Unbound DNS and Active Directory



I installed Unbound DNS on my network to get some benefit from DNS caching. I used Google DNS (8.8.8.8) as the forward zone for ".", and it works perfectly. Now I thought about using our Active Directory DNS as a forwarder, so I replaced the Google DNS with our AD DNS IP address, but it does not work. Any idea what I am missing here? Thanks.


You do understand your AD DNS caches as well, right? You really have zero use for another caching NS in your network if you're an MS shop.

Your clients should all point to your AD for DNS. Your AD can then either forward to something like Unbound, which then forwards or resolves, or your AD can just forward to something like 8.8.8.8, or it can just resolve itself.

Pointing your AD members to anything other than your AD DNS is going to lead to a bad day at some point, when clients ask, say, Google for stuff that is in your AD. When the public server sends back an NX, your clients are not going to automagically go ask your AD DNS.


4 hours ago, BudMan said: [quoted above]

Thanks for your valuable answer.
OK, let me make it clearer here:
if my clients ask Unbound, and Unbound is configured to forward everything to the AD DNS, then my clients will never go to 8.8.8.8.
My question mainly is: what's preventing Unbound from using the AD DNS as a forwarder?


Can your AD DNS look up anything other than what it's authoritative for? Do you have it set up to forward in order to resolve?


14 minutes ago, BudMan said: [quoted above]

Yes, it can; I am using it as the internet DNS for most clients.


And where does it forward? If it forwards to Unbound, you would have a circle ;)

Not sure what you think this would get you:

client - unbound -- ad dns -- internet

Let's be clear: your clients should only ever ask DNS servers that resolve the same stuff. If your clients point to both AD and Unbound, and Unbound cannot resolve your AD (i.e. it forwards to Google DNS or something), then you're going to have a bad day. Your AD already caches, so not sure what putting Unbound before your AD gets you. After your AD, like this:

client - ad dns - unbound - internet

would get you control and keep your AD DNS from talking directly to the internet, but it's not getting you any extra caching or anything.


Man, the AD DNS forwards to 8.8.8.8; there are no loops here.
Again, my issue simply is:
Unbound does not forward to my AD DNS, while it can forward to 8.8.8.8 normally!


Did you turn off rebind protection for your AD domain? If you forward to your AD DNS in Unbound and it returns an RFC 1918 address, Unbound is not going to hand that back to the client, since that would be a rebind, unless you tell Unbound that domainx.tld is a private domain or you completely disable rebind protection.

Post up your unbound.conf.

It probably has something like the below in it:

private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10

You can turn off rebind protection for a specific domain by setting it as private:

private-domain: "plex.direct"

 


Thanks so much.
It's fixed when I disabled the validator module.

Quote:

3. Disable the validator module

This also disables validation for other domains, as well as DLV. In the unbound.conf file:

server:
    module-config: "iterator"

 


Um... so your DNSSEC for your AD is broken? You can for sure query an NS for a domain that has not attempted to set up DNSSEC with that enabled and get back results.

module-config: "validator iterator"

If that were not the case then pretty much most of the internet would fail, since they do not have DNSSEC set up, etc.

Here I set up a forwarder for a domain running on AD, a 2k12r2 box:

forward-zone:
        name: "home.lan"
        forward-addr: 192.168.2.220

Set it as a private domain, and as insecure as well:

private-domain: "home.lan"
domain-insecure: "home.lan"

since I'm doing rebind protection. And then query Unbound, and it goes and asks my 2k12r2 box for that record (192.168.2.220).

$ dig @192.168.9.253 host.home.lan

; <<>> DiG 9.14.1 <<>> @192.168.9.253 host.home.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;host.home.lan.                 IN      A

;; ANSWER SECTION:
host.home.lan.          3600    IN      A       10.10.10.10

;; Query time: 2 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue May 28 08:00:45 Central Daylight Time 2019
;; MSG SIZE  rcvd: 58

You shouldn't really need the domain-insecure: option unless you're using, say, the same domain name internally as a public zone that has DNSSEC enabled. I could pull that out, but running Unbound on pfSense, when you do a domain override it automatically puts that in, to allow for setups where you're doing a domain override to an internal NS for a domain where DNSSEC is set up publicly but your internal NS wouldn't be able to validate, etc., i.e. a broken chain.

If you're going to use Unbound in forwarder mode, anything to do with DNSSEC is pretty pointless on your setup. If you end up forwarding to a resolver that has DNSSEC enabled then you would be doing DNSSEC anyway.

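The two fixes discussed in the thread (a forward-zone for the AD domain plus private-domain so rebind protection lets RFC 1918 answers through, and domain-insecure so the validator does not demand a DNSSEC chain the DC cannot provide) pulled together into one unbound.conf, with the validator left switched on. This is an added example and not a config posted in the thread: the AD domain name home.lan and the domain controller address 192.168.2.220 are taken from BudMan's post, while the listening interface, the access-control range and the assumption that the same DC hosts the 2.168.192.in-addr.arpa reverse zone are mine. It also goes a step beyond the thread by forwarding the reverse zone, because Unbound answers RFC 1918 PTR queries from a built-in empty zone unless told otherwise.

```conf
server:
    # Assumption: Unbound listens on the LAN and only the LAN may query it.
    interface: 0.0.0.0
    access-control: 192.168.0.0/16 allow

    # Keep DNSSEC validation for everything else. Replacing this with
    # "iterator" (the "fix" in the thread) disables validation for the
    # whole internet to solve a one-zone problem.
    module-config: "validator iterator"

    # Rebind protection stays on: answers carrying these addresses for a
    # public name are stripped, which is what made the AD forward "not work".
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # The AD zone (and all its subdomains) is allowed to return RFC 1918
    # addresses, so rebind protection does not drop the DC's answers.
    private-domain: "home.lan"

    # The DC does not sign the zone; treat it as insecure so the validator
    # returns the answer instead of failing on a missing chain of trust.
    domain-insecure: "home.lan"

    # Unbound ships an empty local zone for 168.192.in-addr.arpa that would
    # answer NXDOMAIN before the forward-zone below is consulted.
    local-zone: "168.192.in-addr.arpa." nodefault
    domain-insecure: "168.192.in-addr.arpa"

# Everything under the AD domain, including the _msdcs/_sites/_tcp SRV
# records clients use to find DCs, goes to the domain controller.
forward-zone:
    name: "home.lan"
    forward-addr: 192.168.2.220

# Assumption: the same DC also hosts the reverse zone for 192.168.2.0/24.
forward-zone:
    name: "2.168.192.in-addr.arpa"
    forward-addr: 192.168.2.220

# Everything else goes to the public resolver the thread used.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

Run unbound-checkconf after editing, then compare `dig @192.168.2.220 host.home.lan` (asking the DC directly) with the same query against Unbound: if the DC returns the record but Unbound returns NOERROR with an empty answer section or SERVFAIL, the answer is being stripped by rebind protection or refused by the validator; repeating the Unbound query with `+cd` (checking disabled) tells you which, since `+cd` bypasses validation but not the private-address check. A query for `_ldap._tcp.dc._msdcs.home.lan SRV` through Unbound is the quickest way to confirm that domain-joined clients would still find their DCs.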

This topic is now closed to further replies.