Netgate Discussion Forum

    DNS resolver: SRV record for _vlmcs._tcp

    General pfSense Questions
    7 Posts 3 Posters 6.6k Views
    dcnieho

      Warning: newbie here. I am setting up a private network where clients have access to only some parts of the wider institution's network. The (Windows) clients behind the (up to date) pfSense need to be able to volume activate through KMS. I do not want to hardcode the KMS IP address on my clients, nor do I want to hardcode it in an SRV record on the pfSense if I don't have to.

      My institution properly published an SRV record: nslookup -type=srv _vlmcs._tcp returns the correct info on a machine directly connected to the institution's net. When I execute the same command on an almost-default pfSense config from a client which gets its IP from the DHCP server on the pfSense, I get:

      C:\>nslookup -type=srv _vlmcs._tcp
      Server:  pfSense.DigiClassroom
      Address:  192.168.1.30 (note: correct gateway IP)
      *** pfSense.DigiClassroom can't find _vlmcs._tcp: Non-existent domain
      

      I have two questions:

      1. How do I forward or copy this SRV record available on the WAN port side and expose it to clients on the LAN? I don't care if I use DNS resolver (currently) or DNS forwarder. I do not understand this non-existent domain error.
      2. I'll also have to make sure that the firewall actually lets the clients reach the institution's KMS server. Can I pull the destination FQDN from the SRV record somehow when making the rule, or do I have to resort to hardcoding there?

      Possibly relevant ipconfig output:

      Ethernet adapter Local Area Connection:
      
         Connection-specific DNS Suffix  . : DigiClassroom
         Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
         Physical Address. . . . . . . . . : 94-DE-80-A5-95-2C
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Lease Obtained. . . . . . . . . . : Tuesday, December 11, 2018 4:31:24 PM
         Lease Expires . . . . . . . . . . : Tuesday, December 11, 2018 6:31:25 PM
         Default Gateway . . . . . . . . . : 192.168.1.30
         DHCP Server . . . . . . . . . . . : 192.168.1.30
         DNS Servers . . . . . . . . . . . : 192.168.1.30
         NetBIOS over Tcpip. . . . . . . . : Enabled
      

      Thanks!

        KOM

        1. By default, pfSense runs DNS in resolver mode which means it resolves by asking the root DNS servers who the authoritative host is for that domain and then querying it. You either need to add a host override to pfSense DNS, or you need a forwarder that forwards DNS to your UNI DNS.

        2. You already know the address of the KMS server, _vlmcs._tcp.yourdomain. Use that with a firewall rule to allow access.

          dcnieho

          Thanks a lot! Your answer to 2 shows how little I know about this topic; I didn't quite realize that _vlmcs._tcp.yourdomain is a resolvable address in itself.

          So for 1, the problem is that a domain gets appended to _vlmcs._tcp, my domain, but this address doesn't exist in my own domain? I'll check in the logs. So I can add a host override from _vlmcs._tcp.mydomain to _vlmcs._tcp.correctdomain? That would be a nice solution. I have tried to use the DNS forwarder (default settings) instead of the DNS resolver, but that didn't help (guess the request itself is still for an address in the wrong domain?).

          Thanks a lot again, I'm glad to learn as well.

            KOM

            @dcnieho said in DNS resolver: SRV record for _vlmcs._tcp:

            but this address doesn't exist in my own domain?

            It doesn't exist in your DNS since you are running Unbound in resolver mode. A host override would fix that with one single entry, but you would have to keep tabs on it and change it every time the school did. Granted, they shouldn't be changing their KMS server on a regular basis.

            Basically, John knows who Sue is but Frank doesn't. You keep asking Frank and Frank doesn't know. You need to either ask John (use school DNS instead of pfSense), or you need to ask Frank to ask John (use pfSense DNS in forwarder mode), or you need to tell Frank what to say when anyone asks him about Sue (Add pfSense host override).

            So i can add a host override from _vlmcs._tcp.mydomain to _vlmcs._tcp.correctdomain?

            Close. You add _vlmcs._tcp as an A record for your yourdomain DNS zone.

              dcnieho

              Hi KOM,

              Thanks for the simple explanation. That made sense.

              I tried adding the A record, but some reading told me I need an IP address on the right side, not a FQDN. I prefer not to go that far in hardcoding the KMS host.

              So I queried the SRV record with a machine directly connected to upstream, and added the following in the custom options field of the pfSense DNS resolver, copying what my SRV lookup returned.

              server:
              local-data: "_VLMCS._TCP.DigiClassroom 3600 IN SRV 0 0 1688 wmgm003.hiddenschooldomain."
              

              That works; the client can now reach KMS and activate.

              As I can't say I know what I am doing really, is this the right solution? Note it was critical to add .DigiClassroom to the SRV record (the LAN domain/DNS suffix).

              I wonder what is the problem I really solved here? I guess it's that querying the .DigiClassroom for that record was never going to work unless I added it manually. Can I instead configure the DNS resolver to rewrite _VLMCS._TCP.DigiClassroom in any query to _VLMCS._TCP.hiddenschooldomain?

              And just so i can see and evaluate the option you suggested, how would I format the A record entry you mentioned?

              Thanks a lot!

                KOM

                @dcnieho said in DNS resolver: SRV record for _vlmcs._tcp:

                I tried adding the A record, but some reading told me i need an IP address on the right side, not a FQDN.

                OK, then you use a CNAME record instead of an A record. A CNAME is an alias to an existing FQDN. A records point to an IP address.

                I wonder what is the problem i really solved here?

                You need to ask the right server to get correct information.

                Can i instead configure the DNS resolver to rewrite _VLMCS._TCP.DigiClassroom in any query to _VLMCS._TCP.hiddenschooldomain?

                Bind might have some funky voodoo handler for something like this but I don't think Unbound does.

                You can add host overrides so that you can give a specific custom response to the lookup of a particular host.

                You can add a domain override so that any queries about *.hiddenschooldomain get forwarded to another DNS to respond to.

                  Leon Straathof @KOM

                  @KOM The other record types make it resolvable, but the record type is wrong for automatic KMS activation. So I did add the custom option as well to get the correct record type.

                  So i did the following:

                  server:
                  local-data: "_VLMCS._TCP 3600 IN SRV 0 0 1688 kms.dmz.ls.lan"
                  local-data: "_VLMCS._TCP.ls.lan 3600 IN SRV 0 0 1688 kms.dmz.ls.lan"
                  local-data: "_VLMCS._TCP.dmz.ls.lan 3600 IN SRV 0 0 1688 kms.dmz.ls.lan"

                  The first line is to make sure custom lines don't break the DNS resolver. I have 2 networks, one (LAN) with the domain name ls.lan and the other (DMZ) with the name dmz.ls.lan; I want machines to be able to activate from both networks. The firewall between both networks is one-way traffic only, from LAN to DMZ, not the other way around.

                  So the first local-data line is to make sure machines can activate when they are not aware of which network they are in. The other 2 are for the machines that do know that.

                  On Windows machines you can test with nslookup if everything is set up correctly.
                  In my case all 3 return a service record.
                  nslookup -type=srv _vlmcs._tcp
                  nslookup -type=srv _vlmcs._tcp.ls.lan
                  nslookup -type=srv _vlmcs._tcp.dmz.ls.lan

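The two custom-options snippets above (dcnieho's single _VLMCS._TCP.DigiClassroom line and Leon's three-line variant) follow one pattern: one Unbound local-data SRV entry per name a client might actually query. The script below, added here as an example and not code from the thread or from pfSense/Unbound, generates those lines for a list of DNS suffixes, parses them back with the same syntax Unbound expects, and checks which query names would get an SRV answer on port 1688 and which would still come back as "Non-existent domain". Hostnames (kms.dmz.ls.lan, ls.lan, dmz.ls.lan) are the constructed ones from the thread.

```python
# Added example, not from the forum thread: generate, parse and check the
# Unbound local-data SRV lines for _vlmcs._tcp. All names are constructed.
import re

KMS_PORT = 1688  # port the thread's SRV records point at

# One Unbound local-data line carrying SRV RDATA: prio weight port target
LOCAL_DATA_RE = re.compile(
    r'^local-data:\s*"(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+'
    r'(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)"$')

def srv_local_data(target, suffixes, port=KMS_PORT, ttl=3600):
    """Return local-data lines: the bare _vlmcs._tcp plus one per DNS suffix.
    The bare entry answers queries that carry no suffix; the suffixed ones
    answer clients that append their own suffix (the _vlmcs._tcp.DigiClassroom case)."""
    fqdn = target.rstrip('.') + '.'  # SRV targets must be fully qualified
    names = ['_vlmcs._tcp'] + ['_vlmcs._tcp.' + s.strip('.') for s in suffixes]
    return [f'local-data: "{n} {ttl} IN SRV 0 0 {port} {fqdn}"' for n in names]

def parse_local_data(line):
    """Parse one local-data SRV line; ValueError on a line Unbound would reject."""
    m = LOCAL_DATA_RE.match(line.strip())
    if not m:
        raise ValueError(f'malformed local-data SRV line: {line!r}')
    rec = m.groupdict()
    for key in ('ttl', 'prio', 'weight', 'port'):
        rec[key] = int(rec[key])
    if not 0 < rec['port'] < 65536:
        raise ValueError(f'port out of range: {rec["port"]}')
    return rec

def build_zone(lines):
    """Index records by owner name; DNS names are case-insensitive, so lowercase."""
    zone = {}
    for line in lines:
        rec = parse_local_data(line)
        zone[rec['name'].lower().rstrip('.')] = rec
    return zone

def check_srv(zone, qname, port=KMS_PORT):
    """Target a client would get for qname, or None (the 'Non-existent domain' case)."""
    rec = zone.get(qname.lower().rstrip('.'))
    if rec is None or rec['port'] != port:
        return None
    return rec['target']

if __name__ == '__main__':
    zone = build_zone(srv_local_data('kms.dmz.ls.lan', ['ls.lan', 'dmz.ls.lan']))
    for q in ('_vlmcs._tcp', '_VLMCS._TCP.ls.lan', '_vlmcs._tcp.DigiClassroom'):
        print(q, '->', check_srv(zone, q))
```

The last query shows why dcnieho's first attempt failed: a suffix the resolver has no entry for yields no SRV answer at all, regardless of what the upstream zone publishes.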