I have a simple network and lab setup and I really do not want to make it too complicated. DNS is controlled by a Ubiquiti USG; The same a the default gateway. Classic set up so far.
When running a homelab I need to have some form of DNS server I can control and add DNS records to. The USG does to day not support that role, hopefully in the future it will, but for now I need another solution.
As I would like my lab to mimic a enterprise setup I need Active Directory for authentication. So it makes perfect sense to also use this windows server as a DNS server for my lab.
Now I just need one thing – My USG DNS server and the windows DNS server to play nice together. This is called Conditional forwarding and can with some hack be set up quite easily.
The idea is that for my homelab domain – Lab.MichaelRyom.dk – the windows DNS server holds the DNS records and is therefore the DNS authority for this domain and for ever thing else the USG is the authority .
So just like when you tell your USG/router to use Cloudflare’s DNS (18.104.22.168 and 22.214.171.124) server to resolve everything on the internet for you. You need to tell your USG that for the Lab.MichaelRyom.dk domain the windows DNS server is to be used. Note that I am using a public domain here – MichaelRyom.dk – This is no issue as it is only the subdomain Lab which will be handled by the windows DNS server, everything else will work just as it use to do.
Setting up conditional forwarding
The Unifi interface does not support conditional forwarding. So we need to do this via SSH to the Cloudkey or mgmt server your are using. I am using a Cloudkey. On the Cloudkey we create a config file, which we will use force provisioning to set into action and after a reboot of the USG we should be up and running.
First SSH into the Cloudkey.
Next type: vi /srv/unifi/data/sites/default/config.gateway.json – Note that if you have multiple sites or your site name is not default. Change it so it fits your use case.
If you are using Ubuntu the path should be /usr/lib/unifi/data/sites/[site name/default]/
Below is an example of this json I am using to get the conditional forwarding to work.
Note that all you need to change is the domain, in my case lab.michaelryom.dk and what dns server to forward requests to, here 192.168.2.84.
Now hit enter and unless you have created this file in the past for some other reason. This file should be empty. Now just copy the modified version of the json config in to the ssh session.
It is very important that the json is valid, if not you may get your self into problems, when rebooting the USG, it can be stuck in a loop. To check if the json is valid use https://jsonformatter.curiousconcept.com
Now hit “esc” and type “:wq” and hit enter to save the config file.
Validation and testing
Now you should have a working config, but just to make sure. You should validate the config is in working condition.
Run this command to check python -m json.tool /srv/unifi/data/sites/default/config.gateway.json
The output should be the content unless there is an error in the config.gateway.json file.
With everything working it is now time to do a force provisioning on the USG.
Log into the Unifi webinterface and go to Devices click on the USG. Click Config > Manage Device and under Force provision click on provision
After the device as been provisioned, you need to reboot the USG. Just click on restart in the interface. It should go without saying, but you will lose internet access while it is rebooting.
That is it. Now I am able to do nslookup or ping FQDN servers running in my lab.
ps. every time I reboot my USG it comes up without the WAN interface working, so I need to do an extra reboot. I been meaning to have a chat with support about this, but just has not come around to that yet. If you face the problem, just reboot.