DOMAIN CONTROLLER AND DNS SERVER

[Xames81]

I Have all pcs on office configured by domain controller who is dns server, now i install opnsense acting of dns server instead of the first, i prefer opnsense because is the gateway and firewall of all, but today o figure that i can't connect new computer to the domain because dns are all on opnsense, what is the best configuration in this case, put the dns out of firewall or mantain the dns on the server 2012 of the controller.

Thanks.

[weust]

When I ran OPNsense and Domain Controllers at home, I had OPNsense use the DC's DNS server.
As you found out, having OPNsense as your DNS server for LAN servers and clients will give you issues, because all the service records created and needed by Windows DC and DNS aren't available if none of your servers and clients use the DC DNS server.

To be honest, reading what you wrote also gives me the idea you're new to Domain Controllers?
Because if you weren't you would have known about the service records.

Just let the DC DNS to forwarding to the internet, and let OPNsense talk to the DC DNS server.

[bartjsmit]

Or, if you want to use OPNsense DNS, make it the forwarder on your DC's. Microsoft servers offer additional features for DHCP as well - https://www.itprotoday.com/windows-8/configuring-dhcp-failover-windows-server-2016

Bart...

[xames]

ok i do what WEUST said, but where exactly tab is the best option to put the DNS of the controller on the OPNSENSE?

I think in the dhcp4 to the internals hosts of the opnsense, but maybe in general?

I'm trying to have multi-wan with his external dns inside every wan different.

[weust]

I don't know multi-WAN, so I might be wrong.
Where you configure the interface you can set the DNS servers too, instead of the ones coming with the WAN DHCP lease.

[xames]

yes but, i cant put the internal dns on the wan side because then the forwarders of the dns server internal go to loop.

The external dns is needed to put on the wan interface i think, because the server of the dns cannot put the external ones, only the forwarders inside dns configuration, if i put in the dns server interface then the clients of sql internal couldnt resolve good.

[manjeet]

I run similar setup: Multi-WAN, Windows Domain server, and Opnsense. I have done many tests with pfsense and opnsense but nothing works completely when in case of not using windows DNS. You have to use DC's DNS services because one way or another every setting you can make will fail, forwarders do not work 100% as well.

So this is what I do and will hope this will help you as well.

First, you need DC's DNS so in DHCP4 settings add it as primary / first DNS.
Use Opnsense as your second DNS

In system -> Settings -> General -> Networking & DNS Servers -> Use Any of public DNS server
In system -> Settings -> General -> Networking & DNS server options -> Uncheck both i.e. "Allow DNS server list to be overridden by DHCP/PPP on WAN" & " Do not use the local DNS service as a nameserver for this system"

Now in OPNsense DNS / Unbound DNS -> Overrides -> Domain Overrides: Add your DC server here.
* Do add some host entries in "Host Overrides" so that when domain DNS is not available or down it will not disturb your internet connectivity or DNS connection/queries to other hosts.

[xames]

The same config as me, in forwarders in dc dns i only have the opnsense ip. Then all go throught opnsense firewall.

[AveryFreeman]

The same config as me, in forwarders in dc dns i only have the opnsense ip. Then all go throught opnsense firewall.

New to OPNSense, just set it up like 5 minutes ago.  Coming from pfSense, got tired of bugs (my web configurator just decided to stop loading).

I'm confused --

If OPNSense is the gateway, wouldn't all traffic traversing the gateway's IP go through the firewall?

My DC/OPNSense setup:

OPNSense -
dns = DC01, DC02, nothing else, searching localhost disabled (box checked)
DHCPv4/6 = off
Unbound = off
All other DNS/DHCP-related services = off

Windows DCs -
dns:
Interfaces = listen on all IPs (necessary since my ipv6 is on 'track interface' so it changes)
Forwarders = Google DNS (insert your choice of public DNS) both ipv4 and ipv6 addresses
Enable root hints if no forwarders available
Advanced = Enable round robin, netmask ordering, seccache against pollution and DNSSEC for remote responses

The theory behind my settings are that:
1) OPNSense can focus on being gateway/firewall and not compete with DCs (proprietary) DNS/DHCP methods
2) Windows can have exclusive control over directing traffic, both internal and external

This is what I found worked best after years of experimenting with pfSense + Windows Networking.

Please let me know if this is like totally wrong or if I missed something.  Thanks!

[weust]

I had that setup at home for some time. Except I used Pi-hole as DNS Forwarders which used DNS Root Hints.

Your DC'd do not direct traffic, that is what OPNsense does for you with NAT ;-)

[AveryFreeman]

I had that setup at home for some time. Except I used Pi-hole as DNS Forwarders which used DNS Root Hints.

Your DC'd do not direct traffic, that is what OPNsense does for you with NAT ;-)

Oh yes, so help me understand

Public inet <--> modem <--> {gateway (NAT) <--> firewall} <--> DCs (DNS/DHCP) <--> LAN Clients

1) The gateway and firewall are essentially one device and traffic sent to the gateway is filtered by the firewall (unless rule specifies otherwise)
2) The DNS instructs where packets go to/from LAN clients and endpoint destinations (whether on local subnet or NAT-ed from public inet)
3) The gateway sends traffic to/from public inet based on instructions from local DNS translating address via NAT

Does that sound about right?  Am I missing something?

Pulled up this simple topology chart which appears to be what I'm doing (sub OPNSense for Cisco ISA depicted):



https://phillipwindell.wordpress.com/networking-material/topology-layouts/this-is-a-simple-single-subnet-lan-topology-using-a-single-firewall/

[weust]

1. Traffic is always filtered by the firewall. Is has the list (rules) of ports that are allowed.
2. DNS only resolves either an URI (opnsense.org or google.com) or reverse resolves and IP so you get the URI.
Is passed that information back to the client, who then proceeds to set up the connection using the correct gateway address.
3. The gateway is only the address to the router. Your DNS server will do forward lookup through it, and your client will set up a connection to the resolved address through it.