Resolver forwarding config question

  • Customer has a network configuration where AD uses the public domain name.

    Is there any way to configure unbound so that it will attempt to forward queries for records within the domain to the AD DNS servers first, and if those fail to resolve, fall back to public DNS so there is no need to maintain the public DNS entries in AD DNS as well?

  • You could add a domain override to unbound for your company domain and point it to your AD DNS.

  • Doesn't address the question I'm afraid but thanks for trying.

    I basically want to do prioritized overrides. If first fails, attempt the second, for the same domain.

  • Sorry, I misunderstood you. The default behaviour for forwarded DNS is to query all servers listed under General Setup - DNS Servers and then cache the first valid response. Under your scenario, as long as you have your AD servers listed there along with some public ones, then any failed lookups from your AD server would be ignored and the reply from public servers would be used.

    Is that not what you're seeing?

  • @KOM I haven't tested it yet because I need to set up a similar test environment to do so. What happens when a conflicting record exists?

    AD returns 192.168.x.x but public returns 47.x.x.x

  • First reply wins, I believe. However, your AD DNS shouldn't have any concept of the 47.x.x.x IP so there should never be such a conflict.

  • Sounds like there's not an elegant way to handle split DNS unless I host the internal records on unbound using local data entries. Or using an entirely separate domain for AD.

    Your suggestion doesn't hold true for this following case:
client is inside the network with AD; no NAT reflection is set up. pfSense is the gateway on the network running the resolver.

    Client attempts to connect to, querying unbound.

    Unbound on pfsense has 2 domain overrides for One that points to AD, one that points to Google where public DNS is hosted.

    Unbound on pfsense should ideally favor AD to pull the "local" entry for the domain, if it doesn't exist it should return the public one that was found. If it returns the public IP address, the local client connection to will fail.
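The two mechanisms discussed above (a domain override, i.e. an unbound forward-zone, and local data entries) can be combined so that the handful of names that must resolve to private addresses are answered by unbound itself and everything else in the domain goes to AD. The following unbound.conf fragment is an added illustration, not configuration from the thread or from pfSense; the domain name and all IP addresses are placeholders.

```conf
server:
    # Constructed example. "example.com." stands in for the customer's AD/public domain;
    # 192.168.10.x addresses are placeholders.

    # typetransparent: a name with local-data is answered from here; a name or record type
    # without local-data is resolved normally (which, below, means forwarded to AD).
    local-zone: "example.com." typetransparent
    local-data: "fs01.example.com. 300 IN A 192.168.10.5"
    local-data: "mail.example.com. 300 IN A 192.168.10.6"

    # If DNS rebinding protection (private-address) is enabled, private-domain is
    # required or unbound will strip RFC1918 answers that AD returns for this domain.
    private-domain: "example.com."

forward-zone:
    # Everything else under the domain goes to the AD DNS servers; this is what a
    # pfSense "domain override" generates.
    name: "example.com."
    forward-addr: 192.168.10.2
    forward-addr: 192.168.10.3
    # forward-first only falls back to normal recursion when the forwarders fail
    # (unreachable or SERVFAIL), not when AD answers NXDOMAIN for a public-only name.
    forward-first: yes
```

Because AD answers authoritatively for the domain, an NXDOMAIN from it is a final answer to unbound, so names that exist only in public DNS still have to be present either in AD or as local-data; this fragment removes the race between forwarders but does not give the "try AD, then fall back to public on NXDOMAIN" behaviour asked for in the opening post.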

  • The ideal way to do it is to use pfSense as a forwarder only that forwards to your AD server, which in turn will resolve for your domain and then forward again up the line to either your ISP, or some 3rd-party DNS if required. Then there is never any overlap.

  • Yeah, if only AD could fathom the idea that it wasn't authoritative for the AD domain I might be able to convince it to escalate 😂

  • I suppose that's why it's always recommended to not use your public domain for AD.
