Netgate Discussion Forum
    DHCP and DNS

    DNS failures on authoritative server behind itself, using split-view
    • maverickws

      Hi all,

      I'm sorry about this question; I don't know what I may be missing here, but I am having an issue where machines behind pfSense can't resolve domain names, given that the DNS servers are behind the said pfSense.

      I'll try to explain with more detail:

      Let's say we have these two DNS servers, ns1 and ns2 of domain.org.

      The DNS Servers are accessed using NAT 1:1 with a public IP map. I can resolve these domains from ANYWHERE (except inside).

      All the domains have the same name servers: ns1.domain.org and ns2.domain.org.

      On the DNS Resolver there are entries for these servers:
      ns1.domain.org has a host override to its private IP
      ns2.domain.org has an override to its private IP as well.

      Whenever I query our pfSense about ... let's say, google.com I get all the correct answers.

      Whenever I query about one of the domains the DNS server has on them, I get a SERVFAIL error.
      However, querying the NS servers directly (using the private IPs) from the pfSense has no errors.

      I'm a bit out of ideas maybe someone could chime in? Thanks!

      • johnpoz (LAYER 8 Global Moderator) @maverickws

        I would question the thought process of running your own authoritative name servers to the public on your own, which at best are using the same network. It's bad practice to host NS for a domain on the same network.

        That aside, just set up domain overrides on pfSense for domain.org so it knows to talk to your local authoritative NS IP vs trying to use the public ones.

        If you were going to run your own NS for a public domain, they should be on different networks, and really geographically diverse as well.

        Let's hope the IPs these NS are giving out for host.domain.org don't also point to your own local public IPs, which you are also hosting behind pfSense, or you're going to have to use NAT reflection, or set up views on your NSers so that stuff doing queries for host.domain.org that are coming from RFC 1918 gets back the RFC 1918 IP for host.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • maverickws @johnpoz

          Hi @johnpoz thank you for your reply.

          I understand your remark about the same network being a bad practice. Indeed, you're right; however, for the time being it will be so. The public IP network in question has high availability from the provider side, and it's delivered through a VLAN to this pfSense, which is an HA config using CARP. And it's working quite well, I may add.

          So your suggestion is that I add the domains in question to "domain override" with the IP of the authoritative server?

          My logic was that unbound would see the authoritative name servers for the domain, "ns1.domain.org" and "ns2.domain.org", and that by having those hosts on host override it would then query the servers using their internal IP.

          • johnpoz (LAYER 8 Global Moderator) @maverickws

            Not without a domain override they wouldn't. When unbound resolves domain.org it would get the public IPs. You need to tell it: hey, if wanting to look up something for domain.org, go ask these NSers, which you would give the local IPs for.

            • maverickws @johnpoz

              @johnpoz I've just put the domains on domain override and everything is working fine.

              But about how this works, if you bear with me for a second: why doesn't it work even considering that domain.org is in split view?
              Or in other words...

              I want domain abcd.com resolved from the inside; the DNS auth server for the domain is inside.

              The name servers for abcd.com are ns1.domain.org and ns2.domain.org.

              domain.org has the following entries on Host Overrides:

              Host: domain.org and www.domain.org to the internal IP of the web server
              Host: ns1.domain.org to the internal IP of the ns1 server
              Host: ns2 ... likewise.

              So... what you mean is unbound gets the public IP for the name servers from the root DNS servers themselves, not as it goes resolving along the way. Is that it?

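The mechanism johnpoz describes, as an added example that is not part of the thread and is not pfSense or unbound code: a toy model of the order in which a recursive resolver decides where to send a query. pfSense writes a Host Override into unbound's config as a local-data entry and a Domain Override as a forward-zone; the model keeps those two tables apart to show why the first only answers a direct query for ns1.domain.org, while the second changes which server is asked for anything under abcd.com or domain.org. Every name and address is constructed (the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for public IPs, 10.10.0.0/24 for the LAN), and the assumption that the 1:1 NAT public addresses are unreachable from inside without NAT reflection is the situation the thread describes.

```python
# Added example (not from the thread, pfSense or unbound): a toy model of the
# order in which a recursive resolver decides where to send a query.
# All addresses are constructed: 198.51.100.0/24 and 203.0.113.0/24 stand in
# for public space, 10.10.0.0/24 for the LAN behind pfSense.
from dataclasses import dataclass, field

ROOT = "198.51.100.1"          # constructed root server
ORG = "198.51.100.2"           # constructed .org server
COM = "198.51.100.3"           # constructed .com server
EXAMPLE_NS = "198.51.100.4"    # constructed NS of an unrelated outside domain
NS1_PUBLIC, NS1_PRIVATE = "203.0.113.53", "10.10.0.53"   # ns1.domain.org, 1:1 NAT
NS2_PUBLIC, NS2_PRIVATE = "203.0.113.54", "10.10.0.54"   # ns2.domain.org, 1:1 NAT

# Referral data held by the parent zones. The registrar was given the public
# (NAT) addresses of ns1/ns2, so that is the glue every referral carries.
DELEGATIONS = {
    ROOT: {"org.": [ORG], "com.": [COM]},
    ORG: {"domain.org.": [NS1_PUBLIC, NS2_PUBLIC]},
    COM: {"abcd.com.": [NS1_PUBLIC, NS2_PUBLIC], "example.com.": [EXAMPLE_NS]},
}

# What the authoritative servers answer; the same data is served on the
# public and the private address (no split view in this model).
ZONE_DATA = {
    "www.domain.org.": "203.0.113.80",
    "mail.domain.org.": "203.0.113.25",
    "ns1.domain.org.": NS1_PUBLIC,
    "ns2.domain.org.": NS2_PUBLIC,
    "www.abcd.com.": "203.0.113.81",
    "www.example.com.": "198.51.100.80",
}
AUTH_ADDRESSES = {NS1_PUBLIC, NS2_PUBLIC, NS1_PRIVATE, NS2_PRIVATE, EXAMPLE_NS}

# The thread's situation: from the LAN, the 1:1 NAT public addresses of the
# name servers are not reachable (no NAT reflection configured).
UNREACHABLE_FROM_LAN = {NS1_PUBLIC, NS2_PUBLIC}


def in_zone(name: str, zone: str) -> bool:
    """True when name is the zone apex or lies below it (label-aware suffix test)."""
    return name == zone or name.endswith("." + zone)


@dataclass
class ResolverConfig:
    """The two pfSense tables, kept apart the way unbound keeps them apart."""
    host_overrides: dict = field(default_factory=dict)    # name -> IP   (local-data)
    domain_overrides: dict = field(default_factory=dict)  # zone -> [IP] (forward-zone)


def query_server(addr: str, name: str):
    """One modelled exchange: ('answer', ip_or_None) or ('referral', [glue ips])."""
    if addr in UNREACHABLE_FROM_LAN:
        raise TimeoutError(f"{addr} is not reachable from inside the NAT")
    if addr in AUTH_ADDRESSES:
        return ("answer", ZONE_DATA.get(name))
    for zone, glue in DELEGATIONS[addr].items():
        if in_zone(name, zone):
            return ("referral", list(glue))
    return ("answer", None)


def ask(targets, name: str, follow_referrals: bool) -> str:
    """Try each target in turn; follow referrals only when iterating from the root."""
    targets = list(targets)
    while targets:
        addr = targets.pop(0)
        try:
            kind, data = query_server(addr, name)
        except TimeoutError:
            continue                      # try the next server in the set
        if kind == "answer":
            return data or "NXDOMAIN"
        if follow_referrals:
            targets = data                # replace the target set with the glue
    return "SERVFAIL"                     # every candidate server failed


def resolve(name: str, cfg: ResolverConfig) -> str:
    name = name if name.endswith(".") else name + "."
    # 1. local-data (Host Override): answers the client's query, but only for that exact name.
    if name in cfg.host_overrides:
        return cfg.host_overrides[name]
    # 2. forward-zone (Domain Override): anything at or below the zone goes to the listed servers.
    for zone in sorted(cfg.domain_overrides, key=len, reverse=True):
        if in_zone(name, zone):
            return ask(cfg.domain_overrides[zone], name, follow_referrals=False)
    # 3. Otherwise iterate from the root and follow the glue in each referral.
    #    The host override for ns1.domain.org is never consulted on this path;
    #    the address used is the public one from the .org/.com referral.
    return ask([ROOT], name, follow_referrals=True)


HOSTS_ONLY = ResolverConfig(
    host_overrides={"ns1.domain.org.": NS1_PRIVATE, "ns2.domain.org.": NS2_PRIVATE,
                    "www.domain.org.": "10.10.0.80"},
)
WITH_DOMAIN_OVERRIDE = ResolverConfig(
    host_overrides=HOSTS_ONLY.host_overrides,
    domain_overrides={"domain.org.": [NS1_PRIVATE, NS2_PRIVATE],
                      "abcd.com.": [NS1_PRIVATE, NS2_PRIVATE]},
)

if __name__ == "__main__":
    for label, cfg in (("host overrides only", HOSTS_ONLY),
                       ("plus domain overrides", WITH_DOMAIN_OVERRIDE)):
        for q in ("www.example.com", "ns1.domain.org", "mail.domain.org", "www.abcd.com"):
            print(f"{label:22} {q:18} -> {resolve(q, cfg)}")
```

With host overrides alone, an outside name resolves, ns1.domain.org answers from the override, and mail.domain.org or www.abcd.com end in SERVFAIL because the referral hands the resolver the public NAT addresses. With the domain overrides added, those names resolve through the private addresses. The answer they then carry is the public 203.0.113.81, which is the caveat in johnpoz's first reply: a split view on the name servers (or NAT reflection) is still needed for hosts that also sit behind the 1:1 NAT.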
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.