Domain Override not working from workstations
-
Very odd behavior
Site A and Site B
Connected via Wireguard
Kea DHCP
- Diagnostics > Ping of remote hosts via domain override - OK
- Add remote DNS to a local workstation - OK
- Point DNS of local workstation to pfSense - Not OK
- nslookup on local workstation with pfSense set as DNS - OK (responding from pfSense)
So for some reason, pfSense won't pass that DNS response to the workstations on the LAN.
I have another site connected to the same office where the domain controllers are... I have gone page by page, setting by setting, and the only differences are Kea and that the domain name of the pfSense is the same as the domain in the Domain Override.
Any suggestions? Thanks everyone
-
@a-dresner
If it is a private domain, you tell this to the DNS resolver.
-
@viragomann Our Active Directory domain is not private, it's a public domain that we use internally and externally.
Site C and D are connected to Site A and Domain Override is working perfectly. It's Site B and I can't seem to find out why?
-
@a-dresner said in Domain Override not working from workstations:
Point DNS of local workstation to pfSense - Not OK
So what does this mean?
And what is the difference to this:
nslookup on local workstation with pfSense set as DNS - OK (responding from pfSense)
Your local machines are configured to use the local pfSense for DNS or a remote DNS server?
If pfSense, how is it configured?
How is the domain override configured?
-
@viragomann said in Domain Override not working from workstations:
@a-dresner said in Domain Override not working from workstations:
Point DNS of local workstation to pfSense - Not OK
So what does this mean?
If workstation 1 DNS is pointed to the pfSense, it can resolve DNS, including host overrides. However, the domain override does not work.
And what is the difference to this:
nslookup on local workstation with pfSense set as DNS - OK (responding from pfSense)
If I open CMD on the workstation, open nslookup, it's working. I can do all functions of DNS including the domain override.
Your local machines are configured to use the local pfSense for DNS or a remote DNS server?
Local machines are configured to only use the pfSense.
If pfSense, how is it configured?
Resolving is on. Please see screenshots for configuration for both of these questions!
How is the domain override configured?
Like I previously shared, it's very strange, seems like everything is working except Domain Override when the local workstation tries to request that DNS via normal activity.
-
@a-dresner said in Domain Override not working from workstations:
If I open CMD on the workstation, open nslookup, it's working. I can do all functions of DNS including the domain override.
Like I previously shared, it's very strange, seems like everything is working except Domain Override when the local workstation tries to request that DNS via normal activity.
What is this "normal activity"? Accessing the hosts with a web browser?
If so, possibly it doesn't request your local DNS, but requests public servers via DNS over HTTPS. This is often the default setup of web browsers these days.
-
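A way to separate the two paths discussed above, as an added example that is not from this thread or from pfSense: query the pfSense resolver directly over UDP/53 (which is what nslookup does) and resolve the same name through the OS resolver (which is what ordinary applications do), then compare. If the direct answer is right but the OS path differs, the workstation's resolver configuration is the problem; if both agree and only the browser fails, the browser is likely not using the OS resolver at all (DNS over HTTPS). The hostname and pfSense LAN address in the usage line are constructed placeholders.

```python
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    """Minimal recursive DNS query for `name` (A by default); returns (txid, packet)."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD; 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(pkt, off):
    """Offset just past a domain name, which may end in a 2-byte compression pointer."""
    while pkt[off] & 0xC0 != 0xC0:
        if pkt[off] == 0:
            return off + 1
        off += pkt[off] + 1
    return off + 2

def parse_a_records(pkt, txid):
    """Sorted A-record addresses from a response; rejects id mismatches and error RCODEs."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid or flags & 0xF:
        raise ValueError("bad response: id=%#x rcode=%d" % (rid, flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question (name + type + class)
        off = _skip_name(pkt, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def compare(name, server, timeout=3.0):
    """Direct UDP/53 query to `server` (what nslookup does) vs. the OS resolver path."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        direct = parse_a_records(s.recvfrom(4096)[0], txid)
    system = sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    return {"direct": direct, "system": system, "match": direct == system}

if __name__ == "__main__":
    import sys  # e.g. python dnscheck.py dc1.ad.example.com 192.168.1.1 (constructed values)
    print(compare(sys.argv[1], sys.argv[2]))
```

Run it from the affected workstation with the pfSense LAN address as the server; a browser that still fails after both paths return the same record should have its DoH setting checked.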
@a-dresner said in Domain Override not working from workstations:
pfSense won't pass that DNS response to the workstations on the LAN.
I may have just run into this? We are catching up on upgrading a few remaining clients to 23.09(.1) and after the upgrade I found I had to restart the DNS Resolver service. Otherwise Diagnostics/DNS Lookup would not honor the configured domain override and had no answer. After the restart, it returns the A and AAAA records for the local server.
-
@SteveITS said in Domain Override not working from workstations:
after the upgrade I found I had to restart the DNS Resolver service
Turns out, the first restart didn't completely fix it as random lookups for the AD domain were failing during the day. I enabled forwarding (and turned off DNSSEC accordingly) which restarted unbound, and after that it's been fine since yesterday afternoon.
We usually forward to Quad9 but for some reason it wasn't enabled on this router. I suspect something started IPv6 DNS lookups going to pfSense but I'm not sure why it wasn't a problem in the prior few years, since that would be expected.