Netgate Discussion Forum
    dns replication between pfsense and windows server

    • jmriviere

      Hi,
      I'm using pfSense 2.4.5-RELEASE-p1.
      My pfSense is the primary DNS server for my Active Directory.
      I'm wondering if it is possible to replicate the DNS zone from pfSense to a Windows server?
      Can anyone help me?
      Thanks in advance

      • johnpoz LAYER 8 Global Moderator @jmriviere

        @jmriviere said in dns replication between pfsense and windows server:

        my pfsense is the primary dns server for my active directory.

        Why? If you're an AD shop, use your MS server as your DNS.. If you want that to forward to pfSense to resolve stuff that is located there, OK, or for it to resolve the internet, sure.

        But for what reason would you not run DNS and DHCP on your AD servers? Really makes no sense to me at all to run such a setup.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • jmriviere @johnpoz

          @johnpoz
          Hi, this is the configuration of my company: DNS and DHCP on the pfSense. So every time you want to add a PC to the domain I need to change the DNS setting to point to the DC, then switch to the pfSense; this is the problem. So I would like to replicate the zone between pfSense and the Windows server.
          Thank you

          • johnpoz LAYER 8 Global Moderator @jmriviere

            Whose brilliant idea was that? When you have a DNS and DHCP server right there on your AD.. Just boggles the mind...

            If you insist on pointing clients to pfSense for DNS - then just set up a domain override on pfSense for your AD domain(s)..

            There is no reason to sync anything.. But it would be possible to do zone transfers with BIND and MS DNS.. Unbound is not going to do zone transfers, since it is not meant to be an authoritative NS.

            • jmriviere @johnpoz

              @johnpoz
              We already did these operations. So do you have an idea to work around the integration on the domain?
              Because like I said, the configured DNS for the client points to the pfSense instead of the DC.
              Thanks

              • SteveITS Galactic Empire @jmriviere

                Agreed, your network should have turned off DHCP on the pfSense and used the domain's. Hindsight, I guess.

                I think it will work if you configure a "Domain Override" in the DNS Resolver settings and point that to the Windows Server's IP. Then pfSense will forward queries for that zone there.

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                • jmriviere @SteveITS

                  @teamits Thanks, but the problem is the boss doesn't want to use the DC as DNS.

                  • johnpoz LAYER 8 Global Moderator @jmriviere

                    No offense, but your Boss is an idiot ;)

                    Again - just set up a domain override in unbound to point whateverADdomain.tld to the IP(s) of the DNS that is running in AD..

                    And whatever other arpa zones you might have on there.

                    To do a domain override to a downstream NS, you will have to let pfSense use your LAN interface for outgoing if you have changed that from the default of all. You will also need to set up a private domain or you will get rebind issues, or turn off rebind protection completely.

                    https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

                    Just out of curiosity, if you happen to know - maybe you should ask him. What is the technical reason he wants to do it this way.. vs. the simple, MS best practice and correct solution of pointing clients that are members of the AD to the AD nameserver(s)..

                    If he also has his heart set on sync - then you would need to use the BIND package to be able to set up zone transfers..

                    I would be curious to hear what he thinks he gets out of pointing clients to pfSense vs. just the AD DNS and DHCP?

                    If his goal is to leverage, say, pfBlocker via unbound, you can still use that via clients pointing to AD DNS, and then AD DNS forwarding to pfSense.

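                    The domain override johnpoz describes, as an added example that is not from the thread or from pfSense itself: the script renders the unbound forward-zone stanzas that a pfSense Domain Override compiles to, one for the AD forward zone and one for its reverse (arpa) zone, together with the private-domain entry that keeps DNS rebinding protection from discarding the RFC1918 answers the DC returns. The domain corp.example.test, the DC addresses 192.168.0.2 and 192.168.0.3 and the 192.168.0.0/24 reverse zone are constructed placeholders; on a real firewall these settings are entered in the GUI (Services > DNS Resolver), which regenerates the files, so this is for understanding and offline checking rather than for pasting onto the box.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: what a Domain Override
# for an AD domain (plus its reverse zone) looks like in unbound syntax,
# with the private-domain line that avoids rebind failures for RFC1918 answers.
# Every name and address below is a constructed placeholder.
AD_DOMAIN="corp.example.test"           # placeholder AD forest domain
AD_DNS="192.168.0.2 192.168.0.3"        # placeholder AD DNS server IPs
AD_SUBNET_ARPA="0.168.192.in-addr.arpa" # reverse zone for 192.168.0.0/24

# forward_zone ZONE IP...: emit one forward-zone block (one forward-addr per IP).
# This is the stanza a pfSense Domain Override turns into.
forward_zone() {
    zone=$1; shift
    printf 'forward-zone:\n    name: "%s"\n' "$zone"
    for ip in "$@"; do
        printf '    forward-addr: %s\n' "$ip"
    done
}

# private_domain ZONE: allow private addresses in answers for ZONE so that
# unbound's rebinding protection does not drop the DC's 192.168.x.x records.
private_domain() {
    printf 'server:\n    private-domain: "%s"\n' "$1"
}

# Render the complete override: whitelist for rebind checks, forward zone,
# reverse zone. AD_DNS is deliberately unquoted so each IP becomes an argument.
render_override_conf() {
    private_domain "$AD_DOMAIN"
    forward_zone "$AD_DOMAIN" $AD_DNS
    forward_zone "$AD_SUBNET_ARPA" $AD_DNS
}

# Sanity check: every forward-zone must carry at least one forward-addr,
# otherwise unbound would have nowhere to send queries for that zone.
check_conf() {
    render_override_conf | awk '
        /^forward-zone:/ { if (zone && !addrs) bad = 1; zone = 1; addrs = 0 }
        /forward-addr:/  { addrs++ }
        END { if (zone && !addrs) bad = 1; exit bad ? 1 : 0 }'
}

render_override_conf
check_conf && echo "ok: every forward-zone has a forward-addr"
```

The post's other requirement, letting unbound send the forwarded queries out of the LAN interface, is the Outgoing Network Interfaces setting on the same GUI page; leaving it at the default (all interfaces) covers it. On a running system `unbound-checkconf` on the generated file is the quickest syntax check before reloading the resolver.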

                    • Sweety @johnpoz

                      @johnpoz Hello, I'm taking the liberty of asking my question here because I see a connection with the one asked.

                      Currently I have a pfSense and behind it there is: Windows Server 2008 with AD, DNS and DHCP.

                      My config :

                      • Windows Server with AD DNS DHCP : 192.168.0.2
                      • Hyper-V (for another software) : 192.168.0.2
                      • WAN : 192.168.3.2 (gateway : 192.168.3.1)
                      • LAN : 192.168.0.249

                      I recently asked questions on the forum because my SSL filtering is showing nothing except an error message and pfBlocker is not blocking anything and not activating safeSearch.

                      How can I prevent my clients from using pfSense's DNS and not Windows? Should I make a relay? Which option should I use?

                      Thank you in advance.

                      • johnpoz LAYER 8 Global Moderator @Sweety

                        @sweety said in dns replication between pfsense and windows server:

                        How can I prevent my clients from using pfSense's DNS and not Windows

                        Well, for starters, how would your clients be pointing to pfSense in the first place for DNS, unless you set them, or set your DHCP server to point there?

                        But to "prevent" clients from using pfSense DNS, put in a firewall rule that allows your AD IP 192.168.0.2, and a rule below that blocks all access to the pfSense IP for DNS.

                        Rules are evaluated top down; the first rule to trigger wins, no other rules are evaluated.

                        As to your Hyper-V IP sharing your server's IP - why would you not just bridge your VMs to your LAN, and let them have their own IPs, .3, .17, .x etc..

                        This way you could either allow or not for them to use pfSense DNS as well.

                        As to relay?? Not sure why you would think you need a "DHCP relay"?? If your AD is doing DHCP, then DHCP should not be enabled on pfSense.

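                        The allow-then-block pair from the post, as an added example that is not from the thread or from pfSense: the two rules (plus a stand-in for the usual LAN catch-all) in pf syntax the way pfSense writes them, every rule marked quick so that the first match wins, and a small first-match evaluator over the same constructed table so the effect of the ordering can be checked offline. The interface name em1 is a placeholder; 192.168.0.249 and 192.168.0.2 are the LAN and AD addresses Sweety gave above.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: the allow-then-block
# DNS rules in pf syntax (pfSense adds "quick" to every GUI rule, so the first
# match wins) plus a first-match evaluator over the same constructed table.
LAN_IF="em1"             # placeholder interface name
LAN_IP="192.168.0.249"   # pfSense LAN address (from the thread)
AD_DNS="192.168.0.2"     # AD DNS server (from the thread)

# Constructed rule table, evaluated top to bottom:
#   action  source  destination  dest-port
RULES="pass  $AD_DNS $LAN_IP 53
block any $LAN_IP 53
pass  any any any"

# Print the same three rules the way pfSense would put them into pf.conf.
# The last one stands in for the default "LAN to any" allow rule.
render_pf_rules() {
    printf 'pass  in quick on %s proto { tcp udp } from %s to %s port 53\n' \
        "$LAN_IF" "$AD_DNS" "$LAN_IP"
    printf 'block in quick on %s proto { tcp udp } from any to %s port 53\n' \
        "$LAN_IF" "$LAN_IP"
    printf 'pass  in quick on %s from any to any\n' "$LAN_IF"
}

# evaluate SRC DST DPORT: walk RULES top-down and print the first matching
# action; no match falls through to pf's default deny ("block").
evaluate() {
    src=$1; dst=$2; dport=$3
    hit=$(printf '%s\n' "$RULES" | while read -r action rsrc rdst rport; do
        [ "$rsrc" = any ] || [ "$rsrc" = "$src" ] || continue
        [ "$rdst" = any ] || [ "$rdst" = "$dst" ] || continue
        [ "$rport" = any ] || [ "$rport" = "$dport" ] || continue
        printf '%s\n' "$action"
        break
    done)
    printf '%s\n' "${hit:-block}"
}

render_pf_rules
evaluate 192.168.0.2  "$LAN_IP" 53   # pass  (the AD server may query pfSense)
evaluate 192.168.0.50 "$LAN_IP" 53   # block (a client hits the block rule)
evaluate 192.168.0.50 8.8.8.8   53   # pass  (not aimed at pfSense; rule 3)
```

Plain pf without quick is last-match, so the ordering argument in the post only holds because pfSense marks each rule quick. The block rule also only covers the LAN address; if the resolver listens on other interface addresses, each of them needs the same pair.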

                        • Sweety @johnpoz

                          @johnpoz I actually have a DNS server just behind my pfSense proxy. I want users to use the DNS of pfSense and not that of my Windows Server (I must be explaining myself wrong, I'm starting ^^'). Do I need to redirect my DNS?

                          • johnpoz LAYER 8 Global Moderator @Sweety

                            Again, your clients are going to use whatever DNS you tell them to.. Be it on the client directly or via DHCP.

                            If you want clients to use NS X, then point them there.. You then just need to make sure that NS can look up any local domains via whatever other DNS you're running, say on your AD.

                            If you're an AD shop - it just makes no sense to not point your clients directly to your AD..

                            • Sweety @johnpoz

                              @johnpoz So I just have to redirect users by my DHCP, and each user can use my pfSense DNS ?

                              • SteveITS Galactic Empire @Sweety

                                You will want your Windows PCs using your Server as DNS so they can find the domain.

                                You can set your pfSense as a forwarder in Windows DNS, so Windows sends all queries it receives to the pfSense.

                                • Sweety @SteveITS

                                  @teamits Yes, that's it!! How can I do that? Just in the forwarder (redirect) options in Windows Server DNS? Does it work with WS 2008? ^^ Thank you

                                  • SteveITS Galactic Empire @Sweety

                                    We don't have any 2008 under management as it's past EOL but here's a screenshot from 2012 R2:

                                    [screenshot: DNS Manager on Windows Server 2012 R2 showing the Forwarders tab]

                                    If the "Forwarders" icon isn't showing there go into the properties of the server icon in the left pane and it is a tab in there.

                                    There should be plenty of web pages with instructions for 2008.

                                    • Sweety @SteveITS

                                      @teamits Yes, the school does not want to change its Windows Server x)
                                      Thank you for your help, have a nice day!!

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.