Routing DNS query based on client forwarded via domain controll

  • Hi,

    I have an active directory domain running behind my pfSense box, with all domain members using my domain controller for DNS.

    The domain controller has set as a forwarder, for external DNS queries.

    I want one of my internal domain members to route its traffic over my OpenVPN client, including DNS queries, but maintain domain DNS connectivity.

    I can't set the DNS server on the domain member directly to something external, as it breaks domain connectivity. As I understand DNS forwarding, the domain controller is the machine actually making the external DNS query on behalf of the member machine. I don't want to set the domain controller's DNS traffic to go via the VPN, as then all internal machines will be doing DNS lookups over the VPN rather than directly.

    Is there any way I can configure my network so that all external DNS queries go out over my normal WAN, except for when the initial query is being made by a specific host?
    I don't mind at what level this is done. e.g. something on the specific host, on the DC or on the pfSense box.


  • LAYER 8 Global Moderator

    You could set this client to talk directly to pfSense for DNS, with the appropriate domain overrides in place on pfSense to be able to resolve your AD stuff.

    So your client asks for it, pfSense forwards/resolves using your VPN however you have pfSense set up. If your client is looking for yourdomain.tld, pfSense will go ask your AD DNS.

    Been a while since I have played with AD DNS directly for anything fancy. What version of Windows are you running, 2k12, 2k16? There have been some major changes in DNS on Windows depending on the version you're using. It's possible they allow for conditional forwarding based upon source IP of query (your client), but I doubt it.. But you could look, since that would be a cleaner solution.

  • I thought about this, and gave it a quick test, but didn't quite work.

    I enabled resolver, set a domain override for my internal domain pointing to the LAN IP of my AD domain controller, and set the outgoing interface for the resolver to my VPN interface.

    This I think was working fine for external DNS queries, but would not resolve my internal domain, I assume because it was trying to route to my LAN IP for the DC over the VPN which obviously wouldn't work.

    Is there another way to leave the outgoing interface bound to all, but specify via rules that all DNS traffic from pfSense either must go via the VPN, or is blocked on the WAN?
    For info, the domain controller is 2016. I know you have conditional forwarders, but don't think this can be set on a source by source basis, although I will have a look.


  • LAYER 8 Global Moderator

    You have to allow the resolver to use both your VPN and your LAN interface for queries if you want it to talk to your AD DNS.

    You don't have to just use all or 1, you can pick multiple interfaces. Sure, it's not going to be able to talk outside from your LAN interface.

  • Ah thanks, didn't realise you could select multiple.

    Oddly though, if I select LAN and VPN, and drop the VPN, the server cannot ping external IPs but still seems able to resolve the DNS names.
    I tested further by selecting just LAN as the outgoing interface on the resolver, and the server was still able to resolve names.

    This to me suggests pfSense is resolving the DNS names via the WAN interface still which I don't want.

    Resolver config:
    Listen - 53
    Interface - LAN
    Outgoing interface - LAN + VPN
    Zone type - transparent
    DNSSEC - checked
    Query forwarding - unchecked
    Registration - unchecked
    Static DHCP - unchecked
    OpenVPN clients - unchecked

    Domain overrides;
    Domain -
    IP - LAN IP of DC

    Should I turn on DNS forwarding?
    Would that ensure the query is routed to the correct outgoing interface?

    Thanks for all your advice.

  • LAYER 8 Global Moderator

    You sure you're not seeing cached results?

    Well, just put a rule on your WAN in floating, on out, that says outbound from this firewall to DNS tcp/udp, quick.

    Since your AD is asking. But that prevents pfSense from resolving outside if the VPN was down, i.e. checking for updates and/or packages, etc.

  • Yeah pretty sure these aren't cached.

    I cleared the cache on the server, and whilst I didn't clear it on the pfSense box (not sure how to), I was doing lookups for sites with random names that I never would have visited or looked up in the past.

    Is there a way I can easily clear the DNS cache on pfSense? What I will then do is set the resolver back to VPN and LAN only, clear all caches, and run a test.

    Adding a floating block rule on the WAN will work, but as my OpenVPN is connecting using a hostname, and pfSense is also using for DNS, then that would cause me the issue of the tunnel not rebuilding when the firewall restarts as DNS is blocked 👅

  • LAYER 8 Global Moderator

    As said, it would be clean if you did a conditional forwarder on your AD..

    To clear the cache just restart the unbound service. You could do it with the unbound-control command, but just restarting is the easy thing unless you're looking to just clear a specific entry.

  • One thought I had on doing this, is having pfSense box as primary DNS server, but only bind the resolver to the LAN interfaces, meaning it should not send anything out onto the WAN or VPN interfaces, as it should be bound to those interfaces.
    I could then set an override for my domain, pointing back into the LAN at my DC.

    The secondary server could then just be an external server such as

    Think that would work?
    I don't think there is any way to do anything conditionally within windows.

  • LAYER 8 Global Moderator

    @eds89 said in Routing DNS query based on client forwarded via domain controll:

    I don’t think there is any way to do anything conditionally within windows.

    What version of Windows Server are you running? You for sure can do conditional forwarders in Windows, at least based on domain name like a domain override. But they have made some neat adjustments in 2k16 for DNS... I just have not gotten around to playing with any of it yet.

    You could for sure do it with BIND, that has very powerful views. You can do some views with unbound, but I have not been able to forward for a specific IP, etc.

  • I am not familiar with BIND, so wouldn't even know where to start.
    Yes conditional forwarders exist, but I don't think you can set the condition based on the client device, so the condition would have to be external domain by external domain, which would involve me maintaining a list of forwarders for domains I use externally.

    It's 2016. I will have another poke around, but really don't know where any more fancy and advanced conditional settings would reside to achieve this.

    I tested my scenario above, and also this:
    DNS resolver enabled.
    Bound to LAN only for requests and outgoing interface.
    No domain overrides.
    Restarted unbound and cleared cache on client device.
    Client device was still able to resolve external names.
    Internal domain name resolved as external address.

    Even though I don't have forwarding on, and the outgoing request should be limited to the LAN, it still seems to be able to resolve DNS queries, which I would expect it to do.
    Using nslookup (possibly incorrectly), if I do a lookup for an external domain name when pfSense is the only DNS server specified, I see references in the debug output to my domain controller.
    Is it possible that pfSense is saying: "I am unable to resolve myself, so I will use hints to find another DNS server"
    Could it then be finding my DC as a DNS server on the LAN which in turn resolves the query?

    Thanks for all your advice.

  • LAYER 8 Global Moderator

    No, it wouldn't use a forwarder you set up for a specific domain for other queries. What is happening is it's using the LAN IP as the source, and talking to roots, which gets NATed.. You could verify that with a simple sniff, or even bumping the log level up in unbound and watching the log when you do a query for something.

    You can do what I suggested and block outbound in the floating tab for outbound to DNS, to stop this out the WAN.

    I do not play around a lot with these sorts of scenarios since my tinfoil hat is just slightly cocked on the side of my head, about ready to fall off. I don't think my ISP is sniffing my traffic looking to find if I go to etc.. ;)

    I run unbound just resolving from roots with DNSSEC, all my clients just ask it. While I do have a VPN client set up on pfSense, and I do route traffic through it now and then.. It's just a plaything for testing of policy routing, etc. I really don't give two shits if I resolve and my ISP might sniff that traffic. I am not asking their DNS - I resolve from roots. So to figure out what I am doing they would have to sniff all my DNS traffic to all over the globe as dest, etc.

    But I did verify that blocking outbound in floating stops any sort of DNS from pfSense, if that is what you're worried about, but would still allow your AD to forward to

    If you're so worried about 1 specific client leaking DNS because you're doing whatever on it - my suggestion would be not to do whatever this stuff is on your local network, and do it on some VPS or seedbox in some country that doesn't care what it does ;)

  • Well, I am still a tiny bit confused about its behaviour in a couple of ways.
    I am sure if my knowledge was better, I could do it through pfSense.

    I appreciate all of your help and advice up to this point, and I take your points around "not do whatever this stuff is on your local network" 😉

    In any case, I found that server 2016 does have some filtering capability, but only through powershell. Asked the question over on serverfault here and was able to come up with a solution.
    I now have my DC setup to ignore any DNS queries from this client that are not for my internal domain name. This allows the client to then use the secondary DNS server specified for external resolution, which I already know goes over my VPN.

    So scrapping unbound on pfSense, I am able to do what I need. It just isn't as clean as I would have liked, but as long as I don't make any infrastructure changes, it will continue to work! Happy days!
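The approach the last post describes (the DC silently dropping queries from one client unless they are for the internal AD domain) maps onto the DNS policy cmdlets that ship with Windows Server 2016. The script below is an added illustration, not the poster's actual script from serverfault; the client address `10.0.0.50/32`, the zone `corp.example` and the policy/subnet names are placeholders I chose.

```powershell
# Added example (not the poster's own script). Assumed values:
#   10.0.0.50/32  - the single domain member whose external DNS must go via the VPN
#   corp.example  - the internal AD DNS domain
# Run in an elevated PowerShell session on the Windows Server 2016 DC.

$ClientIp     = '10.0.0.50/32'    # assumption: replace with the member's LAN address
$InternalZone = 'corp.example'    # assumption: replace with the AD DNS domain name
$SubnetName   = 'VpnRoutedClient'
$PolicyName   = 'IgnoreExternalFromVpnRoutedClient'

Import-Module DnsServer

# 1. Define a named client subnet that contains only this one host.
Add-DnsServerClientSubnet -Name $SubnetName -IPv4Subnet $ClientIp

# 2. Server-level query resolution policy: when the query comes from that subnet
#    AND the queried name is not inside the internal zone, IGNORE it (drop it with
#    no response). The DC still answers that client's queries for corp.example
#    (SRV/A records for LDAP, Kerberos, the DC itself), so domain membership keeps
#    working, while every other name times out and the client's resolver falls
#    over to its secondary DNS server, the one whose traffic is routed via the VPN.
#    The zone apex is listed explicitly alongside the wildcard so that a lookup
#    for the bare domain name is also left alone.
Add-DnsServerQueryResolutionPolicy -Name $PolicyName `
    -Action IGNORE `
    -Condition AND `
    -ClientSubnet "EQ,$SubnetName" `
    -Fqdn "NE,*.$InternalZone,$InternalZone" `
    -ProcessingOrder 1 `
    -PassThru

# 3. Verify the policy is present and enabled.
Get-DnsServerQueryResolutionPolicy |
    Format-Table Name, Action, IsEnabled, ProcessingOrder

# Rollback, if the policy misbehaves:
# Remove-DnsServerQueryResolutionPolicy -Name $PolicyName -Force
# Remove-DnsServerClientSubnet -Name $SubnetName -Force
```

Two things worth checking after applying it: from the affected client, `Resolve-DnsName www.example.net -Server <DC IP>` should time out rather than answer, while `Resolve-DnsName <DC hostname>.corp.example -Server <DC IP>` should still succeed; and because IGNORE produces a timeout rather than a refusal, the Windows DNS client on that host will wait out the timeout before trying its secondary server, so keep the DC listed first and the VPN-routed resolver second, as the poster describes, rather than relying on it being fast.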

