Secondary DHCP/DNS server


epicurean

Active Member
Sep 29, 2014
I need to have a secondary DHCP/DNS server aside from my pfsense (standalone) router that is serving as a router as well, for a small network of 3 esxi servers.
What would be the recommended practice, and how do I set it such that the secondary kicks in when my pfsense goes down for whatever reason?
 

Rand__

Well-Known Member
Mar 6, 2014
Secondary DNS should be simple enough but having two DHCP servers (especially serving the same range) is a no-go.
Therefore it might be easier if you can do an active/passive or active/active pfsense pair (not sure what it offers)
 

Stril

Member
Sep 26, 2017
Hi!

If you are using VMs, you can easily set up a pair of DHCP servers. Linux DHCPd can do this with the config key "failover peer". Windows DHCP can do this, too.
 

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
I assume you're using pfsense's inbuilt dnsmasq to perform DHCP and DNS duties? I don't think dnsmasq supports anything resembling HA or failover, so bear in mind that what follows will be vastly more complicated than that.

Yeah, ISC dhcpd supports failover natively. I don't run it myself (and it's been years since I did it at work) but there's a (perhaps slightly outdated) tutorial on this here that's quite nice and easy to follow.

On a similar note, it's quite common to provide HA (but not failover) by having two DHCP servers, each serving half of the network segment. For instance, if you've got a network 10.11.12.0/23, dhcpdA might be configured to dish out addresses 10.11.12.1-255 and dhcpdB might be configured to dish out addresses 10.11.13.0-254 - that way even if one of your DHCP servers goes down you should still have half of your range accessible - but this sort of setup plays merry hell with things like static DHCP reservations, so it's really only useful for large ad-hoc networks where static configs won't be needed.

bind/dhcpd doesn't really have the same sort of thing because DNS is meant to be redundant by default - you should be able to configure two identical SOAs that should both be able to function independently of one another. Just set up two name servers that are authoritative for examplezone.local or whatever and both should be able to function - but this can make things like DDNS via DHCP problematic as well since you'd now need to be updating two zones rather than one.

I'm cheating in this regard and using Samba with a bind DLZ; the DNS configuration is actually stored on all my domain controllers (which handle the multi-master replication) and that's presented through bind via the DLZ.

Going back to basics, it might be possible to keep using pfsense dnsmasq as your primary and script something to pull info out of the dnsmasq config and copy it to another dnsmasq instance elsewhere... and a quick bit o' google-fu turned up a project that already aims to try doing this...
GitHub - spops/dnsmasq-ha: dnsmasq failover (keepalived)
GitHub - jiasir/dnsmasq-ha: dnsmasq failover (keepalived)
...albeit looking like some seriously horrible wrangling with apt commands, essentially installing/uninstalling to achieve fake HA. Yeuch!
 
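An ISC dhcpd failover-peer configuration of the kind Stril and EffrafaxOfWug describe, added here as an example (it is not from the thread or the linked tutorial); the peer name, hostnames, addresses, MAC and lease times are assumed placeholders, and the /23 from EffrafaxOfWug's post is reused for the subnet:

```conf
# /etc/dhcp/dhcpd.conf on the PRIMARY (assumed: 10.11.12.2).
# The SECONDARY uses the same file with "primary;" changed to "secondary;",
# the two address lines swapped, and the mclt/split lines removed
# (those two are primary-only directives).
authoritative;

failover peer "dhcp-failover" {          # assumed peer name, must match on both
    primary;                             # this host's role in the pair
    address 10.11.12.2;                  # our failover endpoint (assumed)
    port 647;
    peer address 10.11.12.3;             # the secondary's endpoint (assumed)
    peer port 647;
    max-response-delay 60;               # seconds of silence before the peer is presumed down
    max-unacked-updates 10;              # BNDUPD messages allowed in flight without a BNDACK
    mclt 3600;                           # maximum client lead time (primary only)
    split 128;                           # client hash split: 128/256, each server owns half
    load balance max seconds 3;          # after 3 s a server may answer for its peer
}

# Static reservations keep working because both servers carry identical host blocks;
# this avoids the split-range problem with reservations mentioned above.
host esxi1 {
    hardware ethernet 00:11:22:33:44:55; # constructed MAC
    fixed-address 10.11.12.10;
}

subnet 10.11.12.0 netmask 255.255.254.0 {
    option routers 10.11.12.1;                       # pfSense
    option domain-name-servers 10.11.12.1, 10.11.12.3;
    default-lease-time 3600;
    max-lease-time 7200;
    pool {
        failover peer "dhcp-failover";   # leases in this pool are synchronised with the peer
        deny dynamic bootp clients;      # BOOTP clients cannot be served from a failover pool
        range 10.11.12.100 10.11.13.200;
    }
}
```

Both peers need clocks in sync and TCP port 647 reachable between them, or the pair will never leave the communications-interrupted state.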

PigLover

Moderator
Jan 26, 2011
pfSense "default" DNS is not dnsmasq - but it is also not a full DNS server. It is a "caching DNS resolver" based on Unbound.

Unfortunately, Unbound does not really support a "secondary" resolver very easily. If you are just using it as a caching resolver then you can run a second one elsewhere on your network, but I will assume that you have installed a number of local DNS entries (either host overrides or domain overrides) and you want the entries registered by DHCP. There is no simple way to replicate this automatically with Unbound.

If you really want a secondary DNS and you don't want to do a full secondary pfSense replica then your best option would probably be to disable the Unbound resolver, install the full DNS package "bind" instead, set up a second Bind server on a VM and then set up replication between them.

Doing all of this takes a bit of planning. It is really not for the faint of heart to attempt...
 

Aestr

Well-Known Member
Oct 22, 2014
I previously used pfSense CARP failover and it handled DHCP and DNS just fine. If the built-in DNS resolving is working for you with a single box the failover should work just fine. I know you said you don't need firewall failover, but if you have a spare port on one of your vsphere servers it can be nice to have full HA support for pfSense. It makes patching painless.