DNS problem when NS is used a domain controller

Good day everyone!

I think I have a DNS issue…

• NS is used as a PDC (the only DC on the lan i.e. master.example.com/192.168.2.9)
• PFSENSE is the gateway, dhcp and reverse proxy.

When trying to map a specific server on the LAN to be accessed over the internet via the reverse proxy, only the non-domain bounded machines are able to access it. The domain machines don’t ever see it.

DNS provider is godaddy. “A” records are configured properly and reverse proxy works fine for non-domain machines.

When I manually bypassed the DNS from domain-bounded machine and ran NSLOOKUP, I was able to access the url machine.example.com and I have no issue using the reverse proxy then. Reinstall the DNS of the domain and voilà… no longer working.

I tried manually adding a host via the DNS gui in NS = not working and I found no other location to add it.

NS server is configured to forward it’s queries to 8.8.8.8.

I will shortly deploy a number of web services via a Kub. cluster and I wanted to use a reverse proxy + domain combination to avoid having our employees use port numbers and ip addresses.

Should I add something in DNSMASK? Please help!
Any will be appreciated!

Thanks folks!

NB: on a different topic, I really like the simplicity of NS vs other Linux PDC.

It’s mandatory to keep DHCP Server on PFSense?

Hi @iampellegrino

If you were using an internal DNS, as would be the clean and correct way to do this task, this would not be an issue at all!

At the moment, you’re essentially forcing all internal traffic trying to reach an internal server - making all such traffic pass through your PFsense twice, halving it’s throughput.
The professional term for what you’re trying to do is “Hairpin NAT”, allowing an internal host to use an external IP to reach another internal host. (Passing through the firewall twice!).

The use of Hairpin NAT to me as a pro signifies:

A) A lazy individual
B) Someone lacking basic DNS skills or basic networking skills

The above is without any form of valuation, it’s just a list, non prioritised…

As the old saying goes, all roads lead to Rome… You will get there…
Some roads may be less safe, more hazardous than others.
Some may be easier and less harzadous.

But I’d strongly suggest a rethink of your DNS (and DHCP) setup and replan your network a bit more according to best practices…

My 2 cents
Andy

I’ve already mentionned I was lacking the DNS skills. No surprise here. I’ve tried using NS as the DHCP and it didn’t work any better.

Used NS as DHCP and wasn’t more efficient. DHCP on Pfsense has some advantages including simplified control of VPN trafic.

Any suggestion to resolve the issue?

Did you add machine.example.com pointing to the pfsense box?

Yup. I did. Since my reverse proxy is 192.168.2.1 that’s one of the things I used.

…oh… and by the way, I would be happy to segregate my traffic internal and external as it was before using NS. Unfortunately, that’s the reason why I’m asking for assistance.

Hi @iampellegrino

Both NethServer and PFsense have more or less capable DNS servers built-in, at least for internal DNS usage.

Note:
I’m an OPNsense user, a fork of PFsense with much the same modules and capabilities. Just the GUI is much better on OPNsense. And the available source code actually compilie, not quite so for PFsense…

The idea behind having internal / external DNS servers is simple:

Your internal DNS server should be able to resolve everything concerning your domain and network. That means: every PC, notebook, smartphone and also printers and other hardware with IP. And where possible, internal IPs. Where not possible, eg an externally hosted website, use the external IP.

External DNS should NOT know these devices, it’s also a security concern…

Your external DNS Hoster, Godaddy, only needs to know and serve out IPs relevant for the Internet.

The only caveat is: you need to enter every external host at least twice…
Then again, how often do these entries change?
Do you change your external hoster every week? Not really!

→ This concept is known as Split-Brain DNS…
Basically, it can be seen as a “need to know” basis for internal and external hosts…

I’d suggest using the NethServer as primary, and the PFsense as secondary internal DNS server.
These can be entered in your DHCP Server (PFsense), for distribution to your internal clients.

This way you can point internal hosts right to the correct internal IP of whatever container you’re trying to reach, bypassing the firewall completly.
External traffic will pass through the firewall as always…

Important: Do create at least an entry for the NethServer itself, but also one for your AD.
And for the AD, do add in a wildcard (like *.ad.domain.tld)…

→ All AD clients get all information needed for correct AD working - and AD IS dependent on DNS, eg for clients to find the AD Master…

Hope this helps!

My 2 cents
Andy

Bildschirmfoto 2021-12-21 um 01.31.332852×1450 467 KB

Thank you for the explanation Andy!

Agree!!! That’s exactly what I’m trying to re-achieve! t, since that migration to NS, if I use DNS resolver and map an IP to a domain name i.e. 192.168.2.25=machine1.mydomain.com it just doesn’t work. Same for haproxy. Works if I route via internet but again, only for machines on the LAN that are not joined to the domain. Any idea why?

that’s my actual config.

I just read about split-brain DSN. Very interesting but I actually don need this if I could resolve my servers internally.

Let me rephrase my question differently now that I know more. Where in NS can I configure that host1 is reacheable via host1.mydomain.com. I tried that DSN gui. not working.

Please elaborate on the above…

HAProxy? It’s OK, but nginx or even apache on NethServer may be a better choice…

So far, I’ve mainly used the NethServer for LetsEncrypt, even though the OPNsense could do that just as well.

The main reason for me is AD. A lot of Apps, especially Java and PHP programmed stuff require a valid SSL cert on the AD, if you want to use AD authentification. MeshCentral & Guacamole are two examples on the OpenSource/NethServer side which require a valid SSL cert for AD to work. EcoDMS, a commercial Java programmed software in common use in German speaking countries is another good example…

If using LetsEncrypt on NethServer, and NethServer is your AD, this is easily achieved.
You need to enter your AD (both name versions!) in your external DNS and - like your NethServer - point them to your firewalls external IP.

nano /etc/e-smith/events/certificate-update/S80push2ad

Contents:

cp -f -p /etc/pki/tls/certs/localhost.crt  /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
cp -f -p /etc/pki/tls/private/localhost.key  /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
systemctl -M nsdc restart samba

This will automatically copy the new certs to the NDSC container in NethServer, enabling your AD with a valid SSL cert.

Here’s a more complex problem, probably along the lines of what you’re trying to achieve later on with your containers…

At home, I have a PI-Hole.
It’s real hostname is:

awr7-pi-hole.r7.anwi.ch

and has the internal IP 192.168.31.29, which is distributed to the DHCP clients from my DHCP server, my OPNsense firewall.

This PI-Hole only uses http, no https.

But if you like, try this:

https://pi-hole.r7.anwi.ch

My PI-Hole will be displayed correctly, with a correct SSL cert, even though I’m behind a dynamic IP address… What gives?

Behind the scenes:

At home, in my LAN, my NethServer handles all LetsEncrypt SSL certs. It has the name “pi-hole.r7.anwi.ch” entered in as alias for the PI-Hole.

Note: This is NOT the real hostname of the PI-Hole!

Internally, pi-hole.r7.anwi.ch also points to the NethServer, as the external DNS. The external DNS can’t really resolve the real hostname of my PI-Hole.

The NethServer acts as reverse Proxy, and adding in SSL protection at the same time. Externally, it “removes” the SSL layer before forwarding the traffic to my PI-Hole. The PI-Hole sees no SSL traffic and answers in normal http, which the reverse proxy attaches https encapsulation…

This gives me the best of both worlds.

Clean SSL protection and same access internally and externally, but also a seperate access via internal IP or real hostname if I need to eg update the PI-Hole or it’s OS.

Hope this is all somewhat understandable…

My 2 cents
Andy

DNS entries on NethServer?

Best here:

Bildschirmfoto 2021-12-21 um 02.07.552876×1462 314 KB

The DNS on NethServer can’t correctly handle CNAMEs, the only exceptions are CNAMEs pointing to NethServer itself. These can be entered in the first page of cockpit, see “aliases”…

My 2 cents
Andy

How do you point it internally? Do you mean adding a DNS record in NS via the GUI?

Reverse Proxy entry:

Bildschirmfoto 2021-12-21 um 02.38.172316×142 28.2 KB

Real DNS entry:

Bildschirmfoto 2021-12-21 um 02.38.442316×104 20.2 KB

Alias on Dashboard page:

Bildschirmfoto 2021-12-21 um 02.39.061202×1266 54.1 KB

I see all your DNS entries. That’s exactly what doesn’t work in my NS implementation (I also use a VM for NS).

Regardless if I add a DNS entry with server/ip combination, it doesn’t work. None of my clients can resolve the names afterward.

please see the pic as a confirmation:

image1636×448 156 KB

You can see the IP, is an active IIS,
the URL can’t be resolved despite being entered in DNS records and that machine being joined to the network.

That’s exactly what I’m trying to understand… why it isn’t working!

Same result if I change the IP to the IP of my reverse proxy. Can’t resolve any entry in the DNS field.

Hi @iampellegrino

Sorry, I think I fell asleep…

Opening a Browser is not a way to test DNS.

Using a console (DOS-Shell) and nslookup would be correct.
After all, it could be a browser plug-in issue…

nslookup dns-name ip_of_dns_server_to_check

My 2 cents
Andy

Please post the results of ping machine.example.com and nslookup machine.example.com of a domain machine and a non-domain machine to see what’s not working and which DNS server is used.

Did you try different browsers and flush DNS cache on clients?

ipconfig /flushdns

@mrmarkuz @mrmarkuz…as discussed,

NB: sorry had to remove all dots (.) in the domain names as per your forums’ policy

my client DNS config:

result of ipconfig /all =
DNS Servers . . . . . . . . . . . : 192.168.2.9
192.168.2.1
info: 1st server = NS (…2.9), 2nd = pfsense (…2.1)

step 1: FLUSHED DSN
ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

NSLOOKUPS

1. (from the main DNS/NS)
   nslookup science dot ibiopro dot com 192.168.2.9
   Server: UnKnown
   Address: 192.168.2.9

RESPONSE: *** UnKnown can’t find science dot ibiopro dot com: Non-existent domain

2. (from pfsense)
   nslookup science dot ibiopro dotcom 192.168.2.1
   Server: gateway dot ibopro dot com
   Address: 192.168.2.1

RESPONSE: *** gateway dot ibspro dot com can’t find science dot ibiopro dot com: Non-existent domain

Y:>ping 192.168.2.54

Pinging 192.168.2.54 with 32 bytes of data:
Reply from 192.168.2.54: bytes=32 time=5ms TTL=128
Reply from 192.168.2.54: bytes=32 time=4ms TTL=128
Reply from 192.168.2.54: bytes=32 time=4ms TTL=128
Reply from 192.168.2.54: bytes=32 time=5ms TTL=128

Ping statistics for 192.168.2.54:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 5ms, Average = 4ms

just wondering if were using lets encrypt would we just change

/etc/pki/tls/certs/ to /etc/letsencrypt/live/yournethserver.com/