Active Directory DNS Configuration With Gold

Comments

9 comments

  • Support

    Actually, the configuration of the DNS nameserver in DHCP and the upstream DNS for the DNS cache on Gold's backend are separated. Meaning that you can set the DNS nameserver in DHCP to Gold's LAN IP while setting your domain controller as the upstream DNS for the DNS cache on Gold. However, the app only provides a unified way to set the same value for these two options, for simplification.

    The conditional DNS forwarder is currently unavailable on Firewalla. But it is doable and we will consider implementing it in the future.

    If you want us to manually change the configuration on the box to use separate config for DNS in DHCP and upstream DNS for DNS cache, you can send an email to help@firewalla.com.

  • Jeremy

    I was able to achieve a similar configuration by ssh'ing into the device and writing a dnsmasq config.

    Create a file in /home/pi/.firewalla/config/dnsmasq_local/

    The file should contain server=/<dns fqdn to forward requests for>/<dns server address to forward requests to>

    server=/example.com/192.168.1.1

    server=/example.com/192.168.1.1$family_protect

    as an example. Refer to the dnsmasq config for conditional forwarding. This does survive reboots.

    I can resolve my internal domain and can still enable DNS over HTTPS. My configuration does have my DNS server outside the segment my firewalla blue is protecting, if that matters at all.


    Edit: Family Protect conflicts with this. I'm still looking into how to resolve that. Will update if I find a solution.

    Edit #2: add the same server definition a second time to the file but append $family_protect to it.

  • Chris Dillard

    That sounds great. I'll shoot an email over this afternoon.

    I may be mistaken, but wouldn't this same ability to define a LAN DNS server, while also being able to define an upstream DNS server for the Gold, solve many of the problems people are having with Pi-hole configs as well? Seems lots of people are hoping to point their clients in the LAN to the Gold while pointing the Gold to their Pi-hole.

  • Chris Dillard

    Just to update/close this thread, this is working as expected now. Had a little trouble getting one specific client working and it ended up being because it was in a "kids" group that had the 'family protect' feature enabled. That feature relies on forwarding client DNS requests to UltraDNS, so it was breaking internal DNS resolution. After disabling that, internal resolution is now functioning across all devices. 

    DHCP hands out the internal Gold IP as the clients' only DNS server > DNS requests hit the Gold's DNS cache and are blocked/filtered > Request is forwarded to the internal IP of my primary Windows DNS server for internal domain resolution (Cloudflare is secondary in case the internal DNS is down) > Windows DNS forwards the request out to Cloudflare for all additional external resolution

    Firewalla support provided the config file and internal API call to manage DHCP vs. Upstream DNS, but hoping this ability comes to the UI in a future update. 

  • Chris Thomas

    I prefer to have DHCP hand out the router's address, and then have the router forward any queries for my AD domain name to the AD name server. That way, if AD goes down, the clients can still get out to the internet via the router.

  • Chris Dillard

    Yeah, I would prefer to just have the ability to set up DNS forwarding as well, but this config does work even if my internal AD is down. You can set a secondary upstream DNS server for the LAN (in my case Cloudflare) to ensure DNS continues to function.

  • Chris Thomas

    I put a file (called home.lan) in the location specified above, but it does not appear to be working.

    Is it possible I'm running into issues because the firewall is using lan?

  • Jeremy

    Depends. I'm not 100% sure how the Gold works, but home.lan should be a different TLD to lan. You will have to reboot your device or restart firemasq with sudo systemctl restart firemasq

    Assuming home.lan (the name of the file is irrelevant to the contents or behaviour) is your domain, then the following should be your entries.

    server=/home.lan/<address>

    server=/home.lan/<address>$family_protect

    These should be the correct entries to permit all *.home.lan to be forwarded to <address> for name resolution. I can only assume the Gold is still using dnsmasq and that the .conf file is still including dnsmasq_local/* files.

    Depending on what else is involved, you may have to clear/disable any DNS caching, as I had to with my Ubuntu desktop (systemd-resolved). Good luck.

    Edit #1: I suppose I didn't mention that the <address> and 192.168.1.1 mentioned above should be substituted with appropriate IP addresses for the DNS server.

  • Chris Thomas
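The conditional-forwarder setup Jeremy describes in his two comments above (one dnsmasq_local file per zone, a second line tagged $family_protect, then restart firemasq), as an added example script that is not part of this thread or of Firewalla's software. It assumes the /home/pi/.firewalla/config/dnsmasq_local/ path and the firemasq unit name quoted in the thread; the zone and address passed on the command line are placeholders for your own AD domain and DNS server.

```shell
#!/bin/sh
# Added example, not Firewalla's tooling. Assumes the config directory and the
# firemasq unit name quoted in the thread; zone and address are placeholders.
set -eu

CONF_DIR="${CONF_DIR:-/home/pi/.firewalla/config/dnsmasq_local}"

# Print the two dnsmasq lines for one forwarded zone: the plain entry and the
# duplicate carrying the literal "$family_protect" suffix. Single-quoted format
# strings stop the shell from expanding $family_protect as a variable.
forward_entries() {
  zone="$1"; addr="$2"
  printf 'server=/%s/%s\n' "$zone" "$addr"
  printf 'server=/%s/%s$family_protect\n' "$zone" "$addr"
}

# Reject input that would yield a line dnsmasq cannot use: the zone must be a
# multi-label name and the forward target a dotted-quad IPv4 address.
validate() {
  zone="$1"; addr="$2"
  case "$zone" in
    *.*) ;;
    *) echo "zone must be a multi-label name such as home.lan" >&2; return 1 ;;
  esac
  printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "address must be IPv4: $addr" >&2; return 1; }
}

# Write one file per zone (the file name itself is irrelevant to dnsmasq).
# CONF_DIR can be overridden to preview the output somewhere harmless.
write_forwarder() {
  zone="$1"; addr="$2"
  validate "$zone" "$addr"
  mkdir -p "$CONF_DIR"
  forward_entries "$zone" "$addr" > "$CONF_DIR/$zone"
  echo "wrote $CONF_DIR/$zone"
}

# Usage on the box:  sh forward.sh apply home.lan 192.168.1.1
if [ "${1:-}" = "apply" ]; then
  write_forwarder "$2" "$3"
  sudo systemctl restart firemasq
fi
```

After restarting, check from a LAN client with both transports (dig dc01.home.lan and dig +tcp dc01.home.lan, hostname being a placeholder), since the last comment in the thread reports the Gold handling TCP DNS queries differently from UDP when DoH is enabled.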

    I revisited this recently:

    I do believe there was a conflict between the Firewalla's default 'local domain' setting of .lan and the domain name associated with my domain home.lan, which is associated with my Active Directory. Once I changed the 'local domain' on the Firewalla, I was able to resolve hosts within home.lan.

    However, my success was short lived when I realized that it worked from my mobile phone, but not my Windows laptop. Working with Firewalla Support, we determined that there is an issue with the way Firewalla Gold handles TCP-based DNS queries when DoH is enabled.

    Their response: "Thanks for the update. I can confirm that there is a known issue on the local DNS server on Gold, which does not handle TCP DNS request properly. If the device uses TCP to send DNS queries, the features configured in the app will not work properly.

    From the history DNS logs on the box, the phone sometimes sent DNS queries using TCP and got responses for home.lan suffixes. If it sent DNS using UDP, it also got NXDOMAIN response. However, the computer always sent DNS using UDP, which is the reason why home.lan does not work if DoH is enabled."
