pfSense best practice setup with Active Directory for DHCP\DNS

Hi folks, I'm new to this forum but have been following Tom's good work for quite a while and am a keen Linux enthusiast.

I have a homelab with pfSense, a small bit of self-hosting, Pi-hole, Nextcloud, etc.

I've been offered my first pfSense setup commission (yikes!!, some small palpitations appearing, but I'm up for the challenge also). They have an AD setup and I seem to remember that AD likes to take complete control of DHCP and DNS for its network.

Can anyone recommend best practices for DHCP and DNS setup on pfSense where there is an AD controller on the LAN?

Here are my thoughts, please correct me if I'm wrong.

pfSense → Services → DHCP Relay → [IP address of DC]
pfSense → System → General Setup → DNS Server → [IP address of the DC], or should I be using the DNS Forwarder section for this?

Thank you for your time.

Let Windows handle DHCP and DNS for each network where the systems that need to connect to AD are. You can have pfSense handle DNS / DHCP for the other networks, such as a guest network.

Thank you so much for taking the time to reply Tom.
I understand the theory behind your comment.

So what you're saying is, for the main LAN network [where the DC is located],
switch off the DHCP server on pfSense for the LAN network.

How should the DNS settings be configured on pfSense for the LAN network (or is this done on the Windows Server)?

Apologies if these are basic questions, just trying to get my head around the setup.

If the Windows domain controller is in a separate network from the workstations, then specify the IP helper address for the DHCP relay agent. Otherwise, simply tell your Windows server to forward non-AD DNS requests to pfSense (pfBlockerNG) or Pi-hole.

Thank you all for your comments, I guess starting out it's all a bit daunting. The skills needed to troubleshoot all the different factors need to be learned over time.

What I did was install GNS3, set up a virtual environment, and have a bit of fun with that.

May I ask how you would forward non-AD DNS requests to pfSense or Pi-hole within Windows Server?

Set up DNS forwarders in Windows Server.

In my case, for my BIND9 DNS server, here’s what mine looks like:

[REDACTED]@dnsdhcp-server:~$ cat /etc/bind/named.conf.options 
acl localclients {
    172.20.0.0/16;
    localhost;
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { localclients; };
    allow-query { localclients; };

    forwarders {
        172.20.1.1;
    };
    forward only;
    #dnssec-enable yes;
    #dnssec-validation yes;

    auth-nxdomain no;    # conform to RFC1035   

    listen-on-v6 { any; };
};

172.20.1.1 is the OPNsense (formerly pfSense) router for DNS. For example, if `google.com` is not listed in my `172.20.1.2` DNS server, that DNS server will forward the request over to OPNsense. pfSense will forward the request to NextDNS and will return an IP address back to the host.

Oh, and @nib01, welcome to the forum.
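The Windows Server DNS equivalent of the BIND `forwarders` / `forward only` stanza above, as an added PowerShell example that is not from any post in this thread. It assumes it is run in an elevated session on the domain controller; `172.20.1.1` is the pfSense/OPNsense address used in the thread and `example.com` is just a test name.

```powershell
# Added example: point Windows Server DNS at the pfSense (or Pi-hole) resolver
# for every name the DC is not authoritative for, mirroring the BIND config
# posted above. Run as an administrator on the domain controller.
# 172.20.1.1 is the router address from the thread; change it for your LAN.
$Forwarder = '172.20.1.1'

Import-Module DnsServer

# Replace the forwarder list and turn off the root-hint fallback. With
# -UseRootHint $false the DC will not quietly bypass pfSense/Pi-hole (and any
# pfBlockerNG filtering) when the forwarder is unreachable; it fails closed,
# which is the same behaviour as "forward only;" in BIND.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false -Timeout 3

# Recursion must stay enabled so the DC can answer clients for outside names;
# AD-joined clients should list only the DC(s) as their DNS servers.
Set-DnsServerRecursion -Enable $true

# Show the resulting forwarder configuration.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# Verify: the AD domain name is answered locally from the zone, while an
# external name is resolved through the forwarder. $env:USERDNSDOMAIN is the
# DC's own AD DNS domain, so no extra module is needed for the check.
Resolve-DnsName -Name $env:USERDNSDOMAIN -Server 127.0.0.1 -Type A
Resolve-DnsName -Name 'example.com'     -Server 127.0.0.1 -Type A
```

If the second lookup fails after this change, the DC cannot reach the forwarder at all, which is the failure mode you want to see rather than an unnoticed fallback to the root servers.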