"
Hi,
Could someone help me with configuring BIND in my environment, as I'm stuck?
I'm trying to figure out how to configure BIND with my AD enabled DNS server on WS 2019. I've seen a few topics on this forum and around the Internet, but I'm definitely missing some pieces.
According to what I have I should on AD DNS:
- Enable BIND secondaries on AD DNS
- Add Opnsense to Name Servers for all Forward Lookup Zones
- Enable Zone Transfer for machines on list above
On Opnsense:
- Add both DNSes to System -> General -> Networking
- Confirm that "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked
- Disable other DNS services like Unbound
- Do basic BIND configuration
- Add my domain.local and _msdcs.domain.local to Secondary Zones
and with that I'm stuck - access to the Internet works, but from test client I still cannot ping any test service that's under this domain.
I wasn't sure if ACL was needed, but created one basic for my whole IP range, but that helped only partly. Previously I had errors where Opnsense couldn't sync with AD DNS. Now, at least it syncs something, but I'm getting "Transfer status: unexpected end of input" in BIND log.
Any advice where I should check next, would be helpful.
Inb4:
- Why? Because currently I'm using only Unbound that has query forwarders to my DC controllers. Problem is, that this isn't redundant in any way and when Opnsense isn't available (for any reason), my local network dies.
- Why not 2x MS DNS? Because I'm not sure if want to keep everything on these servers, wanted to still use Opnsense for DNS and it was interesting to test if it's even possible. Also, for non-domain devices, Opnsense is "closer" in network then my DNSes on domain controllers.
Edit:
Nevermind - I figured this out.
- Instead of System -> General -> Networking, you have to add your DNSes to DHCP configuration. In my case it was Services -> ISC DHCPv4 -> [LAN] -> DNS Servers. If you want more then two DNS Servers, check this topic https://forum.opnsense.org/index.php?topic=22078.0.
- Create basic ACL with your IP subnet - for example 192.168.1.0/24. Then assign this ACL to "Recursion", "Allow Transfer" and "Allow query" in General tab.
- On AD DNS, optionally instead of adding your router to Name Servers, select last option in "Zone Transfer" and add Opnsense on list there. Everything depends on your situation
Could someone help me with configuring BIND in my environment, as I'm stuck?
I'm trying to figure out how to configure BIND with my AD enabled DNS server on WS 2019. I've seen a few topics on this forum and around the Internet, but I'm definitely missing some pieces.
According to what I have I should on AD DNS:
- Enable BIND secondaries on AD DNS
- Add Opnsense to Name Servers for all Forward Lookup Zones
- Enable Zone Transfer for machines on list above
On Opnsense:
- Add both DNSes to System -> General -> Networking
- Confirm that "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked
- Disable other DNS services like Unbound
- Do basic BIND configuration
- Add my domain.local and _msdcs.domain.local to Secondary Zones
and with that I'm stuck - access to the Internet works, but from test client I still cannot ping any test service that's under this domain.
I wasn't sure if ACL was needed, but created one basic for my whole IP range, but that helped only partly. Previously I had errors where Opnsense couldn't sync with AD DNS. Now, at least it syncs something, but I'm getting "Transfer status: unexpected end of input" in BIND log.
Any advice where I should check next, would be helpful.
Inb4:
- Why? Because currently I'm using only Unbound that has query forwarders to my DC controllers. Problem is, that this isn't redundant in any way and when Opnsense isn't available (for any reason), my local network dies.
- Why not 2x MS DNS? Because I'm not sure if want to keep everything on these servers, wanted to still use Opnsense for DNS and it was interesting to test if it's even possible. Also, for non-domain devices, Opnsense is "closer" in network then my DNSes on domain controllers.
Edit:
Nevermind - I figured this out.
- Instead of System -> General -> Networking, you have to add your DNSes to DHCP configuration. In my case it was Services -> ISC DHCPv4 -> [LAN] -> DNS Servers. If you want more then two DNS Servers, check this topic https://forum.opnsense.org/index.php?topic=22078.0.
- Create basic ACL with your IP subnet - for example 192.168.1.0/24. Then assign this ACL to "Recursion", "Allow Transfer" and "Allow query" in General tab.
- On AD DNS, optionally instead of adding your router to Name Servers, select last option in "Zone Transfer" and add Opnsense on list there. Everything depends on your situation
