OPNSense as Firewall Windows 2019 Server as DHCP and DNS Server Best practices

Started by PencilHCV, August 28, 2024, 09:54:14 PM

Hi
Using OPNSense 24.1.10_8

1.-What is the best way to configure OPNSense when using it as a Router/Firewall and DHCP/DNS managed by a Windows 2019 Server? How to configure OPNSense DNS settings?

2.-The same network also has a Mail Server, and users with laptops and mobiles should be able to access it at work using the external DNS name (the same DNS name they use when they are outside the company). So I first configured, in OPNServer > Service > Outbound DNS > Overrides > Host Overrides, the host and domain name used externally to access the Mail Server, pointing to the Mail Server's IP address. But it didn't work, so I finally added those DNS entries to the Windows DNS Server and it worked.
Is this the right way?

Thank you if I can get some clarity on it all.

Best regards,
HCV

Quote from: PencilHCV on August 28, 2024, 09:54:14 PM
What is the best way to configure OPNSense when using it as a Router/Firewall and DHCP/DNS managed by a Windows 2019 Server? How to configure OPNSense DNS settings?

Use query forwarding to point all your AD-integrated forward and reverse zones (in-addr.arpa, ip6.arpa) to the AD DNS server(s).

I prefer to run a local instance of BIND, pull all AD integrated zones as secondary, and use domain overrides in Unbound to forward these zones to the local BIND.

This is motivated by the fact that our DCs are located in a data centre in Frankfurt with offices in Frankfurt and Karlsruhe connected via single uplinks and with OPNsense as their main gateways relying on these AD based zones.

Just forwarding is of course perfectly fine if you consider reachability of your AD DCs more reliable than everything else in the chain. If you don't, see above for another layer of resiliency.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks Patrick and doktornotor!

doktornotor, you recommend using query forwarding. Sorry for my ignorance (I'm new to OPNSense), but how/where do I do that?

best regards,
HCV

With the default DNS server on OPNsense, it's Services - Unbound DNS - Query Forwarding.

Maybe I need to explain that my subnet is 192.168.0.1/24. Could what is causing problems with DNS in the network right now be that under Services > Unbound DNS > Advanced > Rebind protection networks there is the IP address 192.168.0.0/16? Do I have to remove that IP address from that list?

//HCV


Well that will forward everything with the domain left empty. Not really sure that's what you want.


I mean the DNS zones which the AD DNS is authoritative for. If you have multiple DCs (you really should), add the same entry for each (or at least do two of them for redundancy).
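The two mechanisms the thread touches, per-zone query forwarding (forward and in-addr.arpa reverse zones pointed at the DCs) and Unbound's rebind protection (the "Rebind protection networks" list, which is Unbound's `private-address` option), interact: an answer containing an RFC 1918 address is stripped by rebind protection unless the name falls under a zone listed in Unbound's `private-domain` option. The model below is an added example written for this page, not code from OPNsense or from any poster; the zone names, DC addresses and the upstream answers are constructed, and how the `private-domain` list is labelled in the OPNsense UI is not assumed here. It selects the forwarder by longest-suffix zone match (the same for forward and reverse names), and shows that an internal address returned for a name outside any exempted zone is dropped, while the same address for a name under the AD zone is kept.

```python
"""Model of Unbound per-zone forwarding plus rebind (private-address) filtering.

Added example for this thread; not OPNsense code. All names and addresses
below are constructed for illustration.
"""
import ipaddress

# Constructed domain overrides: the AD forward zone and its reverse zone are
# both forwarded to two DCs, as the thread recommends (one entry per DC).
FORWARD_ZONES = {
    "corp.example": ["192.168.0.10", "192.168.0.11"],
    "0.168.192.in-addr.arpa": ["192.168.0.10", "192.168.0.11"],
}

# Unbound private-address (OPNsense "Rebind protection networks"), defaults.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]

# Unbound private-domain: zones allowed to carry private addresses in answers.
PRIVATE_DOMAINS = {"corp.example", "0.168.192.in-addr.arpa"}

# Constructed upstream answers keyed by lower-case name: note that
# mail.example.net resolves to an internal address, as it would if the
# external mail name were given an internal record on the AD DNS server.
SAMPLE_ANSWERS = {
    "dc1.corp.example": "192.168.0.10",
    "mail.corp.example": "192.168.0.25",
    "mail.example.net": "192.168.0.25",
    "www.example.net": "203.0.113.10",
}


def normalize(name):
    """Canonical form for comparison: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def zone_of(qname, zones):
    """Longest-suffix match of qname against a collection of zone names."""
    q = normalize(qname)
    best = None
    for zone in zones:
        z = normalize(zone)
        if q == z or q.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def select_forwarders(qname):
    """Return (zone, servers) for a forwarded name, or (None, []) for recursion."""
    zone = zone_of(qname, FORWARD_ZONES)
    if zone is None:
        return None, []
    return zone, list(FORWARD_ZONES[zone])


def reverse_name(ip):
    """PTR name for an address, e.g. 192.168.0.5 -> 5.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def rebind_allows(qname, answer_ip):
    """Unbound keeps a private address only if qname is under a private-domain."""
    addr = ipaddress.ip_address(answer_ip)
    if not any(addr in net for net in PRIVATE_ADDRESS):
        return True
    return zone_of(qname, PRIVATE_DOMAINS) is not None


def resolve(qname, upstream_answers=SAMPLE_ANSWERS):
    """Simulate one lookup: choose the path, fetch the answer, apply the filter."""
    zone, _servers = select_forwarders(qname)
    path = "forward:" + zone if zone else "recursion"
    ip = upstream_answers.get(normalize(qname))
    if ip is None:
        return path, None
    if rebind_allows(qname, ip):
        return path, ip
    return path, "DROPPED_BY_REBIND_PROTECTION"


if __name__ == "__main__":
    for name in ("dc1.corp.example", "mail.corp.example", "mail.example.net",
                 "www.example.net", reverse_name("192.168.0.5")):
        print(name, "->", resolve(name))
```

The constructed `mail.example.net` case is the one to watch: its internal answer survives only if `example.net` (or the specific host's zone) is also listed as a private domain, whereas widening or removing entries from the rebind protection list disables the protection for that whole range. A host override defined in Unbound itself is local data and is not subject to this filter, but it is only consulted by clients whose resolver is Unbound, not by clients that DHCP points at the Windows DNS server.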
In Windows Server DNS, you can just forward queries for non-authoritative requests to the firewall and the firewall will answer those requests.


I don't think there is any such feature. Edit the OP's subject and prepend with [SOLVED] or something. Not really required anyway.