ISSUE WINDOWS 2012 AS PUBLIC DNS



  • hello,
    we have a problem with pfsense and public dns in windows 2012.

    We're migrating from a Watchguard Firebox to pfSense with two different public networs (Firebox 81.208.x.x, pfsense 151.0.149.x).

    At the moment we have:

    • NS1 with new public ip natted to a Windows Server 2008 R2 from pfSense
    • NS2 with old public ip natted to a Windows Server 2012 R2 from Watchguard

    It seems to work correctly but…if we take offline one of the two NS (is the same: old one or new one) they STOP working...

    We've made a nat on pfsense from 1 Public IP (on WAN) to 1 internal ip (53 (DNS)  is it correct?



  • @marcodv:

    We've made a nat on pfsense from 1 Public IP (on WAN) to 1 internal ip (53 (DNS)  is it correct?

    If you have a public IP range, you have to ensure that the responds from DNS server are natted back to its public IP. You can do this with 1:1 NAT by just one rule for inbound and outbound packets.



  • @marcodv:

    It seems to work correctly but…if we take offline one of the two NS (is the same: old one or new one) they STOP working...

    Define "STOP working". Can you no longer query the DNS server(s) from outside or inside the network? Are you querying the public or private IPs, and if so from where? How have you set up routing on each of the name servers going out correctly? And what forwarders are the servers using - public DNS or name servers specific to each carrier (assuming you're using two different pipes)?



  • @viragomann:

    @marcodv:

    We've made a nat on pfsense from 1 Public IP (on WAN) to 1 internal ip (53 (DNS)  is it correct?

    If you have a public IP range, you have to ensure that the responds from DNS server are natted back to its public IP. You can do this with 1:1 NAT by just one rule for inbound and outbound packets.

    I've set up  1:1 NAT with inboud rule…but nothing happen!



  • @muswellhillbilly:

    @marcodv:

    It seems to work correctly but…if we take offline one of the two NS (is the same: old one or new one) they STOP working...

    Define "STOP working". Can you no longer query the DNS server(s) from outside or inside the network? Are you querying the public or private IPs, and if so from where? How have you set up routing on each of the name servers going out correctly? And what forwarders are the servers using - public DNS or name servers specific to each carrier (assuming you're using two different pipes)?

    I try to explain better:
    actually if I try to use public IP with nslookup from the internet and dns1 (behind pfsense) e dns2 (behind firebox) it works correctly.

    If I put offline dns1 or dns2 (removing default gateway from network adapter) nslookup stops working (request timeout).

    Thanks



  • This still isn't all that clear, but I'll try to answer based on what you've given us so far.

    If you are running a query for your domain where you've specified one or the other of your DNS servers as the POA for your public DNS information, then you may well get a timeout if you remove the gateway information from your WAN. If you're using one server to act as forwarder for the other, then again you may get a timeout error occurring. On the face of it, it does sound like you have some kind of dependency operating across your name servers, but without more information there's not much else I can suggest. You might also want to investigate the routing you have on each of your name servers (as already mentioned).


  • LAYER 8 Global Moderator

    POA?  You mean SOA (source of authority) ?

    So you have 2 2k12r2 boxes, and you have 2 wan with 2 different firewalls.. And these connect to different lans or same lan?

    So you top or the bottom?

    If your running 2 different ns for this domain, should not matter if the SOA goes offline if your directly doing queries to the 2nd one..  But sounds like maybe you have 1 in forward mode..  IF you turn off that one then it would fail, and query that one it would fail, but doing queries to the other one should be fine..

    What is this public domain?  Can you PM it to me if you don't want to post it so I can see what is setup for the Name servers..




  • @johnpoz:

    POA?  You mean SOA (source of authority) ?

    Sorry - wrote in a hurry and had a brief brain-melt. Yes - meant SOA.

    Some information on what forwarders your name servers are each using would probably help, too.


Log in to reply