Leonardo Yanes Batista
2019-Jul-10 17:38 UTC
[Samba] Samba4 Internal DNS and pfSense DNS Resolver
I have implemented a small local network. I use pfSense as Firewall and Gateway, I have all my servers inside a DMZ, except the domain controllers that are on the LAN.

LAN: 10.10.20.0/24
DMZ: 10.10.30.0/24

DC1: 10.10.20.2
DC2: 10.10.20.3

pfSense:
LAN: 10.10.20.1
WAN: x.x.x.x
DMZ: 10.10.30.1

In my local network, I have 2 domain controllers with SAMBA4. I would like to find out how to configure SAMBA4 so that all the DNS requests that my clients make to the domain controller ... and that record is not found in the DNS records of the domain controller, then look for them in the DNS resolver service of pfSense.

For example ... I configure my clients in Windows to use 10.10.20.2 and 10.10.20.3 (Domain Controllers) as DNS servers.

In the SAMBA4 DNS, I do NOT have a created record called xmpp.domain.tld; in the DNS resolver of pfSense, I have a created record called xmpp.domain.tld and it points to an address in my DMZ.

How could I achieve that when my client from the LAN makes a request to xmpp.domain.tld, SAMBA4 directs that request to pfSense and responds with the IP assigned to it?
On 10/07/2019 18:38, Leonardo Yanes Batista via samba wrote:
> I have implemented a small local network. I use pfSense as Firewall and Gateway, I have all my servers inside a DMZ, except the domain controllers that are on the LAN.
>
> LAN: 10.10.20.0/24
> DMZ: 10.10.30.0/24
>
> DC1: 10.10.20.2
> DC2: 10.10.20.3
>
> pfSense:
> LAN: 10.10.20.1
> WAN: x.x.x.x
> DMZ: 10.10.30.1
>
> In my local network, I have 2 domain controllers with SAMBA4. I would like to find out how to configure SAMBA4 so that all the DNS requests that my clients make to the domain controller ... and that record is not found in the DNS records of the domain controller, then look for them in the DNS resolver service of pfSense.
>
> For example ... I configure my clients in Windows to use 10.10.20.2 and 10.10.20.3 (Domain Controllers) as DNS servers.
>
> In the SAMBA4 DNS, I do NOT have a created record called xmpp.domain.tld; in the DNS resolver of pfSense, I have a created record called xmpp.domain.tld and it points to an address in my DMZ.
>
> How could I achieve that when my client from the LAN makes a request to xmpp.domain.tld, SAMBA4 directs that request to pfSense and responds with the IP assigned to it?

Normally this is what would happen: the client asks its nameserver (AD DC) for 'xmpp.domain.tld'. This is unknown to the DC, so it asks its 'forwarder' (the pfSense machine), which, if it knows the data, returns it; otherwise it asks its own forwarder.

There is a potential hole in that though: if your AD DNS domain is 'domain.tld', the DC wouldn't ask its forwarder, because the DC would be authoritative for 'domain.tld'; it would return 'NXDOMAIN'.

Rowland
> How could I achieve that when my client from the LAN makes a request to xmpp.domain.tld, SAMBA4 directs that request to pfSense and responds with the IP assigned to it?

In the smb.conf file of your DCs you insert the line:

dns forwarder = [IP address of your pfSense machine]
On 10.07.19 at 20:38, miguel medalha via samba wrote:
>> How could I achieve that when my client from the LAN makes a request
>> to xmpp.domain.tld, SAMBA4 directs that request to pfSense and responds
>> with the IP assigned to it?
>
> In the smb.conf file of your DCs you insert the line:
>
> dns forwarder = [IP address of your pfSense machine]

There is no reason why an authoritative nameserver would forward a request for its own domain, no matter if it's Samba, named or something else. Any authoritative nameserver is supposed to know *every* record within its own zones, and you can't have half of them somewhere else, except by subdomain delegation, but *not* for simple hosts like "xmpp.domain.tld".
I don't use pfSense but I do use Unbound (pfSense may use it) as a DNS cache for my networks. Basic setup is all clients use the Unbound server for DNS resolution, and Unbound has a stub-zone (or zones) that point(s) to the authoritative DNS server(s) - in some cases it's a Samba AD, in some a Windows AD or in others another authoritative server such as NSD. The authoritative DNS servers do no recursion. It's quite flexible and if you need/want you can easily inject records and/or hijack domains.
Leonardo Yanes Batista
2019-Jul-10 21:20 UTC
[Samba] Samba4 Internal DNS and pfSense DNS Resolver
Thank you all so much for your help.

Sonic, you have pointed me in the right direction to find the solution to my problem.

pfSense has a service called DNS Resolver (Unbound); within its configuration it has a section called Host Overrides and Domain Overrides. Within Host Overrides, I defined the servers that I have in my DMZ, and within the Domain Overrides table I defined that everything that comes for domain.tld must be redirected to my main domain controller 10.10.20.2 (SAMBA4). Then I configured my clients to use only pfSense as a DNS server, and now I can get DNS replies.

Thank you.

From: "Sonic" <sonicsmith at gmail.com>
To: "Leonardo Yanes Batista" <informatico at alficsa.co.cu>
Cc: "samba" <samba at lists.samba.org>
Sent: Wednesday, July 10, 2019 3:53:05 PM
Subject: Re: [Samba] Samba4 Internal DNS and pfSense DNS Resolver

> I don't use pfSense but I do use Unbound (pfSense may use it) as a DNS cache for my networks. Basic setup is all clients use the Unbound server for DNS resolution, and Unbound has a stub-zone (or zones) that point(s) to the authoritative DNS server(s) - in some cases it's a Samba AD, in some a Windows AD or in others another authoritative server such as NSD. The authoritative DNS servers do no recursion. It's quite flexible and if you need/want you can easily inject records and/or hijack domains.
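As an added illustration, not configuration taken from this thread or generated by pfSense, the following unbound.conf fragment spells out the design the thread converges on: clients query only the resolver, a Host Override becomes local-data, and a Domain Override sends the rest of domain.tld to the DCs (assumed here to be written as a forward-zone; Sonic's variant uses a stub-zone). Because the authoritative DCs only ever see queries for their own zone, the NXDOMAIN hole Rowland describes never comes into play; the DMZ address 10.10.30.10 is an assumed value.

```conf
# unbound.conf fragment for the resolver role on pfSense (added example).
# Assumed: the xmpp server sits in the DMZ at 10.10.30.10 and both DCs
# are authoritative for domain.tld.
server:
    # Listen on the LAN and DMZ interfaces and answer only those subnets,
    # so the resolver is not an open recursive server towards the WAN.
    interface: 10.10.20.1
    interface: 10.10.30.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.10.20.0/24 allow
    access-control: 10.10.30.0/24 allow

    # Host Override: the DMZ service the DCs know nothing about.
    # Unbound creates an implicit transparent local zone for this data:
    # a name present here is answered locally, any other name under
    # domain.tld is resolved normally, i.e. via the forward-zone below.
    local-data: "xmpp.domain.tld. A 10.10.30.10"

    # Caveat: if DNS-rebinding protection (private-address) is enabled,
    # the 10.x answers coming back from the DCs would be dropped unless
    # the AD zone is declared as allowed to carry private addresses.
    private-domain: "domain.tld"

# Domain Override: every other name in the AD zone is the DCs' business.
# The DCs answer authoritatively for it and never need to recurse.
forward-zone:
    name: "domain.tld."
    forward-addr: 10.10.20.2
    forward-addr: 10.10.20.3
```

Check from a LAN client with `dig @10.10.20.1 xmpp.domain.tld` (the local-data answer) and with a record the DCs hold (an answer forwarded from a DC); clients must be handed 10.10.20.1, not the DCs, for this to hold.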