Netgate Discussion Forum

    Active Directory Server and pfsense pfblockerNG

    Category: DHCP and DNS (10 posts, 4 posters)

    kjemison1966:

      Good evening,

      I am looking for articles or advice on how to configure AD / pfsense so I can utilize pfblockerNG

      AD requires a DNS server that is part of the install and located on the Windows server. My AD DNS server is on IP 192.100.50.11.

      My pfSense router is on 192.100.50.1.

      I need my local workstations to use the AD DNS of 192.100.50.11 when logging into the server (at least that is how I have always known to do it).

      But I want to have my local clients use the pfSense DNS when going outside the local network. I need this so I can use pfBlockerNG's block lists to help stop malware, ads, etc.

      Looking for help on how to configure the DNS server on the Windows box or pfSense to handle this. Any help is greatly appreciated!

      Thank you
      Kell

        kjemison1966:

        So, I need my AD DNS on my Windows box to only resolve local network names and have pfSense resolve all outside addresses. I am thinking of setting a DNS forwarder on the Windows box to point to the pfSense DNS.
        Thoughts?
        Thank you in advance
        Kell

          heper:

          Might work, might not; try it.

          Also: you should change your LAN subnet. It's invalid.

            rfahey:

            I have a similar issue:

            2 Active Directory domain controllers, pfSense box with pfBlockerNG installed/configured.

            DC1 DNS is pointing to DC2 as primary DNS, DC1 as secondary.
            DC2 DNS is DC1 primary, DC2 secondary.

            Both DCs' DNS server settings have "use root hints" disabled (I even cleared the root hints list) and point to the pfSense box as forwarder.

            By all accounts this should work, and internal DNS queries work great. DNS queries to outside the network (google.com, some malware domains from the pi-hole lists) are returning their actual IPs instead of the 10.10.10.1 of the DNSBL server.

            In a testing environment where pfSense handles both DHCP and DNS, pfBlockerNG is working perfectly.

              nodau:

              Add pfSense as a forwarding DNS on both of your DCs. This will force all non-internal traffic to pass through pfSense.

              Norman

              virtualized pfSense 2.7.2 HA-Cluster on vsphere 8

                rfahey:

                Thanks for the reply; I don't think that I explained that I have done this. Both DCs have the pfSense IP set in the forwarding tab of their DNS server settings. All other forwarders were removed and the "use root hints" box has been unchecked. I then restarted both DCs, and it still appears that the servers aren't using forwarders properly.

                I've also checked that the clients connecting have gotten the DNS settings properly from DHCP.

                  rfahey:

                  As a test I pointed a machine directly to the pfSense box for DNS and I'm still able to access a site that I think should be blocked. I'll go back to checking that pfBlockerNG is configured properly.

                    nodau:
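The test rfahey describes (is the sinkhole address visible from each resolver, and are the DCs really forwarding?) can be scripted so it is repeatable. This is an added example, not code from the thread; it assumes the DnsServer RSAT module is available, that $PfSense is the pfSense LAN address, that $Sinkhole is the pfBlockerNG DNSBL address (10.10.10.1 in the thread), and that $TestDomain is a placeholder you replace with a domain known to be on one of your enabled lists.

```powershell
# Added example (not from the thread): verify the DC -> pfSense forwarding chain
# and confirm pfBlockerNG sinkholing is visible from each hop.
# Assumed/placeholder values: adjust to your environment.
$PfSense    = '192.100.50.1'          # pfSense LAN address from the thread
$Sinkhole   = '10.10.10.1'            # DNSBL VIP from the thread
$TestDomain = 'blocked.example'       # placeholder: use a domain from your lists
$DCs        = @('DC1', 'DC2')         # placeholder DC names

# 1. Show what each DC is actually configured to do (forwarders + root hints).
foreach ($dc in $DCs) {
    $fwd = Get-DnsServerForwarder -ComputerName $dc
    [pscustomobject]@{
        DC          = $dc
        Forwarders  = ($fwd.IPAddress -join ', ')
        UseRootHint = $fwd.UseRootHint
    }
}

# 2. Resolve the test domain through every resolver in the chain and compare
#    the A records with the sinkhole address.
foreach ($server in @($PfSense) + $DCs) {
    try {
        $a = Resolve-DnsName -Name $TestDomain -Type A -Server $server `
                             -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        $answer    = $a.IPAddress -join ', '
        $sinkholed = [bool]($a.IPAddress -contains $Sinkhole)
    } catch {
        $answer    = "error: $($_.Exception.Message)"
        $sinkholed = $false
    }
    [pscustomobject]@{ Resolver = $server; Answer = $answer; Sinkholed = $sinkholed }
}
```

If pfSense itself does not return the sinkhole address, the problem is in pfBlockerNG (as rfahey went on to check); if pfSense does but a DC does not, look at that DC's forwarder path and clear its cache with Clear-DnsServerCache -ComputerName DC1 -Force before retesting.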

                    A simple tracert from the DC would have shown if pfSense is used as a forwarder 😉

                    Norman

                    virtualized pfSense 2.7.2 HA-Cluster on vsphere 8

                      rfahey:

                      Really? I thought that'll just follow the route out of the gateway. Is there an option that I'm missing?

                        nodau:

                        tracert will follow the configured DNS servers.

                        BTW, leave the root hints checked if no forwarders are available if you have a pfSense HA cluster.

                        Norman

                        virtualized pfSense 2.7.2 HA-Cluster on vsphere 8

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.