Unbound DNS override to Samba DNS causes SERVFAIL
Hi, I'm new to pfSense so I'm likely doing something wrong, but here goes. I've set up pfSense as my DHCP and DNS for my home. I also have a Samba-based AD domain controller, which I use for SSO. My main domain is ".lan". My AD domain is "home.MYDOMAIN.com". I added an entry to the Domain Overrides part of the Resolver to point queries for the domain "home.MYDOMAIN.com" to my internal Samba DNS server. When I query "SOMESERVER.home.MYDOMAIN.com", I get SERVFAIL from nslookup.
If in nslookup I set "server xx.xx.xx.xx" and point to the Samba DNS server, the query for home.MYDOMAIN.com works without issues.
Is there anything obvious that I'm doing wrong? Or some decent way to troubleshoot this issue?
(Note: the stuff in uppercase in my domain names above is just placeholders.)
If you're running DNS for SSO on your AD box... WTF would you want to use pfSense DNS or DHCP? Why not just leverage your Samba box for these features?
The majority of stuff in my network is not using AD, just a few machines. AD only manages one subnet. This is how many companies operate as well, so it shouldn't be an unusual request, and I think the controls provided by pfSense seem much better than those provided by Samba for setting up DHCP.
Ideally I'd prefer to not use AD/Samba for DNS at all, and just use it for a user database, but AD really depends upon having all of those services tied together.
OK, fair enough. I can tell you I point to Windows DNS with a domain override just fine and have no issues.
Let me VPN in and I will post some examples.
Edit: OK, it took me a bit longer than I thought; freaking real work getting in the way of my helping people on the forums ;) heheh
Anyhoo, so see, I created a mydomain.com domain on my Windows 2k8r2 box... And as you can see, when I query pfSense at first (the .253 address) he doesn't find anything and returns an SOA, since he was asking the internet for that domain.
I ask my Windows box at .19 and he says sure, here you go, I have an A record for the host as 192.168.42.42. I then created a domain override and ask pfSense again at .253 and boom, I get the answer.
If I had to guess why you're getting SERVFAIL, it is that you are not allowing Unbound to query on the interface to get to your AD box. See where I added the LAN interface in my outgoing interfaces so that pfSense can query the 192.168.9.19 address I pointed that mydomain.com to. If I uncheck that and then ask pfSense, I get SERVFAIL like you. So check what interfaces you're allowing Unbound to query out from.
BTW, the long query times: I am having problems with the network here, and am running off a hotspot on my phone currently, with a VPN to my work, and then a VPN off a proxy in my work network in TX, from Memphis to my home in Schaumburg ;) Working latency is a bit high...
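As an added illustration (not from the thread or from pfSense itself), here is what the two GUI settings discussed in the reply above correspond to in Unbound's own unbound.conf syntax, with the weak outgoing-interface setting shown beside the working one. Addresses are assumed from the post (192.168.9.253 for pfSense, 192.168.9.19 for the AD DNS box); the WAN address 203.0.113.10 and the zone name mydomain.com are placeholders.

```conf
# Added example, not the thread's or pfSense's own configuration.
# Assumed addresses: 192.168.9.253 = pfSense LAN side, 192.168.9.19 = AD DNS box,
# 203.0.113.10 = placeholder WAN address. mydomain.com stands in for the real AD zone.
server:
    interface: 192.168.9.253            # where Unbound listens for LAN clients

    # WEAK: only the WAN address is allowed as a source for outgoing queries
    # (the LAN box unchecked in "Outgoing Network Interfaces"). As observed in the
    # post, Unbound then never gets a usable reply from 192.168.9.19 and returns
    # SERVFAIL for every name in the override zone.
    # outgoing-interface: 203.0.113.10

    # WORKING: the LAN address is also allowed, so queries for the override zone
    # can be sent to, and answered by, the AD DNS server on the LAN.
    outgoing-interface: 203.0.113.10
    outgoing-interface: 192.168.9.253

    # Separate, well-known cause of the same symptom (not raised in the thread):
    # if DNSSEC validation is enabled and the AD zone is unsigned while its public
    # parent is signed, Unbound also answers SERVFAIL unless the zone is marked
    # insecure. Uncomment if that applies to your setup.
    # domain-insecure: "mydomain.com"

# Equivalent of the pfSense "Domain Overrides" entry:
# send every query under mydomain.com to the AD DNS server.
forward-zone:
    name: "mydomain.com"
    forward-addr: 192.168.9.19
```

To confirm which side is failing, query the override name once against pfSense and once directly against the AD box (as the original poster did with nslookup); SERVFAIL only from pfSense points at the Unbound settings above rather than at Samba.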