Multiple DNS servers on one network

Hi all, I have a query about having two DNS servers on my network, as follows:
1: I already have IPFire running as my “primary” DNS server, all working correctly.
2: I am testing a Windows Server 2022 setup as a Domain Controller and it ALSO installs a DNS server as default.
My question is, will I have any issues with connectivity in ANY way, while having these two DNS servers running together?

AD works better while working as DHCP server and DNS server of the AD subnet.

Hi @pike_it OK, so are you saying I should shut down/disable the IPFire DHCP and DNS services?

Not willing to design a network on a forum post. Nor excluding there’s more than one way to do that.

AFAIK, DHCP is a matter of simple choice. Either you put that on IPFire, or on your DC. Microsoft says that DC is better for AD, but any mileage may vary. Take time to study what Microsoft says and what you want to achieve on your network.
DNS is more nuanced. The integrated AD DNS server is more powerful and more configurable than the one integrated in IPFire, but using it from outside the subnet might not be the best idea. However, IPFire has some features that the MS DNS server does not have, so combining them using forward rules and correct entries might be an interesting idea.

However (the last one, I swear) it’s not the simplest task in the world, because a bit of knowledge about
Domain Name System (the whole theory behind DNS)
AD+DNS of Microsoft
IPFire implementation of DNS tools
is necessary to create the right service pie for your taste.

Last but not least: a few years ago Microsoft DHCP Server would deactivate automatically if it found any other DHCP server running in the same subnet. So before you start tinkering and testing, consider telling IPFire’s DHCP server to take a nap on the AD subnet.

@pike_it Thank you, I appreciate your reply and I am in no way asking you to design a network on the forum, I am simply trying to understand the ins and outs of this setup. I last did a domain controller setup with SBS, so my knowledge is somewhat rusty. Having said that, I will most certainly look at any and all documentation to assist me in my endeavour.
Thank you again.

Mark,

I can try to answer some of your questions, although I am still a beginner with IPFire and Windows Server.

Out of the box, IPFire uses the Unbound DNS server in forwarding mode.
Microsoft Windows Server uses recursive DNS.

The main differences would be speed and privacy. Unbound will forward DNS requests to an upstream server of your choosing and it will use TLS and DNSSEC, which is more secure but slower than recursive.

Microsoft DNS in recursive mode will contact the root servers and might use DNSSEC, but it will use plain unencrypted DNS.

I think these are the main differences.

Another thing to consider is best practices. Windows Server 2022 has a whole list of best practices, and using the Windows DNS server is one of them. It might make your life easier, or not, although once you become an expert you can probably make it work with Unbound as well.

I guess for starters you could set up the Windows DNS server as the primary authoritative DNS.
Later I would add IPFire Unbound DNS and switch Windows DNS from recursive to forwarding requests to IPFire.
That way you get the benefits of both, with a slight delay, because forwarding DNS queries will add an extra hop or two.

There is an older discussion about this:
https://unbound-users.unbound.narkive.com/njOLIGsS/unbound-vs-ms-resolver

@trish Thank you so much for your reply. I really appreciate your insights and I do kinda understand about recursive vs Unbound, to a degree. I will look into your suggestion once I have re-installed Server 2022, as I made a major mess-up of installing AD the first time round, LOL.

My experience of such dual DNS servers is over a decade old and some of the above discussion indicated that the situation might have changed.

Windows Server is often running on the faster PC and most likely will process a client’s DNS request and return the result before IPFire does. The same applies to DHCP, which Windows Server also implements.

If you want to force clients to apply IPFire procedures, particularly encrypted DNS queries, then it is more important to disable DHCP on Windows Server. It might not then be essential to disable DNS on Windows Server too, although that would be advisable.

A relevant question is where does the packet go?

I have two internal DNS servers in Orange. Enquiries from either Green or Red go to one of them, which is authoritative for the domain. Queries from “Blue” (IoT) flit straight out to internet servers, reaching no DNS inside. Queries from a blocked device under an internal router (in Orange) get their DNS queries for time servers / NTP answered by that router with no further packet progress, and everything else blocked. The edge router today answers nothing itself. It will in a redesign.

So, what do you want answered by what, for reason?

@oscine I am not sure what exactly you are asking by “so, what do you want answered by what, for reason?”
I do not have any other zones except green and red. So all I am essentially asking is whether there will be conflicts or issues if I have a DNS server on Server 2022 as well as a DNS server on IPFire.
At the moment, I am simply busy getting my Server 2022 installation back up to par, as I messed up the last attempt to install AD, so this is a project that I will put on hold until my Server 2022 is configured back the way it was, as it is my web server and mail server.
Thank you all for your replies.

Your IPFire should transfer the Windows domain to the Domain Controller handling the DNS.

Your clients must be able to “ping mydomain.local”.

Greetz

@odongarma Thank you, however, according to MS, mydomain.local is no longer an acceptable best practice. So I cannot and will not be using that. Thanks anyway.

Mark, the short version of my answer to your question about running two DNS servers is: yes.

I sought to explain that the second will do nothing without queries being directed to it, and that you have complete control of where queries are directed, within your network or to somewhere outside.

I hope that clarifies it reassuringly.

I’m not confident that is the case. If each workstation has a static IP address, then, yes, it will direct queries to whatever DNS server it is set to.

OTOH, workstations using DHCP for IP addressing will implement the first IP address offered, plus the DNS server contained within the offer. That might not be the DNS server that the administrator wants used.

Which is the DHCP server and what is the router configuration for DNS queries? These are controllable. All of my workstations use DHCP, some ephemerally rather than returning to ‘the usual thanks’.

Yes, if you want to differentiate within a single IP group then you need source IPs. Having randomly available DHCP servers sounds like something I would tend to avoid.

I have no current use for Windows Server. Any workstations that use DHCP, including a couple of Windows laptops, get their parameters from IPFire.

My comment was directed to OP, who is running Windows Server, as well as IPFire, on the same LAN.

What works well for me on a network with AD is turning off DHCP on IPFire. Windows Server runs DHCP and DNS, with DHCP handing out the DNS of the AD server only. For the AD DNS config, rather than using root hints, set the Forwarder to the IP address of the IPFire firewall. (IPFire DNS can then utilize TLS to whatever external DNS you want.) Ensure that AD DHCP has credentials to populate DNS with DHCP client info so AD can keep track of domain members.
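The layout described in the post above (and earlier in the thread, where Windows DNS is switched from recursion to forwarding at IPFire) can be expressed as a handful of PowerShell commands run on the domain controller. This is an added example, not code from the thread or from IPFire or Microsoft documentation; the addresses 192.168.10.1 (IPFire green interface), 192.168.10.5 (the DC), the scope 192.168.10.0 and the AD domain name ad.example.internal are placeholders I chose for illustration. Disabling the IPFire DHCP server on the green interface is done in the IPFire web interface and is not shown here.

```powershell
# Added example (not from the thread). Assumed placeholder values:
#   192.168.10.1        = IPFire green interface (Unbound forwarding upstream over TLS)
#   192.168.10.5        = Windows Server 2022 domain controller running DNS + DHCP
#   192.168.10.0        = DHCP scope for the AD subnet
#   ad.example.internal = the AD DNS domain
$IPFire    = '192.168.10.1'
$DC        = '192.168.10.5'
$ScopeId   = '192.168.10.0'
$AdDomain  = 'ad.example.internal'

# 1. AD DNS: forward everything it is not authoritative for to IPFire instead of
#    walking the root hints. -UseRootHint $false also stops the server from
#    falling back to plain UDP/53 queries to the root servers when IPFire is
#    slow to answer, which would silently bypass the TLS path.
Set-DnsServerForwarder -IPAddress $IPFire -UseRootHint $false -Timeout 5

# 2. DHCP: hand out only the DC as DNS server, so AD service records
#    (_ldap._tcp..., _kerberos._tcp...) are always answered by the authoritative
#    server. The default gateway stays IPFire.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DC -Router $IPFire -DnsDomain $AdDomain

# 3. Let DHCP register and clean up A/PTR records on behalf of clients, using a
#    dedicated low-privilege account rather than the DHCP service's own identity,
#    and remove the records again when a lease expires.
$cred = Get-Credential -Message 'Account used by DHCP for dynamic DNS updates'
Set-DhcpServerDnsCredential -Credential $cred
Set-DhcpServerv4DnsSetting -DynamicUpdates Always -DeleteDnsRROnLeaseExpiry $true

# 4. Checks. The forwarder list should show only IPFire with root hints off;
#    an AD SRV record must resolve directly from the DC; an external name asked
#    of the DC must come back with an answer (proving the DC -> IPFire chain),
#    not SERVFAIL.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -Server $DC
Resolve-DnsName -Name 'www.example.com' -Server $DC
```

With this in place, every client query goes to the DC first; the DC answers for the AD zone itself and relays everything else to IPFire, which applies its own TLS forwarding and DNSSEC settings. The two servers therefore do not compete for the same queries, which is the conflict the original question was asking about.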