Redirecting DNS on a Windows domain
-
I was reading about redirecting DNS to pfSense to prevent users from using their own DNS server.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
As all DNS enquiries need to go to the domain controller, how can this be achieved?
I believe I want all DNS queries to be sent to the DC and then the DC to redirect all DNS queries to pfSense.
Does this sound correct?
-
@McMurphy I think the link below will be a good starting point, basically you will want to change the 127.0.0.1 to the IP address of the DC
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
You will then also need rules to allow DNS from the DC to pfSense, and pfSense out, and so on.
-
@McMurphy Without a redirect/NAT you can do a couple of things...
- set up a domain override on pfSense that points your contoso.lan domain to your Windows DNS. I find this works well if you will have IPv6 because you still want devices to resolve your AD domain to Windows even if they use pfSense for IPv6 DNS.
- allow port 53 (tcp+udp) to pfSense LAN IP, and block port 53 to any. Repeat with 853, and the pfBlocker package has a way to block DoH as well (which uses 443).
Windows DNS can be set to forward to pfSense, and optionally set to not fall back to root servers.
-
Thank you. To clarify: I would redirect all DNS to pfSense and then have a domain override in pfSense that directs all domain name DNS to the AD DNS server?
-
The way I did it years ago running Microsoft server is I ran AD, DNS and DHCP off the server and local for all clients. Then I would forward Microsoft DNS server to pfSense DNS and then forward pfSense out to an internet DNS server like QUAD9.
-
So the options are:
PC => AD DNS => pfSense => Internet
PC => pfSense => AD DNS => Internet
I have a domain override in pfSense so I think the 2nd is better.
-
@McMurphy yes either way works. For your second method ensure IPv6 isn’t using pfSense for DNS and bypassing AD. Or, just also add the override anyway. :)
-
@McMurphy
Back in the old days if you did not run AD, DHCP, and DNS off Microsoft server you could corrupt the Microsoft server domain. It may be better now. Make sure you sync the clocks if you don't use all Microsoft for the clients. Timing errors can corrupt the Microsoft server.
-
@coxhaus I would dispute the word "corrupt" but incorrect DNS will cause the PC to not find the domain, causing timeouts, login delays, Group Policy failures, etc., and if the time is off more than IIRC 5 or 10 minutes logins will fail.
-
Appreciate the help. I am unsure of how the following works.
If I set this rule in pfSense.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
Then:
- all NON LAN pfSense queries will be redirected to pfSense (good)
- pfSense will forward DNS queries to the AD DC (good)
- AD DNS will resolve locally or forward DNS queries to external DNS servers (good)
When the AD DC tries to resolve in step 3 above will the pfSense rule not redirect it back to pfSense?
-
@McMurphy yes, you'd have to exclude the AD DNS IPs, perhaps an alias that contains only other IPs. See the tip there:
“With this port forward in place, DNS requests from local clients to any external IP address will result in the query being answered by the firewall itself. Access to other DNS servers on port 53 is impossible.
Tip
This can be adapted to allow access to only a specific set of DNS servers by changing the Destination network from “LAN Address” to an alias containing the allowed DNS servers. The Invert match box should remain checked.”
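As an added illustration (not code from the thread or from pfSense), the following Python model walks a query through the second option (PC => pfSense => AD DNS => Internet) with the Redirect DNS port forward in place. It shows the loop the question asks about (the DC's own outbound queries get redirected back to pfSense) and how an exclusion alias on the source or destination of the rule breaks it. All addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the thread's topology (not from the post).
LAN_NET = ip_network("192.168.1.0/24")
FIREWALL = ip_address("192.168.1.1")    # pfSense LAN address, the redirect target
AD_DNS = ip_address("192.168.1.10")     # Windows DC running AD DNS
UPSTREAM = ip_address("9.9.9.9")        # the DC's forwarder (Quad9, as in the thread)

@dataclass
class RedirectRule:
    """Model of the 'Redirect DNS' port forward on the LAN interface:
    TCP/UDP to port 53 from LAN hosts is sent to the firewall itself, unless
    the source or destination is in an exclusion alias (Invert match)."""
    exclude_src: frozenset = field(default_factory=frozenset)
    exclude_dst: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        self.exclude_src = frozenset(ip_address(a) for a in self.exclude_src)
        self.exclude_dst = frozenset(ip_address(a) for a in self.exclude_dst)

    def apply(self, src, dst, dport=53):
        """Return where a packet src->dst:dport actually ends up after NAT."""
        if src == FIREWALL or src not in LAN_NET or dport != 53:
            return dst           # not inbound on LAN, so the rule never sees it
        if dst in LAN_NET:
            return dst           # same-segment traffic never transits pfSense
        if src in self.exclude_src or dst in self.exclude_dst:
            return dst           # excluded by the alias
        return FIREWALL

def trace_query(rule, client, target, max_hops=8):
    """Follow one query through PC -> pfSense -> AD DNS -> forwarder, applying
    the redirect at each hop. Returns the resolvers reached in order, or None
    if the query keeps bouncing between pfSense and the DC (a forwarding loop)."""
    src, dst = ip_address(client), ip_address(target)
    path = []
    for _ in range(max_hops):
        dst = rule.apply(src, dst)
        path.append(str(dst))
        if dst == FIREWALL:
            src, dst = FIREWALL, AD_DNS      # pfSense forwards/overrides to the DC
        elif dst == AD_DNS:
            src, dst = AD_DNS, UPSTREAM      # Windows DNS forwards externally
        else:
            return path                      # answered by an external resolver
    return None
```

Without an exclusion, `trace_query(RedirectRule(), "192.168.1.50", "8.8.8.8")` returns None (the loop); excluding the DC as source, or the DC's forwarders as destination, lets the query reach 9.9.9.9 while clients are still redirected.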