Hi
Using OPNSense 24.1.10_8
1.-What is the best way to configure OPNSense when using it as a Router/Firewall and DHCP/DNS managed by a Windows 2019 Server? How to configure OPNSense DNS settings?
2.-The same network has a Mail Server. And the users with laptops and mobiles should be able to access the Mail Server at work with the External DNS Name (the same DNS name they use when they are outside the company). So I first configured, in OPNsense>Services>Unbound DNS>Overrides>Host Overrides, the host and domain name that you use externally to access the Mail Server in the Office, pointed to the Mail Server IP address. But it didn't work, so finally I added those DNS entries in the Windows DNS Server and it worked.
Is this the right way?
Thank you if I can get some clarity on it all.
Best regards,
HCV
Quote from: PencilHCV on August 28, 2024, 09:54:14 PM
What is the best way to configure OPNSense when using it as a Router/Firewall and DHCP/DNS managed by a Windows 2019 Server? How to configure OPNSense DNS settings?
Use query forwarding to point all your AD-integrated forward and reverse zones (in-addr.arpa, ip6.arpa) to the AD DNS server(s).
I prefer to run a local instance of BIND, pull all AD integrated zones as secondary, and use domain overrides in Unbound to forward these zones to the local BIND.
This is motivated by the fact that our DCs are located in a data centre in Frankfurt with offices in Frankfurt and Karlsruhe connected via single uplinks and with OPNsense as their main gateways relying on these AD based zones.
Just forwarding is of course perfectly fine if you consider reachability of your AD DCs more reliable than everything else in the chain. If you don't, see above for another layer of resiliency.
Thanks Patrick and doktornotor!
doktornotor, you recommend using query forwarding. Sorry for my ignorance (I'm new to OPNsense), but how/where do I do that?
Best regards,
HCV
With the default DNS server on OPNsense, it's Services - Unbound DNS - Query Forwarding.
Maybe I need to explain that my subnet is 192.168.0.1/24. Could it be that what is causing problems with DNS in the network right now is that under Services> Unbound DNS> Advanced> Rebind protection networks there is the IP address 192.168.0.0/16? Do I have to remove that IP address from that list?
//HCV
Is this OK? See the picture.
//HCV
Well that will forward everything with the domain left empty. Not really sure that's what you want.
doktornotor, so you mean this is what I must do? See picture.
I mean the DNS zones which the AD DNS is authoritative for. If you have multiple DCs (you really should), add the same entry for each (or at least do two of them for redundancy).
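For readers who want to see what the Query Forwarding rows in the GUI actually turn into, here is an added illustration (not code from OPNsense, Unbound or anyone in this thread) that emits the equivalent unbound.conf directives: one forward-zone stanza per AD zone, with every domain controller listed as a forwarder, plus the in-addr.arpa and ip6.arpa reverse zones derived from the subnets the DCs are authoritative for. It also shows the interaction with the rebind-protection question raised earlier: Unbound's private-address (what the "Rebind protection networks" list becomes) strips A/AAAA records inside those ranges from any answer, including answers from a forwarder, unless the zone is named in private-domain. The domain corp.example.com and the DC addresses 192.168.0.10/.11 are constructed sample values; whether OPNsense's own templates already add the private-domain line for your forwarding entries is something to confirm in the configuration the firewall generates.

```python
"""Unbound forward-zone directives for Active Directory zones.

Added illustration for this thread, not OPNsense or Unbound code.
Names and addresses below are constructed sample values.
"""
import ipaddress


def reverse_zone(network: str) -> str:
    """Return the in-addr.arpa / ip6.arpa zone name that covers `network`.

    AD reverse lookup zones sit on label boundaries (IPv4 /8, /16, /24;
    IPv6 nibble-aligned), so other prefix lengths are rejected rather
    than silently widened. strict=True also rejects "192.168.0.1/24"
    style input, which is a host address, not a network.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen == 0 or net.prefixlen % 8:
            raise ValueError(f"{network}: IPv4 reverse zones need /8, /16 or /24")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen == 0 or net.prefixlen % 4:
        raise ValueError(f"{network}: IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def forward_zone(zone: str, forwarders) -> str:
    """One forward-zone: stanza, i.e. one Query Forwarding row per DC."""
    addrs = [str(ipaddress.ip_address(a)) for a in forwarders]  # raises on junk
    if not addrs:
        raise ValueError("a forward zone needs at least one forwarder")
    lines = ["forward-zone:", f'    name: "{zone}"']
    lines += [f"    forward-addr: {a}" for a in addrs]
    return "\n".join(lines)


def ad_forwarding_config(ad_domain, networks, dcs, rebind_networks) -> str:
    """Assemble server: options plus one forward-zone per AD zone.

    rebind_networks become private-address entries. Unbound removes
    A/AAAA records inside those ranges from answers unless the zone is
    listed as private-domain, so the AD zones are listed there too;
    otherwise lookups of hosts with 192.168.x.x addresses come back empty.
    """
    zones = [ad_domain.rstrip(".")] + [reverse_zone(n) for n in networks]
    server = ["server:"]
    server += [f"    private-address: {ipaddress.ip_network(n)}" for n in rebind_networks]
    server += [f'    private-domain: "{z}"' for z in zones]
    stanzas = [forward_zone(z, dcs) for z in zones]
    return "\n".join(server) + "\n\n" + "\n\n".join(stanzas) + "\n"


if __name__ == "__main__":
    print(ad_forwarding_config(
        ad_domain="corp.example.com",          # constructed AD domain
        networks=["192.168.0.0/24"],            # the /24 mentioned in the thread
        dcs=["192.168.0.10", "192.168.0.11"],   # constructed DC addresses, two for redundancy
        rebind_networks=["192.168.0.0/16"],     # the rebind-protection entry from the thread
    ))
```

Running it prints a server: block with the private-address and private-domain lines followed by two forward-zone stanzas (corp.example.com and 0.168.192.in-addr.arpa), each naming both DCs. If a second DC is ever removed, the same stanza simply loses a forward-addr line; the zone itself stays forwarded.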
In Windows Server DNS, you can just forward queries for non-authoritative requests to the firewall and the firewall will answer those requests.
Thanks to all!!
How can I mark this as solved?
Best regards,
HCV
I don't think there is any such feature. Edit the OP's subject and prepend with [SOLVED] or something. Not really required anyway.