Local DNS Setup Help

aznguile972 (Weaksauce, joined Apr 21, 2012, 88 messages)
I've been trying for days, following guides and videos found through Google search/YouTube, and nothing seems to help me set up a DNS server properly. Please help.

My current setup:
ISP --> pfSense (router, DHCP, and firewall) --> 24-port managed switch --> 2x wireless APs
ESXi 5.0 with 3 VM's (pfsense, Napp-It/OmniOS, Windows Server 2012) on LAN

pfsense IP Address: 192.168.1.1
Windows Server 2012 IP Address: 192.168.1.250

I am trying to set up a DNS server on a fresh install of Windows Server 2012. The server has a static IP address assigned by pfSense as 192.168.1.250 (I even tried assigning it directly through IPv4 on the network connection). However, every time I follow the instructions to add the DNS role and create forward and reverse lookup zones, I cannot ping the "domainname.net" address. When I use the nslookup command, I see SERVER: (Unknown) with what looks to be an IPv6 address. I can, however, ping the IP address 192.168.1.250.

As this is my first time ever trying to set up a DNS server, please let me know what additional information you need in order to help me troubleshoot.

Thanks for your time.
 
What exactly are you trying to accomplish? Is this a home network? How many clients are there on the network?
 
I wouldn't let pfSense assign its IP. Go ahead and set it static in the network config.

In pfsense did you tell it when it assigns ips to clients to set their primary DNS server to be the Win2k12 server?
 
What exactly are you trying to accomplish? Is this a home network? How many clients are there on the network?
It's for a home network. More like a test lab. I re-wired my house with CAT-6 and RG6 to a structured wiring panel. Now, just trying to use it for as much as possible.

I wouldn't let pfSense assign its IP. Go ahead and set it static in the network config.
OK. Done.

In pfsense did you tell it when it assigns ips to clients to set their primary DNS server to be the Win2k12 server?
Not yet, I assumed that it would be the next step. I am using PowerShell directly from the Win2k12 server to test that it at least works there first. I have yet to try it on a client or configure pfSense, since if the server itself cannot ping itself properly, I didn't want to redirect clients there yet.
 
I think you may need to learn a good deal about how DNS works before you'll be able to do this properly.

You used an example 'domainname.net'. Do you mean that you intend to use a .net domain name that you've registered?

Are you trying to teach yourself Windows network administration, or do you have more practical needs? On a Windows network, you can resolve host names using WINS rather than DNS.
 
Remove DHCP from pfSense.
Set the server to a static IP.
Set up DHCP on the server with the DNS option set to the server's IP address and the router option set to your router's address, set the forwarders in the DNS settings, and set the server's DNS to 127.0.0.1.
 
All communication between a 2012 server and Windows 7/8 is done over IPv6 if at all possible, but autoconfiguration will take care of it. The only gotcha is that if you're running dual-stack internet, the router must be up and advertising when you reboot the server; otherwise they may get different IPv6 subnets and stuff breaks. If you have a static IPv6 address range from your ISP, then it's a good idea to set the server's IPv6 address statically within the range available from the router from your ISP.
 
Expecting a non-real domainname.net to magically work is ... not going to happen.

Your local machines need to be configured properly and your DNS server needs to be answering properly. It seems like basic network admin stuff isn't where it needs to be for this to be a simple task.

Do you plan on running any windows-specific services on the windows server, or are you just wanting to set up local DNS?
 
I think you may need to learn a good deal about how DNS works before you'll be able to do this properly.

You used an example 'domainname.net'. Do you mean that you intend to use a .net domain name that you've registered?

Are you trying to teach yourself Windows network administration, or do you have more practical needs? On a Windows network, you can resolve host names using WINS rather than DNS.

I don't get the point of your post. Did you know that WINS is the name resolution system used for Windows NT Server 4.0 and earlier operating systems?

Remove DHCP from pfSense.
Set the server to a static IP.
Set up DHCP on the server with the DNS option set to the server's IP address and the router option set to your router's address, set the forwarders in the DNS settings, and set the server's DNS to 127.0.0.1.

Is there any way to do this without moving DHCP to Windows Server 2012? The only reason I want to avoid this is if for any reason Windows Server goes down, so will the rest of my network.

All communication between a 2012 server and Windows 7/8 is done over IPv6 if at all possible, but autoconfiguration will take care of it. The only gotcha is that if you're running dual-stack internet, the router must be up and advertising when you reboot the server; otherwise they may get different IPv6 subnets and stuff breaks. If you have a static IPv6 address range from your ISP, then it's a good idea to set the server's IPv6 address statically within the range available from the router from your ISP.

Hmmm. Interesting. I will look into this.
 
Yes, you can do it without moving DHCP if, and this is a big if, you know what you're doing, and it is a PITA to get everything working properly.
Moving DHCP to the server, it just works, because the MS DHCP server works with the MS DNS server and registers the IP and client name with DNS.
 
Try using ping <dns name> -4. The -4 option will look up the IPv4 address, since you are using IPv6 on your network as well.
 
I didn't do anything special on my network but I have this working with little effort. Here is pretty much what I have.

pfSense is the DHCP server. It issues DNS1 and DNS2 to clients.
DNS1 is the WinServer2k12. DNS2 is pfSense.
Win2k12 has a static IP set. WinServer2k12 is also a domain controller, if that matters.
The Win2k12 server has 127.0.0.1 for primary DNS and the IP of the pfSense box for its secondary DNS.
On the Win2k12 server in the DNS settings I have an option under DNS forwarding pointing to the pfSense box.

All clients get DNS answers from the Win2k12 server unless it doesn't know the address OR it's down for whatever reason, at which point they fetch it from pfSense.
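The layout in the post above (static IP on the server, 127.0.0.1 first in its own resolver list, forwarders to pfSense) plus the zone and record setup from the earlier "set the forwarders, set the server's DNS to 127.0.0.1" advice, written out as an added example for Windows Server 2012. This is not code from the thread. It uses the thread's addresses (192.168.1.250 for the server, 192.168.1.1 for pfSense) but assumes a zone name of lab.example in place of the poster's domainname.net placeholder, a NIC alias of Ethernet, and a web host named www. Two points the thread touches on are built in: the zone is created with dynamic updates off (DHCP stays on pfSense, so nothing needs to register itself, and an open-update zone would let any LAN host rewrite records), and root hints are disabled so every external lookup leaves through the one forwarder. On the nslookup "SERVER: (Unknown)" symptom: nslookup reverse-resolves the address of the resolver it is using and prints Unknown when that PTR lookup fails, which is what happens when the first configured resolver is an IPv6 address with no reverse record; the -Type A queries at the end mirror the thread's "ping -4" advice.

```powershell
# Added example, not from the thread: builds the working layout described above
# on Windows Server 2012 with the NetTCPIP, DnsClient and DnsServer modules.
# Run from an elevated PowerShell on the server itself.
# Assumptions (not in the thread): zone 'lab.example' stands in for the poster's
# 'domainname.net'; the NIC alias is 'Ethernet'; the web host is 'www'.
$Zone     = 'lab.example'
$ServerIp = '192.168.1.250'   # the Win2k12 box (from the thread)
$Gateway  = '192.168.1.1'     # pfSense (from the thread); also the forwarder
$NicAlias = 'Ethernet'

# 1. Static IPv4, no DHCP lease. The server's own resolver list is itself
#    first and pfSense second, exactly as in the working configuration above.
Set-NetIPInterface -InterfaceAlias $NicAlias -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $NicAlias -IPAddress $ServerIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $NicAlias -ServerAddresses @('127.0.0.1', $Gateway)

# 2. DNS role, a file-backed forward zone and the matching reverse zone.
#    DynamicUpdate None: DHCP stays on pfSense so nothing registers itself, and
#    a nonsecure-update zone would let any LAN host overwrite records.
Install-WindowsFeature -Name DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
Add-DnsServerPrimaryZone -NetworkId '192.168.1.0/24' -ZoneFile '1.168.192.in-addr.arpa.dns' -DynamicUpdate None

# 3. Records. Query a host name (www.lab.example), not the bare zone name:
#    the zone apex has no A record unless you add one.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'dns1' -IPv4Address $ServerIp -CreatePtr
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www'  -IPv4Address $ServerIp -CreatePtr

# 4. Everything outside the zone goes to pfSense. Root hints are disabled so
#    outbound DNS from the LAN has exactly one exit, and one place to log it.
Set-DnsServerForwarder -IPAddress $Gateway -UseRootHint $false

# 5. Checks from the server itself. -Type A is the Resolve-DnsName equivalent
#    of the thread's 'ping -4'; the box is dual-stack and a bare query may
#    come back with the AAAA record instead.
Test-DnsServer -IPAddress '127.0.0.1' -ZoneName $Zone                 # expect Result: Success
Resolve-DnsName -Name "www.$Zone" -Type A   -Server 127.0.0.1          # local zone
Resolve-DnsName -Name $ServerIp   -Type PTR -Server 127.0.0.1          # reverse zone
Resolve-DnsName -Name 'www.example.com' -Type A -Server 127.0.0.1      # through the forwarder
```

If the last query fails while the first three succeed, the server is fine and the problem is on the pfSense side: either the forwarder cannot reach it, or pfSense's own upstream resolvers are wrong (the "Allow DNS server list to be overridden by DHCP/PPP on WAN" setting discussed later in the thread decides whether the ISP's resolvers replace the ones you typed).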
 
The point of MY post is: What is the point of _yours_? We still don't know what you're actually trying to accomplish.
Sorry, I didn't mean to offend you. I was confused when you suggested using WINS which, from my understanding, is the old way of doing things (even though it is still available and hasn't been decommissioned yet). I am trying to set up a DNS server on Win2K12 so that specific website(s) will be resolved from the Win2k12 server first before going out to the internet. Think of it like an intranet server.

I didn't do anything special on my network but I have this working with little effort. Here is pretty much what I have.

pfSense is the DHCP server. It issues DNS1 and DNS2 to clients.
DNS1 is the WinServer2k12. DNS2 is pfSense.
Win2k12 has a static IP set. WinServer2k12 is also a domain controller, if that matters.
The Win2k12 server has 127.0.0.1 for primary DNS and the IP of the pfSense box for its secondary DNS.
On the Win2k12 server in the DNS settings I have an option under DNS forwarding pointing to the pfSense box.

All clients get DNS answers from the Win2k12 server unless it doesn't know the address OR it's down for whatever reason, at which point they fetch it from pfSense.

These settings worked. I can ping the web address now. I can use IE from Win2k12 to reach the IIS web server. However, it only works sporadically. Occasionally it will drop and require a /flushdns to work again.

Also, when I set up the pfsense DNS settings, it seems to slow down my access to the internet. Here are the settings I changed:
General Setup:
- DNS Server: Win2k12 IP address as DNS1 and pfsense IP address as DNS2
- unchecked "Allow DNS server list to be overridden by DHCP/PPP on WAN"
DNS Forwarder:
- checked Enable DNS forwarder
- checked Register DHCP static mappings in DNS forwarder
- all others unchecked

On a side note, I have yet to reach the IIS webserver from a client machine. I assume that something is wrong with pfsense setup or firewall on the Win2k12 server itself.

Try using ping <dns name> -4. The -4 option will look up the IPv4 address, since you are using IPv6 on your network as well.

This definitely helps when trying to ping the server from Win8.
 
So when the client machine gets their IP from pfsense, do you see the IP for the local DNS server listed?

Is the DNS server on the same interface as the client machine? If not, have you allowed port 53 across the two interfaces?


Get rid of the second DNS IP pointing at pfSense. If you are going to use a local DNS server, then use it only. Set up the forwarders on that server, so it will look up any hostnames that aren't in the local zones.

So your client should only be looking for IPs from the local DNS server. If it sends a request for 'domainname.net' (assuming that is the zone set up on the DNS server), the DNS server will pull the IP locally and use that in the response. Also, it should be a 'servername.net' that you query; querying the top-level domain name won't return anything. If you request an IP from a domain that isn't on the local DNS, it will use the forwarders to query another internet DNS server. So you also have to make sure you set up pfSense to allow your local DNS server to make DNS queries to the WAN.
 
Can you post a screenshot of your pfSense page under System - General Setup?

Screenshots attached: pfSense - General Setup; DNS Manager; TCP/IPv4; Advanced TCP/IP Settings - IP Settings; Advanced TCP/IP Settings - DNS

So when the client machine gets their IP from pfsense, do you see the IP for the local DNS server listed?
Sorry for the dumb question, but where do I check for this?

Is the DNS server on the same interface as the client machine? If not, have you allowed port 53 across the two interfaces?
I have 3 interfaces: LAN, WAN, and OPT1. Everything at the moment is connected to LAN.

Get rid of the second DNS IP pointing at PFsense. If you are going to use a local DNS server, then use it only. Setup the forwarders on that server, so it will lookup any hostnames that aren't in the local zones.
So, would I just set up the forwarder on Win2k12 to point to 192.168.1.1 (pfSense) vs. pfSense pointing to itself? Or is this where people mention using 8.8.8.8 or something along those lines?

So your client should only be looking for IPs from the local DNS server. If it sends a request for 'domainname.net' (assuming that is the zone setup on the DNS server), the DNS server will pull the IP locally and use that in the response. Also, it should be a 'servername.net' that you query, querying the top level domain name won't return anything. If you request an IP from a domain that isn't on the local DNS, it will use the forwarders to query another internet DNS server. So you also have to make sure you setup pfsense to allow your local DNS server to make DNS queries to the WAN.
Do I just need to open up a port or something on the pfSense firewall for this to happen?

Again, thanks for all of your help.
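The two questions above ("when the client gets its IP from pfSense, do you see the IP for the local DNS server listed?" and "where do I check for this?") are answered from the client side here, as an added example that is not code from the thread. It is meant to be run on a Windows 8 client that took a lease from pfSense, uses the thread's addresses (192.168.1.250 and 192.168.1.1), and assumes the same lab.example zone with a www host as a stand-in for the poster's domainname.net. It shows what DHCP actually handed the client, then asks each resolver directly with the cache and hosts file bypassed so that a difference between the two answers points at the pfSense forwarder rather than at the Windows DNS server. The IPv6 listing is included because a client whose first resolver is an IPv6 address with no PTR record is exactly what produces the "SERVER: (Unknown)" line in nslookup.

```powershell
# Added example, not from the thread: run on a Windows 8 client that got its
# lease from pfSense. Answers "do you see the IP for the local DNS server
# listed?" and shows which resolver really answers for the lab zone.
# Assumption (not in the thread): zone 'lab.example' with a host 'www'.
$Name     = 'www.lab.example'
$LocalDns = '192.168.1.250'   # Win2k12 (from the thread)
$PfSense  = '192.168.1.1'     # pfSense (from the thread)

# 1. What DHCP handed this client. DNS1 should be the Win2k12 box. IPv6 rows
#    are shown too: an IPv6 resolver that sorts first and has no PTR record is
#    why nslookup prints 'SERVER: Unknown' followed by an IPv6 address.
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

# 2. Ask each server directly, bypassing the client cache and hosts file.
#    Both must return the same A record. If only pfSense fails, its forwarder
#    is not sending the zone to 192.168.1.250, or its DNS rebind protection
#    is discarding the private (RFC 1918) answer it got back.
foreach ($srv in @($LocalDns, $PfSense)) {
    try {
        $rr = Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' }
        '{0,-15} -> {1}' -f $srv, ($rr.IPAddress -join ', ')
    } catch {
        '{0,-15} -> FAIL: {1}' -f $srv, $_.Exception.Message
    }
}

# 3. The path a normal application takes (what the thread's ping tests use),
#    then prove the forwarder chain still reaches the internet through the
#    local server rather than around it.
Resolve-DnsName -Name $Name -Type A
Resolve-DnsName -Name 'www.example.com' -Type A -Server $LocalDns -DnsOnly

# 4. A name that was cached as non-existent before the zone was fixed stays
#    wrong until the cache is cleared; this is the thread's 'ipconfig /flushdns'.
Clear-DnsClientCache
```

Reading the output: if step 1 lists pfSense before the Windows server, the client is never asking the local server first and the DHCP DNS option on pfSense is the thing to fix; if step 2 succeeds against 192.168.1.250 but fails against 192.168.1.1, the Windows side is done and only the pfSense forwarder needs work.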
 
You're missing so much here I don't really know where to start but will try to help.

If you want to lose IPv6 on the server to make it easier, then untick it in the connection properties and it will revert to v4 only, which will allow you to see the address more clearly at this point.

You've got the box ticked on the General Setup page to allow the list you've given to be overridden by DHCP on the WAN interface, so you almost definitely won't even be sending queries to your DNS server.

That said, leave it as is, removing only the 192.168.0.251 listing from the General Setup page. Then go to the DNS Forwarder page, tick the "query sequentially" box, and paste the below into the advanced options box.

Code:
no-negcache
no-resolv
server=192.168.1.250
server=8.8.4.4
server=8.8.8.8
rebind-domain-ok=/jlenterprise.net/
Those options will stop dnsmasq from caching NXDOMAIN responses to save confusion (although Windows will still cache them), stop it from reading the resolv.conf file so it will use the list you give it, set the forwarding servers to your local one with Google as backup, and disable rebind protection for the domain you have set up.

It will probably need some more setup, but that will get you pointing in the right direction; leave clients and DHCP pointing to pfSense. If you want dynamic registration of DHCP clients in the Windows DNS, then the easiest option is, as said, to switch DNS to the Windows box.
 
Wow. It worked. Thank you so much.

I only ticked the 'Allow DNS server list to be overridden by DHCP/PPP on WAN' box back on because my local DNS server wasn't working properly and the rest of the people in my house wanted internetz while I try to figure this DNS stuff out... LOL

Again, thanks for all of your help. I appreciate it much.
 