Win 2016 DNS to PfSense DNS resolver problem



  • Dear Guys,
    I have a headache for a few days I can't find where's the problem and have no idea what to do. We have 2 sites, a main site and a remote site. Every site has a DC with DNS, the main site has the main DC with Win Server 2016 and the remote has a Server 2012 installed. As the remote site has only a few workers and the server is old there, we would like to demolish that system, so in first step I tried to set the remote site's PfSense firewall as DHCP and DNS server. There is an IpSec site-to-site VPN connection between the two sites, allowing all traffic in and out, so I had configured remote PfSense's DNS resolver with domain overrides to make it suitable to resolve .local addresses in the domain and reverse DNS as well. Any other DNS queries are forwarded directly to the ISP's DNS servers. (This kind of configuration is working fine at another customer's system for years.) In this system, it is not working. Also main site's PfSense FW and remote site's PfSense is not able to resolve names by the main site's DNS server. If I configure the remote site's DNS resolver to forward queries to the old Win 2012 DNS server at the remote site it is working, but with main site's DNS it is not. I tried main site's PfSense with this DNS, not working. I have tried many other Win 2016 servers and Win 10 client at the main site by nslookup and ping and every query was working on the main site's DNS server. It looks like it's only not working if the client is a PfSense system.

    So what I've tried in nslookup:
    DNS query to the main site's DNS from the remote site's PfSense - no servers could be reached
    DNS query to the main site's DNS from the main site's PfSense - SERVFAIL
    DNS query to the remote site's DNS from the remote site's PfSense - Works
    DNS query to the remote site's DNS from the main site's PfSense - no servers could be reached
    and DNS query to main site's DNS from the remote site's Win Server - Works

    If I try a port test for port 53 from either host to any DNS servers it is always successfull, so it's not a firewall related problem. I tried to disable Windows firewall for a quick test, nothing had changed. There's no other FW softwares installed.

    I'll try to set one of the clients DNS directly to main site's DNS to see what happens but I'm sure it can work. The only problem with this configuration that every DNS request will be forwarded through IPSec VPN, not just local queries. If I can try it on a workstation I'll update this post but it's 99,9% that it is working, the main question is why it is not through PfSense DNS forwarding?



  • PfSense version: 2.4.4-RELEASE-p2 at both side.


Log in to reply