How to handle DNS with pfSense onsite + DC inside an AWS VPC
-
Hi friends,
I wonder what the best solution for my project would be. With the whole concept in mind, I didn't actually think about how DNS will be handled.
As of now, pfSense is handling DNS inside my network with the DNS Resolver (forwarding disabled).
Now I'm setting up a site-to-site VPN between pfSense and our VPC, where a new Domain Controller shall handle domain auth.
So something like: Office -> pfSense -> IPsec -> VPC -> Domain Controller
I already figured I have to somehow forward DNS queries for ad.mydomain.com towards the domain controller. But I have yet to figure out how to achieve this, and also how I need to configure DNS on the DC side for this kind of setup.
Or, of course, whether this is even the best solution. I would like pfSense to keep handling DNS inside my network as the main DNS server.
Thanks for any suggestions!

-
Set a domain override in the Resolver setup page, pointing to your domain controller.
Set LAN + localhost as the outbound interface of unbound as a workaround for using an IPsec tunnel.
-
Set a domain override in the Resolver setup page, pointing to your domain controller.
Set LAN + localhost as the outbound interface of unbound as a workaround for using an IPsec tunnel.
Hi Fabio,
what exactly does that do?
-
On the DNS Resolver setup page you add a domain override. Put in the domain name of your AD and the IP address of your VPC domain controller.
On the DNS Resolver setup page you can select "Outgoing Network Interfaces".
The default is all, but with the default the IPsec tunnel does not work for DNS. Setting LAN and localhost is a workaround to allow the pfSense resolver to contact your domain controller's DNS server.
-
You've explained how to do it, not what it does…
The domain override tells unbound to send all queries for the requested domain to the specified host listed in the override. So you would override ad.mydomain.com and point it to the IP address of your AD server. Then when someone goes to resolve mycomputer.ad.mydomain.com, unbound on pfSense will go to the AD server to resolve that, rather than trying to do it through its normal rDNS process.
-
@virgiliomi:
You've explained how to do it, not what it does…
The domain override tells unbound to send all queries for the requested domain to the specified host listed in the override. So you would override ad.mydomain.com and point it to the IP address of your AD server. Then when someone goes to resolve mycomputer.ad.mydomain.com, unbound on pfSense will go to the AD server to resolve that, rather than trying to do it through its normal rDNS process.
Thanks :D
-
On the DNS Resolver setup page you add a domain override. Put in the domain name of your AD and the IP address of your VPC domain controller.
On the DNS Resolver setup page you can select "Outgoing Network Interfaces".
The default is all, but with the default the IPsec tunnel does not work for DNS. Setting LAN and localhost is a workaround to allow the pfSense resolver to contact your domain controller's DNS server.
Thank you! This worked!
But help me to understand this: by setting Outgoing Network Interfaces to LAN + Localhost, would pfSense no longer be able to forward DNS requests to external DNS servers like Google DNS? Or how does it work?
-
It works since it uses the default gateway to exit. The LAN interface IP can go out routed and NATed like any other LAN host IP.
https://forum.pfsense.org/index.php?topic=115870.0
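As an added example that is not from the thread or from the pfSense project: this is the unbound configuration that the two settings discussed above (the domain override and the LAN + localhost outgoing interfaces) correspond to, so you can see what they do underneath. It assumes the AD zone is ad.mydomain.com, the VPC domain controller is 10.10.0.10 in a 10.10.0.0/24 subnet, and the pfSense LAN address is 192.168.1.1; all of these are placeholders.

```conf
# Added example, not pfSense's generated file. Placeholder values:
#   ad.mydomain.com  - the AD DNS zone
#   10.10.0.10       - the domain controller inside the VPC (10.10.0.0/24)
#   192.168.1.1      - the pfSense LAN address

server:
    # "Outgoing Network Interfaces" = LAN + Localhost.
    # With the default "All", unbound may source its queries from the WAN
    # address, which is not inside the IPsec phase 2 local network, so those
    # packets never enter the tunnel. Sourcing from the LAN address puts the
    # query inside the phase 2 selector and it rides the tunnel to the DC.
    # Internet-bound queries still leave via the default gateway and are
    # NATed like traffic from any other LAN host, so recursion keeps working.
    outgoing-interface: 192.168.1.1
    outgoing-interface: 127.0.0.1

    # Assumption to verify on your own box: with DNS Rebinding Protection
    # enabled, unbound drops RFC 1918 addresses from answers unless the zone
    # is declared private. The DC answers with VPC addresses, so the AD zone
    # has to be allowed; if pfSense does not emit this for the override, add
    # it under Custom Options.
    private-domain: "ad.mydomain.com"

# The "Domain Override" for ad.mydomain.com -> VPC domain controller.
# Every name under this zone is forwarded to the DC instead of being
# resolved from the root; all other names keep using normal resolution.
forward-zone:
    name: "ad.mydomain.com"
    forward-addr: 10.10.0.10

# Optional second override (added here, not in the thread) so reverse
# lookups for the VPC subnet also go to the DC; AD relies on PTR records.
forward-zone:
    name: "0.10.10.in-addr.arpa"
    forward-addr: 10.10.0.10

# Checks from a LAN host (commands, not config):
#   dig @192.168.1.1 dc1.ad.mydomain.com A    -> answered by the DC via the tunnel
#   dig @192.168.1.1 www.example.com A        -> still resolved recursively
# On pfSense, unbound-checkconf validates the generated file before reload.
```

The thread does not cover the DC side; the override only changes where pfSense sends queries for that zone, so the DC must still be authoritative for ad.mydomain.com and reachable on UDP/TCP 53 from the pfSense LAN address through the tunnel.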