Windows Server 2016 behind pfSense - what's the best way to do DNS?

  • On three of the networks from the pfSense box (Netgate SG-3100) I have different other things on different segments (outdoors network, Internet sharing with a few neigbours and so on). On the fourth, on 192.168.1.x, I have one indoors guest network (with a wifi router) and a Windows Server 2016 (Datacenter edition) which has the external address I use several server applications on that one, so dropping the Windows server is not an option. I know that will be suggested, so please don't bother. 😁

    On the inside of that is my private network (internal address 192.168.2.x), with around 20 devices at any given time (cell phones, Sonos speakers, laptops, a few stationary pc's for gaming and HTPC and so on). And I use RRAS for the connection to the external network and beyond. But does anybody with Windows Server experience know what the best way of doing DNS for this is? I have until now let DHCP in the Windows Server use use the server's own DNS server (the server's internal address is, but would it be better to let DHCP deal out (the pfSense box) as a DNS Server? I'm running the DNS resolver on that, not the forwarder.

  • Actually the first thing I would like to suggest is to move the networks to the SG3100 and remove the need for RRAS. The 3100 is a good router on it's own and it would simplify the network if I understand your description right (a sketch is always good)

  • LAYER 8 Global Moderator

    So your running AD, and have devices as members of your AD? Even if not, since you have windows server there up and running. I would let it be your dns and dhcp.. You can even have it do dhcp for your other segments via dhcp relay on pfsense.

    On pfsense you can setup domain override for your local domain, and reverse zones your running on your windows server. So the firewall itself can resolve any of your local devices. And then on your windows dns, just forward to pfsense for stuff its not authoritative for, and then unbound can resolve that for you.

    As to rras, yeah I would move your vpn stuff to pfsense as well as suggest by @Mats

  • @Mats, I knew that one was coming, which is why I said "dropping the Windows server is not an option. I know that will be suggested, so please don't bother." I see now that I should have written "not using the Windows server and RRAS is not an option". It's because of a proprietary company application running on the main office's server that has to have an outgoing connection from the main office through my server's IKEv2 to work.

    @johnpoz Thanks! I'll keep it on the server then.

Log in to reply