Netgate Discussion Forum

    Resolver forwarding config question

    Category: DHCP and DNS
    10 Posts 2 Posters 1.0k Views
    bruor:

      Customer has a network configuration where AD uses the public domain name.

      Is there any way to configure unbound so that it will attempt to forward queries for records within the domain to the AD DNS servers first, and if those fail to resolve, fall back to public DNS so there is no need to maintain the public DNS entries in AD DNS as well?

    KOM:

        You could add a domain override to unbound for your company domain and point it to your AD DNS.

    bruor:

          Doesn't address the question I'm afraid but thanks for trying.

          I basically want to do prioritized overrides. If first fails, attempt the second, for the same domain.

    KOM:

            Sorry, I misunderstood you. The default behaviour for forwarded DNS is to query all servers listed under General Setup - DNS Servers and then cache the first valid response. Under your scenario, as long as you have your AD servers listed there along with some public ones, then any failed lookups from your AD server would be ignored and the reply from public servers would be used.

            Is that not what you're seeing?

    bruor (replying to KOM):

              @KOM I haven't tested it yet because I need to set up a similar test environment to do so. What happens when a conflicting record exists?

              AD returns 192.168.x.x but public returns 47.x.x.x

    KOM:

                First reply wins, I believe. However, your AD DNS shouldn't have any concept of the 47.x.x.x IP so there should never be such a conflict.

    bruor:

                  Sounds like there's not an elegant way to handle split DNS unless I host the internal records on unbound using local data entries. Or using an entirely separate domain for AD.

    Your suggestion doesn't hold true for the following case:
    the client is inside the network with AD; no NAT reflection is set up. pfSense is the gateway on the network running the resolver.

                  Client attempts to connect to www.domain.com, querying unbound.

                  Unbound on pfsense has 2 domain overrides for domain.com. One that points to AD, one that points to Google where public DNS is hosted.

                  Unbound on pfsense should ideally favor AD to pull the "local" entry for the domain, if it doesn't exist it should return the public one that was found. If it returns the public IP address, the local client connection to www.domain.com will fail.

    KOM:
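The split-DNS layout bruor describes (internal names served from unbound's own local data, everything else for the domain forwarded to AD) looks like the following in unbound.conf terms. This is an added example, not configuration from the original thread or from pfSense; it assumes the AD domain is example.com (standing in for "domain.com"), that the AD DNS servers are 192.168.10.5 and 192.168.10.6, and that www and mail are the hosts that must resolve to internal addresses. All of those values are constructed. The pfSense GUI equivalents are a Domain Override for the forward-zone and Host Overrides for the local-data lines (an assumption about how pfSense renders them; check the generated /var/unbound/unbound.conf on the box).

```conf
# Added example of a split-horizon unbound setup for an AD domain that is
# also the public domain. Not from the original post or from pfSense.
# Constructed values: example.com, 192.168.10.5/.6 (AD DNS), 192.168.10.20/.21.
server:
    # Names that must resolve to internal addresses are answered by unbound
    # itself, before any forwarding happens. "transparent" is the important
    # part: names under example.com with NO local-data entry fall through to
    # normal resolution (here: the forward-zone below) instead of NXDOMAIN.
    # Note that a query for a listed name but an unlisted type (e.g. AAAA for
    # www) gets a NOERROR/NODATA answer; use "typetransparent" if such
    # queries should be forwarded as well.
    local-zone: "example.com." transparent
    local-data: "www.example.com.  300 IN A 192.168.10.20"
    local-data: "mail.example.com. 300 IN A 192.168.10.21"
    # Reverse entries so PTR lookups for the internal hosts also work
    local-data-ptr: "192.168.10.20 300 www.example.com."
    local-data-ptr: "192.168.10.21 300 mail.example.com."

    # AD returns RFC 1918 addresses. If private-address is configured for
    # those ranges (pfSense's generated config does this; assumption), unbound
    # strips them from forwarded answers as DNS rebinding protection unless the
    # domain is listed here.
    private-domain: "example.com."

    # If DNSSEC validation is enabled and the public example.com zone is
    # signed, unsigned answers from AD for the forwarded zone would fail
    # validation (BOGUS). Mark the zone insecure so the forwarded answers are
    # accepted.
    domain-insecure: "example.com."

# Everything else under example.com (domain controller names, _ldap._tcp and
# _kerberos._tcp SRV records, and so on) goes to the domain controllers.
forward-zone:
    name: "example.com."
    forward-addr: 192.168.10.5
    forward-addr: 192.168.10.6
    # Caveat for the original question: forward-first only falls back to
    # normal recursion when the forwarders FAIL (no reply or SERVFAIL).
    # An NXDOMAIN from AD is a valid answer and is returned as-is, so this
    # does not give "ask AD first, then public DNS for names AD lacks".
    forward-first: yes
```

Once the file is in place, `unbound-checkconf` validates the syntax, and `dig @127.0.0.1 www.example.com A` from the pfSense shell should return 192.168.10.20 while `dig @127.0.0.1 dc1.example.com A` (or an SRV lookup for `_ldap._tcp.example.com`) is answered by the domain controllers. Public names for the domain that AD does not know still come back NXDOMAIN from AD, which is why the local-data entries, rather than a second override, are what makes a name like www resolve correctly from inside.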

                    The ideal way to do it is to use pfSense as a forwarder only that forwards to your AD server, which in turn will resolve for your domain and then forward again up the line to either your ISP, or some 3rd-party DNS if required. Then there is never any overlap.

    bruor:

                      Yeah, if only AD could fathom the idea that it wasn't authoritative for the AD domain I might be able to convince it to escalate 😂

    KOM:

                        I suppose that's why it's always recommended to not use your public domain for AD.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.