Peek last edited by Peek
I have an authoritative BIND9 server (with does not allow recursion) in a server VLAN as defined by pfSense.
- 2x floating rules for IPv6 TCP/UDP on port 53 & 853 allow for external zone queries to the BIND9 server
All VLANS query the pfsense resolver which has DNSSEC & Forwarding (2606:4700:4700::1 & 22.214.171.124) with SSL/TLS enabled.
Via IPv6 this works perfectly.
On IPv4 it only works when the DNS is manually set to 126.96.36.199 or 188.8.131.52 (I understand both services query the BIND9 server via IPv6, yet will responds to IPv4 based client queries)
In the endevour to prevent having to set the DNS manually every time connecting via 4G a "NAT/Port Forward" is setup on the WAN IPv4 interface to the BIND9 server's private IPv4 interface (Preference would've been Layer4 load balancing with HAProxy should it have supported UDP)
- an IPv4 UDP rule with the BIND9 server's private IPv4 is automatically created under the WAN rules
However, only every 3rd or even 5th query (via IPv4 over 4G) to the BIND9 zone is answered. All others are finalised as "connection timed out; no servers could be reached"
- Inspecting the firewall logs indicate that the traffic is not being blocked
- Inspecting the BIND9 log reflects 3x successful queries to the server, per single client query, before the client states "connection timed out" response
- A packet capture on the WAN interface indicates every query made to the server with the server's response
Querying any other public DNS (184.108.40.206 or 220.127.116.11) service with the exact same query (via ipv4) is answered immediately each and every time.
What sorcery is required to fix this ?
i can only guess for now i don't see anything wrong / there are not enought information but can you try to set
edns-udp-size 512; max-udp-size 512;
and test again?
if it work you can find more information here
@kiokoman, unfortunately no change ...
Either the DNS query is answered or it times out. With only the 3rd or 4th subsequent query (dig) attempt being answered.
It's only happening over the PORT FORWARDING with IPv4. Any queries from IPv4 machines within other VLANs also work flawlessly.
Please do advise what additional info you'd required.
uhm it can't be a port forward problem, all the requests are hitting the bind9 server
checksum offloading ? is it disabled ?
a more detailed packet capture could be of help
Moved the BIND9 server from the server VLAN to the LAN.
Adjusted the PORT FORWARDING to reference the new IPv4 LAN address.
Now, each and every query generated from the IPv4 4G network is answered immediately without any timeouts.
Yet queries from the SERVER VLAN to the BIND9 server now has the issue as initially described. Only exception being, the BIND9 log only registers the successful queries.
After checking (disabling) "Hardware Checksum Offloading" under SYSTEM > ADVANCED > NETWORKING > Network Interfaces every query is answered, immediately.
What a confusing and frustrating battle. Thank you @kiokoman aka "bringer of light to the dark packet woods" !
Would you advise on also having "Hardware TCP Segmentation Offloading" and "Hardware Large Receive Offloading" disabled ?