pfSense 2.4.5 + BIND 9.14_3: Everything works until I create a view!?

lennysh

Hello,

Using the versions you see in the subject, BIND works perfectly (with recursion) until I add a VIEW. As soon as I add a VIEW, every query is returned with SERVFAIL. The VIEW also has recursion turned ON, and the ACL is working (because if I choose an ACL that doesn't include my client, I get a REFUSED response). If I turn recursion OFF in the VIEW, I also get a REFUSED result back.

Has anyone else had/seen this issue?

Here's the steps I did (hitting every SAVE button behind every change):

1. Started with a default config (erased everything from the pFsense config file manually), only changed listening port to 1053.
   --- nslookup works (yes, I specify the port in the lookup)

2. Modified the built-in ACL's to have the correct networks in them.
   --- nslookup still works

3. Create VIEW that has recursion turned on, and the ACL includes all RFC1918 networks (which my client is in).
   --- nslookup returns SERVFAIL

4. Modify VIEW to turn off recursion
   --- nslookup returns REFUSED

5. Delete VIEW
   --- nslookup works again

Thoughts? Am I missing something?

lennysh

Update :

The issue seems to be related to this section of the view config (sorry, kinda new to bind).

zone "." {
    type hint;
    file "/etc/namedb/named.root";
}

named.root is an empty file. I have a couple of other BIND servers running, and the equivalent file on those servers is not empty. My goal truly was to have BIND on pfSense use a forwarder anyhow, but even turning that on doesn't make a difference. Removing the VIEW with the forwarder ON does work, and yes, it is using the forwarder. But just as soon as I put the VIEW back and the ZONE above re-appears, recursion no longer works. Removing the ZONE restores recursion via the forwarder, but I'd rather not have to do this manually every time.

If I remove the above manually from the named.conf, then restart the service, recursion works again.

Do I need to manually create a zone matching this in the gui for recursion to work without having to manually make this change every time?

I created a forward zone matching, and it did replace this entry, but recursion didn't work still.

Thoughts?

bmeeks

I'm not a bind user on pfSense although I have used it in the past on Linux. I seem to recall recently reading a thread here on the Netgate forum about an issue similar to yours and it was related to a bug in the chroot processes the bind package was using. I don't recall the details at the moment.

Have you done a search of forum threads for similar posts? I will try a search myself to see if can locate the thread.

Okay, found what I recalled reading about chroot and it was a little different. Here is that issue from the Redmine bug tracker: https://redmine.pfsense.org/issues/10413. It had to do with some new plugins and does not appear related to what you are seeing.

lennysh

@bmeeks Thanks for the link though... Handy to know in case I need that.

kevaru

I have exactly the same problem! This drives me nuts as I have pfSense 2.4.4 installations with bind 9.12 installed where this setup works flawlessly.
I still have the 2.4.4 installer image but I was not able to find and install the old working bind package.

Have you tried to copy the content from a populated named.root file to the named.root file on the machine that does not work?

I assume that this is a bug and I hope it will be resolved soon.

Edit: Clearly a bug. Report #10507 has been filed by Jocelyn Viau on April 28.:
https://redmine.pfsense.org/issues/10507

Labure

Hi thank you for this thread because i have the same issue since upgrade to 2.4.5.

Effectively the problem is the file named.root located in /cf/named/etc/namedb.
This file need to contain the list of the root server dns of internet. We need to download it manualy

To solve the issue you need to login in ssh to your pfsense and go to a shell console and after folow the commands below :

1: cd /cf/named/etc/namedb/
2: rm named.root
3: curl http://www.internic.net.zones/named.root --output named.root
4: restart named module in pfsense webgui

I hope this help :-)

kevaru

Aaaah, sigh of releaf it's as simple as that. I tried the same thing but made a mistake with the file location. The path in the named.conf file pointed to /etc/namedb/named.root so I created the file there and forgot about the /cf directory

Minor correction: The URL in step 3 is http://www.internic.net/zones/named.root (with a / between net and zones, not a .)

Thank you very much for the fix anyway. It works perfectly. I hope they automate this step again in an upcoming release.