Ansible make static dns record in Microsoft DNS

If you have a heterogenous datacenter with GNU/Linux and Microsoft servers, you might run into this problem.

When you want to create dynamic dns records programmatically, you can use the nsupdate module. It doesn’t work with gsstsig auth which is the only way the AD DNS works for “secure updates” so I previously wrote a wrapper for doing so. However, when you want to create static records, it’s a little bit harder. With the help of my Windows teammates, I now have a working solution for making static records in AD DNS, complete with the reverse PTR records.


  • A Windows Server 2016 client with RSAT with DNS installed. Apparently regular RSAT isn’t enough. I don’t know what’s involved in installing the right components, so if anybody could share your notes for how that works, comment at the end here.
  • Winrm with kerberos auth enabled

The tricky part here was learning how to elevate privileges once getting to the Windows client.


- name: playbook that creates static DNS static records, both A and PTR, through the windows utility box
  hosts: localhost
  - /etc/ansible/creds/windows_service_account.yml


  - add_host:
      group: rsat
      name: ""
      ansible_connection: winrm
      ansible_winrm_server_cert_validation: ignore
      ansible_user: "{{ win_ansible_user }}"
      ansible_ssh_pass: "{{ win_ansible_ssh_pass }}"
      ansible_port: "5986"
      ansible_win_rm_scheme: https
      ansible_winrm_transport: kerberos
    changed_when: false
    no_log: true

  - set_fact:
      ansible_winrm_server_cert_validation: ignore

  - name: make static a and ptr records, ad
    win_shell: Add-DnsServerResourceRecord -ComputerName -ZoneName -A -Name newhost1 -IPv4Address -CreatePtr
    become: yes
    become_method: runas
    become_user: "{{ win_ansible_user }}"
      ansible_winrm_transport: kerberos



  1. How to make ansible connect to windows host behind linux jump server – ExceptionsHub
  2. Add-DnsServerResourceRecord []
  3. Understanding Privilege Escalation — Ansible Documentation

Disabling firefox detect captive portal


While working on a dns server on my virtual network, I was tailing the named logs in journald, and I saw a request go through:

I thought to myself, “What is that?” I ddged it and found that was a function in firefox that tries to detect if it’s in a captive portal, like at a hotel or other public wifi where you must agree to something before you can access the World Wide Web.
I realize that it is probably fine for firefox to do this, but it’s not necessary. I don’t want my browser doing anything of the sort. I will tell what and when to visit web URLs.

Disabling firefox detect captive portal

In firefox, visit about:config and search for captive.
You can change the values. The easiest one to change is the network.captive-portal-service.enabled. You can change this boolean value to false by double-clicking it.