How do I get SRV records through Domain Override?



  • Hi,

    On my DNS forwarder, I have a domain override that points all addresses on the internal network domain to a DNS entry from an internal DNS server, rather than going out to the web.  This works well when it's "myserver.mydomain".

    How do I get this to work with SRV records?  Specifically _kerberos._udp records, which of course do not end in .mydomain.

    Regards,
    Rob.


  • Banned

    Stick this to advanced config:

    
    server:
    local-data: "_kerberos._tcp.example.com 3600 IN SRV 0 100 88 dc1.example.com"
    local-data: "_kerberos._udp.example.com 3600 IN SRV 0 100 88 dc1.example.com"
    
    

    Warning note: Do NOT attempt to use unbound on pfSense as a DNS server for Active Directory.



  • Well I was about to say "I won't, because I don't have Unbound installed", but I realised, upon entering your solution into the Advanced section of DNS Forwarder and getting a format error, that Unbound is now the default as a replacement for the DNS Forwarder.

    So I just jumped through the hassle of upgrading from 2.1.5 to 2.2.1.  A few pain points:

    • admin account password wouldn't work; in the end I had to attach to the terminal and reset the password from there.

    • squid proxy just doesn't work anymore; it blocks all internet access with settings that used to work.  For the time being, I've removed it from the interfaces.

    I then moved my domain overrides across to the DNS Resolver section, and switched off the DNS Forwarder.  After switching on the DNS Resolver, I checked the sockets to make sure Unbound was listening.

    After flushing all the DNS caches, I was irritated to find that all internal DNS lookups were failing and sending me to some odd 92.blah address.  I then rebooted the pfSense box, and everything started resolving normally.

    So, I then try an nslookup on the _kerberos._udp.mydomain entry as configured in the Advanced setup:

    
    server:
    local-data: "_kerberos._udp.mydomain 3600 IN SRV 0 100 88 kdc.mydomain"
    
    

    And I get the following message:

    
    *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for _kerberos._udp.mydomain
    
    

    No idea what that means.  I was going to try and put my original DNS records into the Advanced section using the TXT approach, since I still get responses on _kerberos._udp.

    However I do not know how to put that entry in the Advanced section and escape the double quote marks around the TXT value.  Any ideas?

    Regards,
    Rob.


  • Banned

    @peridian:

    And I get the following message:

    
    *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for _kerberos._udp.mydomain
    
    

    No idea what that means.

    No idea what you are messing with and why. You are doing the nslookup wrong, that's all.

    nslookup -type=SRV _kerberos._udp.example.com

    Server:  dc1.example.com
    Address:  192.0.2.1

    _kerberos._udp.example.com SRV service location:
              priority      = 0
              weight        = 100
              port          = 88
              svr hostname  = dc1.example.com
    dc1.example.com    internet address = 192.0.2.1
    dc1.example.com    AAAA IPv6 address = 2001:db8::dead:beef

    TXT has nothing to do with this. And if you have no idea what that output means then you simply should stop messing with this stuff before you cause severe borkage with your AD domain.


  • Rebel Alliance Global Moderator

    You have to love how people who have no clue how to even use nslookup want to point their AD clients to some other DNS that they clearly don't understand as well.  Why don't you just point your AD clients to your AD DNS, more than likely running on your DC..



  • Well I've reported your posts anyway, and I'm not going to inflame this any further.

    All I will say is that you perhaps have another read of my posts and tell me where, anywhere, in my posts I actually mention the words: Active, Directory.

    Hmm?


  • Rebel Alliance Global Moderator

    Dude you reported our posts??  What will I do??  Oh my gawd, I stated an opinion and now I am reported..

    Well, since you clearly did not actually state what you were doing with SRV records and _kerberos._udp, both used in AD.. Sorry I assumed. So what exactly are you doing that you cannot point your clients to the name server that actually holds these records??

    But to create _kerberos._udp that does not end in your domain, since its TLD is _udp: in the resolver just create host _kerberos and domain _udp, or if it ends in your domain then it would be _kerberos as the host and _udp.mydomain as the domain.

    C:>dig _kerberos._udp

    ; <<>> DiG 9.10.2 <<>> _kerberos._udp
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1459
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_kerberos._udp.                        IN      A

    ;; ANSWER SECTION:
    _kerberos._udp.        3600    IN      A      1.2.3.4

    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Mon Mar 23 05:09:41 Central Daylight Time 2015
    ;; MSG SIZE  rcvd: 59

    C:>dig _kerberos._udp.mydomain

    ; <<>> DiG 9.10.2 <<>> _kerberos._udp.mydomain
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5430
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_kerberos._udp.mydomain.      IN      A

    ;; ANSWER SECTION:
    _kerberos._udp.mydomain. 3600  IN      A      1.2.3.4

    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Mon Mar 23 05:14:15 Central Daylight Time 2015
    ;; MSG SIZE  rcvd: 68

    For the SRV record, following dok's exact instructions, it works just fine:

    C:>dig _kerberos._udp.mydomain SRV

    ; <<>> DiG 9.10.2 <<>> _kerberos._udp.mydomain SRV
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56993
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_kerberos._udp.mydomain.      IN      SRV

    ;; ANSWER SECTION:
    _kerberos._udp.mydomain. 3600  IN      SRV    0 100 88 kdc.mydomain.

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Mon Mar 23 05:15:18 Central Daylight Time 2015
    ;; MSG SIZE  rcvd: 84




  • Solved this last night, did a bit of trial and error testing this morning.

    Admittedly I do not fully understand why the original DNS Forwarder solution did not work, but since I don't want the hassle of rolling back to 2.1.5 just to re-test it, I'll leave it as a config screw up (knowing my luck, I probably just missed a dot out of the DNS record).

    In answer to the question how do you use double quotes in the local-data line in the Advanced section, the Unbound documentation (https://www.unbound.net/documentation/unbound.conf.html) shows that you can actually use single-quotes instead.  E.g.:

    
    local-data: '_kerberos IN TXT "REALM"'
    
    

    Several Kerberos clients look for this record to infer the default Realm for the domain, but it is usually discouraged as it can be a security vulnerability (http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/realm_config.html).

    In answer to why I got a "No records available" answer once I moved to Unbound, this was because it was quite correct.  Once Unbound was running, the Domain Override records were correctly picking up the .mydomain part of the query, and sending it to my internal DNS.  However, because I had set the record up in local-data, I had also gone and removed the record from the internal DNS.

    It appears that, with Unbound, the Domain Override takes precedence over local-data entries (I've tested this with two entries for the same CNAME, one in internal DNS and one in the Advanced section, but each returning a different answer; then juggled around which records were present to see what I got back).  Hence it was unable to find the record requested because it was querying my internal DNS (which had no record) and not falling back on its local-data.

    I actually suspect that Unbound and the DNS Forwarder behave differently when faced with certain responses from the DNS server.  Unbound was giving me the answer back from my internal DNS telling me it had been unable to find the record.  The DNS Forwarder may have been passing my SRV nslookup requests out to my ISP, which seemed unlikely to me but that seems to be where the 92.blah address comes from; whether or not it even queried my internal DNS first I don't know.

    I have restored my internal DNS to what it was (I think) in the first place, and Unbound is now directing the Kerberos requests from my client (which was intended to work in an AD environment and would not let me specifically configure where to find the KDC) correctly, and successfully obtaining a ticket from my non-AD KDC in a non-AD environment.

    Regards,
    Rob.
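
An added example, not code from the thread or from pfSense/Unbound, that ties together the local-data lines in the first answer, the single-quote trick, and the precedence Rob found above: it parses Advanced-box local-data lines and flags those Unbound would reject or a domain override would shadow. The override name and the three record lines are constructed; the shadowing rule is taken from Rob's own test, not from Unbound documentation.

```python
import re
import shlex

# Constructed sample modelled on the thread (not Rob's real config): one pfSense
# domain override for "mydomain" plus three lines typed into the Advanced box.
DOMAIN_OVERRIDES = ["mydomain"]
LOCAL_DATA = [
    'local-data: "_kerberos._udp.mydomain 3600 IN SRV 0 100 88 kdc.mydomain"',
    "local-data: '_kerberos IN TXT \"REALM\"'",  # single-quoted, as unbound.conf allows
    'local-data: "_kerberos IN TXT "REALM""',    # double quotes inside double quotes
]


def parse_local_data(line):
    """Split one local-data: line into (owner, ttl, type, rdata tokens), or return
    None for a line Unbound refuses: the RR must sit in one pair of matching quotes,
    and a double-quoted RR cannot contain a double quote (the TXT format error)."""
    m = re.match(r"^\s*local-data:\s*(.+?)\s*$", line)
    rr = m.group(1) if m else ""
    if (len(rr) < 2 or rr[0] not in "\"'" or rr[-1] != rr[0]
            or (rr[0] == '"' and '"' in rr[1:-1])):  # the TXT quoting pitfall
        return None
    toks = shlex.split(rr[1:-1])  # shlex keeps a quoted TXT string as one token
    owner, rest = toks[0].rstrip(".").lower(), toks[1:]
    ttl = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    if rest and rest[0].upper() == "IN":
        rest.pop(0)
    return owner, ttl, rest[0].upper(), rest[1:]


def shadowing_override(owner, overrides):
    """Return the domain override covering owner, or None.  Rob's test showed Unbound
    forwards such queries to the override's server and never consults local-data."""
    zones = [z.rstrip(".").lower() for z in overrides]
    return next((z for z in zones if owner == z or owner.endswith("." + z)), None)


def audit(local_data, overrides):
    """Return (line, problem) pairs for records that will not serve as written."""
    findings = []
    for line in local_data:
        parsed = parse_local_data(line)
        if parsed is None:
            findings.append((line, "rejected by Unbound; single-quote an RR containing double quotes"))
            continue
        owner, _ttl, rtype, rdata = parsed
        if rtype == "SRV" and len(rdata) != 4:
            findings.append((line, "SRV rdata must be: priority weight port target"))
        zone = shadowing_override(owner, overrides)
        if zone is not None:
            findings.append((line, f"shadowed by the domain override for {zone}; put it on that server"))
    return findings
```

Running `audit(LOCAL_DATA, DOMAIN_OVERRIDES)` reports the SRV line as shadowed and the double-quoted TXT line as rejected, while the single-quoted TXT line passes.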



  • @doktornotor:

    Warning note: Do NOT attempt to use unbound on pfSense as a DNS server for Active Directory.

    Why?
    So you do advise to use DNS forwarder and not DNS resolver on 2.2?


  • Banned

    @decibel83:

    @doktornotor:

    Warning note: Do NOT attempt to use unbound on pfSense as a DNS server for Active Directory.

    Why?
    So you do advise to use DNS forwarder and not DNS resolver on 2.2?

    None. Any of your AD joined computers should only point to AD DNS servers and nothing else. Set pfSense on the AD DNS servers as a forwarder for external lookups.



  • @decibel83:

    @doktornotor:

    Warning note: Do NOT attempt to use unbound on pfSense as a DNS server for Active Directory.

    Why?
    So you do advise to use DNS forwarder and not DNS resolver on 2.2?

    This is a very helpful link.  https://technet.microsoft.com/en-us/library/cc759550(v=ws.10).aspx

    AD's architecture requires it to be the primary DNS server for all servers and clients on a network.  You could run two primary DNS servers (sort of): the AD DNS server and another server that does non-AD lookups for your LAN.  I am running a 2012 domain controller with DNS being run (ironically) on a Mac for my LAN.  The Windows clients use AD's DNS, and all internal queries that are for non-Windows or domain members (things like my Linux servers and Mac clients) use the Mac server.  The Mac runs bind, which is my preferred DNS server.