DNS configuration tip request



  • Good morning.
    I have a pfSense as a perimeter firewall. I have 4 internet links. Two of them I use for navigation of my clients (half goes out for one and the other half for the other).
    I don't use Multi-WAN or Load Balance Gateways.
    I want my pfSense to correctly resolve the DNS names of my local computers, while resolving the navigation queries of my LAN clients.
    How do you advise me to configure the DNS options of my pfSense?

    Thank you very much for your experience.

    Regards

    Gabriel



  • For example, do I need to have a DNS configured for each WAN gateway in System / General setup ? Or only my local DNS's ?



  • More detail required.

    How many clients are you talking about? Are they all on the same LAN network? Is there an existing DNS for internal use, like a Microsoft AD controller? Are your clients using static IP or DHCP?



  • Of course.
    Two AD servers whit DNS server each. One DHCP on one DC. Around 300 client PCs. All on the same LAN using DHCP server for IP assigment.



  • Since your LAN clients will use the AD DNS via DHCP (I assume since that's the default), what is the point of having pfSense resolve the LAN clients?? Usually people use AD DNS and skip pfSense DNS altogether, or you have one pointing to the other depending on what you're trying to accomplish.

    Disable the Resolver and enable the Forwarder, or tick the box that configures Resolver as a forwarder. Give it your AD DNS as the upstream DNS under System - General Setup. Now pfSense will resolve first and forward to your AD DNS.


  • LAYER 8 Global Moderator

    What is your AD dns doing for external FQDN, say google.com - does it resolve it, does it forward?

    If it forwards to pfsense and then pfsense either forwards and or resolves. If you want it to be able to resolve your local clients both forward and reverse. Then setup a domain override for your local domain and point it to your AD dns IPs. Same for your PTR zones.

    You will also need to make sure that unbound can use your lan side interface for outbound queries, and you will also want to set your local domain as private. Or you will have rebinding issue.



  • @kom Thanks. I only need that pfSense resolve local DNS hosts for use on DNS names based rules. Nothing more.



  • @johnpoz Currently my AD/DNS are configured like this:
    DC1:
    Default gateway: pfSense IP
    DNS1: 127.0.0.1
    DNS2: second AD/DNS IP

    DC2:
    Default gateway: pfSense IP
    DNS1: 127.0.0.1
    DNS2: first AD/DNS IP

    So external DNS queries are resolved by my pfSense.
    What I did now for testing is to assign a DNS to each of my WAN Gateways at System > General Setup. And I also loaded my internal DNS there (without WAN Gateway obviously)
    And then I enabled Enable Forwarding Mode in Services > DNS solve

    I'll see how it works that way.


  • LAYER 8 Global Moderator

    @_neok said in DNS configuration tip request:

    So external DNS queries are resolved by my pfSense.

    Where did you get that idea from.. Out of the box MS dns would resolve not forward so pfsense would have zero to do with your AD resolving google.

    Did you have forwarder setup in your AD dns?


Log in to reply