Netgate Discussion Forum
    Windows Server 2016 behind pfSense - what's the best way to do DNS?

Mastiff

On three of the networks from the pfSense box (Netgate SG-3100) I have different other things on different segments (outdoors network, Internet sharing with a few neighbours and so on). On the fourth, on 192.168.1.x, I have one indoors guest network (with a wifi router) and a Windows Server 2016 (Datacenter edition) which has the external address 192.168.1.4. I use several server applications on that one, so dropping the Windows server is not an option. I know that will be suggested, so please don't bother. 😁

On the inside of that is my private network (internal address 192.168.2.x), with around 20 devices at any given time (cell phones, Sonos speakers, laptops, a few stationary PCs for gaming and HTPC and so on). And I use RRAS for the connection to the external network and beyond. But does anybody with Windows Server experience know what the best way of doing DNS for this is? I have until now let DHCP in the Windows Server use the server's own DNS server (the server's internal address is 192.168.2.1), but would it be better to let DHCP deal out 192.168.1.1 (the pfSense box) as a DNS server? I'm running the DNS Resolver on that, not the Forwarder.

Mats

Actually the first thing I would like to suggest is to move the networks to the SG-3100 and remove the need for RRAS. The 3100 is a good router on its own and it would simplify the network, if I understand your description right (a sketch is always good).

johnpoz (LAYER 8 Global Moderator)

So you're running AD, and have devices as members of your AD? Even if not, since you have a Windows server there up and running, I would let it be your DNS and DHCP. You can even have it do DHCP for your other segments via DHCP relay on pfSense.

On pfSense you can set up a domain override for your local domain, and for the reverse zones you're running on your Windows server. So the firewall itself can resolve any of your local devices. And then on your Windows DNS, just forward to pfSense for stuff it's not authoritative for, and then Unbound can resolve that for you.

As to RRAS, yeah, I would move your VPN stuff to pfSense as well, as suggested by @Mats.


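The split-resolution layout johnpoz describes, written out as an added example (not something posted in the thread or shipped by Netgate). It uses the addresses from the first post: pfSense LAN at 192.168.1.1, the Windows server's outside interface at 192.168.1.4 and its inside interface at 192.168.2.1 serving the 192.168.2.0/24 scope. The local domain name `home.lan` is a placeholder I am assuming; substitute the server's real AD or local zone. The Windows half is done in PowerShell on the server; the pfSense half is two Domain Override entries under Services > DNS Resolver > General Settings, both pointing at 192.168.1.4: one for `home.lan` and one for `2.168.192.in-addr.arpa`. Because the forwarded queries leave the server from 192.168.1.4, which sits on the pfSense LAN, Unbound's default access list already accepts them; only hosts on 192.168.2.x that query pfSense directly would need an extra Access List entry (and a route back).

```powershell
# Added example, not from the thread. Assumed addresses (from the first post):
#   pfSense LAN (Unbound)                  192.168.1.1
#   Windows Server 2016, outside (RRAS)    192.168.1.4
#   Windows Server 2016, inside DNS/DHCP   192.168.2.1, scope 192.168.2.0/24
# "home.lan" is a placeholder for the server's authoritative zone.
# Run elevated on the server; DnsServer/DhcpServer modules come with the roles.

$PfSense      = '192.168.1.1'
$ServerInside = '192.168.2.1'
$InsideScope  = '192.168.2.0'
$LocalDomain  = 'home.lan'                  # assumption: replace with the real zone
$ReverseZone  = '2.168.192.in-addr.arpa'    # reverse zone for 192.168.2.0/24

# 1. The server must be authoritative for both zones that pfSense will be told
#    to override; the forward zone usually exists already, the reverse one often not.
#    (For an AD-integrated zone use -ReplicationScope Domain instead of -ZoneFile.)
if (-not (Get-DnsServerZone -Name $LocalDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $LocalDomain -ZoneFile "$LocalDomain.dns" `
        -DynamicUpdate NonsecureAndSecure
}
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId "$InsideScope/24" -ZoneFile "$ReverseZone.dns" `
        -DynamicUpdate NonsecureAndSecure
}

# 2. Forward everything the server is not authoritative for to Unbound on pfSense.
#    -IPAddress replaces the whole forwarder list; disabling root hints keeps the
#    resolution path at exactly one hop, so a dead forwarder fails visibly instead
#    of silently going straight to the roots.
Set-DnsServerForwarder -IPAddress $PfSense -UseRootHint $false -Timeout 3
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 3. Inside clients keep getting the Windows server as their DNS server via DHCP
#    (option 6 = DNS servers, option 15 = search domain, option 3 = router).
Set-DhcpServerv4OptionValue -ScopeId $InsideScope -DnsServer $ServerInside `
    -DnsDomain $LocalDomain -Router $ServerInside

# 4. Verification from the server itself.
#    a) An external name should come back through Unbound (server -> pfSense).
Resolve-DnsName -Name www.netgate.com -Type A -Server $ServerInside

#    b) pfSense should answer a local name via the home.lan Domain Override.
#       Until that override exists, this returns "DNS name does not exist".
Resolve-DnsName -Name "$env:COMPUTERNAME.$LocalDomain" -Type A -Server $PfSense

#    c) Same for a reverse lookup via the 2.168.192.in-addr.arpa override.
Resolve-DnsName -Name $ServerInside -Type PTR -Server $PfSense
```

There is no forwarding loop here: `home.lan` and the reverse zone are authoritative on the Windows server, so it answers them locally and never forwards them back to pfSense, while pfSense hands those two zones to 192.168.1.4 and resolves everything else itself.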
Mastiff

            @Mats, I knew that one was coming, which is why I said "dropping the Windows server is not an option. I know that will be suggested, so please don't bother." I see now that I should have written "not using the Windows server and RRAS is not an option". It's because of a proprietary company application running on the main office's server that has to have an outgoing connection from the main office through my server's IKEv2 to work.

            @johnpoz Thanks! I'll keep it on the server then.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.