Netgate Discussion Forum

    HA config - backup node not resolving BIND domains

    Category: DHCP and DNS
    LookHearThere:

      Hi everyone.

      We're having a problem with DNS resolution when the backup firewall in an HA cluster takes over.

      We're running two nodes on pfSense 2.7.2 and have installed the BIND DNS server package (version 9.17). We have configured multiple CARP VIPs on the WAN side and multiple VLAN CARP VIPs. On the DNS Resolver we have added several Domain Overrides for internal domains pointing to one of the VLAN VIPs (for example, domain: myinternaldomain.com, lookup server IP address: 192.168.200.1@5353). The BIND DNS server is listening on all interfaces on port 5353. We have enabled DNS Query Forwarding to Google DNS. The System Domain Local Zone Type is set to Transparent.

      When we shut down the primary firewall or enter Persistent CARP Maintenance mode, the backup firewall takes over existing states but DNS resolution to the override domains does not work.

      In the BIND DNS server service, we have configured an ACL comprising all RFC1918 subnets, and created a view 'Trusted-View' that uses the ACL for 'match-clients' and 'allow-recursion.' For each zone we have created in BIND, we have used the View and enabled 'allow-query', 'allow-update' and 'allow-transfer' using the previously created ACL. We have also enabled syncing of BIND configuration changes to the backup firewall.

      We have interface firewall rules allowing TCP/UDP access to ports 53 and 5353 from all RFC1918 subnets, but when we run a 'dig @192.168.200.1 host.myinternaldomain.com' command from the backup firewall the command times out, even though the firewall log on the primary firewall logs the DNS request and allows it.

      What could be the cause of this behaviour? We have reviewed similar posts in the forum where DNS resolution failed after HA failover but haven't found anything similar to the problem we're facing.

      We're hoping someone here can point us in the right direction.

      Cheers,

      LookHearThere.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.