Firewalla Gold with Active Directory Domain - DNS
Replaced my Ubiquiti router with a Firewalla Gold SE recently.
I read a lot of articles and all Firewalla community posts dealing with the subject. Without success.
I host an Active Directory domain on my network with a Windows domain controller, a Windows Exchange server and a Synology NAS.
As you know, Windows domain devices must point to the internal Windows Domain Controller as primary DNS to work properly. No worries for other devices.
The Firewalla is configured as DHCP server for my whole internal network and the DNS over HTTPS and DNS booster features are enabled for all devices too.
My scenario is very standard:
- Use the Firewalla as DHCP server
- Use the Firewalla as DNS over HTTPS and DNS booster, with no bypass allowed
- Continuous internet access if the Domain Controller goes down
- Windows AD domain joined computers must point to DC DNS server
I noticed my Windows DC is automatically excluded from the DNS booster clients when used as a DNS server. So DNS over HTTPS is no longer active.
I tried many scenarios, none satisfying:
- Configure DNS to my DC for all devices (the DC is automatically excluded from DNS booster, resilience is a problem)
- Firewalla DNS custom rules
- DNS forwarding
- Windows custom DNS with GPO for domain joined computers
- Specific DNS per SSID
- Use other DHCP or DNS servers
- Use different primary and secondary DNS
I haven't evaluated the possibility of configuring the DHCP to point to a different DNS per device (Firewalla feature not implemented) or of avoiding the automatic exclusion of my DC from DNS booster (possible per script?).
So, what is the solution to continue to use all the Firewalla features and allow domain joined computers to work properly?
-
Your situation is very much like running pi-hole (DNS server), see if this can help or not https://help.firewalla.com/hc/en-us/articles/360062551673-How-to-run-an-external-pi-hole-with-Firewalla
-
I already checked all Firewalla community links.
The pi-hole DNS server situation is quite different because I must use the Firewalla DNS server to use the DNS over HTTPS and DNS booster features (and all other related features).
If I use my Domain Controller DNS and then redirect the traffic to the Firewalla to do DNS encryption, the Firewalla automatically disables the DNS booster on my DC.
This is very easy to reproduce. Everyone who uses an Active Directory domain should have the same situation. Currently, I'm blocked...
Is there a way to use different DNS entries from the Firewalla DHCP service, to allow my domain joined computers to point to my DC?
Or can we avoid my DC being automatically removed from the DNS booster entries?
Other ways?
I can make some tests if needed !
Thanks
-
So,
- how can I disable the feature which automatically excludes my own DNS server from the DNS booster clients?
- how can I set up a specific DNS server for domain joined devices in the Firewalla DHCP module?
Currently, it's really a problem if an Active Directory domain cannot be used with a Firewalla.
-
@Benjamin, your issue is the last step, where you want your AD to use firewalla for DoH.
One way that may work is to set up your clients to directly talk to AD DNS and leave firewalla as is. (Also make sure your AD + clients are on the same LAN).
The first DNS request will directly go to AD, and AD will then DNS with firewalla.
(edit, with above, you will have the same issue, that Firewalla can't distinguish which client did the DNS)
-
Already tried this solution:
- Set up the Firewalla DHCP to point to my AD DNS
- Configured the Firewalla as DNS forwarder on my AD DNS
=> Works a few minutes until the Firewalla automatically removes my AD DNS (Domain Controller) IP from the DNS Booster (certainly because it detects an internal DNS and wants to avoid any DNS loops). So when DNS booster is disabled, the Firewalla DNS over HTTPS feature no longer works.
=> Another problem is all devices will lose internet access if my AD DNS goes under maintenance or goes down (not recommended to set up a secondary DNS outside AD DNS in AD mode)
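The forwarder setup described in the post above (clients point to the AD DNS, the DC forwards to the Firewalla), as an added PowerShell example that is not part of the thread and not Firewalla's or Microsoft's own code. It assumes hypothetical addresses (Firewalla at 192.168.1.1, DC at 192.168.1.10) and an AD DNS domain `corp.example`; replace them with your own. Part 1 runs on the DC (DnsServer module); part 2 runs on any domain-joined Windows machine (DnsClient module) and checks the things that typically break in this setup: the AD SRV record that only the DC can answer, external resolution through the DC, and whether the client's primary resolver is actually the DC.

```powershell
# Added example (not from the thread). Assumed values, adjust to your network:
$Firewalla = '192.168.1.1'   # Firewalla LAN IP (assumption)
$Dc        = '192.168.1.10'  # domain controller / AD DNS (assumption)
$Domain    = 'corp.example'  # AD DNS domain (assumption)

# ---- Part 1: on the DC, elevated. Forward everything the DC is not
# authoritative for to the Firewalla. With -UseRootHint $false the DC has no
# fallback to direct recursion, so every external lookup goes through the
# Firewalla; set it to $true if you prefer the DC to recurse on its own when the
# Firewalla is unreachable.
Set-DnsServerForwarder -IPAddress $Firewalla -UseRootHint $false -Timeout 3
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# ---- Part 2: on any domain-joined machine. Returns an object whose
# properties are $true/$false so the result can be eyeballed or scripted.
function Test-AdDnsPath {
    param(
        [string]$DcAddress        = $Dc,
        [string]$FirewallaAddress = $Firewalla,
        [string]$AdDomain         = $Domain,
        [string]$ExternalName     = 'www.example.com'   # any public name
    )
    $results = [ordered]@{}

    # 1. Domain-joined clients locate a DC through this SRV record. It lives only
    #    in the AD zone on the DC; a client pointed at the Firewalla cannot get it.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
        -Server $DcAddress -ErrorAction SilentlyContinue
    $results['DcSrvRecord'] = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })

    # 2. External names asked of the DC succeed only if the forwarder chain
    #    (DC -> Firewalla) is working.
    $viaDc = Resolve-DnsName -Name $ExternalName -Type A -Server $DcAddress `
        -ErrorAction SilentlyContinue
    $results['ExternalViaDc'] = [bool]$viaDc

    # 3. The same name asked of the Firewalla directly separates "forwarder
    #    broken" from "Firewalla itself not answering".
    $viaFw = Resolve-DnsName -Name $ExternalName -Type A -Server $FirewallaAddress `
        -ErrorAction SilentlyContinue
    $results['ExternalViaFirewalla'] = [bool]$viaFw

    # 4. The resolver this machine actually received (DHCP option 6 or GPO/static)
    #    must be the DC; if DHCP handed out the Firewalla, internet names resolve
    #    but AD logons, GPO and Exchange lookups fail.
    $primary = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses -First 1
    $results['ClientPrimaryDns'] = $primary
    $results['ClientPrimaryIsDc'] = ($primary -eq $DcAddress)

    [pscustomobject]$results
}

Test-AdDnsPath
```

A healthy setup shows `DcSrvRecord`, `ExternalViaDc`, `ExternalViaFirewalla` and `ClientPrimaryIsDc` all `$true`. The pattern the thread describes (Firewalla dropping the DC from DNS booster after a few minutes) would show up as `ExternalViaDc` still `$true` but the Firewalla-side encryption no longer applying, which this script cannot observe from the client; the DC-down case shows up as everything but `ExternalViaFirewalla` failing, which is the resilience problem the post raises.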