HA config - backup node not resolving BIND domains
Hi everyone.
We're having a problem with DNS resolution when the backup firewall in a HA cluster takes over.
We're running two nodes on pfSense 2.7.2 and have installed the BIND DNS server package (version 9.17). We have configured multiple CARP VIPs on the WAN side and multiple VLAN CARP VIPs. On the DNS Resolver we have added several Domain Overrides for internal domains pointing to one of the VLAN VIPs (for example, domain: myinternaldomain.com, lookup server IP address: 192.168.200.1@5353). The BIND DNS server is listening on all interfaces on port 5353. We have enabled DNS Query Forwarding to Google DNS. The System Domain Local Zone Type is set to Transparent.
When we shut down the primary firewall or enter Persistent CARP Maintenance mode, the backup firewall takes over existing states but DNS resolution to the override domains does not work.
In the BIND DNS server service, we have configured an ACL comprising all RFC1918 subnets, and created a view 'Trusted-View' that uses the ACL for 'match-clients' and 'allow-recursion'. For each zone we have created in BIND, we have used the View and enabled 'allow-query', 'allow-update' and 'allow-transfer' using the previously created ACL. We have also enabled syncing of BIND configuration changes to the backup firewall.
We have interface firewall rules allowing TCP/UDP access to ports 53 and 5353 from all RFC1918 subnets, but when we run a 'dig @192.168.200.1 host.myinternaldomain.com' command from the backup firewall the command times out, even though the firewall log on the primary firewall logs the DNS request and allows it.
What could be the cause of this behaviour? We have reviewed similar posts in the forum where DNS resolution failed after HA failover but haven't found anything similar to the problem we're facing.
We're hoping someone here can point us in the right direction.
Cheers,
LookHearThere.
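For the failover scenario in the post, the backup node can only answer a Domain Override query on the VLAN VIP if two things hold at once: the node is CARP MASTER for that VIP, and the local named has a socket covering the VIP on port 5353 (either the wildcard address or the VIP itself). The following script is an added example, not the poster's code or part of pfSense or the BIND package; it parses `ifconfig` and `sockstat -4l` text in the FreeBSD format pfSense uses and separates "the peer still holds the VIP" from "the VIP is here but named is not bound to it". The interface name, node address, vhid and sockstat lines are constructed samples, and on a real node you would feed it subprocess output instead.

```python
"""Check whether this pfSense/FreeBSD node can serve BIND on a CARP VIP.

Added example: parses `ifconfig` and `sockstat -4l` text so it runs offline on
the constructed samples below; replace them with real command output on a node.
"""
import re

VIP = "192.168.200.1"   # the VLAN VIP named in the Domain Override
PORT = 5353             # port the BIND package listens on

# Constructed `ifconfig` sample for the backup node after it has taken the VIP.
# Interface name, node address and vhid are assumptions, not from the post.
IFCONFIG_MASTER = """\
vlan200: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.200.3 netmask 0xffffff00 broadcast 192.168.200.255
\tinet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255 vhid 200
\tcarp: MASTER vhid 200 advbase 1 advskew 100
"""
# Same node while the primary still holds the VIP.
IFCONFIG_BACKUP = IFCONFIG_MASTER.replace("carp: MASTER", "carp: BACKUP")

# Constructed `sockstat -4l` samples: named on the wildcard address versus
# named bound only to the node's own interface address (VIP not covered).
SOCKSTAT_WILDCARD = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      2201  21 udp4   *:5353                *:*
bind     named      2201  22 tcp4   *:5353                *:*
unbound  unbound    1907  3  udp4   *:53                  *:*
"""
SOCKSTAT_SPECIFIC = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      2201  21 udp4   192.168.200.3:5353    *:*
bind     named      2201  22 tcp4   192.168.200.3:5353    *:*
unbound  unbound    1907  3  udp4   *:53                  *:*
"""


def carp_state(ifconfig_output, vip):
    """CARP state (MASTER/BACKUP/INIT) of the vhid carrying `vip`, or None if absent."""
    m = re.search(rf"^\s*inet {re.escape(vip)} .*\bvhid (\d+)", ifconfig_output, re.M)
    if not m:
        return None
    s = re.search(rf"^\s*carp: (\w+) vhid {m.group(1)}\b", ifconfig_output, re.M)
    return s.group(1) if s else None


def named_listeners(sockstat_output, port):
    """Local addresses ('*' = wildcard) on which a `named` process listens on `port`."""
    addrs = set()
    for line in sockstat_output.splitlines()[1:]:   # skip the header line
        fields = line.split()
        if len(fields) < 6 or fields[1] != "named":
            continue
        addr, _, p = fields[5].rpartition(":")
        if p == str(port):
            addrs.add(addr)
    return addrs


def diagnose(ifconfig_output, sockstat_output, vip=VIP, port=PORT):
    """Return the reasons this node cannot serve BIND on vip:port (empty list = OK)."""
    findings = []
    state = carp_state(ifconfig_output, vip)
    if state != "MASTER":
        findings.append(f"CARP state for {vip} is {state or 'absent'}: "
                        f"the peer, not this node, answers queries to the VIP")
    listeners = named_listeners(sockstat_output, port)
    if "*" not in listeners and vip not in listeners:
        findings.append(f"named listens on {sorted(listeners) or 'nothing'} "
                        f"port {port}, which does not cover {vip}")
    return findings


if __name__ == "__main__":
    cases = [("takeover, wildcard listener", IFCONFIG_MASTER, SOCKSTAT_WILDCARD),
             ("takeover, per-address listener", IFCONFIG_MASTER, SOCKSTAT_SPECIFIC),
             ("primary still master", IFCONFIG_BACKUP, SOCKSTAT_WILDCARD)]
    for name, ifc, sock in cases:
        print(f"{name}: {diagnose(ifc, sock) or ['ok']}")
```

A firewall log entry on the primary for a query sent to the VIP means the first check is the one to look at: the packet is still reaching the peer. If the VIP is present locally but the second check fails, remember that named binds to individual interface addresses and only re-scans them periodically (the `interface-interval` option) or on `rndc reconfig`, so a VIP that arrives after named started is not necessarily covered until a re-scan.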