How to connecto to windows DNS server

[trinitech]

Hi Guys!

I just installed OPNsense for the first time and I have a question...
How do I need to setup the wan interface to work with a DHCP and DNS server hosted on a windows server?

So far, the WAN and the DHCP seem to be working ok..
From the OPNsense box, I can ping the DHCP server and the outside world (google.com)
From the LAN, I can ssh to remote server, ping the outside world with no problem but I CANNOT browse the internet..

If I manually set the desktop ethernet cart DNS to 8.8.8.8, then I can browse the internet..

So how do we set this up in OPNsense?
How do I tell my WAN that he nood to use the DNS server on the windows machine?

[Ciprian]

I started this response, wrote a few paragraphs, deleted everything and restarted with the following:

Your problem might be not related to the correct DNS server set for the FW, but to default DNSSEC settings on OPNsense. If you just installed OPNsense, then you have DNSSEC enabled (checked - Services: Unbound DNS: General) and Harden DNSSEC data enabled (checked - Services: Unbound DNS: Advanced).

Try and see if disabling (unchecking) Harden DNSSEC data works, and if not, try to disable DNSSEC completely.

Unfortunately, too many ISP's DNS servers, and enough free public DNS services, don't cope well with DNSSEC, especially if hardened.

If it solves your problem, you're welcome, if not, let's try to dig further, please come back with details.
Cheers.

[weust]

Isn't DNSSEC disabled by default?
Never enabled it myself, and I use my Domain Controller's DNS service for lookup from the OPNsense box.

From memory, you set the DNS setting somewhere in Settings\Administration?
Could be wrong, but it's not on the interface page.

[trinitech]

Hi Guys,

Thank you very much for your reply..
Spent the day trying to solve this issue and it turn out that I typed the wrong netmask when setting up the LAN interface

All good now..so far

[weust]

Derp haha

[Ciprian]

Isn't DNSSEC disabled by default?
Never enabled it myself, and I use my Domain Controller's DNS service for lookup from the OPNsense box.

From memory, you set the DNS setting somewhere in Settings\Administration?
Could be wrong, but it's not on the interface page.

No, DNSSEC it's not disabled by default, quite contrary, by default it's enabled and hardened!

In "System: Settings: General" you only set the IP addresses of DNS forwarders (and have 2 DNS options as checkboxes below). Almost all other DNS settings are, by default (meaning, after fresh install) at "Services: Unbound DNS".

[Ciprian]

Hi Guys,

Thank you very much for your reply..
Spent the day trying to solve this issue and it turn out that I typed the wrong netmask when setting up the LAN interface

All good now..so far

 
You rock! 

Good luck, have fun!

Cheers!

[weust]

Isn't DNSSEC disabled by default?
Never enabled it myself, and I use my Domain Controller's DNS service for lookup from the OPNsense box.

From memory, you set the DNS setting somewhere in Settings\Administration?
Could be wrong, but it's not on the interface page.

No, DNSSEC it's not disabled by default, quite contrary, by default it's enabled and hardened!

In "System: Settings: General" you only set the IP addresses of DNS forwarders (and have 2 DNS options as checkboxes below). Almost all other DNS settings are, by default (meaning, after fresh install) at "Services: Unbound DNS".

I checked it on IRC and it seems it enabled by default since 17.7.
I'm still using my configuration I made in 2015, and import when setting up new or for testing.

Still need to look into it. Running Domain Controllers at home, and my OPNSENSE box uses those DNS server as forwarders (which in turn use Pi-hole).