BIND gives ‘serverfail’ looking up internal hosts for OpenVPN clients

  • Hey friends!
    Ok…here goes my attempt at trying to explain this issue (no doubt user error, but I just can’t see it without some help). is my main pfSense box. It runs, as server, OpenVPN for some site-to-site connections, OpenVPN for road warriors and BIND for all clients on my network.
    Roadwarrior VPN: is another pfSense box. It runs a roadwarrior server too and connects to Washington via site-to-site.
    Roadwarrior VPN:

    Washington hosts the zone master for, my internal domain. Aspen is a slave to Washington.

    Both roadwarrior connections use redundant LDAP servers for auth. I can connect to both successfully from a range of clients.

    However, and here’s the rub, I cannot resolve anything internal (on when I connect to Washington’s roadwarrior. I can resolve internal hosts when I connect to aspen.

    Washington clients use and then as DNS pushes
    Aspen clients use and then pushed to them.

    Of course...this was all working...something changed... I don't know. I'm out of the country and I only brought iOS devices with me because reasons, and now I'm trying to fix it remotely. I have access to most tools like a DNS lookup, ping, and web browser though and am making do :) (no complaints! I'm typing this from a beach-side cabana)

    On Washington’s BIND, I only have the default ACLs. For my zone it’s set to answer queries on: localhost, localnet, and any.  The view is set to any. BIND itself is set to listen on all interfaces except lan.

    Aspen’s BIND is the exact same.

    If I connect to Aspen’s roadwarrior, I can resolve hosts, including the ones (I need to reach) on However, that connection is particularly slow. I’d prefer to connect to Washington directly.

    Both Washington and Aspen’s BINDs are resolving any external (public) hosts successfully and I can reach the greater web through those connections just fine.

    Both roadwarrior connections are set to force all traffic.

    So...anyone have any ideas?

    I’ve boosted my zone file in case that’s of any value...a snippet at least...took out some public IPs :)

    $TTL 43200
    ;	Database file for zone.
    ;	Do not edit this file!!!
    ;	Zone version 2496684162
    ;	 IN  SOA . (
    		2496684162 ; serial
    		1d ; refresh
    		2h ; retry
    		4w ; expire
    		1h ; default_ttl
    ; Zone Records
    @ 	 IN NS
    @ 	 IN A
    washington 	 IN A
    osx5 	 IN A
    prima 	 IN A
    telluride 	 IN A
    verbier 	 IN A

  • Quick update to add: apparently lookups aren’t working at all from/to local host.

    In other words the pfSense box Washington cannot do any lookups for the zone, which it hosts, for itself.

    All other locally hosted zones work. is set to use the ‘any’ ACL for queries, updates and transfers

    When I do:
    I get servfail

  • LAYER 8 Global Moderator

    @        IN NS
    @        IN A

    Sorry, but pointing NS to an IP address is not valid… Nor is that a valid SOA..

    Both of which would be a FQDN and then sure an A record for that name pointing to the IP..
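    An added example, not code from the thread, pfSense or BIND: a small Python lint for the faults the moderator describes (an NS or SOA MNAME holding an IP literal instead of a hostname, an in-zone NS name with no A/AAAA record, a malformed SOA). The zone text, the origin `example.internal` and the TEST-NET addresses are constructed stand-ins; the parser is deliberately minimal, not a full RFC 1035 one.

```python
import ipaddress

def _is_ip(s):
    """True if s is an IPv4/IPv6 literal, with or without a trailing dot."""
    try:
        ipaddress.ip_address(s.rstrip("."))
        return True
    except ValueError:
        return False

def _records(text):
    """Return (owner, type, rdata) tuples: comments stripped, $directives skipped,
    parenthesised multi-line records joined, blank owner fields inherited."""
    recs, buf, depth, last_owner = [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:
            continue
        joined, buf = " ".join(buf), []
        toks = joined.replace("(", " ").replace(")", " ").split()
        if joined[0] in " \t":
            owner = last_owner
        else:
            owner, toks = toks[0], toks[1:]
        last_owner = owner
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):  # optional TTL / class
            toks.pop(0)
        if toks:
            recs.append((owner, toks[0].upper(), toks[1:]))
    return recs

def lint_zone(text, origin):
    """List the zone-file faults described above; an empty list means the zone passes."""
    recs = _records(text)
    fqdn = lambda n: origin if n == "@" else (n.rstrip(".") if n.endswith(".") else f"{n}.{origin}")
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    types = {}
    for owner, rtype, _ in recs:
        types.setdefault(fqdn(owner), set()).add(rtype)
    problems = []
    for owner, rtype, rdata in recs:
        if rtype == "SOA":
            if len(rdata) != 7:
                problems.append("SOA must carry MNAME, RNAME and five timer values")
            elif _is_ip(rdata[0]):
                problems.append(f"SOA MNAME {rdata[0]} is an IP literal, not a hostname")
        elif rtype == "NS":
            target = rdata[0] if rdata else ""
            if _is_ip(target):
                problems.append(f"NS for {fqdn(owner)} points at IP {target}; use a hostname")
            elif in_zone(fqdn(target)) and not types.get(fqdn(target), set()) & {"A", "AAAA"}:
                problems.append(f"NS target {fqdn(target)} has no A/AAAA record in the zone")
    return problems

# Constructed samples modelled on the snippet in the thread (made-up domain, TEST-NET addresses).
BROKEN_ZONE = """$TTL 43200
@   IN SOA 192.0.2.1. hostmaster.example.internal. (
        2496684162 ; serial
        1d ; refresh
        2h ; retry
        4w ; expire
        1h ) ; minimum
@   IN NS 192.0.2.1
@   IN A  192.0.2.1
"""
FIXED_ZONE = BROKEN_ZONE.replace("SOA 192.0.2.1.", "SOA washington.example.internal.") \
                        .replace("NS 192.0.2.1", "NS washington") + "washington IN A 192.0.2.1\n"

if __name__ == "__main__":
    for name, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(name, lint_zone(zone, "example.internal") or "ok")
```

The real check on a pfSense box is `named-checkzone <zone> <file>`, which reports the missing address records for the NS name; the script above only mirrors that reasoning offline.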
