Using pfSense as firewall and Windows Server as DHCP and DNS server
-
Hello to everyone.
This is my first post. I am new to pfSense.
I am a home user, I've managed to set up pfSense without any issue. I intend to install Windows Server, set it up as the Domain Controller (DC) and host DHCP and DNS servers. I would like to dedicate pfSense just for firewall and VPN.
Internet
|
pfSense
|
Switch
|
-> DC
-> PCs/Laptops
-> Access Point -> WiFi devices
I am familiar with setting up DHCP and DNS servers in Windows Server.
I was able to locate the DHCP server page in pfSense. However, I do not know where I can point the DNS server to the DC handling the DHCP and DNS roles. I am also not sure if there are any other settings to be changed.
I am overwhelmed by all the granularity of the settings in pfSense. I would appreciate it if any kind souls could guide me along.
Thank you.
-
@thyewah said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
However, I do not know where I can point the DNS server to the DC handling the DHCP and DNS roles. I am also not sure if there are any other settings to be changed.
You want to use the Windows DNS on pfSense itself? Go to System > General Setup and enter the DNS server IP there.
This step is part of the initial setup, so pfSense should already have guided you through this setting.
The DNS settings for the DHCP clients have to be done on the Windows DHCP server, as you should know.
If all your internal devices are within the same subnet, there are no further settings necessary.
If you have segmented your subnet on pfSense, you have to enable the DHCP relay on the network interfaces you want to provide DHCP on (Services > DHCP Relay or Services > DHCPv6 Relay) and allow DHCP and DNS access by adding proper firewall rules.
-
@thyewah First step is to configure DHCP correctly. Your clients will be getting their DNS settings and default gateway information from the DHCP lease so hand out your server IP in the DHCP SCOPE options. Then in the Windows server DNS settings, set forwarding to PFSense or set internet servers there or use root hints. I've been forwarding to the PFSense box from my servers for quite a few years and it works well as PFSense is set to resolve using the internet root servers by default. I also set the Windows DNS server to use root hints if PFSense Unbound service stopped functioning, so that it could go directly to the internet for DNS as a fallback.
Also remember that a lot of IOT stuff will have hard-coded DNS settings that they will use instead of what your lease gives out. If your end goal is to force them all to your DNS server, and have that forward to PFSense or have your server resolve them, you will need to set up a NAT port forward in PFSense to grab any destination port 53 traffic that isn't coming from your server, going to your server or the PFSense LAN IP, and direct it to your DNS server. And of course, browsers now turn on DoT and DoH and skip what you set and use their own choice coded by the browser's maker. So sadly, this can get complicated, depending on your end goal. Maybe I am paranoid, but my goal was to stop all of that and use my server for internal, and PFSense using internet root servers, not what Google thinks I should use.
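The Windows side of the setup described above (DC handed out as DNS via the DHCP scope, Windows DNS forwarding to pfSense with root hints as the fallback), as an added PowerShell example that is not from the thread; the domain name, addresses and scope range are assumed placeholders:

```powershell
# Added example (not from the thread). Run on the Windows Server holding the
# DHCP and DNS roles; all names and addresses below are assumed placeholders.
Import-Module DhcpServer
Import-Module DnsServer

$Domain    = 'corp.example'     # assumed AD domain name
$DcIp      = '192.168.1.10'     # assumed DC / Windows DNS address
$PfSenseIp = '192.168.1.1'      # assumed pfSense LAN address
$ScopeId   = '192.168.1.0'      # assumed LAN scope

# DHCP scope: create it if missing, then hand out the DC as DNS (option 6),
# pfSense as default gateway (option 3) and the AD domain as suffix (option 15).
if (-not (Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4Scope -Name 'LAN' -StartRange 192.168.1.100 -EndRange 192.168.1.200 `
        -SubnetMask 255.255.255.0 -State Active
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DcIp -Router $PfSenseIp -DnsDomain $Domain

# Windows DNS: forward everything non-local to pfSense (Unbound resolving via the
# root servers); -UseRootHint $true lets the DC fall back to the roots on its own
# if the pfSense resolver stops answering.
Set-DnsServerForwarder -IPAddress $PfSenseIp -UseRootHint $true -Timeout 3

# Checks: an AD name must be answered by the DC, an external name must still
# resolve through the forwarder, and the scope options must be what we set.
Resolve-DnsName -Name "dc01.$Domain" -Server $DcIp -Type A
Resolve-DnsName -Name 'www.example.com' -Server $DcIp -Type A
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value
```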
-
If you have an Active Directory setup on your Windows server, then you absolutely need to use Windows for DHCP and DNS (especially DNS as the unbound DNS daemon on pfSense is really not suitable for Active Directory).
So here is what I suggest:
-
Use Windows for DHCP and DNS. Configure DHCP on your Windows Server to hand out the Domain Controller as the DNS server for all clients.
-
In the Windows DNS setup, you have two options. Let Windows DNS act as a resolver, or have Windows DNS forward non-local lookup requests to either pfSense or an external DNS provider like Cloudflare, Google, OpenDNS, etc. I prefer to let Windows DNS resolve. There are several Google tutorials for how to configure that in Windows.
-
Over on the pfSense box, you can leave the DNS setup at the out-of-the-box defaults. Don't put any IP addresses for DNS in the SYSTEM > GENERAL SETUP page.
-
There are two things you want to configure on the DNS Resolver tab under SERVICES > DNS RESOLVER. First, in the Custom Options box you need to provide the name of your Windows AD domain like so --
server: private-domain: "yourdomain.tld"
Second, you will want to configure two domain overrides so that pfSense will know to contact your Windows DNS server when it wants to resolve the IP address of any local hosts, or if it wants to perform a reverse pointer lookup on a local IP. So configure one domain override for your domain name and point to your Windows DNS server as the authoritative server for the domain, and configure a second override for the *.in-addr.arpa reverse IP pointer range.
These DNS overrides are necessary so that pfSense can find your local host names if you do things like perform lookups on firewall log entries or view the ARP table. The overrides tell pfSense which DNS server is authoritative for your domain and reverse IP pointer range.
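What the two settings in the post above amount to in Unbound's own syntax, as an added illustration that is not from the thread (the pfSense GUI writes the forward-zone stanzas itself when you add the domain overrides; the domain and addresses are assumed placeholders):

```conf
# Added illustration (not from the thread). Domain and addresses are placeholders.
server:
    # From the Custom Options box: answers under the AD domain may carry
    # RFC 1918 addresses without being dropped as DNS-rebinding attempts.
    private-domain: "corp.example"
    # Unbound ships the RFC 1918 reverse zones as "static" (always NXDOMAIN).
    # Releasing the default is what lets the reverse override below be queried;
    # compare with the unbound.conf pfSense generates to see if it already does this.
    local-zone: "168.192.in-addr.arpa." nodefault

# Domain override 1 (GUI: Domain = corp.example, IP = 192.168.1.10):
# lookups of local host names go to Windows DNS on the DC.
forward-zone:
    name: "corp.example."
    forward-addr: 192.168.1.10

# Domain override 2 (GUI: Domain = 168.192.in-addr.arpa, IP = 192.168.1.10):
# reverse (PTR) lookups for 192.168.0.0/16 go to the same server, so the
# firewall log and ARP table views show AD host names instead of bare IPs.
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 192.168.1.10
```

Unbound's own documentation says to use `nodefault` when the override is exactly the default reverse zone, and a `transparent` local-zone instead when the override is a subzone such as a single /24.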
-
@bmeeks said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
absolutely need to use Windows for DHCP and DNS
Not sure if I 100% agree with that ;) But yes, if you're running AD, the better choice for sure would be to use it for DNS and DHCP.. It makes little sense not to, and for sure would increase complexity of setup and possibility of issues for really no benefit.. You should really be sure on what you're doing and "why" you wouldn't just leverage your AD for DNS and DHCP..
BTW - to the private domain, seems at some point in the past.. It was changed so that when you create a domain override, it auto adds that as a private domain. There was a recent thread related to where that came up, and upon investigation the domain override was auto added to the unbound.conf to be private.
-
@johnpoz said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
@bmeeks said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
absolutely need to use Windows for DHCP and DNS
Not sure if I 100% agree with that ;) But yes, if you're running AD, the better choice for sure would be to use it for DNS and DHCP.. It makes little sense not to, and for sure would increase complexity of setup and possibility of issues for really no benefit.. You should really be sure on what you're doing and "why" you wouldn't just leverage your AD for DNS and DHCP..
BTW - to the private domain, seems at some point in the past.. It was changed so that when you create a domain override, it auto adds that as a private domain. There was a recent thread related to where that came up, and upon investigation the domain override was auto added to the unbound.conf to be private.
My experience a long time ago with trying to use bind on Linux to support AD was a mini disaster. AD just stores a ton of weird stuff, and it just makes the world go around easier to let Windows DNS handle all the duties in Active Directory setups. You do have the option of how AD DNS resolves non-local stuff. You can let it resolve on its own, or you can let it forward to pfSense or someplace else.
As for DHCP, to be perfectly honest, the DHCP server on pfSense is subpar at the moment with the way it communicates lease updates to unbound. Restarting DNS with every lease renewal is just "not optimum" ... . And in larger enterprises with lots of Windows machines, it is easier to use DHCP and have DHCP register host names dynamically for you. Trying to handle DHCP reservations with lots of workstations gets very hairy very fast.
Upon reflection, I think my "private" setting was in fact auto-added. Been a while since I configured the setup.
-
@bmeeks said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
it just makes the world go around easier to let Windows DNS handle all the duties in Active Directory setups.
Completely and utterly agree with that statement! ;)
But if people want to cause themselves grief and pain - they "could" if they wanted to not use their AD directly for DNS and DHCP ;) hehehe
-
@thyewah said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
However, I do not know where I can point the DNS server to the DC handling the DHCP and DNS roles
Generally you don't need to force pfSense to use the Windows DNS server. If it just needs to get to the Internet for updates then it can do that directly.
However if IPv6 is being used, that will typically use the router/pfSense as the DNS, so it is helpful to go to the Services/DNS Resolver page, and enter one or more Domain Overrides entries pointing to the IP of your DCs. That will cause queries for your Windows domain name to be sent to those DNS servers.
The "private-domain" setting is to allow public DNS servers to return private IPv4 addresses. We don't have that for our office domain but did need it on our office router for the domain we use in our data center, since a subdomain there returns private IPs.
-
@steveits said in Using pfSense as firewall and Windows Server as DHCP and DNS server:
The "private-domain" setting is to allow public DNS servers to return private IPv4 addresses
What it allows is for any upstream or forwarded-to NS to return RFC 1918 space and not be considered a rebind.
But when you create a domain override entry, it is now automatically added as a private domain.. There is no "need" to add it to the advanced options section of the unbound GUI.
-