DNS Dynamic Host Updates in Resolver/Forwarder?



  • pfSense is my DHCP and local DNS server. On my LAN: a variety of Windoze, Linux, etc. boxen.
    (I transferred from using fancy DD-WRT router for everything... it worked but was overloaded.)
    I run my LAN as a private subnet of one of my publicly known domains. Let's say sub.example.com

    An issue I can't resolve: all Windows boxes attempt to perform DNS Dynamic Updates on renewal of DHCP (you can force using "ipconfig /registerdns")... and it always fails with pfSense Forwarder/Resolver.

    My diagnostic skills are very limited in DNS, but here's what I see so far (Wireshark is your friend ;) )

    • Windows seeks SOA for sub.example.com from pfSense
      -> This always returns nothing from pfSense... i.e. success but blank, NOT authoritative
    • Then it seeks SOA for example.com -- which succeeds (i.e. it gets the external public primary DNS server of the domain)
    • Then it seeks to do a DNS Dynamic Update to the DNS server for example.com -- which of course fails, as these are private addresses on my local LAN

    Assuming the above is true/real, I can simplify this: in pfSense, "dig SOA sub.example.com" -- always returns blank, not authoritative.

    QUESTIONS

    1. How do I fix this?
    2. Can either the Forwarder (dnsmasq) or Resolver (unbound) be configured as authoritative, updateable, DNS server for a local subnet?

    I would have thought this would be a very common, basic thing... yet lots of googling finds zero information at all.

    HELP!!! :-D


  • AFAIK no, both are only recursive, you need the bind package



  • After a bunch of googling:

    • unbound is not ever authoritative
    • dnsmasq CAN be authoritative. I'm working on it...
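
As an added illustration (not code from the thread, pfSense, dnsmasq or unbound) of the lookup sequence the first post captured in Wireshark, and of what changes once the local server is authoritative for the subdomain as the last post proposes: the script below builds and parses DNS SOA queries in wire format and reproduces the "walk up" a Windows DHCP client performs to find the server it will send its dynamic update to. It stops at the first zone that returns an SOA record and reports that record's MNAME together with the `aa` (authoritative answer) flag, which is what `dig SOA sub.example.com` shows as missing. The two resolver stand-ins, the host name `pc1.sub.example.com` and the server names `ns1.example.com` and `pfsense.sub.example.com` are constructed for the example.

```python
import struct

# Added example: minimal DNS wire-format builder/parser plus the SOA "walk up" a
# Windows DHCP client performs before an RFC 2136 dynamic update. The resolver
# stand-ins and every name below are constructed, not taken from a real network.

QTYPE_SOA = 6
QCLASS_IN = 1
FLAG_AA = 0x0400          # "authoritative answer" bit in the DNS header flags


def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_soa_query(zone, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def build_soa_response(query, mname=None, authoritative=False):
    """Constructed responder: NOERROR, echo the question, optional SOA answer."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (FLAG_AA if authoritative else 0)         # QR, RD, RA (+AA)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if mname else 0, 0, 0) + question
    if mname:
        rdata = (encode_name(mname) + encode_name("hostmaster." + mname)
                 + struct.pack("!IIIII", 1, 3600, 900, 604800, 3600))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg


def parse_soa_response(msg):
    """Return (aa flag set?, MNAME of the first SOA answer or None)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    mname = None
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_SOA and mname is None:
            mname, _ = decode_name(msg, offset)
        offset += rdlen
    return bool(flags & FLAG_AA), mname


def find_update_target(fqdn, resolver):
    """Walk up from the host name, querying SOA for each candidate zone, and stop at
    the first zone that returns an SOA record: its MNAME is where the client will
    send the dynamic update. Returns (zone, mname, aa_flag) or None."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        aa, mname = parse_soa_response(resolver(build_soa_query(zone)))
        if mname:
            return zone, mname, aa
    return None


def forwarder_only_resolver(query):
    """Stand-in for the poster's setup: the private zone has no SOA at all and the
    parent's SOA comes back from the public DNS (non-authoritative, public MNAME)."""
    zone, _ = decode_name(query, 12)
    if zone == "example.com":
        return build_soa_response(query, mname="ns1.example.com")
    return build_soa_response(query)


def authoritative_local_resolver(query):
    """Stand-in for a local server that is authoritative for the private zone."""
    zone, _ = decode_name(query, 12)
    if zone == "sub.example.com":
        return build_soa_response(query, mname="pfsense.sub.example.com", authoritative=True)
    if zone == "example.com":
        return build_soa_response(query, mname="ns1.example.com")
    return build_soa_response(query)


if __name__ == "__main__":
    for label, resolver in (("forwarder only", forwarder_only_resolver),
                            ("authoritative local", authoritative_local_resolver)):
        print(label, "->", find_update_target("pc1.sub.example.com", resolver))
```

With the forwarder-only stand-in the walk skips `sub.example.com` (no SOA, no `aa`) and lands on the public `ns1.example.com`, which is exactly the failing update seen in the capture; with the authoritative stand-in it stops at `sub.example.com` and targets the local server. One caveat for the dnsmasq route: its authoritative mode answers from its own DHCP leases and does not implement RFC 2136, so the client's update message itself is still not accepted even though the name resolves locally.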