Netgate Discussion Forum
    DNS Resolver vs DNS Forwarder and Active Directory (SOLVED)

    DHCP and DNS
    3 Posts 2 Posters 3.3k Views

      matsan

      UPDATE: seems to be working using the domain override technique described here: https://forum.pfsense.org/index.php?topic=43835.0
      The override added from the GUI did not work.

      Just migrated a remote site to 2.2 from 2.1.5 and I have a question regarding the switch to DNS Resolver.

      The remote site was running pfSense as the DHCP server and DNS Forwarder, with the Active Directory at the remote end of an IPsec tunnel. I used DNS Forwarder with the domain override (<ad-domain>.local) option and a configured Source IP (the internal LAN interface of the pfSense FW) pointing to the remote AD controller. All worked well for the remote office.

      REMOTE HOST -> (REMOTE LAN) -> PFSENSE -> IPSEC -> PFSENSE -> HQ LAN -> AD Controller

      In 2.2 I have read that DNS Forwarder should not be used and that DNS Resolver should be used instead.

      Trying the same approach with DNS Resolver and domain override, I cannot see any traffic from pfSense to the remote AD Controller. Ping and manual host commands work from both pfSense and hosts in the remote network. DNS Resolver is configured to listen and send on All interfaces, and I tried disabling the various "harden" options.

      Configuring the ADC as the DNS for the remote hosts works, but it is not feasible to have the remote users only use the remote ADC, because the latency (~150 ms) makes Internet browsing painfully slow due to slow resolving.

      Is there a way to get DNS Resolver to work in a situation like this, or should I just weather it out with DNS Forwarder until it is deprecated in a future release of pfSense and then get a backup AD Controller at the remote site?

      Any input greatly appreciated,
      /Mattias


        phil.davis

        Read this: https://forum.pfsense.org/index.php?topic=84184.0
        I think you are in the same situation. Pick one of the possible ways to achieve success.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/


          matsan

          Just got it to work using the sticky note about wildcard DNS.
          I have updated my own original post with the solution.

          Thanks,
          /Mattias

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.