DNS Issue? (pfSense + Windows AD/DNS + pfBlockerNG)

Hi everyone,

I had a hard time finding an idiot proof answer for “How to configure pfSense with Windows DNS/DHCP.”

I seem to be having a DNS issue; here are the symptoms:

  • Partially Fixed - Only the DCs are appearing in Windows DNS.
    example: None of the devices in my Home VLAN are showing up in DNS, yet they show my DCs as their DNS servers. Same is true for the Linux VMs in my Server VLAN.

  • Fixed - I’m unable to connect to local file shares, RDP, or ping by using hostname or FQDN. Only works if I use the IP address.

  • If I try to install a TrueNAS plugin and use DHCP or specify the IP manually, the install gets stuck at: “50% Testing plex’s SRV response to pkg.FreeBSD.org”, then the install fails.
    Giving the error “Error: plex had a failure Exception: RuntimeError Message: pkg.FreeBSD.org could not be reached via DNS, check plex’s network configuration. Partial plugin destroyed”
    Using NAT for the plugin allows it to install with no errors. This is the case for official and community plugins.

Here is my current config:

Windows DNS

I have 2 DCs, both are set up as DNS servers.
Under Forwarders, I’ve entered the IPs for the other DC and pfSense.
“Use root hints if no forwarders are available” is unchecked.

Windows DHCP

Only the primary DC is a DHCP server.

I have scopes set for each of my VLANs. DHCP gives out the IPs of my DCs as DNS servers. I have verified that client devices are only showing the 2 DCs for DNS.

pfSense DNS/DHCP

Under System/General Setup, I’ve only set 1.1.1.1 and 9.9.9.9 as my DNS.
“DNS Server Override” and “Disable DNS Forwarder” are disabled.

DHCP Server is disabled on all VLANs.

DHCP Relay is enabled for all VLANs. “Destination server” is set to my primary DC.

DNS Resolver is enabled. Under “Domain Overrides”, I’ve entered both of my DCs.
All other settings are left at default.

DNS Forwarder is disabled. Under “Domain Overrides”, I’ve entered both of my DCs.

Firewall rules are currently wide open between VLANs.

pfBlockerNG

pfBlockerNG is enabled, it’s set to function on all my VLANs. I’ve tried turning off pfBlockerNG but I didn’t notice a difference with this DNS issue.

I’ll keep playing around with it, hopefully I’m just oblivious to some setting that needs to be turned on.

It sounds like you don’t have DHCP set to register DNS records dynamically. If that isn’t set, any device that gets an IP won’t be in DNS.

With the DNS forwarders, don’t point the DCs to each other; this is unnecessary as they both contain the same information as they replicate between themselves. If the DC is down it won’t be able to answer any query, let alone forward the query.

Maybe have a read of this https://social.technet.microsoft.com/wiki/contents/articles/51810.windows-server-integration-between-dns-and-dhcp.aspx


Reading the technet page now.

You were right about the Dynamic DHCP records. I just changed it to “Always dynamically update” and now everything is appearing in DNS. I also removed the other DC from both DNS servers.

Thanks for the info!

Seems I’m still having the issue with TrueNAS plugins. Rebooted TrueNAS just in case.

It’s getting a DHCP lease, but it wasn’t getting a DNS entry. I turned on “Dynamically update DNS Records for DHCP clients that do not request updates.” and tried installing a plugin again. This time it got a DNS entry but still failed with the same DNS error.

If I install the plex plugin using NAT, it installs successfully, but I’m unable to access the webpage for plex.

I believe this is a VNET issue. My TrueNAS server is a VM on my ESXi host, with an HBA card passed through.

I won’t say I solved the issue, but I did get past it. I believe there is still a DNS issue though…

First, I needed to set “Promiscuous mode” and “Forged transmits” to “Allow” on my ESXi host. This stopped the DNS error from my original post from occurring, but any jails I made still had DNS issues.

DHCP kept assigning the same couple IPs while I was testing. And I was also using the same IP when setting a static one. During testing I tried deleting DNS and DHCP records for the jails, this didn’t help.

I created a new jail and used an IP that I know has never been used before (10.0.50.111 instead of 10.0.50.104). No more network problems!

So the question now is, what is wrong with DNS?
Since the jail started working when I used a “new” IP, I feel like there is some messed up information in DNS that I am not sure how to check.
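One way to see what the DCs actually hold for one address, as an added example that is not from any poster in this thread: it lists every A record pointing at the IP, checks the PTR against them, shows the DHCP lease holding the IP, and prints the scope's dynamic-update and zone-aging settings discussed above. It assumes the DnsServer and DhcpServer PowerShell modules on a DC; the DC, zone and scope names are placeholders.

```powershell
# Added example (not from the original thread): inspect what Windows DNS and
# DHCP hold for one address, to spot the stale records the last post suspects.
# Assumptions: run in an elevated PowerShell on a DC with the DnsServer and
# DhcpServer modules installed; names below are placeholders.
param(
    [string]$Ip      = '10.0.50.104',                # the IP that kept misbehaving
    [string]$Dc      = 'dc01.ad.example.internal',   # placeholder DC name
    [string]$Zone    = 'ad.example.internal',        # placeholder forward zone
    [string]$ScopeId = '10.0.50.0'                   # placeholder scope for the Server VLAN
)
Import-Module DnsServer, DhcpServer

# Reverse zone and record name derived from the IP (assumes a /24 reverse zone).
$octets  = $Ip.Split('.')
$RevZone = "$($octets[2]).$($octets[1]).$($octets[0]).in-addr.arpa"
$RevName = $octets[3]

# 1. Every A record that resolves to this IP. Two hostnames here, or a name that
#    no longer exists on the network, is the kind of stale data to look for.
$aRecords = Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $Zone -RRType A |
    Where-Object { $_.RecordData.IPv4Address.IPAddressToString -eq $Ip }
"A records for $Ip :"
$aRecords | Select-Object HostName, Timestamp, TimeToLive | Format-Table -AutoSize

# 2. The PTR record for the IP, and whether it agrees with the A records.
$ptr = Get-DnsServerResourceRecord -ComputerName $Dc -ZoneName $RevZone -RRType PTR `
    -Name $RevName -ErrorAction SilentlyContinue
"PTR for $Ip : $($ptr.RecordData.PtrDomainName)"
foreach ($a in $aRecords) {
    $fqdn = "$($a.HostName).$Zone."          # PtrDomainName carries a trailing dot
    if ($ptr -and $ptr.RecordData.PtrDomainName -ne $fqdn) {
        Write-Warning "Forward/reverse mismatch: A=$fqdn PTR=$($ptr.RecordData.PtrDomainName)"
    }
}

# 3. The DHCP lease currently holding the IP; ClientId (MAC) shows the real owner.
Get-DhcpServerv4Lease -ComputerName $Dc -IPAddress $Ip -ErrorAction SilentlyContinue |
    Select-Object IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime |
    Format-Table -AutoSize

# 4. Scope-level dynamic-update settings from the thread, plus zone aging:
#    records only get a Timestamp (and can be scavenged) when aging is enabled.
Get-DhcpServerv4DnsSetting -ComputerName $Dc -ScopeId $ScopeId |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry, NameProtection
Get-DnsServerZoneAging -ComputerName $Dc -Name $Zone |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
```

A record with no Timestamp is static and will never be scavenged, so a hostname that an old lease left behind with the wrong IP has to be removed by hand.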