FTP server sitting behind the pfSense router which needs the WAN interface IP to properly process passive mode transfers. This can be configured using a host name but the host name has to resolve to the WAN interface address.

The LAN side of the network (where the FTP server sits) is serviced by a MS DNS server, which hosts the same zones as the ones updated by pfSense's Dynamic DNS service on the WAN side. Local clients get local addresses from the local MS DNS server while public clients get the WAN address from public DNS servers. The local MS DNS server forwards requests for zones it doesn't host to public DNS servers but, since the same zones are used internally and externally, it never forwards requests for the zone used to the public DNS servers.

Ideally it would be possible to setup the pfSense Dynamic DNS engine to update a specific host name on the local MS DNS server with the WAN IP. the FTP server could then reference that host name to get the WAN IP and process passive mode requests properly. DHCP is not in use in this use case therefore the solution linked by @Volans doesn't apply.

SteveITS

@IamGimli If I’m following correctly, can a CNAME be set up to point wan.example.com to the dynamic DNS hostname? Or use the latter directly? Which isn’t what you asked but gets to the same place.

There are detection sites like checkip.dyndys.com. I would think a script on the server could detect the IP and create/update an A record in DNS.
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd#dnscmd-recordadd-command

IamGimli

Both internal and external zones have the same name so a CNAME in the internal zone will resolve to the internal IP.

Let's say Dynamic DNS sets WAN.example.com on the outside zones. The internal zone would either resolve WAN.example.com to the local address of an internal system (whatever is set by CNAME) or return a non-existent record. The local DNS server would never forward the request to an external DNS server because it hosts a zone called example.com.

SteveITS

@IamGimli I’m suggesting something like

Dyn: wan.dynprovider.com

Internal: wan.example.com CNAME wan.dynprovider.com

External/public: wan.example.com CNAME wan.dynprovider.com

That needs the third party dyn though.

Alternatively, it should work to create zone wan.example.com on Windows and delegate to public DNS/NS via NS records. Which needs wan.example.com to resolve there as well.

Tomahawk

As there was no option covering all my use cases I decided a full redesign of my DNS setup. (but it is quite komplicated if you want to use all features like I do)

I am now running a BIND on top of PFSENSE as primary server for my internal DNS Zones. The MS DNS gets a copy of it using Zone Transfers.
All MS AD Zones like "_msdcs" or "_tcp" are deligated to the MS DNS server to be the primary and the BIND gets a copy of them using Zone Transfers.
The DHCP is configured to update Subdomain(s) primary hosted by BIND - works well.

As I wanted to use DNS Filtering using PFBlocker I also needed to have Unbound in place.
Unbound is configured to be the primary DNS for all DHCP clients. (this allows per client logging and blocking/unblocking)
It gets a copy of the Internal Zones using Zone transfers (from MS DNS and from BIND.
MS DNS and BIND DNS are forwarding all requests for non-local domains to the unbound. (so they are getting filtered, too)

This setup is running stable since some time.