Windows Server Authoritative DNS
-
Hello. I have been trying for quite some time to get two things going here and am having quite a bit of trouble. Basically all I am trying to accomplish is to have a Windows 2008 R2 server be the authoritative DNS server for my home network, lab, etc. and be capable of having any further DNS servers implemented look to it for name resolution. Any addresses the Windows Server does not know about are forwarded to pfSense and on to the appropriate DNS server on the Internet.
The second thing I am trying to get working is my reverse look-up, so I can access printers/servers/workstations by input of their host-name rather than IP address. I am curious if anybody has found an effective method they have implemented to get this working. Here is what I have currently:
http://imgur.com/Pk1rY
http://imgur.com/lk6NZ
http://imgur.com/cppEN
http://imgur.com/auQ4v
-
Basically you need to have your 2008 server as a DHCP server and DNS server.
You should also make sure that root hints are set up (in Configure DNS).
You also need to set up the DHCP server so that it registers a DNS name for all clients (even if they don't request it, like printers), so that this works on your internal LAN.
To make it work for VPN users, you need to tell the VPN server to use the internal DNS server (just add the internal DNS to your General settings on pfSense; your internal DNS server has to be first in the list, then all your ISP's DNS servers).
Then it is a free choice whether you want to use pfSense as a forwarder for your internal DNS or you just let your 2008 server do the name resolution on its own.
I know this setup works, because I have done many installations this way,
but you never let the clients on your internal network know about your external DNS servers (they only know about your 2008 DNS).
-
"The second thing I am trying to get working is my reverse look-up, so I can access printers/servers/workstations by input of their host-name rather then IP address."
Reverse lookup?? I think you're a bit backwards: a reverse lookup would be when you have 192.168.1.3 and you want to know what its forward name is, i.e. computer.domain.tld. If you want to look up the IP from the name computer.domain.tld, that is a forward lookup.
To do a PTR lookup for an IP, you have to have that arpa zone created for the network you want to look up – in my case I run 192.168.1.0/24, so:
; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29676
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;100.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.1.168.192.in-addr.arpa. 3600 IN PTR i5-w7.local.lan.

;; Query time: 10 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sun Jan 15 07:41:03 2012
;; MSG SIZE rcvd: 73

A reverse lookup is a PTR record; forward would be an A record, or an AAAA record for IPv6. Just create a reverse zone for your network and put in the records you want and you're good.
-
Ah, thank you, this is good information. So you say you must create the arpa zone, but you must manually input A or AAAA records for forward lookup? That is more of a Windows DNS question, but maybe you can see here:
It appears to be working correctly as far as resolution goes, but I am not sure if 172.16.1.53 (the Windows DNS server) is being queried in resolution or if pfSense is. I don't see the "flow." Thank you for the help. I must ensure DNS functions correctly before I begin Domain Structure and Exchange Server testing. :-\
-
If you want to see the flow with nslookup, set debug.
If you want to actually do any real troubleshooting or understanding of what is happening with DNS, the tool dig is much better suited than the very limited Windows nslookup.
Yes, for PTR records you're going to need the arpa zone.
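Added example, not code from anyone in this thread: a stdlib-only Python 3 script that builds the same PTR query dig -x sends (the in-addr.arpa or ip6.arpa owner name), sends it straight to one chosen server, and reads the reply's aa flag, which is the direct way to see the "flow" asked about above, since only the server that actually holds the arpa zone answers with aa set while a forwarder such as pfSense does not. The sample reply embedded at the bottom is constructed to match the dig output in the thread; server addresses and zone names in your own network are whatever you configured.

```python
import ipaddress
import socket
import struct

def encode_name(name):
    # Wire format: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    # Read a possibly compressed name at `off`; return (name, offset just past it).
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to a name earlier in the message
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, target)[0].rstrip(".")]) + ".", off + 2
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def build_ptr_query(ip, txid=0x1234):
    # Owner name is what `dig -x` computes (in-addr.arpa or ip6.arpa); header sets RD, QDCOUNT=1.
    qname = encode_name(ipaddress.ip_address(ip).reverse_pointer)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 12, 1)  # 12 = PTR, 1 = IN

def parse_ptr_response(msg):
    # Header facts that reveal the flow: aa set means this server answered from its own zone.
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, targets = 12, []
    for _ in range(qd):  # skip the echoed question(s)
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 12:  # PTR
            targets.append(decode_name(msg, off + 10)[0])
        off += 10 + rdlen
    return {"id": txid, "aa": bool(flags & 0x0400), "rcode": flags & 0xF, "ptr": targets}

def query(server, ip, timeout=2.0):
    # Ask one server directly (the Windows DNS box, then pfSense) and compare the aa flags.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ptr_query(ip), (server, 53))
        return parse_ptr_response(s.recvfrom(512)[0])

_RDATA = encode_name("i5-w7.local.lan.")  # constructed reply mirroring the thread's dig output (id 29676, flags qr aa rd ra)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 29676, 0x8580, 1, 1, 0, 0) + build_ptr_query("192.168.1.100")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 3600, len(_RDATA)) + _RDATA)
```

Running query("172.16.1.53", "172.16.1.20") and then query("<pfSense address>", "172.16.1.20") shows which one sets aa; a reply with rcode 3 (NXDOMAIN) from the Windows box means the arpa zone or the PTR record is missing there.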