Active Directory DNS Configuration With Gold
New to Firewalla and just got my Gold up and running a week or so ago. Loving it so far.
I have an Active Directory domain on my network with Windows domain controllers serving DNS requests for the local domain/clients. As you can imagine, things don't work so well when the clients can't resolve the local domain, so I've had to set the primary DNS on the network to point to one of the internal DNS servers. The secondary DNS is pointing to Cloudflare in case the internal DNS server is down. Under this config the clients are happy and many of the Firewalla features work (ad block, safe search, porn block, and even domain blocking using default mode); however, domain blocking using "domain only mode" does not. I presume some other features may be broken as well, but I haven't noticed it yet.
I assume this is because the Firewalla is pushing out the internal DNS server IP to clients via DHCP, so they're able to talk directly to the DNS server on the same network without having to talk to the Gold and hit its DNS cache. The Gold's DNS cache seems to be where all the DNS-based magic happens, so all the solutions I've read (mostly pi-hole threads) revolve around finding ways to make clients hit the Gold first prior to hitting the DNS server in question. However, putting my domain controllers on separate network segments isn't ideal.
One solution would be to push out the Gold's IP as the DNS server for all clients on the network, forcing them to hit the DNS cache before the Gold would then forward the requests out to the configured DNS servers. Obviously clients could manually bypass the DHCP based DNS settings and configure alternate DNS servers, but as long as those servers are external, the DNS traffic still passes through the Gold so I'm not too concerned about that.
Another solution would be the ability to configure conditional DNS forwarders so that "xyz.local" domain requests are configured to resolve to specific DNS servers.
Are either of these things possible with the Gold or could they be?
Actually, the configuration of the DNS nameserver in DHCP and the upstream DNS for the DNS cache on the Gold's backend are separate, meaning that you can set the DNS nameserver in DHCP to the Gold's LAN IP while setting your domain controller as the upstream DNS for the DNS cache on the Gold. However, the app only provides a uniform way to set the same value for these two options, for simplification.
The conditional DNS forwarder is currently unavailable on Firewalla. But it is doable, and we will consider implementing it in the future.
If you want us to manually change the configuration on the box to use separate config for DNS in DHCP and upstream DNS for DNS cache, you can send an email to firstname.lastname@example.org.
Just to update/close this thread, this is working as expected now. Had a little trouble getting one specific client working and it ended up being because it was in a "kids" group that had the 'family protect' feature enabled. That feature relies on forwarding client DNS requests to UltraDNS, so it was breaking internal DNS resolution. After disabling that, internal resolution is now functioning across all devices.
1. DHCP hands out the internal Gold IP as the clients' only DNS server.
2. DNS requests hit the Gold's DNS cache and are blocked/filtered.
3. The request is forwarded to the internal IP of my primary Windows DNS server for internal domain resolution (Cloudflare is secondary in case the internal DNS is down).
4. Windows DNS forwards the request out to Cloudflare for all additional external resolution.
Firewalla support provided the config file and internal API call to manage DHCP vs. Upstream DNS, but hoping this ability comes to the UI in a future update.
I was able to achieve a similar configuration by SSHing into the device and writing a dnsmasq config.
Create a file in /home/pi/.firewalla/config/dnsmasq_local/
The file should contain server=/<dns fqdn to forward requests for>/<dns server address to forward requests to>
as an example. Refer to the dnsmasq configuration documentation for conditional forwarding. This does survive reboots.
I can resolve my internal domain and can still enable DNS over HTTPS. My configuration does have my DNS server outside the segment my firewalla blue is protecting, if that matters at all.
Edit: Family Protect conflicts with this. I'm still looking into how to resolve that. Will update if i find a solution.
Edit #2: Add the same server definition a second time to the file, but append $family_protect to it.
I revisited this recently:
I do believe there was a conflict between the Firewalla's default 'local domain' setting of .lan and the domain name associated with my Active Directory domain, home.lan. Once I changed the 'local domain' on the Firewalla, I was able to resolve hosts within home.lan.
However, my success was short lived when I realized that it worked from my mobile phone, but not my windows laptop. I worked with Firewalla Support, we determined that there is an issue with the way Firewalla Gold handles TCP based DNS queries, when DoH is enabled.
Their response "Thanks for the update. I can confirm that there is a known issue on the local DNS server on Gold, which does not handle TCP DNS request properly. If the device uses TCP to send DNS queries, the features configured in the app will not work properly.
From the history DNS logs on the box, the phone sometimes sent DNS queries using TCP and got responses for home.lan suffixes. If it sent DNS using UDP, it also got NXDOMAIN response. However, the computer always sent DNS using UDP, which is the reason why home.lan does not work if DoH is enabled."
That sounds great. I'll shoot an email over this afternoon.
I may be mistaken, but wouldn't this same ability to define a LAN DNS server, while also being able to define an upstream DNS server for the Gold solve many of the problems people are having with pi hole configs as well? Seems lots of people are hoping to point their clients in the LAN to the Gold while pointing the Gold to their pi hole.
Depends. I'm not 100% sure how the Gold works, but home.lan should be a different TLD from lan. You will have to reboot your device or restart firemasq with sudo systemctl restart firemasq.
Assuming home.lan (the name of the file is irrelevant to the contents or behaviour) is your domain, then the following should be your entries.
should be the correct entry to permit all *.home.lan to be forwarded to <address> for name resolution. I can only assume the Gold is still using dnsmasq and that the .conf file is still including dnsmasq_local/* files.
Depending on what else is involved, you may have to clear/disable any DNS caching, as I had to with my Ubuntu desktop (systemd-resolved). Good luck.
Edit #1: I suppose I didn't mention that the <address> and 192.168.1.1 mentioned above should be substituted with the appropriate IP addresses for the DNS server.
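To make the two dnsmasq_local posts above concrete (the server=/domain/address conditional forwarder with its $family_protect duplicate, and the question of how a .lan local domain interacts with home.lan), here is an added example that is not Firewalla code and not from any poster in this thread. It parses constructed dnsmasq-style config text and applies stock dnsmasq precedence: a server= or local= domain matches a query name or any suffix of it at a label boundary, and the longest matching domain wins. The sample IPs, the assumption that the box's 'local domain' setting is expressed as a local=/lan/ line, and the treatment of the $family_protect tag as a suffix to strip are all assumptions; anything Firewalla layers on top of plain dnsmasq matching is not modelled.

```python
"""Model of how dnsmasq picks an upstream for a query from server=/local= lines.

Added example; not Firewalla's code.  Assumptions are marked in comments.
"""
import ipaddress
import re

# Constructed sample of the kind of file the post above puts in
# /home/pi/.firewalla/config/dnsmasq_local/ (addresses are made up).
SAMPLE_LOCAL_CONF = """\
# forward the AD domain to the domain controller
server=/home.lan/192.168.1.10
# same line again, tagged so the Family Protect path also honours it (per the post above)
server=/home.lan/192.168.1.10$family_protect
"""

# Constructed sample of a main config.  ASSUMPTION: a 'local domain' of .lan is
# expressed as local=/lan/ (answer locally, never forward); not verified on Firewalla.
SAMPLE_MAIN_CONF = """\
local=/lan/
server=1.1.1.1
"""

_RULE_RE = re.compile(r"^(server|local)=(?:/([^/]*)/)?(.*)$")
LOCAL_ONLY = "local-only"  # sentinel: answered from hosts/leases, never forwarded


def parse_rules(text):
    """Parse server=/local= lines into (domain, target) pairs.

    domain is '' for a domain-less default server line.  target is an IP string,
    '#' (meaning: use the resolv.conf servers) or LOCAL_ONLY.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dnsmasq line: {raw!r}")
        kind, domain, target = m.groups()
        domain = (domain or "").lower().rstrip(".")
        # ASSUMPTION: a Firewalla tag such as $family_protect is a suffix on the address.
        target = target.split("$", 1)[0].strip()
        if kind == "local" or target == "":
            target = LOCAL_ONLY
        elif target != "#":
            host = target.split("#", 1)[0]  # tolerate dnsmasq's addr#port form
            ipaddress.ip_address(host)       # reject a non-IP upstream early
            target = host
        rules.append((domain, target))
    return rules


def route(name, rules):
    """Return (matched_domain, [targets]) for a query name.

    A rule matches the name itself or a suffix at a label boundary; the longest
    matching domain wins; domain-less rules are the default route.  Duplicate
    targets (e.g. the $family_protect copy) are collapsed.
    """
    name = name.lower().rstrip(".")
    best_domain, targets = "", []
    for domain, target in rules:
        if domain == "":
            continue
        if name == domain or name.endswith("." + domain):
            if len(domain) > len(best_domain):
                best_domain, targets = domain, [target]
            elif domain == best_domain and target not in targets:
                targets.append(target)
    if not targets:  # no domain rule matched: fall back to the default servers
        for domain, target in rules:
            if domain == "" and target not in targets:
                targets.append(target)
    return best_domain, targets


def conditional_forwarder_lines(domain, server, family_protect=True):
    """Render the dnsmasq lines the post above describes for one AD domain."""
    ipaddress.ip_address(server)
    lines = [f"server=/{domain}/{server}"]
    if family_protect:
        lines.append(f"server=/{domain}/{server}$family_protect")
    return lines


def demo():
    """Route a few constructed query names through both sample configs."""
    rules = parse_rules(SAMPLE_MAIN_CONF) + parse_rules(SAMPLE_LOCAL_CONF)
    queries = ("dc01.home.lan", "printer.lan", "example.com", "home.lan")
    return {q: route(q, rules) for q in queries}


if __name__ == "__main__":
    for q, (dom, targets) in demo().items():
        print(f"{q:16s} -> {dom or '(default)':10s} {targets}")
```

Under these semantics dc01.home.lan goes to the domain controller because home.lan is a longer match than lan, printer.lan stays local-only, and example.com takes the default server. If a box behaves differently for *.home.lan after adding the file, the cause is something other than plain dnsmasq suffix precedence, so checking with the service restarted and with a client that has no resolver cache of its own is the first thing to try.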