Forward unresolved lookups to another DNS server



  • Hi!

    I have a branch office connected to the main office using pfSense and VPN. In the main office we have a Windows DNS server. I'm using DHCP and DNS on the branch office pfSense machine. I would like the pfSense to forward unresolved requests to our Windows machine. Is this possible?

    Thanks



  • Your Windows DNS should all be under a specific domain. You could set the DNS forwarder to use your Windows server as the resolver for that domain. If something is returning 'domain does not exist', I don't think there's an easy way to override that and say 'look here instead'.



  • Yes, both offices are under companyname.local. I've tried setting in the DNS forward settings under the description:

    Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain.

    There I've configured:

    Domain: company.local
    IP: main office DNS server IP

    but that doesn't seem to work.

    If I run an nslookup on a host in the main office from the branch office it asks the pfSense, then fails.



  • You should specify the DNS server within your DHCP server to be your Windows server.

    Then set the Windows server's forwarder to be the pfSense machine.

    Alternatively/additionally, you can install the DNS server on pfSense and add the appropriate NS record for the "company.local" to be the IP of the Windows server.

    Bottom line is, in Active Directory, you should always use the Windows Server(s) for DNS, then use pfSense for non-windows lookups.



    Thanks for your answer. I have done what you said. I've configured the branch office pfSense firewall's DHCP server to give out the main office Windows DNS server. I've also set the pfSense firewall itself to use it as the primary DNS server.

    Now it's really strange, since I can't do an nslookup on the local machines, but I can ping them using their names. Also, I can't do an nslookup for the machines in the main office from the branch office without entering the FQDN. Just using the hostname works fine in the main office. The main office can't find the branch office machines, so I'm guessing the forward just isn't working :-(



  • Your DNS configuration is broken. You can't use the same domain on two separate networks, and then connect them and expect them to merge to one. As far as Windows (and DNS) is concerned, you have two different domains, they just have the same name. When you're talking to server1, it has no idea of server2's existence and thinks it knows everything about company.local.

    You should have a different domain (use subdomains if you want) at each site. I'm not a Windows guy, but maybe there's a way to merge the two AD domains and then set up the branch office Windows server as a slave instead?



  • Thanks guys, I think I got it working. I created a subdomain for the branch office, so branch.companyname.local points to the branch office. Then I created an NS record for branch.companyname.local pointing to the branch pfSense firewall.
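    To make the two setups in this thread concrete, here is an added Python model (not pfSense, dnsmasq or Windows DNS code) of how an authoritative zone, a pfSense domain override and an NS delegation interact: first two servers that each claim companyname.local, then the fix of delegating branch.companyname.local to the branch pfSense box. Hostnames and addresses (dc1, pc1, 10.0.0.1, 192.168.1.20) are constructed for illustration.

```python
class DnsServer:
    """Hosts zones authoritatively (missing name -> NXDOMAIN, never forwarded) and
    forwards queries under an override domain to another server (pfSense
    'domain override', Windows conditional forwarder, or NS delegation)."""

    def __init__(self, name, zones, overrides=None):
        self.name = name
        self.zones = zones                # {zone: {fqdn: ip}}
        self.overrides = overrides or {}  # {domain: DnsServer}

    def resolve(self, fqdn, trail=None):
        """Return (ip or None, servers consulted in order)."""
        trail = [] if trail is None else trail
        trail.append(self.name)
        # Longest matching suffix wins, so a delegated subdomain beats its parent zone.
        hits = [(z, "zone") for z in self.zones if under(fqdn, z)]
        hits += [(d, "fwd") for d in self.overrides if under(fqdn, d)]
        if not hits:
            return None, trail
        domain, kind = max(hits, key=lambda h: len(h[0]))
        if kind == "fwd":
            return self.overrides[domain].resolve(fqdn, trail)
        return self.zones[domain].get(fqdn), trail   # authoritative: no fallback

def under(fqdn, domain):
    return fqdn == domain or fqdn.endswith("." + domain)

def client_lookup(server, name, search_suffix):
    """A client appends its DHCP-supplied search suffix to a bare hostname."""
    return server.resolve(name if "." in name else name + "." + search_suffix)

def same_name_setup():
    """Both sites claim companyname.local with different (constructed) records,
    so the main server cannot know the branch names exist."""
    main = DnsServer("main-win", {"companyname.local": {"dc1.companyname.local": "10.0.0.1"}})
    branch = DnsServer("branch-pf", {"companyname.local": {"pc1.companyname.local": "192.168.1.20"}})
    return main, branch

def delegated_setup():
    """The thread's fix: branch hosts live in branch.companyname.local, which the
    main server delegates (NS record) to the branch pfSense box, and the branch
    box forwards the rest of companyname.local to the main office."""
    branch = DnsServer("branch-pf", {"branch.companyname.local": {"pc1.branch.companyname.local": "192.168.1.20"}})
    main = DnsServer("main-win", {"companyname.local": {"dc1.companyname.local": "10.0.0.1"}},
                     overrides={"branch.companyname.local": branch})
    branch.overrides["companyname.local"] = main
    return main, branch
```

    client_lookup also shows the FQDN symptom from earlier in the thread: a bare hostname only resolves when the client's search suffix matches the zone the host is actually registered in.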



  • @ktims:

    You can't use the same domain on two separate networks, and then connect them and expect them to merge to one. As far as Windows (and DNS) is concerned, you have two different domains, they just have the same name. When you're talking to server1, it has no idea of server2's existence and thinks it knows everything about company.local.

    You should have a different domain (use subdomains if you want) at each site. I'm not a Windows guy, but maybe there's a way to merge the two AD domains and then set up the branch office Windows server as a slave instead?

    That's simply not true. As long as there's a route between the two networks (I use OpenVPN for site-to-site) then this does work perfectly well, even only using Windows DNS server.

    A real-world example from one of my clients:

    Site A = 192.168.0.0/24
    Site B = 10.0.0.0/8

    All PCs are in the same "company.local"-style domain, regardless of site.

    The Windows server (and therefore DNS server) is on site B and only has IP address 10.0.0.1.
    An OpenVPN site-to-site tunnel exists so that all site A's hosts can ping all site B's hosts and vice-versa.

    There is absolutely nothing about Windows XP, at least, that requires the DNS server to be on the same subnet. So the PCs at site A have 10.0.0.1 as their DNS server. Naturally, all of the PCs at site B have 10.0.0.1 as the DNS server too.



  • @Bern:

    There is absolutely nothing about Windows XP, at least, that requires the DNS server to be on the same subnet. So the PCs at site A have 10.0.0.1 as their DNS server. Naturally, all of the PCs at site B have 10.0.0.1 as the DNS server too.

    Eh? I don't think I ever said it was. The OP seems to be running two completely distinct Windows domains, both called company.local. If he points his boxes at one Windows server, all the stuff running on the other is ignored, and vice versa. DNS relies on each logical domain (in this case Windows AD domains) to have a unique name; if two have the same name but different contents, problems arise.



  • You said:

    "You can't use the same domain on two separate networks, and then connect them and expect them to merge to one. As far as Windows (and DNS) is concerned, you have two different domains, they just have the same name".

    And the OP said:

    "In the main office we have a Windows DNS server"

    with no mention of anything in the branch office. The original message had no mention of a separate AD domain or server at the branch. What I said still stands.



  • My wording was unclear indeed. My intent was that it would be interpreted to mean you can't use the same domain name on two separate networks with different entries in the DNS on each, and then expect them to know about each other and resolve the conflict on their own when you want them to interoperate.

    I just assumed there was another AD box at the branch office. It seemed implied, and it seems that it was indeed the case.

    I still never said anything close to 'the DNS server must be on the same subnet', I'm not sure where you're getting that from.

    But it's a moot point… glad you got it working Zulan.

