Can pfSense DHCP securely (or insecurely) update Windows 2012 R2 DNS?



  • There are posts in the past on the same topic, however I don't think the question is answered.

    I am in the situation where DHCP is running on pfSense and DNS is Windows DNS as part of AD. So I failed to find a way to update the DHCP lease in Windows DNS.

    Apparently there are a lot of curiosities on why the setup is like this. I will try my best to explain. It is a remote site and many of the devices are cell phones and handheld wireless devices. Those are the more important devices compared to PCs. The Windows server is not that stable because of hardware and environmental issues. Unfortunately that won't change in the near future. So it is not so good to put DHCP and DNS on Windows, because if the server is down, as has happened a couple of times, all devices won't get an IP and they can't connect to the network. Those devices (phones, handheld devices, laptops) belong to the truck drivers, so they come and go all the time. There is no way to give them static IPs.

    The DHCP server has two DNS entries in the config, one is the local Windows server and the other is the Google DNS server. In case the Windows DNS is down (could be days until some IT guys come on site), all other devices can still access the internet and use VPN. Of course some parts of the business are not running as normal but it is bearable.

    Now the challenge is that when the Windows DNS is up and running, the DNS is missing certain entries for DHCP leases or has wrong IP addresses.

    All in all, is there documentation about how to make the pfSense DHCP update Windows (2012 R2 to be specific) DNS? Secure update is best but insecure is OK.

    Thanks,


  • Banned

    No. You shouldn't really run any site on a single AD controller, let alone a broken one.



  • So the answer is no.

    Thanks for the reply and I am on the same page with you. However, money talks. The business owner doesn't want to put any investment into that part and they are kind of OK with server downtime, as long as the internet and VPN are working.



  • I register the DHCP lease in the pfSense DNS resolver and set a conditional forwarder in Windows DNS. Works for me.


  • Banned

    @gjaltemba:

    I register the DHCP lease in the pfSense DNS resolver and set a conditional forwarder in Windows DNS. Works for me.

    Which is the exact opposite of what should be done. :) If you set your clients to use pfSense for DNS, then you should set up domain overrides on pfSense to point back to the AD DNS for the AD zone(s). Doing things the other way round really breaks the AD (unless you have AD DNS replicated to, say, a secondary BIND DNS server running on pfSense).



  • If that is your use case then yes, but for my domain computers using Windows DHCP and DNS it seems like the right way to go.


  • Banned

    @gjaltemba:

    If that is your use case then yes, but for my domain computers using Windows DHCP and DNS it seems like the right way to go.

    Well yes, obviously… So, what's the place for conditional forwarders there? Must be missing something here. ???



  • If you want DNS updates then your best bet is to run DHCP on the DC. However, you imply that your DC is regularly broken.

    If I were you I would set pfSense to be the primary DNS server using the resolver. You can put in an override for your internal domain pointing to your local and, hopefully, another AD DNS server, perhaps over a VPN.

    You could dream up a site subdomain, say mysite.adrealm.co.uk, use pfSense as the DHCP server and have it update mysite.adrealm.co.uk. By default Windows boxes will walk up the DNS hierarchy and it will all hang together. You will have to add glue and NS records to your AD-based DNS to point at your pfSense resolver for mysite.adrealm.co.uk if you want to complete the exercise properly.
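    As an added illustration of the "register DHCP leases in the pfSense resolver" approach discussed in this thread (example code, not pfSense's own implementation), the script below turns records in the ISC dhcpd.leases format written by the pfSense DHCP server into unbound local-data entries under a site subdomain such as mysite.adrealm.co.uk. The lease file and zone name are constructed; the point the thread does not spell out is that client-supplied hostnames are untrusted and must be validated before they are written into resolver configuration.

```python
import ipaddress
import re

# Constructed sample in ISC dhcpd.leases format (not a real capture).
# The third lease carries a hostname that is not a valid DNS label.
SAMPLE_LEASES = """\
lease 10.20.0.51 {
  starts 2 2016/03/01 08:00:00;
  ends 2 2016/03/01 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "scanner-07";
}
lease 10.20.0.52 {
  binding state free;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "old-laptop";
}
lease 10.20.0.53 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "bad host;";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
STATE_RE = re.compile(r"binding state\s+(\w+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')
# One DNS hostname label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def active_leases(text):
    """Return (ip, client-hostname) pairs for leases in the 'active' binding state."""
    result = []
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        if state and state.group(1) == "active" and host:
            result.append((ip, host.group(1)))
    return result


def unbound_local_data(text, zone):
    """Build unbound local-data / local-data-ptr lines for active leases under `zone`.
    Hostnames come from the DHCP client, so anything that is not a single valid
    label (or an unparsable address) is dropped rather than written to the config."""
    lines = []
    for ip, host in active_leases(text):
        if not LABEL_RE.match(host):
            continue  # reject spaces, quotes, semicolons, etc. from client hostnames
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        fqdn = f"{host.lower()}.{zone}"
        lines.append(f'local-data: "{fqdn} A {addr}"')
        lines.append(f'local-data-ptr: "{addr} {fqdn}"')
    return lines
```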

