  • Hi all,

    I have pfSense and use it for my home. I have DHCP enabled on my LAN and I use the DNS Forwarder for my DNS queries; I haven't downloaded the BIND package.

    My question is: if I were to set up an IT infrastructure, would you use the pfSense DHCP and BIND packages, or would you install them on a separate Linux machine? I think you really want the pfSense firewall to just do the routing of traffic and not other services, as if pfSense goes down your DNS/DHCP will be out as well.

    What do you guys think?



    And if your internet is down, what does it matter that DNS is down?  If your DNS is down, it's kind of hard to look up things to use your internet that is still up.

    DHCP being down is normally not an issue unless you have a really short lease; typical DHCP settings give you hours and hours to get it back up for the majority of machines, since you should have at worst 1/2 of your lease time to get it back up.

    What is going to run on this infrastructure that you need BIND?

    If you are setting up AD, then yes, it makes complete sense to run your DNS and DHCP off your AD setup, since these 2 features really tie in with Active Directory.  But I really would not worry about moving DHCP and DNS off pfSense if your only concern is that if pfSense goes down these services are out.  What are you needing to resolve with DNS locally, that this is a concern?  If so, moving off to a single system doesn't really get you any extra failure protection.  Are you going to set up redundant DHCP and DNS?

  • Alright, if I set DHCP leases to a day then it won't be an issue, as it doesn't need to talk to the DHCP server.

    But I mean local DNS lookups like email server, LDAP server, spam server, etc., so end users don't need to know the IP.

    I mentioned BIND as I thought that's a good DNS package to use instead of the default pfSense one, i.e. the DNS Forwarder.

    Why would a client need to look up the spam server?

    So are you running Active Directory or not?  You mention an LDAP server.  So you're using LDAP to auth, but not AD from MS?

    Yes, BIND is a good name server.  How many IPs are you talking about?  You can use either dnsmasq or unbound, which are both part of pfSense without any packages added.  Do you need a full-blown authoritative name server?

    Your clients need to talk to the DHCP server at some point, but normally the worst case is 1/2 of your lease, because if your DHCP just happened to fail you could have clients that were like 1 minute away from renewing their lease at the 50% mark, etc.

    I don't see the advantage of moving DNS away from pfSense unless you're going to set up redundancy on that system.  Or you're just moving it to a system that could also just fail.  Unless you need some specific feature of DNS that is not supported in dnsmasq or unbound, or even the BIND package for pfSense, I'm not sure moving it off buys you anything, unless the other system is AD, where all members of the AD should use AD DNS and DHCP since it makes it easier to work with, etc.  If your reason for moving it off is you want DNS if pfSense fails, the other system could fail as well.  Just because the internet goes down does not mean pfSense stops providing local name services or DHCP, etc.

    You could always set up CARP for pfSense if you're worried about the system failing, etc.
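The lease-timing argument made in the two replies above (clients renew at the 50% mark, so a DHCP server outage is survivable for at least half the lease) can be checked against the RFC 2131 client timers. The following is an added example for this thread, not code from either poster or from pfSense or ISC dhcpd: it models a client's BOUND/RENEWING/REBINDING/EXPIRED states using the RFC 2131 default T1 (50%) and T2 (87.5%) timers and computes, for a constructed fleet of clients with staggered renewals, how long the most exposed client keeps its address after the server disappears. The fleet layout, the 1-day lease and the outage timestamp are constructed inputs.

```python
"""DHCP client lease timers per RFC 2131 section 4.4.5 (default T1/T2).

Constructed model for illustration, not pfSense or ISC dhcpd code.
All times are in seconds.
"""
from dataclasses import dataclass

T1_FRACTION = 0.5    # RENEWING starts: unicast DHCPREQUEST to the leasing server
T2_FRACTION = 0.875  # REBINDING starts: broadcast DHCPREQUEST to any server


@dataclass(frozen=True)
class Lease:
    lease_seconds: int   # lease duration handed out in the DHCPACK
    obtained_at: float   # time the client received that DHCPACK

    @property
    def t1(self) -> float:
        return self.obtained_at + T1_FRACTION * self.lease_seconds

    @property
    def t2(self) -> float:
        return self.obtained_at + T2_FRACTION * self.lease_seconds

    @property
    def expiry(self) -> float:
        return self.obtained_at + self.lease_seconds

    def state_at(self, now: float) -> str:
        """Client state assuming no DHCP server has answered since obtained_at."""
        if now < self.t1:
            return "BOUND"
        if now < self.t2:
            return "RENEWING"
        if now < self.expiry:
            return "REBINDING"
        return "EXPIRED"


def seconds_until_loss(lease: Lease, outage_start: float) -> float:
    """Seconds after outage_start before this client must stop using its address.

    The client keeps the address through RENEWING and REBINDING; only lease
    expiry forces it off the network.
    """
    return max(0.0, lease.expiry - outage_start)


def worst_case_headroom(lease_seconds: int) -> float:
    """Minimum time any steady-state client survives a server outage.

    With a healthy server every client renews at T1, so the client closest
    to losing its address is the one just about to reach T1: it still has
    (1 - T1_FRACTION) of the lease, i.e. half the lease, before expiry.
    """
    return (1.0 - T1_FRACTION) * lease_seconds


def fleet_headroom(leases, outage_start: float) -> float:
    """Headroom of the most exposed client in a fleet."""
    return min(seconds_until_loss(lease, outage_start) for lease in leases)


def steady_state_fleet(lease_seconds: int, outage_start: float, n: int):
    """Constructed fleet: clients whose last successful renewal is spread
    evenly across the T1 interval preceding the outage. No client is past
    T1, because the server was still answering until outage_start."""
    t1_len = T1_FRACTION * lease_seconds
    return [Lease(lease_seconds, outage_start - t1_len * i / n) for i in range(n)]


if __name__ == "__main__":
    day = 86400                 # the 1-day lease mentioned in the thread
    outage = 1_000_000.0        # constructed outage timestamp
    fleet = steady_state_fleet(day, outage, 10)
    print(f"worst-case headroom for a 1-day lease: {worst_case_headroom(day) / 3600:.1f} h")
    print(f"most exposed client in the fleet:      {fleet_headroom(fleet, outage) / 3600:.1f} h")
    for hours in (0, 12, 21, 24):
        print(f"+{hours:2d} h: {fleet[0].state_at(outage + hours * 3600)}")
```

Run as a script it prints the 12-hour worst case for a 1-day lease and walks one client through RENEWING at 12 h, REBINDING at 21 h and EXPIRED at 24 h. Note that the model assumes the RFC defaults; a server that hands out explicit T1/T2 options (DHCP options 58 and 59) changes the fractions, and a client whose renewals were already failing before the outage will have less headroom than the steady-state figure.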

