Conditional DNS on UniFi’s UDM-Pro

A quick How To for getting conditional DNS forwarding working on the UDM-PRO hardware. Before this upgrade I ran a CloudKey Gen 2 controller and a USG-PRO-4 for routing – this allowed me to deploy custom configuration via the config.gateway.json to insert extra options to the running config.

The options I needed were to force the DNS server on the gateway to check against my Active Directory DNS for those entries that arrive with the correct suffix – ad.durdle.com. This allows the lookup of clients from the UniFi’s DHCP lease table as well as AD DNS entries.

The UDM-PRO is a completely different beast from the old controller and gateway, running an entirely different OS. It doesn’t support custom configuration via config.gateway.json. So what’s a geek to do?

Enter UDM-Utilities from boostchicken, described as:

A collection of things to enhance the capabilities of your Unifi Dream Machine or Dream Machine Pro.

We’ll just be using one of them: on-boot-script. This enables init.d-style scripts to run on every boot of the UDM. We can then write a script that injects some dnsmasq configuration at boot time.

You will need:

Once that’s all set, you can write a start-up script to inject the dnsmasq options you need:

  • SSH into the UDM Pro as root@<your device IP>, using the SSH password you set in the UniFi GUI.
  • Change to the boot script directory with cd /mnt/data/on_boot.d
  • Using vi or any other editor you may have installed, create a new file to run on boot. I called mine dns_conditional.sh:
#!/bin/sh
# Write a dnsmasq fragment that forwards queries for the AD domain (and its
# _msdcs sub-zone, which holds the domain controller locator records) to the
# AD DNS server. The quoted "EOF" keeps the heredoc literal, so nothing inside
# it is expanded by the shell.
cat > /run/dnsmasq.conf.d/conditional_dns.conf <<- "EOF"
# Created by a UDM-Utilities run script
server=/ad.durdle.com/192.168.1.201
server=/_msdcs.ad.durdle.com/192.168.1.201
EOF

# Restart dnsmasq so it sees the new conf file
kill -9 "$(cat /run/dnsmasq.pid)"
# Thanks Andreas Luebbers for the updated kill command.
# Old kill command: pkill dnsmasq

NB: Change my entries to the right values for your domain and DNS server!

  • Save that file then make it executable: chmod +x dns_conditional.sh
  • Test it: ./dns_conditional.sh
  • Check for your new config in the /run/dnsmasq.conf.d/ directory.
  • Check the content with:
    cat /run/dnsmasq.conf.d/conditional_dns.conf
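As an added example (not part of the original post or of UDM-Utilities), here is a parameterised version of the same boot script that validates the domain and server address before writing the dnsmasq fragment, then re-reads the file to confirm it landed intact. A typo in either value fails loudly at install time instead of silently breaking name resolution on the next reboot. The paths are the ones from the post; ad.example.com and 192.168.1.201 are constructed placeholders, and the AD_DOMAIN / AD_DNS / CONF_DIR variables are this example's own.

```shell
#!/bin/sh
# Added example: validated, parameterised variant of the post's dns_conditional.sh.
# Assumes the UDM-Utilities on_boot.d layout and the /run/dnsmasq.conf.d path
# described in the post. Domain and server below are constructed placeholders.
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"
AD_DNS="${AD_DNS:-192.168.1.201}"
CONF_DIR="${CONF_DIR:-/run/dnsmasq.conf.d}"
CONF_FILE="$CONF_DIR/conditional_dns.conf"

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept only a dotted name built from letter/digit/hyphen labels, so shell
# metacharacters or stray whitespace can never reach the dnsmasq file.
valid_domain() {
    echo "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Emit the dnsmasq lines for the domain and its _msdcs zone, as in the post.
build_conf() {
    domain=$1
    server=$2
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    valid_ipv4 "$server" || { echo "bad server: $server" >&2; return 1; }
    printf '%s\n' \
        "# Created by a UDM-Utilities run script" \
        "server=/$domain/$server" \
        "server=/_msdcs.$domain/$server"
}

# Write the fragment, then read it back and compare, so the boot log shows a
# non-zero exit if the file did not end up with the expected content.
install_conf() {
    content=$(build_conf "$1" "$2") || return 1
    mkdir -p "$CONF_DIR"
    printf '%s\n' "$content" > "$CONF_FILE"
    [ "$(cat "$CONF_FILE")" = "$content" ]
}

# When run as the boot script itself, install the fragment and restart dnsmasq
# the same way the post's script does.
if [ "${0##*/}" = "dns_conditional.sh" ]; then
    install_conf "$AD_DOMAIN" "$AD_DNS" || exit 1
    kill -9 "$(cat /run/dnsmasq.pid)"
fi
```

Save it as /mnt/data/on_boot.d/dns_conditional.sh and run it by hand once, as in the steps above, before relying on it at boot; set AD_DOMAIN and AD_DNS in the environment or edit the defaults at the top.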

Now restart the UDM and repeat the checks that the file is there and has the correct content.

All being well, you can configure the DHCP server on the UDM to hand out the UDM itself as the DNS server for its DHCP clients. Their lookups will then be answered from the UDM lease table or forwarded to the ISP DNS, or, if the suffix matches one of the configured domains, forwarded to your local Active Directory DNS server.

Huge thanks to boostchicken and the residents of /r/ubiquiti!

UPDATE 11/Jan/2021:

Thanks to Andreas Luebbers for noting that since the 1.8.5 update the line that kills dnsmasq needed to change.
