How to use multiple DNS Servers within Separate Private Networks
-
So for my home lab, I've set up multiple networks (VLANs) to separate my environments. In one network I do not want to use the DNS Resolver from pfSense but a Windows DNS Server. I also want to make sure that all requests for this subdomain are never queried outside of the private network.
Example
-
Public Network
  example.com
  github.example.com
  redmine.example.com

Private Network
  intra.example.com
  winlab.example.com

Private Hosts (intra)
  pfsense.intra.example.com
  laptop.intra.example.com

Private Hosts (winlab)
  ad.winlab.example.com
  win10.winlab.example.com
Because ad.winlab.* is using pfSense as its DNS server, I can reach the .intra. hosts from the .winlab. network. But because pfSense is not aware of ad.winlab.example.com as a DNS server, I cannot query any hosts under .winlab.
So I could add .winlab. as a DNS server under pfSense, but it will also send the queries to the other DNS servers (like Google).
How can I set this up properly?
Thanks a lot!
-
With DNS resolver, you can specify which interfaces it listens on.
-
With DNS resolver, you can specify which interfaces it listens on.
I'm not sure how this will help me to query winlab hosts from the intra DNS Server?
When I enable the DNS Resolver to listen on the winlab interface, I can only query the intra DNS Server from winlab hosts.
I'm trying to achieve that laptop.intra.example.com can resolve win10.winlab.example.com using the ad.winlab.example.com DNS Server.
-
Anyway, I found out it's a bug in pfSense. So far I think it's not possible to have multiple DNS Servers, but you can have multiple subdomains on each DHCP Server. So it kinda has the same outcome as I want.
The only thing is I will have to change my naming convention to something more like lan.intra.example.com, lab.intra.example.com and winlab.intra.example.com.
My global Domain Name will be intra.example.com and my DNS Resolver System Domain Local Zone Type will be refused.
This will keep all the queries under intra.example.com private.
https://redmine.pfsense.org/issues/1819
-
Why do you think it's a bug? Why would you need separate DNS servers, when you can configure one to handle multiple ranges?
-
If you want to be able to resolve host names on one subnet that cannot be resolved on a different subnet, that might be a use case.
I have not found a way to do this with one resolver. Or did I miss something?
-
Maybe look at modifying this article to meet your needs: Redirecting all DNS Requests to pfSense
So maybe something like:
Interface: [Whatever your Winlab interface is]
Protocol: TCP/UDP
Destination: Invert Match checked, Winlab Address
Destination Port Range: 53 (DNS)
Redirect Target IP: [IP address of Active Directory domain controller that does DNS]
Redirect Target Port: 53 (DNS)
Description: Redirect Winlab DNS
NAT Reflection: Disable
Also, can't you just set up DHCP to give the IP address of your AD Domain Controller for DNS? This way all Windows clients in your Winlab will send all DNS traffic to the domain controller instead of to pfSense. This is simpler than the port forward option above.
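As an added example (not code from the thread, from pfSense, or from any poster), here is a small Python model of the two approaches discussed: the original poster's final setup, where everything under intra.example.com is answered from local data or refused and is never forwarded upstream, and the port-forward rule in the last reply, which redirects port 53 traffic from winlab clients to the Active Directory domain controller. All subnets, addresses and host entries are constructed for the lab described and are assumptions; leaks_private_names is the check a practitioner would run over a list of names to confirm that nothing under the private zone would leave the network.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed lab addressing; none of these values come from the thread.
WINLAB_NET = ipaddress.ip_network("10.20.0.0/24")    # assumed winlab VLAN
WINLAB_GW = ipaddress.ip_address("10.20.0.1")        # assumed pfSense address on winlab
AD_DC = ipaddress.ip_address("10.20.0.10")           # assumed ad.winlab.example.com
UPSTREAM = ipaddress.ip_address("192.0.2.53")        # placeholder public forwarder
DNS_PORT = 53

# Zone kept private, as in the poster's final setup (System Domain Local Zone
# Type set to refuse; in unbound terms: local-zone: "intra.example.com" refuse).
PRIVATE_ZONE = "intra.example.com"

# Names the resolver knows locally, following the renamed convention
# (lan./lab./winlab. under intra.example.com). Constructed sample data.
LOCAL_DATA = {
    "pfsense.intra.example.com": "10.10.0.1",
    "laptop.lan.intra.example.com": "10.10.0.50",
    "ad.winlab.intra.example.com": "10.20.0.10",
}


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone itself or a label under it.
    The label boundary matters: fakeintra.example.com is NOT in the zone."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def nat_redirect(src: str, dst: str, dport: int) -> str:
    """Model of the port forward from the last reply: on the winlab interface,
    TCP/UDP to port 53 whose destination is NOT the winlab address
    ("Invert Match" on Destination) is redirected to the AD domain controller.
    Returns the effective destination address as a string."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport == DNS_PORT and src_ip in WINLAB_NET and dst_ip != WINLAB_GW:
        return str(AD_DC)
    return str(dst_ip)


def resolver_decision(qname: str) -> Tuple[str, Optional[str]]:
    """Model of the pfSense resolver policy: names under the private zone are
    answered from local data or refused; everything else is forwarded upstream."""
    name = qname.rstrip(".").lower()
    if in_zone(name, PRIVATE_ZONE):
        if name in LOCAL_DATA:
            return ("local", LOCAL_DATA[name])
        return ("refused", None)
    return ("forward", str(UPSTREAM))


def leaks_private_names(names: List[str]) -> List[str]:
    """Names under the private zone that the policy would send upstream.
    An empty list is the desired outcome: internal names never leave the lab."""
    return [n for n in names
            if in_zone(n, PRIVATE_ZONE) and resolver_decision(n)[0] == "forward"]


if __name__ == "__main__":
    sample = ["laptop.lan.intra.example.com", "typo.intra.example.com",
              "github.example.com"]
    for q in sample:
        print(q, "->", resolver_decision(q))
    print("winlab client to public DNS ->",
          nat_redirect("10.20.0.55", "192.0.2.53", 53))
    print("leaked private names:", leaks_private_names(sample))
```

The two models are independent on purpose: the redirect rule decides which server a winlab client's query reaches at all, while the resolver policy decides what pfSense does with a name it receives. A typo under intra.example.com gets a refusal rather than a trip to the public forwarder, which is the property the poster was after.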