DDNS pfSense to Windows AD DNS DHCPv6

bigtfromaz

Re: DHCP on pfSense and DNS on Microsoft Server

I read the above link and see the the topic was never actually answered. I have a situation where my ISP provides me with one dynamic IPv6 64-bit prefix. I want to register all IPv4 and IPv6 host addresses in my Windows DNS server (Active Directory) and it appears I need to dynamically update in order to do that.

Before we rehash the past:

First, I can and do have the Windows machines register themselves and that is working. However, the Linux machines do not self register. Neither do Android, Apple, IoT or pfSense devices.

Second, I could use the Windows DHCP server for IPv4 but to use it for IPv6, Windows would have to be used as my router. That cannot occur because Windows Server (at least through WinServ 2016) cannot issue addresses on the LAN by tracking the WAN for the delegated prefix. Windows DHCPv6 only supports static prefixes. Either way I don't want to use Windows as a router. It's leaves a lot to be desired; not to mention the whole in the bank account. pfSense is my choice.

So...I would like to revisit this question. Is it possible to have pfSense DHCP and DHCPv6 dynamically store/update A and AAAA records to Windows DNS? If so, how? If not, can it be done with BIND, assuming BIND can sync with Active Directory?

Any thought you might have, or useful links I may have missed, would be greatly appreciated.

bmeeks

There are some ways using BIND, but none of them are really all that pretty. Google can be a great resource. Here are some links I found with a 30-second search.

• https://blog.michael.kuron-germany.de/2016/09/using-a-bind-dns-server-in-an-active-directory-environment/
• https://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/
• https://support.microsoft.com/en-us/help/255913/integrating-windows-dns-into-an-existing-dns-namespace (this one is slightly different from what you want, but you might could adapt the idea to your case)

You will probably find that Windows clients don't register their IPv6 address in DNS anyway, especially their private one. I had a totally Windows 2012 AD setup with AD providing DHCP and DNS. The IPv4 clients registered their hostname, but the IPv6 clients did not. I was even using a static IPv6 network obtained from tunnel broker Hurricane Electric.

bigtfromaz

@bmeeks Thanks for the response. To clarify, Windows clients do register both A and AAAA records. You are correct that link-local (fe80::) addresses are not registered. However, ones having the delegated prefix from Cox obtained through auto configuration, do register.

So far, there doesn't seem to be a good answer.

What if I were to create a dummy domain in pfSense DNS? I might be able to write a PowerShell script to pull A and AAAA records from the pfSense DNS server and push them into the Windows DNS server. It's kludge-like but it would be simple and less complex, basically my own dynamic update, using the dummy domain as a sync source rather than having to do something on every client.

bmeeks

What I noticed in my brief experiment with IPv6 and AD was that some of the IPv6 addresses for the client got registered, but not all. IPv6, with the privacy extensions enabled, generates several IPv6 addresses for a client (especially over time as the privacy IP changes).

I've temporarily stopped using my tunnel broker setup because it was causing issues with Netflix for my grandkids when they came to visit. Their Apple iOS devices were favoring my IPv6 addresses and Netflix blocks the Hurricane Electric IPv6 net blocks. So their cartoons and favorite shows would not play ... . Unfortunately my ISP does not currently offer native IPv6 service.

I'm not an IPv6 expert, but in my initial dealings with that technology it seems that DNS registration of clients got very little attention. Maybe that's because in the original vision of IPv6 you had an essentially endless pool of addresses to choose from and they assumed every device would get a statically assigned IPv6 address. That is not now, and probably will never be, reality. IPv6 is used by most ISPs as just IPv4 with more address space.

You can try the custom script approach. I don't see why it wouldn't work provided you can actually write to AD on the Windows side. Never have tried that myself, and be aware that by default AD DNS likes to use the secure updates setting.

bigtfromaz

I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.

It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.

Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.

I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.

bmeeks

@bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6:

I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.

It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.

Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.

I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.

Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL.

And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners.

I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.