DNS Resolution



  • I just fired up a pfSense instance on Amazon and I'm trying to get everything set up. I'm having a few issues, but I'm still learning.

    I can't get LDAP integration to work. I can ping both of my DCs from the shell of the instance and from the test page on the Netgate interface, and DNS lookups for things like google.com and hotmail.com resolve just fine. When I try to have it resolve either of my domain controllers' hostnames, it fails. I don't know Linux very well, but I made a telnet session from the shell to port 53 and it worked fine.

    I can't figure out what I'm missing, but some direction would be most appreciated.


  • LAYER 8 Global Moderator

    Out of the box pfSense is using unbound as a resolver. How would it know about some internal AD domain?

    You would need to set up a domain override if you want pfSense, or devices using pfSense as DNS, to resolve stuff that is on some downstream authoritative name servers.

    But clients on your network that are members of your AD should be using your AD DNS directly and nothing else. You would then set up your AD DNS to forward to pfSense. The only reason for pfSense to know where to query for ADdomain.tld would be for pfSense to resolve hosts that are listed in your AD.



  • I am sort of confused by your post, but I appreciate the response.

    Let me see if I can address your questions and clarify some things.

    You would need to set up a domain override if you want pfSense, or devices using pfSense as DNS, to resolve stuff that is on some downstream authoritative name servers.

    I'm not sure what a domain override is, but I don't think I communicated what I'm trying to do well enough.

    On the web interface here, System/User Manager/Authentication Servers/Edit, I'm trying to get it to see my domain controller, which is on the same subnet and is a computer that the pfSense server can ping and seemingly communicate with. When I click Select a Container I get this error: "Could not connect to the LDAP server. Please check the LDAP configuration." This is what led me to start digging. I have the DNS servers of the pfSense box set as my domain controllers, so when I request resolution of a network object in my Active Directory, it should resolve the local IP, whether it is on the domain or not. It is not doing this, which is why I was thinking I can't get this LDAP server connection working.

    I hope this clears up what I'm trying to accomplish, but at times I can be a poor communicator. I appreciate any help you can provide.



  • OK, so after reading your post I did some digging based on your direction. Under General DNS Resolver settings I checked the "DNS Query Forwarding" checkbox, and now the DNS tests are resolving the domain controllers' host names.

    That said, now I'm back to my original issue, adding an LDAP authentication server. I still get this error: "Could not connect to the LDAP server. Please check the LDAP configuration." So now I have no idea why it wouldn't work. I have confirmed communication with my DC and I'm pretty certain I have the settings correct. Any ideas?


  • LAYER 8 Global Moderator

    Why would you change to forwarder mode?

    All you need to do is tell pfSense in a domain override what your AD domain is and the IP of the NS.

    Now you're forwarding to your AD... And how is AD finding stuff for, say, www.google.com?

    Did you run the LDAP test on pfSense? When you set up the remote server, what does it say?
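
    The two resolver settings the moderator contrasts (a per-domain override versus global "DNS Query Forwarding") map to two different unbound configurations. The fragment below is an added illustration, not configuration from the thread or generated verbatim by pfSense; the AD domain ad.example.com and the DC addresses 10.0.1.10 and 10.0.1.11 are placeholders.

```conf
# Added example (not from the thread): how the two pfSense choices look in
# unbound.conf terms. ad.example.com, 10.0.1.10 and 10.0.1.11 are assumed
# placeholders for the AD domain and its two domain controllers.

# 1) Domain override (Services > DNS Resolver > Domain Overrides).
#    Only names under ad.example.com are sent to the DCs; everything else
#    (google.com, hotmail.com, ...) is still resolved recursively by unbound.
forward-zone:
    name: "ad.example.com"
    forward-addr: 10.0.1.10
    forward-addr: 10.0.1.11

# Two things to check if the override is in place but lookups still fail:
#  - the AD zone is normally unsigned, so with DNSSEC validation enabled
#    unbound must be told not to expect a chain of trust for it;
#  - the zone answers with RFC1918 addresses, which unbound's rebind
#    protection (private-address) strips unless the zone is listed as
#    allowed to return them.
# Both are unbound options; on pfSense they go in the resolver's
# "Custom options" box if the GUI does not emit them for you.
server:
    domain-insecure: "ad.example.com"
    private-domain: "ad.example.com"

# 2) "DNS Query Forwarding" (forwarder mode), for comparison.
#    This is a catch-all forward-zone: every query, www.google.com
#    included, is handed to the configured System DNS servers (here the
#    DCs) and unbound stops recursing on its own. That is the moderator's
#    point: the DCs now have to find the public names for you.
forward-zone:
    name: "."
    forward-addr: 10.0.1.10
    forward-addr: 10.0.1.11
```

    A quick way to confirm which path a query takes from the pfSense shell is to query the DC directly and the resolver on localhost for the same DC hostname: if the DC answers and the resolver does not, the override (or one of the two options above) is what is missing.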



  • Though I am finding it probably wasn't necessary, I like the idea of pfSense being able to resolve machines on my domain.

    AD DNS servers auto-forward to the root servers when you try to resolve a TLD.

    I got LDAP integration working by using creds to authenticate; for some reason I couldn't get anonymous binding to work. Any light you could shed on that would help, as I would prefer that method.
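
    The thread ends with two LDAP questions that are worth separating: "Could not connect to the LDAP server" (is tcp/389 on the DC reachable and talking LDAP at all?) and "anonymous bind doesn't work" (the DC accepts the bind, but refuses the search that pfSense's Select a Container needs). The probe below is an added example with no third-party dependencies, not code from the thread or from pfSense; it speaks just enough LDAPv3 (RFC 4511 BER encoding) to bind and run a base search, and reports the result codes so you can tell the two failures apart. The host dc1.ad.example.com, the base DN and the service-account DN are placeholders (assumptions).

```python
"""Minimal LDAPv3 simple-bind + base-search probe (added example, not from
the thread). Hostnames, DNs and passwords below are placeholders.

Result codes that matter here (RFC 4511):
  0  success
  1  operationsError  - what AD returns when an anonymous session tries to
                        search anything other than the rootDSE
 49  invalidCredentials
"""
import socket

LDAP_PORT = 389


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }.
    Empty dn and password make it an anonymous bind. msg_id must be < 128."""
    body = (tlv(0x02, b"\x03")              # version 3
            + tlv(0x04, dn.encode())        # name (LDAPDN)
            + tlv(0x80, password.encode())) # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))


def search_request(msg_id: int, base_dn: str) -> bytes:
    """Base-scope SearchRequest [APPLICATION 3] asking for no attributes
    ("1.1"): the smallest search that reveals whether searching is allowed."""
    body = (tlv(0x04, base_dn.encode())     # baseObject
            + tlv(0x0A, b"\x00")            # scope: baseObject
            + tlv(0x0A, b"\x00")            # derefAliases: never
            + tlv(0x02, b"\x01")            # sizeLimit 1
            + tlv(0x02, b"\x00")            # timeLimit 0
            + tlv(0x01, b"\x00")            # typesOnly FALSE
            + tlv(0x87, b"objectClass")     # filter: present [7] objectClass
            + tlv(0x30, tlv(0x04, b"1.1"))) # attributes: "1.1" = none
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, body))


def parse_result(msg: bytes):
    """Return (protocolOp tag, resultCode, diagnosticMessage).
    BindResponse (0x61) and SearchResultDone (0x65) carry an LDAPResult;
    a SearchResultEntry (0x64) or referral (0x73) does not, so those come
    back as (tag, None, '') and the caller keeps reading."""
    tag, outer, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(outer, 0)
    op, body, _ = _read_tlv(outer, pos)
    if op not in (0x61, 0x65):
        return op, None, ""
    _, code, pos = _read_tlv(body, 0)       # resultCode ENUMERATED
    _, _matched, pos = _read_tlv(body, pos) # matchedDN
    _, diag, _ = _read_tlv(body, pos)       # diagnosticMessage
    return op, int.from_bytes(code, "big"), diag.decode(errors="replace")


def recv_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from a connected socket."""
    head = _recv_exact(sock, 2)
    ln = head[1]
    if ln & 0x80:
        more = _recv_exact(sock, ln & 0x7F)
        head, ln = head + more, int.from_bytes(more, "big")
    return head + _recv_exact(sock, ln)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        buf += chunk
    return buf


def probe(host: str, base_dn: str, dn: str = "", password: str = "",
          port: int = LDAP_PORT, timeout: float = 5.0) -> dict:
    """Connect, bind (anonymously if dn/password are empty), then attempt a
    base search. A socket error means 'cannot reach the DC'; bind 0 plus
    search 1 means 'reachable, but anonymous searching is refused'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, password))
        _, bind_code, bind_diag = parse_result(recv_message(s))
        if bind_code != 0:
            return {"bind": bind_code, "bind_diag": bind_diag}
        s.sendall(search_request(2, base_dn))
        while True:                          # skip entries/referrals
            tag, code, diag = parse_result(recv_message(s))
            if tag == 0x65:                  # SearchResultDone
                return {"bind": 0, "search": code, "search_diag": diag}


if __name__ == "__main__":
    # Placeholder DC and base DN (assumptions, not values from the thread).
    print(probe("dc1.ad.example.com", "DC=ad,DC=example,DC=com"))
    print(probe("dc1.ad.example.com", "DC=ad,DC=example,DC=com",
                "CN=svc-pfsense,CN=Users,DC=ad,DC=example,DC=com", "secret"))
```

    Run anonymously first, then with the service-account DN and password. On a default Active Directory the anonymous run binds fine (bind 0) and then fails the search with resultCode 1 and a diagnostic ending in "a successful bind must be completed on the connection": AD only lets anonymous sessions read the rootDSE, and the container picker needs a real search, which is why credentials fixed it. That is a DC-side policy (the seventh character of the forest's dSHeuristics attribute controls anonymous LDAP operations), not something a pfSense setting changes; a dedicated read-only bind account is the usual answer, and binding with credentials over plain tcp/389 sends the password in the clear, so prefer LDAPS (636) or StartTLS once the plain probe works.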

