DNS Resolver vs DNS Forwarder and Active Directory (SOLVED)



  • UPDATE: seems to be working using the domain override technique described here: https://forum.pfsense.org/index.php?topic=43835.0
    The override added from the GUI did not work.

    Just migrated a remote site to 2.2 from 2.1.5 and I have a question regarding the switch to DNS Resolver.

    The remote site was running pfsense as the DHCP server and DNS Forwarder with the Active Directory at the remote end of an IPSec tunnel. I used DNS Forwarder with domain override (<ad-domain>.local) option and a configured Source IP (the internal LAN interface of the pfsense FW) pointing to the remote AD controller. All worked well for the remote office.

    REMOTE HOST -> (REMOTE LAN) -> PFSENSE -> IPSEC -> PFSENSE -> HQ LAN -> AD Controller

    In 2.2 I have read that DNS Forwarder should not be used and instead DNS Resolved should be used instead.

    Trying the same approach with DNS Resolver and domain override I cannot see any traffic from pfsense to the remote AD Controller. Ping and manual host commands work from both pfsense and hosts in the remote network. DNS Resolver is configured to listen and send on All interfaces and tried disabling the various "harden" options.

    Configuring the ADC as the DNS for the remote hosts works but it is not feasible to have the remote users only use the remote ADC due to latency (~150 ms) making Internet browsing painfully slow due to slow resolving.

    Is there a way to get DNS Resolver to work in a situation like this or should I just weather it out with DNS Forwarder until it is deprecated in a future release of pfsense and then get a backup AD Controller at the remote site?

    Any input greatly appreciated,
    /Mattias</ad-domain>



  • Read this: https://forum.pfsense.org/index.php?topic=84184.0
    I think you are in the same situation. Pick one of the possible ways to achieve success.



  • Just got it to work using the sticky note about wildcard DNS.
    I have updated my own original post with the solution.

    Thanks,
    /Mattias


Log in to reply