DNS settings on an ActiveDirectory domain
-
I think I've got myself a little mixed up, and just looking for some clarification. My goal is to utilize OpenDNS's servers, but I can't figure out where to put those IPs.
I have a domain. All clients point to my internal primary/secondary DNS servers.
My primary/secondary DNS servers both have pfSense as the only Forwarder, and fail-over to Root Hints if the forwarder isn't available.
pfSense > System > General has my internal primary/secondary DNS servers only.
pfSense has DNSForwarder disabled.
pfSense has DNSResolver enabled.
pfSense is also an OpenVPN server using LDAP for authentication, if that has any weight (I don't think it does because LDAP is its own service, but I'm mentioning it anyway).
Currently, everything is working, but we are not using the OpenDNS servers. Currently, I think a client is asking the internal DNS servers, who are asking pfSense, which is asking my AD servers again, who is saying "no idea" and then uses Root Hints.
I think what I have to do is:
1. Disable DNSResolver
2. Enable DNSForwarder
3. From System>General, remove my internal DNS servers and replace with OpenDNS
4. Disable my DNS Server's abilities to use Root Hints.
I just don't want to break my VPN authentication. Does this sound like the correct steps?
-
Update:
Hmm, perhaps I need to forget DNSForwarder, as it seems DNSResolver-with-forwarding-enabled is preferred.
-
You need either forwarding enabled in Unbound, or use dnsmasq instead. Doesn't matter which. Either way, don't forget about domain overrides for your AD DNS zones, pointing back to your AD DNS servers.
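Added example (not from the thread or from pfSense itself) showing why the domain overrides matter: a small model of the Unbound forward-zone stanzas the Resolver uses in forwarding mode, and the longest-suffix match Unbound applies to pick a forwarder for a query. Zone names and the 10.0.0.x addresses are constructed placeholders; the OpenDNS addresses are OpenDNS's published resolvers.

```python
from typing import Dict, List, Tuple

# Constructed placeholders; the thread never names its zones or addresses.
OPENDNS = ["208.67.222.222", "208.67.220.220"]   # OpenDNS's published resolvers
AD_DNS = ["10.0.0.10", "10.0.0.11"]               # internal AD DNS servers (placeholder)
AD_OVERRIDES = {                                  # pfSense "domain overrides"
    "corp.example": AD_DNS,                       # forward AD zone (placeholder)
    "0.0.10.in-addr.arpa": AD_DNS,                # matching reverse zone for 10.0.0.0/24
}


def render_unbound_fragment(overrides: Dict[str, List[str]], upstream: List[str]) -> str:
    """Render Unbound forward-zone stanzas: one per domain override pointing at the
    AD DNS servers, then a catch-all "." zone pointing at the public forwarders.
    (Illustrates the Unbound syntax; it is not pfSense's generated file.)"""
    lines = []
    for zone, servers in overrides.items():
        # private-domain lets Unbound hand back RFC1918 answers for this zone
        # despite its DNS-rebinding protection, which AD zones need.
        lines.append(f'private-domain: "{zone}"')
        lines.append("forward-zone:")
        lines.append(f'    name: "{zone}"')
        lines += [f"    forward-addr: {ip}" for ip in servers]
    lines.append("forward-zone:")
    lines.append('    name: "."')
    lines += [f"    forward-addr: {ip}" for ip in upstream]
    return "\n".join(lines) + "\n"


def select_forwarder(qname: str, overrides: Dict[str, List[str]],
                     upstream: List[str]) -> Tuple[str, List[str]]:
    """Return (zone, servers) the query is forwarded to: the most specific override
    whose name is a suffix of qname, otherwise the "." zone (public forwarders)."""
    name = qname.rstrip(".").lower()
    best_zone, best_len = None, -1
    for zone in overrides:
        z = zone.rstrip(".").lower()
        if (name == z or name.endswith("." + z)) and len(z) > best_len:
            best_zone, best_len = zone, len(z)
    if best_zone is None:
        return ".", upstream
    return best_zone, overrides[best_zone]


if __name__ == "__main__":
    print(render_unbound_fragment(AD_OVERRIDES, OPENDNS))
    for q in ("dc01.corp.example", "25.0.0.10.in-addr.arpa", "www.opendns.com"):
        print(q, "->", select_forwarder(q, AD_OVERRIDES, OPENDNS))
    # Without overrides the AD name would go to OpenDNS and fail: the case Dok warns about.
    print("dc01.corp.example (no overrides) ->", select_forwarder("dc01.corp.example", {}, OPENDNS))
```

Running it shows that with the overrides in place AD forward and reverse lookups (LDAP SRV records included) stay on the AD servers while everything else goes to OpenDNS, and that without them the AD names would be sent upstream.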
-
That did it. Thanks Dok. Unbound's working (and I noticed that bug is still present that causes unbound to bounce upon every DHCP request due to enabling the resolver). All good!