Netgate Discussion Forum
    PfSense DHCP + AD DNS

    DHCP and DNS
    6 Posts 3 Posters 2.2k Views
    • kanecharles92

      Hi All,

      I know this has most likely been asked elsewhere in other wording, however I haven't been able to paint a clear picture from the responses given on those questions.

      What I have:

      • pfSense running on a Watchguard Firebox x550e

      • Server 2012 R2 Domain Controller running in a nested ESXi Environment

      I want to continue using my Firebox running pfSense as DHCP and DNS (Secondary), but have my 2012 AD VM run primary DNS, this is for the following reasons:

      • For times where I need to take my server down, I need DHCP to stay up so that others in the house have got DHCP still available, hence why I went for a hardware solution instead of virtual

      • I need AD for a number of vSphere Applications I want to run, so I need to be able to resolve local hostnames against my local domain

      Taking the above into account, my question is what is required to achieve the following:

      • DHCP Running on pfSense (firebox), registering DHCP leases (both dynamic and static) in the DNS server running on the 2012 AD host

      Thanks,
      Kane.

      • johnpoz LAYER 8 Global Moderator

        So you take down this DC for how long exactly?  The only thing that happens if your dhcp is down is that new clients wouldn't get an IP.  Your other clients will continue to use their lease until it expires.  How long are your leases?  Keep in mind that pretty much every client should be somewhere above the 50% mark when dhcp goes down.

        How exactly do you think your dns is going to work.. So you set AD as primary and pfsense as secondary on your clients.  So what happens when your clients decide to ask pfsense for one of your AD hosts?  Or will it just send back NX because internet has zero info about our AD domain..

        The actual order of dns in windows doesn't mean they ask dns 1, and then ask dns 2 every time you query something.  Or if dns 1 doesn't answer, etc.  There is a whole algorithm to how the windows client determines which dns to use.  What I can tell you for sure is you can not be sure after any amount of up time that this client will still be using dns 1, and has not switched over to dns 2, etc.

        If you're going to point clients to more than 1 nameserver, you need to make sure that these nameservers can resolve the same stuff.  I.e. you point to multiple local (that can then resolve public), or you point to multiple public.  You don't point 1 at local, and then another at public.. This is going to cause you pain at some point in the future.

        So if you want to run multiple dns, then you need to run dns that can share the zone.  So for example you could use Bind on pfsense vs unbound or dnsmasq so that you can set up an actual secondary nameserver to your SOA, which would be your windows box.

        For your dhcp issue.. Normally as stated dhcp being down for a short time normally is not a big issue.  You have to reboot your VM for patches, or actually reboot the host for patches, etc.  If you're going to have your AD down for an extended period then you could enable a scope running on pfsense.  But for this short window there seems to be no reason for it to have to register settings in your AD since to be honest your AD dns is down is it not?

        If you're going to run AD, and you're going to have your devices be members of this AD.. Then you should use the MS dhcp and the DNS.. If you need some failover for these systems having to be up 24/7 then you need to fire up another DC in your AD that can do dns and dhcp for your AD..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • kanecharles92


          @johnpoz, it's too difficult to predict the time that the DC would be down for, take a hardware failure for instance, it could be any number of days until it is fixed. I've got the default lease time set (2 hours) and would like to keep it that way in the event of changes that I'd like to be rolled out fairly quickly without performing a manual refresh on all devices.
          It is imperative that during that time DHCP stays up.

          All of the hosts on the network that would require the AD component to work are within that ESXi server, hence if the server was to be down, it wouldn't be an issue not having AD up because the rest of the devices on the network don't need any form of domain knowledge whatsoever. Having pfsense set as secondary DNS is simply so that devices outside of that ESXi host can still have DNS in the event that my AD host is down, and most likely the entire ESXi host too.

          I was going to configure a forward lookup on AD so that if it can't resolve the address, it'll ask for a response from the web, pretty standard stuff.

          I've taken onboard what you've said johnpoz, do you have any tips/advice/links on how to:

          So if you want to run multiple dns, then you need to run dns that can share the zone.  So for example you could use Bind on pfsense vs unbound or dnsmasq so that you can set up an actual secondary nameserver to your SOA, which would be your windows box.

          …  if you're going to have your AD down for an extended period then you could enable a scope running on pfsense ...

          and to answer my original question, is it possible for pfsense to register dhcp leases (both static and dynamic) in the AD's DNS table?

          Thanks,
          Kane.

          • doktornotor Banned

            Neither unbound nor dnsmasq registers anything in AD DNS. You'd be a whole lot better off replicating the AD DNS to Bind secondary zone and keeping the DHCP server off, just configured in case it's needed.

            • kanecharles92


              @doktornotor, is it not possible to make use of the DNS Forwarder and its "Register DHCP leases in DNS forwarder"
              and "Register DHCP static mappings in DNS forwarder" options?

              Sorry for the stupid questions, I'm just having a bit of trouble getting my head around how I can continue to run DHCP from my pfsense box but maintain AD DNS entries based on DHCP leases.

              Cheers

              • johnpoz LAYER 8 Global Moderator

                " I can continue to run DHCP from my pfsense box but maintain AD DNS entries based on DHCP leases."

                You don't, or you let the client register with the dns SOA..

                Why do you think you need to run dhcp on pfsense? When you have dhcp on your AD.. Makes zero sense to me..
                "the rest of the devices on the network don't need any form of domain knowledge whatsoever. "

                Then WTF are you pointing them at your AD dns for??  Only members of your AD need to point there..

                Dude.. Why do you not just point your VMs to your AD, put them on their own segment so they can use their own dhcp.  Now you just create forwarders for the domains so that they can resolve each other.

                So you have host.pfsense.tld point to pfsense and get dhcp from pfsense, and you have host.ad-domain.tld get their dns and dhcp from AD..

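Both designs proposed in this thread need something configured on the domain controller: johnpoz's and doktornotor's "shared zone" option (BIND on pfSense as a secondary for the AD zone, with the DC staying the SOA) requires the DC to permit zone transfers to pfSense, and johnpoz's last suggestion (domain members on their own segment, the two domains forwarding to each other) requires a conditional forwarder on the DC. The following is an added example, not code from the thread, from Netgate or from Microsoft documentation. The zone names `ad.example.local` and `home.example.local` and the pfSense address `192.0.2.1` are assumptions; the cmdlets are from the DnsServer module that ships with Windows Server 2012 R2.

```powershell
# Added example (not from the thread): DC-side DNS configuration for the two designs above.
# Assumed names and addresses:
#   ad.example.local   - AD DNS zone held on the 2012 R2 DC
#   home.example.local - zone pfSense serves to the non-domain devices
#   192.0.2.1          - pfSense LAN address (TEST-NET-1, placeholder)
# Run from an elevated PowerShell on the DC (DnsServer module, Windows Server 2012 R2 or later).

$AdZone      = 'ad.example.local'
$PfSenseZone = 'home.example.local'
$PfSenseIp   = '192.0.2.1'

# Design 1: shared zone. The DC stays the SOA; pfSense running the BIND package pulls
# the zone by AXFR/IXFR as a secondary. Transfers are restricted to the listed secondary
# only (never TransferAnyServer, which hands the whole host list to anyone who asks),
# and the DC notifies it on change so the copy does not lag behind the SOA refresh timer.
Set-DnsServerPrimaryZone -Name $AdZone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers  $PfSenseIp `
    -Notify            NotifyServers `
    -NotifyServers     $PfSenseIp

# Design 2: separate segments. Domain members use the DC for DNS and DHCP; everything
# else uses pfSense. Each side forwards the other's zone: the DC gets a conditional
# forwarder for the pfSense zone (stored in AD so every DC receives it), and on pfSense
# a Domain Override for ad.example.local pointing at the DC does the reverse.
Add-DnsServerConditionalForwarderZone -Name $PfSenseZone `
    -MasterServers $PfSenseIp `
    -ReplicationScope 'Forest'

# Check the result: the AD zone should list pfSense as the only allowed secondary,
# and the pfSense zone should show up as a Forwarder zone.
Get-DnsServerZone -Name $AdZone |
    Format-List ZoneName, ZoneType, SecureSecondaries, SecondaryServers, Notify
Get-DnsServerZone -Name $PfSenseZone |
    Format-List ZoneName, ZoneType, MasterServers
```

For design 1 the matching BIND zone on pfSense is a secondary (slave) zone with the DC as its master; note that on a default AD install the `_msdcs.<forest root>` records live in their own zone, which must be transferred the same way or domain-join and DC-locator lookups will fail against the pfSense copy. Neither design makes pfSense's DHCP write into AD DNS; as the last reply says, domain-joined Windows clients register their own A and PTR records with the SOA by secure dynamic update whichever server handed out the lease, so AD DNS still learns the hosts that actually need to be in it.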
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.