BIND forwarding is not working
-
I certainly do NOT have time to watch videos. All I can say it's critical to set up views properly when configuring this (you can also use the fine search box here to get the same experience from others).
Other than that, it just works.
well, you asked for pictures, so here they are
 -
So you tick forwarding and wonder why recursion is not working?!?! Did you read the description under that option?!!?!? That ain't Bind on pfSense refusing to do the recursion. Debug the 192.168.x.x you entered there (or untick the checkbox!).
-
So you tick forwarding and wonder why recursion is not working?!?! Did you read the description under that option?!!?!? That ain't Bind on pfSense refusing to do the recursion. Debug the 192.168.x.x you entered there (or untick the checkbox!).
64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers
-
64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers
Dude. May I suggest to read the fine description of the forwarding checkbox once again? Bind will NOT perform any recursion when set up as forwarder. Period.
-
64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers
Dude. May I suggest to read the fine description of the forwarding checkbox once again? Bind will NOT perform any recursion when set up as forwarder. Period.
You are absolutely right. It seems that we have a misunderstanding. I really meant forwarding when I was speaking about recursion… my bad
Now, concerning my setup:
BIND should serve lan1 zone and FORWARD all other requests to our upper dns servers (192.168.64.1;192.168.64.2;)
But it doesn't work >:( -
And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?
-
And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?
All these dns servers are working. As I said before, BIND works well, until I add any zone, check pictures I posted
and even if I delete all zones, it still doesn't work ;(
BUT if I disable BIND and turn on built-in dns forwarder - everything begins to work instantlyI did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
Disabled pfSenses build-in dns resolver & forwarder.
General setup -> dns servers -> 127.0.0.1
BIND -> enable forwarding - checked
forwarder IPs -> 192.168.64.1;192.168.64.2;
WORKING FLAWLESSLYBut when I created a test zone (straight & reverse) then BIND immediately STOPS to forward dns requests to upstream servers with aforementioned error in logs.
-
Good luck. You need to answer the questions asked and perform some logical troubleshooting, instead of repeating over and over and over and over and over again how bind does not work. Waste of time. You have already told us zillion times that it doesn't work, that's absolutely USELESS "information". ::)
-
Good luck. You need to answer the questions asked and perform some logical troubleshooting, instead of repeating over and over and over and over and over again how bind does not work. Waste of time. You have already told us zillion times that it doesn't work, that's absolutely USELESS "information". ::)
I gave you all information I have, what else you want?!
I even made you a video but you declined to view it!!! -
Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?
^^^ Perhaps you could start reading… and perform some common sense troubleshooting, we don't give a damn about repeating how much it doesn't work.
-
^^^ Perhaps you could start reading… and perform some common sense troubleshooting, we don't give a damn about repeating how much it doesn't work.
Perhaps YOU should START READING MY POSTS before posting such pearls lol
And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?
WHERE DID YOU GET THAT MY DNS SERVERS ARE NOT ACCEPTING DNS QUERIES!?
did you ever looked at the pictures I posted earlier?! or you @doktornotor:I certainly do NOT have time to watch
them but have so much time to post useless answers instead?
I said you many times before -
All these dns servers are working. As I said before, BIND works well, until I add any zone, check pictures I posted
and even if I delete all zones, it still doesn't work ;(
BUT if I disable BIND and turn on built-in dns forwarder - everything begins to work instantlyI did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
Disabled pfSenses build-in dns resolver & forwarder.
General setup -> dns servers -> 127.0.0.1
BIND -> enable forwarding - checked
forwarder IPs -> 192.168.64.1;192.168.64.2;
WORKING FLAWLESSLYit's BIND WHO DOESN'T ACCEPT QUERIES after configuring views & zones!
check the pictures I posted ffs!P.S. it's definitely VIEWS issue. it just doesn't matter what I'm entering there. Using built-in ACLs, no zones defined:
recursion -> yes
match-clients -> any
allow-recursion -> any
named[50020]: query-errors: debug 1: client 192.168.83.20#1585 (google.com): view test: query failed (SERVFAIL) for google.com/IN/A at query.c:6217recursion -> no
match-clients -> any
allow-recursion -> any
named[78330]: query-errors: debug 1: client 192.168.83.20#2431 (google.com): view test: query failed (SERVFAIL) for google.com/IN/A at query.c:6221pfSense can't resolve addresses itself too:
named[5197]: query-errors: debug 1: client 127.0.0.1#35576 (0.pfsense.pool.ntp.org): view test: query failed (SERVFAIL) for 0.pfsense.pool.ntp.org/IN/AAAA at query.c:6217
named[41921]: query-errors: debug 1: client 127.0.0.1#42011 (0.pfsense.pool.ntp.org): view test: query failed (SERVFAIL) for 0.pfsense.pool.ntp.org/IN/A at query.c:6221Deleting all views and rebooting the pfSense restores BIND forwarding
-
$ignore_list++
WTF really… ::) >:(
-
query.c:6217
query.c:6221well you can look at the source code to what those failures are exactly
not sure if this is same version the package is running, but
https://github.com/fanf2/bind-9/blob/master/bin/named/query.cit doesn't seem like since the line numbers don't actually match up.. .those errors in query.c point to the line number where it failed. If I recall query.c is when there is an authoritative query.. so way I read those errors is bind is not authoritative for what you asking for..
For one I really don't like your single labels – its really bad practice to use single label names...
I would get your authoritative working first... then try and change to your forwarder mode.. have your local domains working, in bind - then add the forwarders for stuff your not authoritative for.
this is really simple stuff.. Clickity Clickity.. But I would never in a million years use a single label.. So maybe it doesn't like that? I believe I was leaving bind in resolver mode... When I get a chance I will fire up that vm I setup again and change it to forward on vs doing actual recursive. You don't seem to have any A records at all set... So again before you try and forward, why don't you make sure your views and everything else is working for you resolving your stuff your wanting to be authoritative for.. Looks like you want it to add hots from dhcp reservations, etc.. Those should resolve, then set up forwarding.
-
Hi guys, upon searching for a solution to my issue i came across this thread and have to say. I have the exact same problem.
I installed bind on my pfsense and added a forwarder in the main settings. At this point every request made to my pfsense were perfectly forwarded to the given dns.
But my intentions was a single zone for my development environment which answers with different ip adresses for the same hostname depending on the source of the request. If the pfsense is asked from wan site it answers with 192.168.0.x and from lan site with 10.47.0.x
Therefore i created two acls mapping to my networks and two views reflecting these networks. Finally i added my zone twice with different ips. At this point everything works like a charme. If i ask from wan i get a response with a 192 ip and from lan with 10.47.
But forwarding isn't working anymore. Every request which is not going toward my domain gets: query-errors: debug 1: client 10.47.0.14#36368 (heise.de): view LAN-View: query failed (SERVFAIL) for heise.de/IN/A at query.c:6981
Do you have any idea what could be the problem?
Here my generated named.conf
#Bind pfsense configuration #Do not edit this file!!! key "rndc-key" { algorithm hmac-md5; secret "ji6Vp5Nw/NtmJS4cQ8Ft4Q=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; options { directory "/etc/namedb"; pid-file "/var/run/named/pid"; statistics-file "/var/log/named.stats"; max-cache-size 256M; listen-on { 10.47.0.1; 192.168.40.47; }; forwarders { 192.168.0.23; }; dnssec-validation no; }; logging { channel custom { syslog daemon; print-time no; print-severity yes; print-category yes; severity debug 5; }; category default { custom; }; category general { custom; }; category database { custom; }; category security { custom; }; category config { custom; }; category resolver { custom; }; category xfer-in { custom; }; category xfer-out { custom; }; category notify { custom; }; category client { custom; }; category unmatched { custom; }; category queries { custom; }; category network { custom; }; category update { custom; }; category dispatch { custom; }; category dnssec { custom; }; category lame-servers { custom; }; }; acl "ZSO-Net" { 192.168.0.0/16; }; acl "dgi.dev" { 10.47.0.0/24; }; view "WAN-View" { recursion yes; match-clients { ZSO-Net; }; allow-recursion { ZSO-Net; }; zone "dgi.dev" { type master; file "/etc/namedb/master/WAN-View/dgi.dev.DB"; allow-query { any; }; allow-transfer { any; ZSO-Net; }; allow-update { none; }; }; zone "." { type hint; file "/etc/namedb/named.root"; }; }; view "LAN-View" { recursion yes; match-clients { dgi.dev; }; allow-recursion { dgi.dev; }; forwarders { 192.168.0.23; }; zone "dgi.dev" { type master; file "/etc/namedb/master/LAN-View/dgi.dev.DB"; allow-query { any; }; allow-transfer { none; }; allow-update { none; }; }; zone "." { type hint; file "/etc/namedb/named.root"; }; }; -
Please try to use the option: forward only;
-
In case somebody is still having this issue:
https://forum.netgate.com/topic/139262/query-forwarding-in-bind9-is-not-working
