DNS resolver: SRV record for _vlmcs._tcp



  • Warning: newbie here. I am setting up a private network where clients have access to only some parts of the wider institution's network. The (windows) clients behind the (up to date) pfsense need to be able to volume activate through KMS. I do not want to hardcode the KMS ip address on my clients, nor do i want to hardcode it in a SRV record on the pfSense if i don't have to.

    My institution properly published an SRV record: nslookup -type=srv _vlmcs._tcp returns the correct info on a machine directly connected to the institution's net. When i execute the same command on an almost-default pfsense config from a client which gets its ip from the DHCP server on the pfSense, I get:

    C:\>nslookup -type=srv _vlmcs._tcp
    Server:  pfSense.DigiClassroom
    Address:  192.168.1.30 (note: correct gateway IP)
    *** pfSense.DigiClassroom can't find _vlmcs._tcp: Non-existent domain
    

    I have two questions:

    1. how do i forward or copy this SRV record available on the WAN port side and expose it to clients on the LAN? I don't care if i use DNS resolver (currently) or DNS forwarder. I do not understand this non-existent domain error.
    2. I'll also have to make sure that the firewall actually lets the clients reach the institution's KMS server. Can i pull the destination FQDN from the SRV record somehow when making the rule, or do i have to resort to hardcoding there?

    possibly relevant ipconfig output:

    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . : DigiClassroom
       Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
       Physical Address. . . . . . . . . : 94-DE-80-A5-95-2C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Tuesday, December 11, 2018 4:31:24 PM
       Lease Expires . . . . . . . . . . : Tuesday, December 11, 2018 6:31:25 PM
       Default Gateway . . . . . . . . . : 192.168.1.30
       DHCP Server . . . . . . . . . . . : 192.168.1.30
       DNS Servers . . . . . . . . . . . : 192.168.1.30
       NetBIOS over Tcpip. . . . . . . . : Enabled
    

    Thanks!



    1. By default, pfSense runs DNS in resolver mode which means it resolves by asking the root DNS servers who the authoritative host is for that domain and then querying it. You either need to add a host override to pfSense DNS, or you need a forwarder that forwards DNS to your UNI DNS.

    2. You already know the address of the KMS server, _vlmcs._tcp.yourdomain. Use that with a firewall rule to allow access.



  • Thanks a lot! your answer to 2 shows how little i know about this topic, I didn't quite realize that _vlmcs._tcp.yourdomain is a resolvable address in itself.

    So for 1, the problem is that a domain gets appended to _vlmcs._tcp, my domain, but this address doesn't exist in my own domain? I'll check in the logs. So i can add a host override from _vlmcs._tcp.mydomain to _vlmcs._tcp.correctdomain? That would be a nice solution. I have tried to use the DNS forwarder (default settings) instead of the DNS resolver, but that didn't help (guess the request itself is still for an address in the wrong domain?).

    Thanks a lot again, I'm glad to learn as well.



  • @dcnieho said in DNS resolver: SRV record for _vlmcs._tcp:

    but this address doesn't exist in my own domain?

    It doesn't exist in your DNS since you are running Unbound in resolver mode. A host override would fix that with one single entry, but you would have to keep tabs on it and change it every time the school did. Granted, they shouldn't be changing their KMS server on a regular basis.

    Basically, John knows who Sue is but Frank doesn't. You keep asking Frank and Frank doesn't know. You need to either ask John (use school DNS instead of pfSense), or you need to ask Frank to ask John (use pfSense DNS in forwarder mode), or you need to tell Frank what to say when anyone asks him about Sue (Add pfSense host override).

    So i can add a host override from _vlmcs._tcp.mydomain to _vlmcs._tcp.correctdomain?

    Close. You add _vlmcs._tcp as an A record for your yourdomain DNS zone.



  • Hi KOM,

    Thanks for the simple explanation. That made sense.

    I tried adding the A record, but some reading told me i need an IP address on the right side, not a FQDN. I prefer not to go that far in hardcoding the KMS host.

    So i queried the SRV record with a machine directly connected to upstream, and added the following in the custom options field of pfsense DNS resolver, copying what my SRV lookup returned.

    server:
    local-data: "_VLMCS._TCP.DigiClassroom 3600 IN SRV 0 0 1688 wmgm003.hiddenschooldomain."
    

    that works, client can now reach KMS and activate.

    As i can't say i know what i am doing really, is this the right solution? Note it was critical to add .DigiClassroom to the SRV record (the LAN domain/DNS suffix).

    I wonder what is the problem i really solved here? I guess its that querying the .DigiClassroom for that record was never going to work unless i added it manually. Can i instead configure the DNS resolver to rewrite _VLMCS._TCP.DigiClassroom in any query to _VLMCS._TCP.hiddenschooldomain?

    And just so i can see and evaluate the option you suggested, how would I format the A record entry you mentioned?

    Thanks a lot!



  • @dcnieho said in DNS resolver: SRV record for _vlmcs._tcp:

    I tried adding the A record, but some reading told me i need an IP address on the right side, not a FQDN.

    OK, then you use a CNAME record instead of an A record. A CNAME is an alias to an existing FQDN. A records point to an IP address.

    I wonder what is the problem i really solved here?

    You need to ask the right server to get correct information.

    Can i instead configure the DNS resolver to rewrite _VLMCS._TCP.DigiClassroom in any query to _VLMCS._TCP.hiddenschooldomain?

    Bind might have some funky voodoo handler for something like this but I don't think Unbound does.

    You can add host overrides so that you can give a specific custom response to the lookup of a particular host.

    You can add a domain override so that any queries about *.hiddenschooldomain get forwarded to another DNS to respond to.


Log in to reply