BIND gives ‘serverfail’ looking up internal hosts for OpenVPN clients
SpaceBass last edited by
Ok…here goes my attempt at trying to explain this issue (no doubt user error, but I just can’t see it without some help).
Washington.foo.publicinternet is my main pfSense box. It runs, as server, OpenVPN for some site-to-site connections, OpenVPN for road warriors and BIND for all clients on my network.
Roadwarrior VPN: 192.168.27.0/24
Aspen.foo.publicinternet is another pfSense box. It runs a roadwarrior server too and connects to Washington via site-to-site.
Roadwarrior VPN: 192.168.42.0/24
Washington hosts the zone master for nsnet.us, my internal domain. Aspen is a slave to Washington.
Both roadwarrior connections use redundant LDAP servers for auth. I can connect to both successfully from a range of clients.
Washington clients use 10.15.1.1 and then 10.50.1.1 as DNS pushes
Aspen clients use 10.50.1.1 and then 10.15.1.1 pushed to them.
Of course...this was all working...something changed... I dont know what...now Im out of the country and I only brought iOS devices with me because reasons and now I’m trying to fix it remotely. I have access to most tools like a dns lookup, ping, and web browser though and am making due:) (no complains! I’m typing this from a beach-side cabana)
On Washington’s BIND, I only have the default ACLs. For my nsnet.us zone it’s set to answer queries on: localhost, localnet, and any. The view is set to any. BIND itself is set to listen on all interfaces except lan.
Aspen’s BIND is the exact same.
If I connect to Aspen’s roadwarrior, I can resolve nsnet.us hosts, including the ones (I need to reach) on 10.15.1.0/24. However, that connection is particularly slow. I’d prefer to connect to Washington directly.
Both Washington and Aspen’s BINDs are resolving any external (public) hosts successfully and I can reach the greater web through those connections just fine.
Both roadwarrior connections are set to force all traffic.
So...anyone have any ideas?
I’ve boosted my zone file in case that’s of any value...a snippet at least...took out some public IPs :)
$TTL 43200 ; $ORIGIN nsnet.us. ; Database file nsnet.us.DB for nsnet.us zone. ; Do not edit this file!!! ; Zone version 2496684162 ; nsnet.us. IN SOA 10.15.1.1\. zonemaster.nsnet.us. ( 2496684162 ; serial 1d ; refresh 2h ; retry 4w ; expire 1h ; default_ttl ) ; ; Zone Records ; @ IN NS 10.15.1.1. @ IN A 10.15.1.1 washington IN A 10.15.1.1 osx5 IN A 10.15.1.100 prima IN A 10.75.1.20 telluride IN A 10.75.1.1 verbier IN A 10.75.1.15
SpaceBass last edited by
Quick update to add: apparently lookups aren’t working at all from/to local host.
In other words the pfSense box Washington cannot do any lookups for the nsnet.us zone, which it hosts, for itself.
All other locals hosted zones work.
Nsnet.us is set to use the ‘any’ acl for queries, updates and transfers
When is do:
I get servfail
@ IN NS 10.15.1.1.
@ IN A 10.15.1.1
Sorry but pointing NS to IP address not valid… Nor is that a valid SOA..
Both of which would be a FQDN and then sure an A record for that name pointing to the IP..