DHCP add leases to DNS via kerberos (AD)
-
Hey folks,
TL;DR - any way to get pfSense's DHCP to register leases in AD-style DNS?
A quick (and even thorough) Google search shows this question comes up every year or so, but it doesn't seem like anyone has found a solution. The answer may well be that there isn't a solution.
Why?
We use Samba as DCs for SSO. Each Samba DC also runs a BIND 9.16 DNS server; those are the canonical servers for the internal domain. The BIND servers forward all other queries to pfSense's Unbound resolver.
We use pfSense for DHCP and recursive DNS. That's because the pfSense boxes at each site are likely to be the first ones to come up in the unlikely event of power loss. It also means with only pfSense online, the network is still mostly usable.
This would particularly help with IPv6, where the addresses are all assigned via DHCPv6.
You might note that I mentioned Samba - we don't have any Windows servers running. Everything is FOSS stuff running on FreeBSD servers.
Could we move to dhcpd on FreeBSD? Probably. But for the reasons above I'd prefer to keep DHCP on pfSense.
Goal
We'd like to register DHCP clients in the DNS zone(s) managed by the BIND servers. My understanding is that updates in AD-style DNS happen with a Kerberos key. Although, perhaps there are other ways to allow updates? Open to that too.
-
@spacebass The only way I found to do it is to use Samba's DHCP server (isc-dhcp-server) with the following script:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records
In pfSense, if you have other networks, you would need to enable the DHCP relay option. Perhaps there is another way of doing it that I'm currently not aware of.
You would use Samba's DNS server too.
There is a very nice discussion about the DNS side of it here: https://forum.netgate.com/topic/176888/using-pfsense-as-firewall-and-windows-server-as-dhcp-and-dns-server-re-hash?_=1683907911478
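As an added example of the approach the reply describes (a hook run by ISC dhcpd that pushes the lease into the AD zone with a Kerberos-authenticated nsupdate), here is a script in the same spirit. It is my own code, not the script from the Samba wiki page linked above and not something either poster wrote. It assumes a lab layout: realm EXAMPLE.COM, zone example.com, DC dc1.example.com, a service account dhcpduser whose key is exported to /etc/dhcp-dyndns.keytab, the script installed as /usr/local/sbin/dhcp-dyndns.sh, and MIT-style kinit flags. The setup commands and the dhcpd.conf hook appear as comments at the top.

```shell
#!/bin/sh
# Added example (not the Samba wiki script): ISC dhcpd hook that registers a
# lease as A + PTR in a Samba AD zone with nsupdate over GSS-TSIG (Kerberos).
# All names/paths below are assumptions for an example lab, adjust to taste.
#
# One-time setup on a DC (assumed account name; samba-tool commands are real):
#   samba-tool user create dhcpduser --random-password --description="DHCP DNS updates"
#   samba-tool user setexpiry dhcpduser --noexpiry
#   samba-tool group addmembers DnsAdmins dhcpduser
#   samba-tool domain exportkeytab --principal=dhcpduser@EXAMPLE.COM /etc/dhcp-dyndns.keytab
#   (chown the keytab to the user dhcpd runs as, mode 0600: it is the account's key)
#
# dhcpd.conf hook calling this script (assumed path; repeat with "delete"
# in "on release" and "on expiry" blocks):
#   on commit {
#     set ClientIP   = binary-to-ascii(10, 8, ".", leased-address);
#     set ClientName = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientName);
#   }

REALM="${REALM:-EXAMPLE.COM}"
ZONE="${ZONE:-example.com}"
DNS_SERVER="${DNS_SERVER:-dc1.example.com}"
KEYTAB="${KEYTAB:-/etc/dhcp-dyndns.keytab}"
PRINCIPAL="${PRINCIPAL:-dhcpduser@$REALM}"
TTL="${TTL:-3600}"
# Private credential cache so dhcpd's ticket never lands in a shared default cache.
KRB5CCNAME="${KRB5CCNAME:-FILE:/var/run/dhcp-dyndns.cc}"; export KRB5CCNAME
# Names a DHCP client must never be allowed to claim (assumed: the DCs, the firewall).
PROTECTED_NAMES="dc1 dc2 pfsense"

# option host-name is whatever the client put in its request, so only accept a
# single lower-case label (no dots, so nothing outside $ZONE can be targeted)
# and refuse names of infrastructure hosts.
valid_hostname() {
  name=$1
  case $name in
    ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ ${#name} -le 63 ] || return 1
  for p in $PROTECTED_NAMES; do
    [ "$name" != "$p" ] || return 1
  done
  return 0
}

valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i>255) exit 1; exit 0 } { exit 1 }'
}

# 10.0.1.23 -> 23.1.0.10.in-addr.arpa
ptr_name() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Emit the nsupdate batch for one lease event. Forward and reverse records
# live in different zones and nsupdate takes one zone per message, hence two
# "send"s; the reverse zone is left for nsupdate to find via the SOA.
build_nsupdate() {
  action=$1 ip=$2 name=$3
  fqdn="$name.$ZONE"
  rev=$(ptr_name "$ip")
  printf 'server %s\n' "$DNS_SERVER"
  printf 'zone %s\n' "$ZONE"
  printf 'update delete %s. A\n' "$fqdn"
  if [ "$action" = add ]; then printf 'update add %s. %s A %s\n' "$fqdn" "$TTL" "$ip"; fi
  printf 'send\n'
  printf 'update delete %s. PTR\n' "$rev"
  if [ "$action" = add ]; then printf 'update add %s. %s PTR %s.\n' "$rev" "$TTL" "$fqdn"; fi
  printf 'send\n'
}

# Get a ticket from the keytab, then send the batch with GSS-TSIG (-g).
# kinit flags are MIT syntax; Heimdal's kinit spells the keytab option --keytab.
run_update() {
  kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
  build_nsupdate "$@" | nsupdate -g
}

# Entry point as called by dhcpd: <add|delete> <ip> <client host-name>
dhcp_dyndns_main() {
  action=$1 ip=$2
  name=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  case $action in add|delete) ;; *) echo "bad action: $action" >&2; return 2 ;; esac
  valid_ipv4 "$ip" || { echo "refusing address: $ip" >&2; return 2; }
  valid_hostname "$name" || { echo "refusing hostname: $3" >&2; return 2; }
  run_update "$action" "$ip" "$name"
}

# Only dispatch when dhcpd passed arguments, so sourcing the file is harmless.
if [ $# -ge 3 ]; then dhcp_dyndns_main "$@"; fi
```

Two points worth keeping in mind if you adapt this. First, the batch has no `prereq` lines, so any client that passes the name filter can overwrite another client's dynamic record; the single-label check and the protected-name list are the only guard, and a tighter version would add `prereq` checks or, on the Samba side, grant the account write access to just those zones instead of DnsAdmins membership. Second, it is IPv4 only; the DHCPv6 case from the original question would need a separate AAAA path and a different hook, and the script does not attempt it. GSS-TSIG updates like this are accepted both by Samba's internal DNS and by BIND running with Samba's BIND9_DLZ module.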