DNS & DHCP over Server 2003



  • Hi,

I've recently deployed a pfSense installation without DHCP or DNS services, because these services are going to be running on 2 DCs with Server 2003.

What is necessary to do on the DCs and pfSense so that the computers can access the internet through pfSense? With manual IP and DNS configuration, it's possible to do this.
    On pfSense I have the WAN configured with 2 DNS IP addresses from the ISP, but I don't know if this is correct.

    Thank you in advance!


  • LAYER 8 Global Moderator

So you want your 2k3 DHCP clients to be able to use the internet via pfSense and, using the DNS of your 2k3 boxes, look up say www.pfsense.org, etc.

Well, what is the IP address of your pfSense LAN?  Let's call it 192.168.1.1/24, let's say your DCs are 192.168.1.2 and .3, and let's say your clients get 192.168.1.10-200 as their IPs.

So on the DHCP scope you need to set pfSense as your gateway/router (192.168.1.1) and the IPs of your DCs running DNS as the clients' DNS, so 192.168.1.2 and .3.

On your 2k3 DCs you need to set up DNS to either ask the roots directly, or forward to your ISP DNS, OpenDNS, Google DNS, etc.

    There you go - done.



  • Easy! Thank you for your answer!

It's done but it fails… The DHCP service works, giving out IP addresses, but there is no access to the internet.
    I've reinstalled the DNS services again on both DC servers properly...  ???
    Is there an additional setup needed in order to make this work?
    Where is the 'logical connection' or 'setup' between the ISP DNS servers and the DCs' DNS servers?

I've read about Routing & RAS services on the DCs... could this be an additional setup to be done?

    Thanks!


  • LAYER 8 Global Moderator

No, you don't need any Routing/RAS on the DC.  You just need to configure your DNS to forward to your ISP DNS, OpenDNS, Google DNS, or the roots directly.  And have pfSense allow outbound traffic either to those specific IPs on UDP/TCP 53 or to any on 53.

I think I have a 2k8 box as a VM I could fire up and show you where to configure the DNS service to forward, if that is your question.

edit:  You know, when you say "I've reinstalled again DNS services in both DC servers properly… ", this sounds like you're running Active Directory to me, if when you say DC you mean Domain Controller.

What is the output of ipconfig /all on one of your clients?

What is it using for DNS? Can it query, say, your dcname.yourdomain.tld via something as simple as pinging that name?

You need to configure forwarders on your DNS service; see here:
    http://technet.microsoft.com/en-us/library/cc773370(v=ws.10).aspx
    Configure a DNS server to use forwarders
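The two posts above describe the same procedure in pieces: point the DHCP scope's router option at pfSense and its DNS option at the two DCs, configure forwarders on each DC's DNS service, and then verify from a client with ipconfig and a name lookup. The script below is an added example that ties those steps together; it is not code from the thread or from pfSense. It assumes the addresses the moderator made up (pfSense LAN 192.168.1.1/24, DCs at 192.168.1.2 and .3, scope 192.168.1.0), hypothetical DC host names DC1 and DC2, a hypothetical AD domain example.local, and two placeholder ISP resolvers from the 203.0.113.0/24 documentation range. It only calls the netsh, dnscmd, ipconfig, nslookup and findstr commands that ship with Server 2003, so each line can equally be typed into cmd.exe one at a time.

```powershell
# Added example, not from the thread. Run on one of the DCs (DHCP options are
# set once on the server holding the scope; forwarders are set on each DNS server).
$ScopeId    = '192.168.1.0'                      # DHCP scope handing out .10-.200
$Gateway    = '192.168.1.1'                      # pfSense LAN address (assumed)
$DnsServers = '192.168.1.2', '192.168.1.3'       # the two DCs running DNS (assumed)
$Forwarders = '203.0.113.53', '203.0.113.54'     # placeholder ISP resolvers (assumed)
$DnsHosts   = 'DC1', 'DC2'                       # hypothetical DC host names

# 1. DHCP scope options: 003 (router) -> pfSense, 006 (DNS servers) -> the DCs.
#    Clients must use the DCs, not the ISP, or AD names and logons break.
netsh dhcp server scope $ScopeId set optionvalue 003 IPADDRESS $Gateway
netsh dhcp server scope $ScopeId set optionvalue 006 IPADDRESS $DnsServers
netsh dhcp server scope $ScopeId show optionvalue

# 2. Forwarders on each DC. /Slave makes the server forward-only (no fallback
#    to root hints), so a forwarder blocked by the firewall fails fast and
#    visibly instead of leaving clients waiting on slow root queries.
foreach ($dc in $DnsHosts) {
    dnscmd $dc /ResetForwarders $Forwarders /Timeout 5 /Slave
    dnscmd $dc /Info      # dumps server settings, including the forwarder list
}

# 3. Verification from a client (the checks the moderator asks for):
#    which DNS/gateway the lease handed out, whether an AD name resolves
#    through the DC, and whether an external name resolves through the DC.
ipconfig /all | findstr /i /c:"DNS Servers" /c:"Default Gateway"
nslookup dc1.example.local 192.168.1.2      # internal: must answer from the DC
nslookup www.pfsense.org  192.168.1.2       # external: needs forwarders + port 53 out
```

If the internal lookup works but the external one times out, the DC cannot reach its forwarders; on pfSense that means the LAN rules must pass TCP and UDP 53 from the DC addresses (or the LAN net) to the forwarder IPs, which is exactly the rule the original poster turned out to be missing. Note that the forwarder addresses above are placeholders and must be replaced with the ISP's real resolvers.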



  • Hi,

    Finally it's working now!

The problem was the outbound traffic rule. I had to enable traffic on UDP/TCP port 53  :)

When I talked about 'reinstalling again DNS services', I meant I reinstalled the DNS services without demoting the DCs ;)

    Thank you very much for your help johnpoz.


  • LAYER 8 Global Moderator

Well, you must have locked down the rules from the default then, because the default rule in pfSense is allow anything from the LAN subnet to ANY.



  • Hi,
    Now I have:

1. PASS. Destination: LAN Address. Ports: 443, 80, 22. Description: Anti-Lockout rule
    2. PASS. Source: 'ADMIN' alias (which includes my computer)
    3. PASS. Source: LAN net. Ports: 'General Ports' alias (which includes TCP/UDP ports like 80, 443, 553, 23, 21…)

    If not indicated, the rest is blocked by default, isn't it?


  • LAYER 8 Global Moderator

If you remove or edit the DEFAULT rule that pfSense sets up out of the box, then yes, you have to allow 53 either to pfSense's dnsmasq or to some outside DNS.

But yeah, once you start limiting traffic, if there is not a pass rule then the default block is there.

553, guessing that is a typo ;)  That sure isn't a typical port.



  • OK!
    @johnpoz:

553, guessing that is a typo ;)  That sure isn't a typical port.

    Oops… for sure! I meant 53 of course  ;D

    Thanks a lot!

