Samba4 -> pfSense DNS Resolver



  • I have implemented a small local network. I use pfSense as firewall and gateway, and I have all my servers inside a DMZ, except the domain controllers, which are on the LAN.

    LAN: 10.10.20.0/24
    DMZ: 10.10.30.0/24

    DC1: 10.10.20.2
    DC2: 10.10.20.3

    pfSense:
    LAN: 10.10.20.1
    WAN: x.x.x.x
    DMZ: 10.10.30.1

    In my local network I have 2 domain controllers with SAMBA4. I would like to find out how to configure SAMBA4 so that for all the DNS requests that my clients make to the domain controller ... if the record is not found in the DNS records of the domain controller, it then looks for it in the DNS Resolver service of pfSense.

    For example ... I configure my Windows clients to use 10.10.20.2 and 10.10.20.3 (the domain controllers) as their DNS servers.

    In the SAMBA4 DNS I do NOT have a record called xmpp.domain.tld; in the DNS Resolver of pfSense I do have a record called xmpp.domain.tld, and it points to an address in my DMZ. How could I achieve that, when my client on the LAN makes a request for xmpp.domain.tld, SAMBA4 directs that request to pfSense and responds with the IP assigned to it?


  • LAYER 8 Global Moderator

    And where do your DCs running DNS point to for DNS they are not authoritative for? Are they resolving from the roots?

    You could have them forward to pfSense, so it would resolve this domain.tld, or if they are resolving, then create a conditional forwarder, or domain override as it is called in pfSense, to point domain.tld to the pfSense IP.



  • Hello John, thank you very much for your interest in my question.

    On my domain controller:

    root@dc1:~# nano /etc/samba/smb.conf
    
    # Global parameters
    [global]
            netbios name = DC1
            realm = domain.tld
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
            workgroup = DOMAIN
            server role = active directory domain controller
            idmap_ldb:use rfc2307 = yes
            ldap server require strong auth = No
            dns forwarder = 10.10.20.1
    
    root@dc1:~# /etc/init.d/samba-ad-dc restart
    
    ping: xmpp.domain.tld: Name or service not known
    

    On pfSense:
    Services/DNS Resolver/General Settings
    Enable: true
    Network Interfaces: All
    Outgoing Network Interfaces: All
    DNS Query Forwarding: true

    Host Overrides
    Host: xmpp
    Domain: domain.tld
    IP: 10.10.30.10
    Description: XMPP Server

    When I set up my clients to use pfSense as their DNS server, it answers the queries correctly, but I really want them to use my domain controllers as their DNS server, and in case a record does not exist, to then also look in the records of the DNS Resolver in pfSense.


  • LAYER 8 Global Moderator

    @leophpx said in Samba4 -> pfSense DNS Resolver:

    dns forwarder = 10.10.20.1

    And is it asking pfSense when you query for host.domain.tld?

    You understand that quite often when you forward, if an RFC1918 address is returned it would be a rebind, so you need to make sure that your DC forwarding will return the answer to the client and not hold it back because of rebind protection.

    I am not sure what Samba4 does for DNS forwarding, I have never played with that.



  • The Samba docs say:

    https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

    dns forwarder
    
        This option specifies the list of DNS servers that DNS requests will be forwarded to if they can not be handled by Samba itself.
    
        The DNS forwarder is only used if the internal DNS server in Samba is used.
    
        Default: dns forwarder =
    
        Example: dns forwarder = 192.168.0.1
    

    So, in theory, it should work; that's exactly what I need. I will continue to document it. Thank you.


  • LAYER 8 Global Moderator

    Do a simple sniff on pfSense, then do a query to your DC for something that should be forwarded to pfSense for DNS... Do you see it?



  • Yes, the packets are arriving at pfSense when I try, for example, a ping from DC1.

    DC1:

    root@dc1:~# ping xmpp.domain.tld
    ping: xmpp.domain.tld: Name or service not known
    

    pfSense:

    Diagnostics/Packet Capture
    Host Address: 10.10.20.2
    Protocol: Any
    Packets Captured
    15:56:06.248804 IP 10.10.20.2.60725 > 10.10.20.1.53: UDP, length 51
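A mechanical way to read such a capture, added here as an example and not part of the thread: it takes tcpdump-style summary lines like the one above (the sample lines below are constructed) and lists the queries sent to the pfSense resolver on port 53 that never got a packet back to the same DC address and port. An unanswered query points at the resolver side (for instance rebind protection dropping the RFC1918 answer) rather than at Samba's forwarding.

```python
import re
from collections import OrderedDict

# One-line UDP summary as printed by pfSense Diagnostics/Packet Capture (tcpdump), e.g.
#   15:56:06.248804 IP 10.10.20.2.60725 > 10.10.20.1.53: UDP, length 51
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def unanswered_dns_queries(lines, resolver_ip, dns_port=53):
    """Return (timestamp, client_ip, client_port) for each UDP query sent to
    resolver_ip:dns_port that has no packet back to the same client ip/port."""
    pending = OrderedDict()  # (client_ip, client_port) -> timestamp of the query
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP summary line (TCP, ARP, blank); ignore it
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if dst == resolver_ip and dport == dns_port:
            pending[(src, sport)] = m["ts"]      # query arriving at the resolver
        elif src == resolver_ip and sport == dns_port:
            pending.pop((dst, dport), None)      # reply going back: query answered
    return [(ts, ip, port) for (ip, port), ts in pending.items()]


# Constructed sample capture (not from the thread): the DC's first query gets no
# reply, the second one is answered by pfSense.
SAMPLE_CAPTURE = """\
15:56:06.248804 IP 10.10.20.2.60725 > 10.10.20.1.53: UDP, length 51
15:56:11.102311 IP 10.10.20.2.41022 > 10.10.20.1.53: UDP, length 51
15:56:11.103950 IP 10.10.20.1.53 > 10.10.20.2.41022: UDP, length 67
"""

if __name__ == "__main__":
    for ts, ip, port in unanswered_dns_queries(SAMPLE_CAPTURE.splitlines(), "10.10.20.1"):
        print(f"{ts}: no reply from the resolver to {ip}:{port}")
```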

