    Redirecting DNS on a Windows domain
McMurphy

      I was reading about redirecting DNS to pfSense to prevent users from using their own DNS server.
      https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

As all DNS enquiries need to go to the domain controller, how can this be achieved?

I believe I want all DNS queries to be sent to the DC, and then the DC to redirect all DNS queries to pfSense.

Does this sound correct?

TravisH @McMurphy

@McMurphy I think the link below will be a good starting point; basically, you will want to change the 127.0.0.1 to the IP address of the DC.

        https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

You will then also need rules to allow DNS from the DC to pfSense, and pfSense out, and so on.

SteveITS Galactic Empire @McMurphy

          @McMurphy Without a redirect/NAT you can do a couple of things...

          1. set up a domain override on pfSense that points your contoso.lan domain to your Windows DNS. I find this works well if you will have IPv6 because you still want devices to resolve your AD domain to Windows even if they use pfSense for IPv6 DNS.

          2. allow port 53 (tcp+udp) to pfSense LAN IP, and block port 53 to any. Repeat with 853, and the pfBlocker package has a way to block DoT as well (which uses 443).

          Windows DNS can be set to forward to pfSense, and optionally set to not fall back to root servers.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

McMurphy @SteveITS

@SteveITS

Thank you. To clarify: I would redirect all DNS to pfSense and then have a domain override in pfSense that directs all domain-name DNS to the AD DNS server?

coxhaus

The way I did it years ago running Microsoft server is I ran AD, DNS and DHCP off the server, and local for all clients. Then I would forward the Microsoft DNS server to pfSense DNS and then forward pfSense out to an internet DNS server like QUAD9.

McMurphy @coxhaus

                @coxhaus

                So the options are:

                PC => AD DNS => pfSense => Internet
                PC => pfSense => AD DNS => Internet

I have a domain override in pfSense, so I think the 2nd is better.

SteveITS Galactic Empire @McMurphy

                  @McMurphy yes either way works. For your second method ensure IPv6 isn’t using pfSense for DNS and bypassing AD. Or, just also add the override anyway. :)

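The two configuration points SteveITS raises above (set the Windows DNS role to forward to pfSense without falling back to root servers, and check that IPv6 clients are not using pfSense for DNS and bypassing AD) can be applied and verified from PowerShell. This is an added example, not code from the thread or from Netgate; the pfSense address and the contoso.lan domain are placeholders, and it assumes the DnsServer module on the DC and the DnsClient module on a domain member.

```powershell
# Added example (not from the thread). Addresses are constructed placeholders.
$PfSenseDns = '192.0.2.1'      # hypothetical pfSense LAN IP
$AdDomain   = 'contoso.lan'    # example AD domain name used in the thread

# --- On the domain controller (DnsServer module) ---
# Forward everything the DC is not authoritative for to pfSense, and disable the
# root-hint fallback so no query leaves the DC by any path other than pfSense.
Set-DnsServerForwarder -IPAddress $PfSenseDns -UseRootHint $false

# Show the effective forwarder settings for the change log.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# --- On a domain member (DnsClient module) ---
# List the DNS servers in use for IPv4 AND IPv6. If an IPv6 entry points at pfSense
# rather than the DC, AD lookups bypass the DC unless pfSense also carries a domain
# override for $AdDomain (the second method discussed above).
$v4 = (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
$v6 = (Get-DnsClientServerAddress -AddressFamily IPv6 | Where-Object ServerAddresses).ServerAddresses
"IPv4 DNS servers: $($v4 -join ', ')"
"IPv6 DNS servers: $($v6 -join ', ')"

# Functional checks: the AD SRV record must resolve (the DC is answering for the
# domain) and an external name must resolve (the DC -> pfSense -> upstream chain works).
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -ErrorAction Stop |
    Select-Object Name, NameTarget, Port
Resolve-DnsName -Name 'example.com' -Type A -ErrorAction Stop |
    Select-Object Name, IPAddress
```

If the SRV lookup fails while example.com resolves, the client is reaching a resolver that is not the DC (or pfSense lacks the domain override), which is exactly the bypass the post warns about.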
coxhaus @McMurphy

                    @McMurphy
                    Back in the old days if you did not run AD, DHCP, and DNS off Microsoft server you could corrupt the Microsoft server domain.

                    It may be better now. Make sure you sync the clocks if you don't use all Microsoft for the clients. Timing errors can corrupt the Microsoft server.

SteveITS Galactic Empire @coxhaus

                      @coxhaus I would dispute the word "corrupt" but incorrect DNS will cause the PC to not find the domain, causing timeouts, login delays, Group Policy failures, etc., and if the time is off more than IIRC 5 or 10 minutes logins will fail.

McMurphy @SteveITS

                        @SteveITS

                        Appreciate the help. I am unsure of how the following works.

If I set this rule in pfSense:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html

                        Then:

                        1. all NON LAN pfSense queries will be redirected to pfSense (good)
                        2. pfSense will forward DNS queries to the AD DC (good)
                        3. AD DNS will resolve locally or forward DNS queries to external DNS servers (good)

                        When the AD DC tries to resolve in step 3 above will the pfSense rule not redirect it back to pfSense?

SteveITS Galactic Empire @McMurphy

@McMurphy Yes, you'd have to exclude the AD DNS IPs, perhaps with an alias that contains only other IPs. See the tip there:

                          “With this port forward in place, DNS requests from local clients to any external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible.

                          Tip

                          This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The Invert match box should remain checked.”

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.