
Author Topic: How to use multiple DNS Servers within Separate Private Networks  (Read 275 times)


Offline glego

How to use multiple DNS Servers within Separate Private Networks
« on: November 20, 2017, 02:52:24 pm »
So for my home lab, I've set up multiple networks (VLANs) to separate my environments. In one network I do not want to use the DNS Resolver from pfSense but a Windows DNS server. I also want to make sure that all requests for this subdomain are never queried outside of the private network.

Example
- Public Network
example.com
github.example.com
redmine.example.com

- Private Network
intra.example.com
winlab.example.com

- Private Hosts (intra)
pfsense.intra.example.com
laptop.intra.example.com

- Private Hosts (winlab)
ad.winlab.example.com
win10.winlab.example.com

Because ad.winlab.* is using pfSense as its DNS server, I can reach hosts *.intra.* from the *.winlab.* network. But because pfSense is not aware of ad.winlab.example.com as a DNS server, I cannot query any hosts under *.winlab.*.

So I could add *.winlab.* as a DNS server under pfSense, but it would also send the queries to the other DNS servers (like Google).

How can I set this up properly?

Thanks a lot!

Offline JKnott

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #1 on: November 20, 2017, 03:38:45 pm »
With DNS resolver, you can specify which interfaces it listens on.

Offline glego

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #2 on: November 20, 2017, 05:05:07 pm »
With DNS resolver, you can specify which interfaces it listens on.

I'm not sure how this will help me query winlab hosts from the intra DNS server?

When I enable the winlab DNS Resolver to listen on the winlab interface, I can only query the intra DNS server from winlab hosts.

I'm trying to achieve that laptop.intra.example.com can resolve win10.winlab.example.com using the ad.winlab.example.com DNS Server.

« Last Edit: November 20, 2017, 05:10:29 pm by glego »

Offline glego

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #3 on: November 26, 2017, 04:14:57 pm »
Anyway, I found out it's a bug in pfSense. So far I think it's not possible to have multiple DNS servers, but you can have multiple subdomains on each DHCP server. So it kinda has the same outcome as I want.

The only thing is I will have to change my naming convention to something more like lan.intra.example.com, lab.intra.example.com and winlab.intra.example.com.

My global Domain Name will be intra.example.com and my DNS Resolver System Domain Local Zone Type will be refused.

This will keep all the queries above intra.example.com private.

https://redmine.pfsense.org/issues/1819
« Last Edit: November 26, 2017, 04:19:38 pm by glego »

Offline JKnott

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #4 on: November 26, 2017, 08:00:24 pm »
Why do you think it's a bug?  Why would you need separate DNS servers, when you can configure one to handle multiple ranges?

Offline hbauer

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #5 on: November 27, 2017, 12:38:44 am »
If you want to be able to resolve host names on one subnet that cannot be resolved on a different subnet, that might be a use case.

I have not found a way to do this with one resolver. Or did I miss something?

Offline Finger79

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #6 on: November 28, 2017, 06:17:30 pm »
Maybe look at modifying this article to meet your needs:  Redirecting all DNS Requests to pfSense

So maybe something like:
Interface: [Whatever your Winlab interface is]
Protocol: TCP/UDP
Destination: Invert Match checked, Winlab Address
Destination Port Range: 53 (DNS)
Redirect Target IP: [IP address of Active Directory domain controller that does DNS]
Redirect Target Port: 53 (DNS)
Description: Redirect Winlab DNS
NAT Reflection: Disable
« Last Edit: November 28, 2017, 06:22:20 pm by Finger79 »

Offline Finger79

Re: How to use multiple DNS Servers within Separate Private Networks
« Reply #7 on: November 28, 2017, 06:24:06 pm »
Also, can't you just set up DHCP to give the IP address of your AD Domain Controller for DNS?  This way all Windows clients in your Winlab will send all DNS traffic to the domain controller instead of to pfSense.  This is simpler than the port forward option above.
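As an added example (not code from this thread, nor from pfSense or unbound), the following Python model shows the split the original post asks for and the privacy property glego describes in Reply #3. It assumes that pfSense's DNS Resolver is unbound, that "System Domain Local Zone Type: refuse" corresponds to an unbound local-zone of type refuse, and that a forward-zone for winlab.example.com pointing at the AD DNS server is how the winlab names would be delegated; the host names and the 10.x addresses in the sample config are constructed. The script parses that config, reports where a given query would go (answered locally, refused, forwarded to the AD server, or sent upstream to the public internet), and audits that nothing under intra.example.com can leave the network.

```python
"""Split-horizon DNS policy model (added example, not pfSense/unbound code).

Parses a small unbound-style config and predicts, for a query name, where the
query goes. Zone types modelled: refuse, static, transparent. Zone selection
uses the longest label-wise suffix match, as unbound does.
"""
from collections import defaultdict

# Constructed sample config; names and 10.x addresses are assumptions.
SAMPLE_CONFIG = """\
server:
    local-zone: "intra.example.com." refuse
    local-data: "pfsense.intra.example.com. A 10.10.0.1"
    local-data: "laptop.intra.example.com. A 10.10.0.20"

forward-zone:
    name: "winlab.example.com."
    forward-addr: 10.20.0.10
"""


def fqdn(name):
    """Normalise to lowercase with a trailing dot, the form zone names use."""
    name = name.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."


def parse_config(text):
    """Return (local_zones, local_data, forward_zones) from unbound-style text."""
    local_zones = {}                 # zone name -> zone type
    local_data = defaultdict(dict)   # owner name -> {rrtype: rdata}
    forward_zones = {}               # zone name -> list of forwarder addresses
    current_forward = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "forward-zone:":
            current_forward = None   # a new forward-zone block starts
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "local-zone":
            zone, ztype = value.rsplit(None, 1)
            local_zones[fqdn(zone)] = ztype
        elif key == "local-data":
            owner, rrtype, rdata = value.strip('"').split(None, 2)
            local_data[fqdn(owner)][rrtype] = rdata
        elif key == "name":
            current_forward = fqdn(value)
            forward_zones.setdefault(current_forward, [])
        elif key == "forward-addr" and current_forward is not None:
            forward_zones[current_forward].append(value)
    return local_zones, local_data, forward_zones


def closest_zone(qname, zones):
    """Longest matching zone for qname, comparing whole labels only."""
    best = None
    for zone in zones:
        if zone == "." or qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(qname, policy, rrtype="A"):
    """Return (action, detail): local answer, refused, nxdomain, forward, upstream."""
    local_zones, local_data, forward_zones = policy
    qname = fqdn(qname)
    if rrtype in local_data.get(qname, {}):
        return ("local", local_data[qname][rrtype])
    # Local zones are consulted before any forwarding, so a refuse/static zone
    # stops the query here; a transparent zone falls through to normal lookup.
    lz = closest_zone(qname, local_zones)
    if lz is not None:
        if local_zones[lz] == "refuse":
            return ("refused", lz)
        if local_zones[lz] == "static":
            return ("nxdomain", lz)
    fz = closest_zone(qname, forward_zones)
    if fz is not None:
        return ("forward", forward_zones[fz])
    return ("upstream", None)


def audit_private_suffix(policy, suffix, probe_names):
    """Names under `suffix` whose query would leave for the public internet."""
    suffix = fqdn(suffix)
    leaks = []
    for name in probe_names:
        q = fqdn(name)
        under_suffix = q == suffix or q.endswith("." + suffix)
        if under_suffix and resolve(q, policy)[0] == "upstream":
            leaks.append(q)
    return leaks


if __name__ == "__main__":
    policy = parse_config(SAMPLE_CONFIG)
    for n in ["laptop.intra.example.com", "win10.winlab.example.com",
              "typo.intra.example.com", "github.example.com"]:
        print(n, "->", resolve(n, policy))
    # The same config with a transparent system zone lets a typo escape upstream.
    leaky = parse_config(SAMPLE_CONFIG.replace(" refuse", " transparent"))
    print("leaks:", audit_private_suffix(leaky, "intra.example.com",
                                         ["typo.intra.example.com"]))
```

The audit is the check a practitioner wants after changing the zone type: a mistyped or retired intra host must come back REFUSED from the resolver, never be looked up on the public internet. Running the same probe with the zone set to transparent shows the leak the refuse setting prevents.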