DNS Forwarder not responding to internal requests
I have a server 2008 R2-level internal domain protected by a pfSense firewall. The firewall is set up as a DNS forwarder, and it has no problem resolving queries from its own web interface (using dnslookup). My internal DC is setup to handle AD, DNS, and DHCP. Everything works fine internally - names resolve, IP addresses are issued, etc.
However, I began getting complaints that users could not reach hotmail.com, outlook,com, or live.com - or any of their subsites.
So, I began troubleshooting, and it appears that the names are not resolving internally. The DNS request flow is basically :
client -> internal DNS -> firewall (DNS forwarder) -> ISP
I was able to get the addresses to resolve about 50% of the time by adding the ISP DNS to the DNS forwarders on the internal DNS server, but I understand this is a bad practice, as it could expose AD.
So my question is:
Does anyone know why pfsense would just refuse to forward DNS requests? The dnsmasq service is running and (appears to be) is listening on the internal LAN IP. IF is run wireshark, what should I be looking for to tell me where this is going wrong?
Or is there some other basic issue that I haven't thought about yet?
However, I began getting complaints that users could not reach hotmail.com, outlook,com, or live.com - or any of their subsites.
So, I began troubleshooting, and it appears that the names are not resolving internally. The DNS request flow is basically :
client -> internal DNS -> firewall (DNS forwarder) -> ISP
I was able to get the addresses to resolve about 50% of the time by adding the ISP DNS to the DNS forwarders on the internal DNS server, but I understand this is a bad practice, as it could expose AD.
So my question is:
Does anyone know why pfsense would just refuse to forward DNS requests? The dnsmasq service is running and (appears to be) is listening on the internal LAN IP. IF is run wireshark, what should I be looking for to tell me where this is going wrong?
Or is there some other basic issue that I haven't thought about yet?
I usually set the Google external DNS servers (8.8.8.8 & 8.8.4.4) as forwarders on my domain controllers, I do not use thefirewalls ip.
http://www.petri.com/configure-dns-forwarders-windows-server-2012-r2.htm
http://www.petri.com/configure-dns-forwarders-windows-server-2012-r2.htm
So with everything I've read, I get conflicting advice about using the DC DNS to connect directly to the DNS forwarders (i.e. the ISP DNS servers). How much exposure am I really getting if I'm not sharing a zone with them?
Should I just scrap the whole internal forwarder idea and let the DNS servers ask the ISP directly?
One other possibility: Could I include a DNS server on my Exchange edge server and use it as a forwarder?
Should I just scrap the whole internal forwarder idea and let the DNS servers ask the ISP directly?
One other possibility: Could I include a DNS server on my Exchange edge server and use it as a forwarder?
Do you have a rule in pfsense to allow DNS queries to your Domain 2008 R2?
What happens when you do a tracert to internet in your 2008 R2?
What is the default gateway of your client Pcs? Is it the same gate way of your DC? or the Pfsense Internal IP?
Zac
What happens when you do a tracert to internet in your 2008 R2?
What is the default gateway of your client Pcs? Is it the same gate way of your DC? or the Pfsense Internal IP?
Zac
I can't speak to getting the pfSense configuration to work, but can about the idea in general. Using ISP or other public DNS servers as forwarders won't expose your internal AD. When you have the zones set up on your internal DNS servers, queries for those zones will never be forwarded because the server is already authoritative (it thinks it knows everything about those zones). I think any conflicting advice you've seen is referring to setting public DNS servers directly on the NIC settings on any of your internal machines, which should not be done, but using them as forwarders is a perfectly common practice. The only time I see a reason for something like you've set up is for a caching server.
1. Check that ALL your internal DNS servers have their forwarder set to pfsense (so double check your secondary DNS server; 50% sounds as if one server is missing forwarders all together).
2. Check your wireshark logs for DNS traffic coming from the both internal DNS servers to see if either one is being dropped by one of the defense mechanisms in pfsense.
2. Check your wireshark logs for DNS traffic coming from the both internal DNS servers to see if either one is being dropped by one of the defense mechanisms in pfsense.
After playing around with this for way too long (but thanks for all the information, I learned a lot about DNS, including how "authoritative" servers can affect resolution), I just added my ISP and DynDNS servers as forwarders to the DC, and everything seems to be working fine.
I really appreciate all the answers, as they all gave me some insight into the process.
I really appreciate all the answers, as they all gave me some insight into the process.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial