Untangle DNS (again)

Mike McCall

Location: Silverton, Oregon
Working with a tech at a local church and got them set up with Untangle on their flat LAN. Everything seemed to be functioning properly until he tried to push out group policy updates. This is what he gets:

DNS.jpg
Perhaps @Sky-Knight can confirm my suspicion that DNS on Untangle is (once again) misconfigured. He has an AD server on the network and I suspect he's trying to use that for DNS. Given my previous experience with DNS on Untangle perhaps it's misconfigured.
 
I have no idea, but it would be a great place to start. If AD is involved, the IP configuration of the clients should be using the AD supporting DNS service and not Untangle. The DNS service should be configured to forward to Untangle, or whatever DNS filtration service they use. Untangle should be configured to use ISP DNS or some other public DNS, and use the DNS tab's domain functionality to direct AD domain queries back to the AD server. Untangle can be the 2nd or 3rd DNS server on the client, but the first one needs to be the AD integrated service.

But... is that all? The DC should be using itself for DNS and nothing else... and after that's verified someone should run ipconfig /registerdns on it to ensure that the msdcs subdomain zone is actually present and populated. I've got a 2012 R2 server out there right now that randomly nukes that zone... run the command and POOF online... for another 6 - 8 months and splat again for no reason.

But AD certainly lives and dies on DNS, and if it's wrong all sorts of things break. So yes, in these circumstances I'd audit the entire DNS resolution stack. But the problem isn't really Untangle, not unless the admin was silly enough to let Untangle do DHCP and DNS on an AD network... that's dumb for a ton of reasons.
 
Thanks. It's been a while since I've played with AD, but there's an MSC2 entry in Untangle>Config>DNS, so shouldn't everything point there for DNS? Wait...if the Untangle interfaces don't point back to the DC for DNS would that cause this?
 
For AD to work then the AD Server has to point to itself for DNS and all AD clients must point to it SOLELY to work. Untangle is a gateway device and shouldn't be doing any internal DNS. Not at all familiar with Untangle, but if it's a 2 NIC setup then I assume the internal facing NIC would have the address of the DNS (AD) Server for lookups.
 
If Untangle is say...with a LAN(gateway) IP of 192.168.10.1
And their domain controller is...say...192.168.10.11

Clients/workstations should be using 192.168.10.11 as their primary DNS (as should the server itself...or 127.0.0.1 for the server..which is still..itself). Nothing else...unless there is a secondary domain controller. The server should be doing DHCP.

Now...there are ways to make Untangle aware of an internal active directory. And that can help when you build wide area networks with multiple Untangle appliances at various different locations doing site to site VPN tunnels to connect all sites. You can populate Untangle's DNS with things, if done properly. But let's keep it simple and not get into that.
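An added example, not from the thread or from Untangle, that turns the checks in the two posts above into a script: clients (and the DC itself) must use the DC as primary DNS, and the _msdcs zone must actually hold DC SRV records (the thing `ipconfig /registerdns` repopulates). It assumes the constructed addresses from the post above (DC at 192.168.10.11, Untangle at 192.168.10.1) and a domain-joined Windows host with the built-in DnsClient cmdlets.

```powershell
# Added example (not from the thread): audit the AD DNS resolution stack.
# Constructed values taken from the example above; change for a real network.
$ExpectedDc = '192.168.10.11'        # the DC running AD-integrated DNS
$Gateway    = '192.168.10.1'         # Untangle's LAN address
$Domain     = $env:USERDNSDOMAIN     # assumes a domain-joined host

# 1. Every adapter's FIRST DNS server must be the DC (127.0.0.1 is fine on the DC itself).
#    Untangle may appear as 2nd/3rd, never first.
$bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Where-Object { $_.ServerAddresses[0] -notin @($ExpectedDc, '127.0.0.1') }
if ($bad) {
    foreach ($nic in $bad) {
        Write-Warning ("{0}: primary DNS is {1}, expected {2}" -f
            $nic.InterfaceAlias, $nic.ServerAddresses[0], $ExpectedDc)
    }
} else {
    Write-Host "Client DNS order OK: $ExpectedDc is primary on all adapters"
}

# 2. Domain members locate a DC through SRV records in the _msdcs subdomain.
#    If this query returns nothing, the zone is missing or empty, which is the
#    failure the posts fix with 'ipconfig /registerdns' on the DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
    -Server $ExpectedDc -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV records under _msdcs.$Domain on $ExpectedDc; run 'ipconfig /registerdns' on the DC and re-check"
} else {
    $srv | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object {
        Write-Host ("DC SRV: {0} -> {1}:{2}" -f $_.Name, $_.NameTarget, $_.Port)
    }
}

# 3. Optional: does the gateway hand the AD domain back to the DC?
#    This only matters for readable names in Untangle's reports.
$soa = Resolve-DnsName -Name $Domain -Type SOA -Server $Gateway -ErrorAction SilentlyContinue
if ($soa) { Write-Host "Gateway resolves $Domain (forwarding to AD DNS is in place)" }
else      { Write-Host "Gateway does not resolve $Domain; AD itself is unaffected" }
```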
 
Why? It's trivial...

Untangle uses whatever DNS servers are configured on its WAN interfaces for its own resolution, and to power its own resolver for clients. All non-wan interface IPs have DNS available on them.

You can use Untangle as the 2nd or 3rd DNS server on the AD client, to allow AD clients browsing when the DC is offline. But, there is logic in leaving all that out because if the DC is dead, you have larger problems. Because you need to understand and deploy the next bit I'm talking about here or you will run into trouble.

The key here is you never want to override Untangle's DNS via an interface edit of any kind, to aim at the domain's supporting DNS, that causes a dependency loop that will make your hair fall out. But if you want Untangle's reports to be easy to read, it needs to be able to resolve AD DNS names, which is why you use config -> networking -> DNS tab, DNS Server section. But, yes this is optional as for a small network the only benefit it provides is names on the reports. There are two records to put in there, one for the forward lookup zone, and one for the reverse.

But for now isolate all the variables as much as possible to get AD healthy. That means DHCP and DNS services on the DC itself, configured to perform those roles for the network. If Untangle has two interfaces, and DHCP is enabled on the Internal... in this case that's a huge alarm bell everything has gone wrong.

Untangle doesn't configure DNS on its NICs... so that logic doesn't fit either. Just know that non-WAN interfaces with static IP addresses have DNS running on those IP addresses. Untangle services requests with the DNS servers it's configured with on its WAN interfaces in general. And you NEVER want one of those WAN interfaces to have an AD DNS server in it... that's bad.
 
Not my network so I'm relaying info back & forth.

Ok, in this case, Untangle replaced an Edgerouter on a flat LAN with single WAN/LAN interfaces. He just sent me this:

Static DNS.jpg

He also commented:

"each of those two domain servers are my redundant servers"

I need to find out what he means by that as even my alarms are going off!
 
@Mike McCall Ok... those are just wrong...

The static DNS Entries? Those are supposed to be FQDNs on the left, so those are doing jack... they'll simply resolve literally the strings "OpenDNS" and "OPENDNBU" to the address on the right side. Which isn't what he thinks it does... and basically these entries aren't doing anything.

The domain DNS is also flat wrong, because that's DOMAIN not "server", seriously... whoever you're working with apparently has zero reading comprehension ability. That's supposed to be the DNS domain you want to be handed, and an IP to handle it. If you want more than 1 IP address for a specific domain, you make multiple entries. So these aren't working either, but they aren't hurting anything because there are no top level domains by those names.

This configuration is in a word... FUBAR. And your alarms are going off for good reason, because whoever set this up is so far off the reservation you're likely heading into a quagmire. Having that level of skill involved with an active directory environment at all?!?

Well let's just say those are the places where I require the customer to let me nuke it all from orbit and start over, because it's all that wrong. If I can't start from a known good situation, I might be mucking with them for YEARS before it works correctly.
 
Copied from another medium:

Me:
You're running Active Directory on a Domain Controller, right?
Also, what do you mean when you say, "each of those two domain servers are your redundant servers"? Do you mean Domain controllers or what? I thought all your server was used for is an older accounting package.
Him:
Yes- active directory on a domain controller. It hosts DNS (because it has to for active directory), print serving, group policies, one accounting app. But currently the physical server is starting to fail out (drive failure within a RAID). So I've got a virtual machine with Server 2012 R2 that is another within the same forest and replicating off the first till I can get this resolved and take the first one offline. Just can't do that till the DNS is solid.

As weak as I am in this, he has even less experience with network stuff. It looks to me as though everything he's done so far has only made things worse. Just to complicate this a bit more, this is for the church I attend, so I'm trying to help the guy out. He freely admits he's in over his head when it comes to networking. As is often the case, he inherited a far worse situation when he came on board a few years ago. Good guy, just trying to do more than he knows with no budget to work with. Old story.

His answer to my question left me with even more questions. I mean, adding a VM server replicating a physical server gives me the shivers.
 
Well, if DNS is configured correctly, and AD is functioning properly all you do is join a new server to the domain, and make it a DC.

It replicates AD off in a few minutes typically, you make it a global catalog, and you transfer all the FSMO roles. Once that's done you demote the old one... and all of AD is now running somewhere else. This would include AD supporting DNS, and DHCP potentially. But each service needs to be migrated one at a time.

And this is not something you want to just wing... If he's got a new platform that's capable of running VMs... well the easy answer is to P2V the entire DC from the breaking platform as a VM on the new one. Once that VM is online on the new server, the old server is powered down, and thrown away. The "working" environment is now on hardware that isn't dying in a fire so you have more time to work through the rest.

If that 2nd server is Hyper-V based, the tool you want is https://docs.microsoft.com/en-us/sysinternals/downloads/disk2vhd
If that 2nd server is vSphere based, the tool you want is https://www.vmware.com/products/converter.html

But I'm not sure how we're supposed to help here, because this is professional level stuff. You either know it, or you don't.

But it sounds to me like yet another Church that failed to migrate into 365 properly, and get the heck off that DC entirely. If they aren't going to invest, they need to divest. You can't have it both ways, but Microsoft gives it away to these places so they have software well beyond their ken to use, and because it cost them a pittance they don't put any value on it at all. (E3 is $4 / month / user for them for crying out loud)

What you're describing is at least 8 hours of work for me to sort out. The process would actually potentially take days.
 
The Untangle DNS settings are configured in the Interfaces tab. Edit the external interface to do what he was attempting in the Static DNS Entries area.
 