Netgate Discussion Forum

    Errors transferring zone between Windows Server and pfSense Plus

    DHCP and DNS
    7 Posts 2 Posters 84 Views
    • aaronouthier (last edited by aaronouthier)

      Hello,

      I have set up many local DNS entries on my pfSense's DNS Resolver. I have a home lab. I am taking a self-taught "crash course" in Windows Server configuration.

      I first tried just setting up pfSense as the forwarding location, and that worked for Internet locations, but not for local entries. I then tried the DNS Server wizard and told it that my "ISP DNS Server" was hosting the records in question. It now tries to download all of the local records and fails.

      I'm trying to discern if I need to change something on my DNS Resolver settings, or in Windows (and if the latter, then I'll look to another forum for help).

      I have a Netgate 4200 running pfSense Plus 24.11.

      • aaronouthier @aaronouthier

        It never fails. Complain about something, and it suddenly starts working!

        Resolved for now.

        For future Googlers' sake: I turned DNS over HTTPS on in pfSense, then I had to change my upstream DNS server to one that supports DNS over HTTPS, and disable allowing my ISP's DHCP server to override the box's DNS server selection.

        • aaronouthier

          Looks like I spoke too soon.

          Issue is intermittent. One moment I get DNS Resolution for internal sites, the next I do not. Very strange!

          Only happens on my laptop and 2 servers - the only 3 machines where Windows Server is set as my DNS server.

          nslookup reports no such domain, but strangely ping works fine from a command prompt on my Windows 11 laptop.

          The 2 servers are set up with my Netgate 4200 as forwarders.

          • bmeeks (last edited by bmeeks)

            If you have a Windows Active Directory environment, the only proper way to configure DNS is to let your Windows AD handle that task by installing the DNS Role on an AD server. Depending on the size of your AD network, the most common place to put the DNS role is on the Domain Controller.

            Point ALL of your Windows servers and clients to the AD DNS server. Otherwise, AD stuff will not work reliably. Windows AD writes a lot of weird records into the DNS database. That's why it can't ever work properly with your ISP's DNS server unless your ISP surrenders control of their server to you and allows you to write DNS records directly into their DNS. Unlikely they would ever allow that. If you have your own external leased DNS server that you have a secure control panel for administering, then you might be able to set it up to receive zone updates from AD. But at that point why not just keep the AD DNS internal?

            You can, if desired, enable Forwarding in the Windows AD DNS server and point it to either pfSense (where you should have the DNS Resolver configured in its default setup), or you could point it to an external DNS forwarder such as Cloudflare, Google, etc. You will want a domain override configured in the DNS Resolver on pfSense that points back to your Windows AD DNS server for your AD domain. And don't forget to create the proper domain override for reverse pointer lookup.

            And, in a Windows AD environment, you should run DHCP on a Windows server and NOT on pfSense. That way DNS will be automatically updated with dynamic Windows client information. With smaller AD networks, it is fine to run the DHCP Role on your domain controller.

            Trying to use an external DNS server (including the DNS Resolver on pfSense) as your primary DNS server in a Windows Active Directory network is not ever going to work well (if it works at all). I speak from experience having managed such networks in the corporate world for many years. If you are a Windows AD shop, don't try to be cute -- just configure primary DHCP and DNS services on a Windows AD server.

            Later Edit: I am assuming in my reply above that you configured an Active Directory domain when you set up Windows in your home lab. If that is true, then what I said above holds. But if you did NOT choose to configure an Active Directory domain, then you can have Windows servers and workstations work perfectly well with pfSense and its built-in DNS Resolver. This is the setup I currently run in my home network. I have Windows client PCs that use pfSense Plus 24.11 with DNS Resolver and Kea (as the DHCP server). Of course with this arrangement I do NOT have an Active Directory domain and all my workstations have local accounts only (no AD domain accounts and no SSO (single sign-on) feature).

            • aaronouthier @bmeeks

              @bmeeks

              I see. My internal DNS records are currently on my pfSense box with DNS Resolver. I am taking a crash course (self-taught) in Windows Server setup and configuration. Yes, I have DNS service installed, but also yes, I am running AD. I have 2 servers for redundancy - one on each of 2 different Proxmox hosts, for what I hope are obvious reasons.

              Windows 2022 has a setup wizard that has an option to select whether it will hold the master DNS records, or whether my ISP holds them and Windows has a "Read-Only copy". I tried it both ways (even though it's not technically hosted by my ISP) but ended up with the same issue.

              Both Windows Server boxes have the pfSense box set up as the upstream forwarder, and pfSense is using Cloudflare as its DNS forward destination, and each server's Ethernet params point DNS first at localhost, and then the other server.

              When selecting the option to use my ISP's DNS (technically my pfSense box, not hosted by ISP), it tries to do something called a "zone transfer", whatever that is. This fails.

              I understand the basic concepts of DNS, but advanced config is still a bit over my head. I am mostly self-taught.

              FWIW: Until I get this working, only my laptop is using Windows Server for DNS, as I have domain logins set up for it. That said, it sounds like this won't work, so I suppose I'll have to manually add all of my DNS records inside Windows and then remove them from pfSense. Darn!

              • aaronouthier @bmeeks (last edited by aaronouthier)

                @bmeeks said in Errors transferring zone between Windows Server and pfSense Plus:

                You can, if desired, enable Forwarding in the Windows AD DNS server and point it to either pfSense (where you should have the DNS Resolver configured in its default setup), or you could point it to an external DNS forwarder such as Cloudflare, Google, etc. You will want a domain override configured in the DNS Resolver on pfSense that points back to your Windows AD DNS server for your AD domain. And don't forget to create the proper domain override for reverse pointer lookup.

                I'm just re-reading this again, slower this time. I'm not sure how to set up a "domain override configured in the DNS Resolver on pfSense that points back to your Windows AD DNS server for your AD domain". I already have a forwarder set up on each server.

                Update: I found the setting in pfSense. However, it seems this requires setting Windows Server as the authoritative DNS server for my domain, and pfSense is currently the authoritative server. Can there be 2 authoritative DNS servers in the same domain?

                Epiphany: I'm pretty sure I know my issue! I am experiencing a DNS namespace collision! Not sure if that's what it is called, but I hope you all understand what I mean.

                Saw this once at a job site and had to change one side to a subdomain of the other. I was setting up a pfSense box at another office, and initially tried to set up the internal network with a domain name the company had bought from their registrar, but then from inside the firewall I couldn't access the company web site or emails. I found and fixed that issue before the workers came in the next morning.

                • bmeeks @aaronouthier

                  @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

                  Can there be 2 authoritative DNS Servers in the same domain?

                  If they both contain the exact same records for the domain, then yes. Although typically they are treated as primary and backup servers, respectively.

                  @aaronouthier said in Errors transferring zone between Windows Server and pfSense Plus:

                  FWIW: Until I get this working, only my laptop is using Windows Server for DNS, as I have domain logins setup for it. That said, it sounds like this won't work, so I suppose I'll have to manually add all of my DNS records inside Windows and then remove from pfSense. darn!

                  The correct way to handle this with AD is to let AD DNS be the sole DNS server for all the Windows machines. You can add a domain override for your AD domain to the DNS Resolver in pfSense that points to the IP address of your Windows AD DNS server (typically the domain controller in small networks). That way, the DNS Resolver on pfSense knows which server to ask for information about your AD domain.

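An added example, not code from this thread or from Netgate, covering two things the replies above leave as exercises: the forward-zone stanzas that a pfSense DNS Resolver domain override for the AD domain and its reverse-lookup zone boil down to in Unbound (bmeeks's advice about the forward and reverse overrides), and a check for the namespace collision aaronouthier suspected, where pfSense's own local domain is the same name as the AD domain. The domain name, domain controller addresses and LAN subnet are constructed lab values.

```python
# Added example (not from the thread). Builds Unbound forward-zone stanzas, which is
# what a pfSense "Domain Override" produces, for an AD domain and its reverse zone(s),
# and flags the case where pfSense's local domain collides with the AD domain name.
from __future__ import annotations
import ipaddress

def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so names compare reliably."""
    return name.strip().lower().rstrip(".")

def reverse_zones(cidr: str) -> list[str]:
    """Return the in-addr.arpa zone(s) that cover an IPv4 network.
    Reverse zones live on octet boundaries, so a /22 becomes four /24 zones and
    anything longer than /24 is widened to the /24 that contains it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    boundary = 24 if net.prefixlen > 16 else 16 if net.prefixlen > 8 else 8
    if net.prefixlen > 24:
        subnets = [net.supernet(new_prefix=24)]
    else:
        subnets = list(net.subnets(new_prefix=boundary))
    zones = []
    for s in subnets:
        octets = str(s.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones

def domain_override_stanzas(ad_domain: str, dc_ips: list[str], lan_cidr: str) -> str:
    """Emit one forward-zone per override: the AD domain plus every reverse zone for
    the LAN, each forwarding to the AD DNS server(s), i.e. the domain controllers."""
    out = []
    for zone in [normalize(ad_domain), *reverse_zones(lan_cidr)]:
        out.append("forward-zone:")
        out.append(f'    name: "{zone}"')
        out.extend(f"    forward-addr: {ip}" for ip in dc_ips)
    return "\n".join(out) + "\n"

def namespace_collision(ad_domain: str, pfsense_domain: str) -> bool:
    """True when pfSense's local domain (System > General) is the same name as the AD
    domain: both then claim authority for it, which is the collision described above."""
    return normalize(ad_domain) == normalize(pfsense_domain)

if __name__ == "__main__":
    # Constructed lab values: AD domain, primary and replica DC, LAN /24.
    print(domain_override_stanzas("corp.lab.example", ["192.168.10.5", "192.168.10.6"], "192.168.10.0/24"))
    print("collision:", namespace_collision("corp.lab.example", "lab.example"))
```

With a collision, the fix the thread arrived at is to make one side a subdomain of the other; with no collision, the stanzas above are what the Resolver needs to hand AD-domain and PTR queries to the domain controllers.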
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.