pfblocker in AD domain with local dns server
-
Hi, I'm using an AD domain.
The domain controller is the primary DNS server for clients.
I set up a static IP address, and the DNS server is the domain controller.
I'm using pfSense as the firewall and I want to use DNSBL.
How can I set up DNSBL in my environment?
If I'm not wrong, when I use DNSBL, pfSense acts like a DNS server, but I already have my local DNS server in my network.
Thanks -
@reynold set AD DNS to forward to the pfSense IP.
-
@SteveITS
OK. Should I create a NAT rule on port 53 on pfSense? -
@reynold said in pfblocker in AD domain with local dns server:
Should I create a NAT rule on port 53 on pfSense?
I'm not sure on the goal there, but it shouldn't be necessary for forwarding DNS either to or from AD DNS servers.
Windows PCs need to use AD DNS as their DNS in order to talk to the AD domain. If they use pfSense, for instance if IPv6 is enabled, you can set up a domain override to point the AD domain name to the AD DNS server(s).
Then if PCs query AD DNS, Windows Server forwards that to pfSense for your block lists (from your other thread). If PCs ask pfSense how to resolve "example.lan" then pfSense forwards that one query to Windows Server.
-
@SteveITS
I did it and it's working.
But my DC shows a yellow warning "no internet connection" when I apply DNS forwarding.
If I disable DNS forwarding I do not have that issue -
@reynold said in pfblocker in AD domain with local dns server:
yellow warning no internet connection
Interesting, I've never connected that to DNS forwarding. But I have seen servers that are permanently "not connected" including our main RMM server to which all our client's PCs connect. :) Others in our office are fine. Windows has a web site it connects to, to pull a .txt file as I recall, and if it can't, it thinks Internet is down.
-
@reynold There are several right ways to do this. What we do is set the DHCP server to give out the PF box as the DNS server. Run your pfBlocker.
Then in the PF DNS Resolver settings we add domain overrides for the local domain. So "whatever.local" uses the lookup server IP address of the AD domain controller. I also add an arpa record for reverse, to do reverse lookups on the domain controller. So a domain override of 192.168.1.in-addr.arpa (or whatever IP scheme you use).
This keeps most of the traffic on PF blocker and PF DNS resolver which quite frankly is better than Microsoft DNS server.
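The domain overrides described in this post, and the one @SteveITS suggested earlier for the AD domain, are Unbound "forward-zone" stanzas: every query under the named zone is handed to the domain controller instead of being resolved (and DNSBL-filtered) by pfSense. The script below is an added example, not from the thread or from pfSense, that renders those stanzas for a forward zone and its reverse in-addr.arpa zone; the domain, DC address and LAN prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the forum thread or the pfSense project): render
# Unbound forward-zone stanzas equivalent to pfSense's Domain Overrides
# (Services > DNS Resolver) for an AD zone and the LAN's reverse zone.
# Every value below is a constructed placeholder.

AD_DOMAIN="corp.example.lan"   # hypothetical AD DNS zone hosted on the DC
DC_IP="192.168.1.10"           # hypothetical domain controller address
LAN_PREFIX="192.168.1"         # first three octets of a /24 LAN

# Turn "192.168.1" into "1.168.192.in-addr.arpa"; works for /8, /16 and /24
# prefixes (one, two or three octets).
reverse_zone() {
  prefix="$1"
  rev=""
  old_ifs="$IFS"
  IFS=.
  for octet in $prefix; do
    if [ -z "$rev" ]; then rev="$octet"; else rev="$octet.$rev"; fi
  done
  IFS="$old_ifs"
  printf '%s.in-addr.arpa\n' "$rev"
}

# One forward-zone stanza: Unbound sends everything at or below $1 to $2,
# so AD names (including the SRV records under the zone) never reach the
# DNSBL or the public resolvers, and the DC never sees a loop back to itself.
forward_zone() {
  printf 'forward-zone:\n    name: "%s"\n    forward-addr: %s\n' "$1" "$2"
}

# Forward zone for the AD domain plus the reverse zone for the LAN subnet,
# both pointed at the domain controller.
render_overrides() {
  forward_zone "$AD_DOMAIN" "$DC_IP"
  forward_zone "$(reverse_zone "$LAN_PREFIX")" "$DC_IP"
}

render_overrides
```

Paste the rendered stanzas into a file under Unbound's include path, or create the same two entries in the pfSense GUI; `unbound-checkconf` will validate the syntax before a reload. For the reverse direction of the first design in this thread (clients use AD DNS, which forwards to pfSense), the DC-side counterpart is a DNS forwarder pointing at the pfSense LAN address, which on Windows Server can be set with the DnsServer module's Set-DnsServerForwarder cmdlet.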
-
@Cylosoft said in pfblocker in AD domain with local dns server:
Then in the PF DNS Resolver settings we add domain overrides for the local domain. So "whatever.local" uses the lookup server IP address of the AD domain controller.
I did it and the yellow warning disappeared.