Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Transfer pfSense leases to Windows DNS

    DHCP and DNS
    3
    6
    176
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mb-panketal
      last edited by

      Hi!
      We have 9 networks on our pfSense v.2.7.2 and the pfSense is the DHCP server (ISC) for 3 networks. The pfSense also functions as a DNS resolver. All networks forward the DNS queries to a DNS server in a network (a Windows domain controller). The 3 networks with DHCP servers should send their entries (DHCP leases) to the Windows domain controller and enter them in the forward and reverse zones at the DNS server.
      This does not work at all.
      Is there any way at all to transfer the static and dynamic DHCP entries (pfSense) to the Windows DC?
      This worked with the previous iptables router, so technically it must work somehow. We have to use the Windows DNS as primary because of the Active Directory functions.
      Forwarding from Windows DNS to pfSense does not work because the Windows DNS server says ‘I am responsible for the domain, so I am not forwarding anything’.
      Would be great if someone had an idea.

      Thanks, Marcus

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @mb-panketal
        last edited by

        @mb-panketal just curious why not just let your windows be dhcp for these networks? It's normally better if you're an AD shop to let AD do dns and dhcp. Especially if the things in these networks are AD members.

        You can relay dhcp to your windows dhcp server on pfsense, vs running actual dhcpd on pfsense.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        M 1 Reply Last reply Reply Quote 1
        • M
          mb-panketal @johnpoz
          last edited by

          @johnpoz
          This is clear in principle, but the grids are only connected to the pfSense. The DC is located in one DHCP area and the other two DHCP areas have nothing to do with the AD, only the DNS resolution should work there. This means that I would have to create all networks in DNS on the DC (i.e. Windows DNS), even though the DC has nothing to do with it.
          It is clear that either the DC or the pfSense is the DNS server. Previously it was the router (which was in place before pfSense) and I have tried to map this in the same way.
          If the pfSense cannot transfer this correctly to the Windows DNS, I may have to rebuild it completely. But first I wanted to check this carefully.
          Maybe someone has an idea how to do it.
          If not, I will probably have to rebuild the system.
          Thank you, Marcus

          GertjanG 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @mb-panketal
            last edited by Gertjan

            @mb-panketal said in Transfer pfSense leases to Windows DNS:

            Maybe someone has an idea how to do it.

            It already exists.
            But not yet implemented / completed into 2.7.2.
            24.11 has more, but not DDNS neither.
            Since the sofwtare is already there (for 24.11, as I'm using that version) I went ahead.
            I wanted to register my IPv6 DNS info into an upstream DNS server (bind, my main domain name zone server). Look here : ISC DHCP Dynamic DNS feature and Kea DHCP?

            Since, this is running just fine.

            IPv6, as register IPv4 RFC1918 upstream is for me, useless.
            IPv6 gives world wide global info about how to find my NAS, not only as a show case, as I can now use it as a backup device for everything I have out there, and use my own drives as a cloud storage.

            Doing the same with RFC1918 can be useful for bigger (corp) networks with off site (remote) networks, that need to contact other devices, not avaible in the local known (DNS) networks.

            I presume that if kea can do the classic MD5/MAC/whatever bind access, it can also handle whatever Microsoft needs to deposit DNS info.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            M 1 Reply Last reply Reply Quote 0
            • M
              mb-panketal @Gertjan
              last edited by

              @Gertjan said in Transfer pfSense leases to Windows DNS:

              Thanks for this informations!
              So I have three options:

              1. waiting and hope for the new version with the functions
              2. switch to OpenSense (after my first tests, there is it still working)
              3. DHCP Relay to the DC with a major structural change

              Thank you very much and now I have something to think about
              Marcus

              GertjanG 1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @mb-panketal
                last edited by

                @mb-panketal

                Something to read : 21.2.1. GSS-TSIG Overview

                That's what I'm using so Kea's DDNS can communicate with a remote DNS like Microsoft AD (if I understand the doc correctly.
                Not very surprising, as bind and DC are, imho, the most common ones.

                So, don't wait, don't switch, don't relay, but :
                4. Setup and start the Kea DDNS (see my other post).

                This probably needed "Kerberos 5" stuff and looking at other "pfSense Microsoft DC" forum posts, pfSense has the needed libraries already.
                So it issue might be as simple as

                1. You want A to talk to B,
                  So :
                2. Make them talk.

                And I get it, this concerns a Microsoft product so finding doc is a bit hard(er) ....

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.