DNS & Active Directory issues



  • My pfSense is running as a Hyper-V VM, and I'm having issues with the DNS on its host machine:
    1. I can't join the host machine to my domain ("The network path was not found")
    2. nslookup results in timeout error.

    I didn't think pfSense would have anything to do with this problem, but just in case, I should get things sorted.  How should I configure pfSense so that domain-joined machines all go to the ADDC/DNS server and the non-domain machines just use ISP/Google DNS?

    n.b.(1)- The domain is intended to be LAN-only, not facing the internet
    n.b.(2)- DHCP is not used anywhere on my network, only on the WAN side from the ISP.  All machines have static IP assignments

    I am currently configured as follows:

    pfSense
    DNS Forwarder enabled

    • Register DHCP static mappings: checked

    • Do not forward private reverse lookups: checked

    • Interfaces selected: LAN, LAN IPv6 link-local, localhost

    • Domain override entry: mydomain.com, IP of ADDC

    --Should I switch pfSense or my ADDC's DNS listener off port 53 to prevent conflicts?
    --How should I populate the list of DNS servers in pfSense? Since I have the domain override, should I omit my ADDC from the list of DNS servers in the General Setup?

    Hyper-V Host Server
    Windows 2012 R2
    4 physical NICs:

    • NIC1 is a dedicated external vSwitch (pfSense's WAN) for the cable modem

    • NIC2 is a dedicated external vSwitch (pfSense's LAN) connected to my network switch

    • NIC3 & 4 are teamed and connected to my switch, for the host machine's network connection

    Network adapter settings are statically configured, and the only DNS server it points to is my ADDC
    I can ping anything on the LAN, access shared folders/drives, & do Remote Desktop.
    nslookup times out

    ADDC/DNS Server
    Windows 2012 R2
    DNS points to pfSense's IP as the only DNS forwarder
    dcdiag passes all checks



  • The best configuration I've found myself is to set your LAN/Windows clients to use your internal Windows servers as their primary DNS (this is essential, since Active Directory depends on MS-DNS to function properly). The PFS can be set to use the Windows servers as its forwarder, since you may need the firewall to resolve both internal and external hosts, as I sometimes do. Your Windows DNS server(s) should then use an external forwarder to resolve external addresses. This way, all your LAN clients and your firewall will be able to fully resolve all internal and external addresses, plus you can operate split-DNS if you should need to resolve externally-facing servers locally.


  • Rebel Alliance Global Moderator

    ^ agreed.. If you are going to run Active Directory, then you should use AD for dns and dhcp; you really have no use for pfsense to provide those functions since you have them in your AD.. AD for sure needs dns to function, and it helps with dns registrations of clients if AD is also the dhcp server.

    The DNS in 2k12r2 is more than capable, and to be honest the dhcp server has way more features than what pfsense has.

    Point all your local assets to your AD so they can resolve your local zones, then either forward your AD to pfsense dns to either forward yet again or do actual resolving.  Or just have your AD forward to publicdns or your isp, or have it resolve..



  • I think you guys are missing something.  There are several non-domain clients on the LAN that I don't want pointing to my ADDS for DNS services.  The less those machines are aware of my domain, the better.  So, shouldn't pfSense handle DNS for them?

    All domain machines have the ADDS as their only DNS server.  I already said that in my OP!

    Also, DHCP does not exist anywhere on my network, except for the Cox ISP's DHCP on my WAN.


  • Rebel Alliance Global Moderator

    So your whole network is static..  Ok point your non AD clients to pfsense, or google or opendns, etc..

    Why are you pointing to your AD in pfsense?? Or client even?  Or trying to join boxes that you don't point to your AD dns via your static IP setup??

    "The less those machines are aware of my domain, the better."
    "1. I can't join the host machine to my domain ("The network path was not found")"

    So I am completely confused at what you're wanting to do???

    But yes, you could set up a domain override pointing to your AD dns if you want to resolve hosts in it..  But you just stated you don't want non domain machines even knowing about your AD machines..

    So look, I bring up another DNS, be it Windows, Bind, whatever, that is authoritative for another domain..  I then point pfsense to it and it can resolve..

    So see pfsense can not resolve host.example.com

    D:\>dig host.example.com

    ; <<>> DiG 9.10.3-P2 <<>> host.example.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43016
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;host.example.com.              IN      A

    ;; AUTHORITY SECTION:
    example.com.            3600    IN      SOA    sns.dns.icann.org. noc.dns.icann.org. 2015082504 7200 3600 1209600 3600

    ;; Query time: 225 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Feb 06 05:47:08 Central Standard Time 2016
    ;; MSG SIZE  rcvd: 102

    but my windows dns server can…

    D:\>dig @192.168.9.19 host.example.com

    ; <<>> DiG 9.10.3-P2 <<>> @192.168.9.19 host.example.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46382
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;host.example.com.              IN      A

    ;; ANSWER SECTION:
    host.example.com.      3600    IN      A      1.2.3.4

    ;; Query time: 2 msec
    ;; SERVER: 192.168.9.19#53(192.168.9.19)
    ;; WHEN: Sat Feb 06 05:49:21 Central Standard Time 2016
    ;; MSG SIZE  rcvd: 61

    If I then create a domain override in pfsense (I am currently using the resolver, so I do it there), you see that pfsense now resolves my host in example.com and shows that my local 2k8r2 box on my local.lan is the SOA for it...




  • Dude, I have no idea what that text you just posted is.  Is this some FreeBSD CLI stuff?  Well, I have zero knowledge of FreeBSD, so you'll have to dumb it down for me.


  • Rebel Alliance Global Moderator

    Does d:\ look like freebsd to you??  It's a simple dns query using the tool dig from ISC, the makers of bind, on windows…

    "I have zero knowledge of FreeBSD"

    Should prob say you have zero knowledge of dns

    Why don't you ask what you want vs posting conflicting information..
    "The less those machines are aware of my domain, the better."
    "1. I can't join the host machine to my domain ("The network path was not found")"

    How exactly is something going to join your domain if it can not resolve it??  And why should it be joining your domain if you don't want it to know about your domain??



  • @johnpoz:

    Should prob say have zero knowledge of dns

    You're pretty much correct.  Everything I know about DNS I learned in the past several weeks of getting pfSense running and my first experience with Active Directory.  How much more humble can I get?  Shall I prostrate myself before you and autoflagellate until you achieve the proper level of smugness and superiority that you finally have enough pity on me to help?

    When I was 16 and had my first car, I had to replace the clutch myself.  The expert at the auto parts store was very helpful, which led to my continued growth and expertise as an automotive enthusiast and collector.  People have to start somewhere, and it usually requires the help of someone more knowledgeable.  If you don't think I deserve your assistance, then don't post in my thread.

    The current setup is:
    --DNS resolver & forwarder in pfSense are disabled.
    --pfSense basic DNS configuration in System: General Setup is pointing to OpenDNS servers (208.67.222.222 & x.x.220.220)
    --All non-domain devices on the LAN have static IP config and use OpenDNS
    --DC/DNS server for domain uses itself (own IP, then loopback) for DNS in the adapter settings & OpenDNS in the forwarder settings
    --The problem machine points only to the DC's address for DNS

    To clarify, the problem machine is the only one remaining that is not joined to the domain but I want it to join.  All other machines will never join the domain and thus are configured to use pfSense as the gateway and OpenDNS.  They have no issues with this configuration.

    FWIW, I think the issue is confounded by problems of security certificate negotiation.  I'm doing all I can to learn about that and resolve it as well.

    Could the IPv6 settings have anything to do with this problem?  If anyone thinks it is relevant, I can post that configuration.


  • Rebel Alliance Global Moderator

    "--DNS resolver & forwarder in pfSense are disabled."

    Then what does pfsense have to do with anything???

    If pfsense dns services are OFF, then it has ZERO to do with your name resolution issues - unless you're pointing something to it for something it can not provide.

    How exactly would this work if pfsense forwarding and resolving services are off

    DNS points to pfSense's IP as the only DNS forwarder

    What do you expect to happen here???

    Now you say you're using opendns for your forwarder in MS DNS… Which has nothing to do with stuff joining your domain.

    I would run dcdiag on your AD DC and validate its dns shows good.  Do a simple query to your machine running your AD DNS: can it resolve your AD?

    dcdiag /c would prob be a good start...

    I would prob say your AD is not correct..



  • @johnpoz:

    "--DNS resolver & forwarder in pfSense are disabled."

    Then what does pfsense have to do with anything???

    If pfsense dns services are OFF, then it has ZERO to do with your name resolution issues - unless you're pointing something to it for something it can not provide.

    How exactly would this work if pfsense forwarding and resolving services are off

    DNS points to pfSense's IP as the only DNS forwarder

    What do you expect to happen here???

    Now you say you're using opendns for your forwarder in MS DNS… Which has nothing to do with stuff joining your domain.

    I would run dcdiag on your AD DC and validate its dns shows good.  Do a simple query to your machine running your AD DNS: can it resolve your AD?

    dcdiag /c would prob be a good start...

    I would prob say your AD is not correct..

    I gave an updated configuration in my last post, which is different from the old stuff you are quoting.  Apples and oranges, man.

    That updated configuration included the bit about switching to OpenDNS, which is different from the Cox & Google DNS that I was using before (latency has really decreased since doing so).  I simply included this information as the natural companion to having disabled DNS forwarding/resolving in pfSense.

    All dcdiag results, including the optional tests, pass with no errors.

    I'm done here.  This thread has degenerated into little more than you expressing your indignance at my lack of an MCSE credential while revealing your poor reading comprehension and inability to form complete sentences.  If I am to blame for not providing exactly the information you want, then you are also to blame for not asking me clearly what you want.  Questions like "What do I expect???" have no pedagogical or problem-solving value.  I'm not a Marine recruit at Parris Island; I'm an adult who doesn't have to take this crap.  And I won't.  Goodbye.


  • Rebel Alliance Global Moderator

    Dude how are you going to troubleshoot dns if you don't even know how to do a query??

    Nslookup, dig, drill, host – all valid tools in doing a simple query.  If you say dcdiag is good - then post it!

    Can not help if you can not provide information... You say your clients can not find your domain - then test it with a simple query!!

    And let's figure out why it doesn't work
    https://technet.microsoft.com/en-us/library/cc959303.aspx
    Verifying Your Basic DNS Configuration

    Since you don't have dns on pfsense even on... How exactly is pfsense even involved in your problem?  You might have better luck on a MS forum, they are still going to want you to be able to do a simple dns query!
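  • Added illustration, not part of the thread: what the "simple query" above needs to return before a join can work. A domain join first resolves the DC locator SRV record under _msdcs, and a usable reply is NOERROR with at least one SRV answer, not the NXDOMAIN in the pfSense dig output earlier. The decoder below is my own Python; DC_LOCATOR, dc1.mydomain.com and the response bytes are constructed placeholders (mydomain.com is the OP's placeholder domain), and it runs offline against replies it builds itself.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# The SRV record a domain join resolves first; mydomain.com is the OP's placeholder domain.
DC_LOCATOR = "_ldap._tcp.dc._msdcs.mydomain.com"

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):  # decode a name at msg[off], following pointers -> (name, next offset)
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0:  # compression pointer: the rest of the name lives elsewhere in the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):  # -> {"rcode": str, "aa": bool, "srv": [(port, target), ...]}
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "aa": bool(flags & 0x0400), "srv": []}
    off = 12
    for _ in range(qd):  # skip the question section: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:  # SRV rdata: priority, weight, port, target
            port = struct.unpack("!H", msg[off + 4:off + 6])[0]
            result["srv"].append((port, read_name(msg, off + 6)[0]))
        off += rdlen
    return result

def build_response(qname, rcode, aa, srv=None):  # constructed sample reply for offline testing
    flags = 0x8180 | (0x0400 if aa else 0) | rcode  # QR, RD, RA set; AA optional
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if srv else 0, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 33, 1)
    if srv is None:
        return msg  # empty answer (e.g. NXDOMAIN), like the pfSense dig reply earlier in the thread
    rdata = struct.pack("!HHH", 0, 100, srv[0]) + encode_name(srv[1])
    return msg + b"\xc0\x0c" + struct.pack("!HHIH", 33, 1, 600, len(rdata)) + rdata  # 0xC00C -> qname at 12

def join_can_find_dc(msg):  # a join needs NOERROR plus at least one SRV record in the answer
    r = parse_response(msg)
    return r["rcode"] == "NOERROR" and bool(r["srv"])
```

Feed parse_response the raw bytes of a real reply (for instance captured with dig) to see whether the DC's server answers authoritatively for the locator record while a forwarder that lacks a domain override returns NXDOMAIN.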