Dns forwarder flow?

  • Please could somebody explain the DNS forwarder flow, as I think I may have it wrong.

    Let's assume I have a Windows DNS server on my LAN, but my DHCP leases (for test clients) are from pfSense. Because pfSense is doing the DHCP, I want it to automatically add the DHCP clients into the DNS forwarder, whereas the more static clients etc. will be stored in the Windows DNS.

    So, do I point my DHCP clients to the pfSense DNS forwarder first or second?

    DHCP client > pfSense DNS forwarder > Windows DNS server > pfSense external DNS

    DHCP client > Windows DNS server > pfSense DNS forwarder > pfSense external DNS

  • LAYER 8 Global Moderator

    ALL AD members need to point to your AD DNS. I assume, if you're running Windows DNS, that you have Active Directory set up? And these clients are members of this AD?

    Members of AD NEED to point to AD DNS as their ONLY DNS server.

    What you can do is have your AD DNS forward queries it's not authoritative for to pfSense; pfSense will then either forward to your ISP or to wherever you pointed it to forward.

    But again, in MS AD all members need to use AD DNS only. Having non-AD DNS in the list is going to cause you issues.

  • Thanks for that. Normally I would, but we have numerous VLANs running and we find it far easier to let pfSense do the DHCP leasing, keeping it all in one place.
    You are correct that we have AD set up on that particular VLAN, which has about 20 static clients (servers + desktops), and what we would like is for pfSense to manage the dynamic (test) clients for that domain.
    So any DNS lookup on that domain would go from both the static clients and the dynamic test clients > pfSense forwarder > Windows server > WAN DNS.
    Just being lazy really (by keeping the leases in pfSense), and I know the easiest solution would probably be to disable DHCP/DNS for that VLAN in pfSense and let the Windows server do the rest.
    I've sort of figured it out anyway with my first option (dynamic & static clients > pfSense DNS forwarder > win2k8 DNS > win2k8 forwarder), which appears to be working OK at this time.

  • The main thing if you do use a DNS forwarder (generally that's a good option as a secondary DNS in SBS environments and similar, where you have only one AD DNS server) is to make sure you're forwarding the AD domain to the AD DNS. If you have a typical full-blown AD environment, it's best to point the clients straight to the AD DNS, but only because they'll register their hostnames in your AD DNS that way. As long as you have that domain forward in your DNS forwarder, AD works perfectly fine for clients using the DNS forwarder. It's just DNS name registration that wouldn't work in your AD in that case.
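The previous two replies turn on one rule: a client that resolves through the pfSense DNS forwarder only works for AD if the forwarder sends the AD zone (including its `_msdcs` locator subzone and, for PTR lookups, the AD subnet's reverse zone) to the Windows DNS server and everything else to the WAN resolvers. pfSense's DNS Forwarder is dnsmasq, whose "Domain Overrides" become `server=/domain/address` lines matched by longest DNS suffix. The block below is an added example, not code from the thread or from pfSense/dnsmasq, that models that routing decision and shows why label-based suffix matching matters (a plain string `endswith` would wrongly send `notcorp.example` to the AD server). The domain `corp.example` and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders.

```python
"""
Model of dnsmasq-style conditional forwarding (server=/domain/upstream),
the mechanism behind pfSense DNS Forwarder "Domain Overrides".
Constructed example: domain names and addresses are placeholders.
"""

# Placeholder AD zone and server addresses (constructed, not from the thread).
AD_DOMAIN = "corp.example"                  # AD DNS zone
AD_DNS = "192.0.2.10"                       # Windows DNS server on the AD VLAN
WAN_DNS = ["198.51.100.1", "198.51.100.2"]  # external resolvers pfSense uses

# Zones that must reach the AD DNS server for domain-joined clients to work:
# the zone itself, the _msdcs locator subzone (SRV records for DCs/LDAP/Kerberos)
# and the reverse zone for the AD subnet so PTR lookups land on AD DNS too.
DOMAIN_OVERRIDES = {
    AD_DOMAIN: AD_DNS,
    "_msdcs." + AD_DOMAIN: AD_DNS,
    "2.0.192.in-addr.arpa": AD_DNS,
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'DC1.corp.example.' compares equal."""
    return name.rstrip(".").lower()


def choose_upstream(qname: str, overrides=DOMAIN_OVERRIDES, default=WAN_DNS) -> list:
    """Return the resolver list for a query name.

    Matching is done per label, from the full name down to the shortest
    suffix, so the first hit is the longest (most specific) override, which
    is how dnsmasq picks among server=/domain/ rules. Because suffixes are
    whole labels, 'notcorp.example' does NOT match 'corp.example'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return [overrides[candidate]]
    return list(default)


def dnsmasq_lines(overrides=DOMAIN_OVERRIDES) -> list:
    """Render the override table as the dnsmasq directives pfSense would emit."""
    return [f"server=/{domain}/{server}" for domain, server in overrides.items()]


def trace_flow(qname: str) -> str:
    """One-line description of the hop a query takes from the forwarder."""
    upstream = choose_upstream(qname)
    hop = "AD DNS" if upstream == [AD_DNS] else "WAN DNS"
    return f"{normalize(qname)} -> pfSense forwarder -> {hop} {upstream}"


if __name__ == "__main__":
    for line in dnsmasq_lines():
        print(line)
    for q in ("dc1.corp.example.", "_ldap._tcp.dc._msdcs.corp.example",
              "notcorp.example", "www.example.org", "10.2.0.192.in-addr.arpa"):
        print(trace_flow(q))
```

Run it directly to see the three `server=` lines and a per-query trace. With this table in place a client using only the pfSense forwarder resolves domain controllers, SRV locator records and AD reverse lookups through the Windows server, while ordinary Internet names never touch it; the one thing the forwarder cannot do for you, as the reply notes, is dynamic hostname registration into the AD zone.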
