Unbound DNS / Secondary DNS Zone for AD!!

    I've seen a lot of threads on the topic but nothing screamed "ah ha".

    I want to have pfSense maintain (via zone transfers) a copy of the Active Directory DNS zone for company.local. My thought would be to do this within the native unbound? I realize it won't do Kerberos or the Dynamic DNS updates. All I want is for it to keep a copy of the current AD DNS zone and have it used as a secondary DNS should the DC be down for whatever reason. At least we'd get Internet and some core services that do not rely on AD.

    Can anyone point me in the direction of the unbound/pfSense side of things to set up a secondary DNS zone? I know how to do the Windows side of things within DNS, and what to update in DHCP.

    Alternatively I could add some overrides for core services, but that would be static; I'd prefer dynamic (zone transfers).

  • From what I can determine via online research, Unbound (the native DNS resolver in pfSense) does not support being configured as a secondary DNS server that receives zone transfers (in your case that would mean receiving zone transfers from the AD DNS box). So what you want to do can't be done on pfSense unless you disable Unbound and perhaps install the bind package and configure it as a secondary. You then can enable "bind secondaries support" on the AD DNS side.
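  As an added illustration (not posted by anyone in this thread), this is the raw BIND configuration the reply's approach amounts to: the pfSense bind package generates something equivalent from its GUI, so field names there may differ. The addresses are constructed placeholders: 192.0.2.10 is the AD domain controller that owns the zone, 192.0.2.1 is the pfSense box, and 192.0.2.0/24 is the LAN.

```conf
// Added example, not from the thread: BIND on pfSense holding a read-only copy
// of the AD zone, pulled from the DC by zone transfer (AXFR/IXFR).
// Constructed placeholders: 192.0.2.10 = AD DC/DNS, 192.0.2.1 = pfSense, 192.0.2.0/24 = LAN.
options {
    directory "/etc/namedb";
    listen-on { 192.0.2.1; };
    recursion yes;                       // LAN clients still resolve Internet names here
    allow-recursion { 192.0.2.0/24; };   // keep the resolver off the open Internet
    allow-transfer { none; };            // nobody may pull zones from pfSense itself
};

// Secondary (read-only) copy of the AD-integrated zone.
// BIND 9.16+ also accepts "type secondary;" and "primaries { ... };".
zone "company.local" {
    type slave;
    masters { 192.0.2.10; };             // the DC; it must permit transfers to 192.0.2.1
    file "slave/company.local.db";       // transferred copy survives a BIND restart
    allow-transfer { none; };
    allow-update { none; };              // dynamic (GSS-TSIG) updates stay on the DC
    notify no;
};

// AD normally keeps the forest-wide _msdcs records in a separate zone;
// transfer it too if the copy should carry the full set of SRV records.
zone "_msdcs.company.local" {
    type slave;
    masters { 192.0.2.10; };
    file "slave/_msdcs.company.local.db";
    allow-transfer { none; };
    allow-update { none; };
    notify no;
};
```

  On the Windows side, the same permission the reply describes can be set from an elevated prompt with `dnscmd /ZoneResetSecondaries company.local /SecureList 192.0.2.1 /NotifyList 192.0.2.1` (repeat for `_msdcs.company.local`) together with `dnscmd /Config /BindSecondaries 1`; restricting the transfer list to the pfSense address matters because Windows DNS controls zone transfers by source IP only, and an unrestricted list would hand the whole internal host inventory to anyone on the network. On pfSense, `rndc retransfer company.local` followed by `dig @192.0.2.1 company.local SOA` confirms the serial matches the DC's copy.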

