DNS failures on authoritative server behind itself, using split-view
-
Hi all,
I'm sorry about this question; I don't know what I may be missing here, but I am having an issue where machines behind pfSense can't resolve domain names, given that the DNS servers are behind the said pfSense.
I'll try to explain with more detail:
Let's say we have these two DNS servers, ns1 and ns2.domain.org.
The DNS servers are accessed using 1:1 NAT with a public IP mapping. I can resolve these domains from ANYWHERE (except inside).
All the domains have the same name servers: ns1.domain.org and ns2.domain.org.
On the DNS Resolver there are entries for these servers:
ns1.domain.org has a host override to its private IP.
ns2.domain.org has an override to its private IP as well.
Whenever I query our pfSense about, let's say, google.com I get all the correct answers.
Whenever I query about one of the domains the DNS server has on it, I get a SERVFAIL error.
However, querying the NS servers directly (using the private IPs) from the pfSense gives no errors.
I'm a bit out of ideas; maybe someone could chime in? Thanks!
-
I would question the thought process of running your own authoritative name servers to the public on your own, which at best are using the same network. It's bad practice to host NS for a domain on the same network.
That aside, just set up domain overrides on pfSense for domain.org so it knows to talk to your local authoritative NS IP vs trying to use the public ones.
If you were going to run your own NS for a public domain, they should be on different networks, and really geographically diverse as well.
Let's hope the IPs these NS are giving out for host.domain.org don't also point to your own local public IPs, which you are also hosting behind pfSense, or you're going to have to use NAT reflection, or set up views on your NSers so that stuff doing a query for host.domain.org that is coming from RFC 1918 gets back the RFC 1918 IP for host.
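As an added illustration of the "views" option mentioned above (this is example configuration, not anything posted in the thread), here is what a split view looks like in BIND 9: clients whose source address falls in RFC 1918 space match the first view and get the private address for host.domain.org, everyone else falls through to the second view and gets the public one. The ACL name, zone file paths and the addresses in the comments are assumed placeholders; once any view is declared, every zone must live inside a view, and views are matched in order, so the internal one has to come first.

```conf
# Added example: BIND 9 named.conf fragment for a split view on domain.org.
# Addresses, ACL name and file paths are placeholders, not the OP's values.

acl "internal" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
    localhost;
};

# First matching view wins, so the RFC 1918 view must be listed first.
view "internal" {
    match-clients { "internal"; };
    recursion no;          # authoritative only; pfSense does the recursion
    zone "domain.org" {
        type master;
        # zone file where host.domain.org A 192.168.1.80 (private address)
        file "/etc/bind/zones/db.domain.org.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "domain.org" {
        type master;
        # zone file where host.domain.org A 203.0.113.80 (public address)
        file "/etc/bind/zones/db.domain.org.external";
    };
};
```

One thing to check after enabling this: queries that pfSense forwards to the internal view come from the firewall's own LAN-side address, so they land in the internal view and LAN clients get the private answer through the resolver, which is what you want; `named-checkconf` and then a `dig @<private NS IP> host.domain.org` from a LAN host and from outside confirm which view each side is hitting.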
-
Hi @johnpoz thank you for your reply.
I understand your remark about the same network and it being a bad practice. Indeed, you're right; however, for the time being it will be so. The public IP network in question has high availability from the provider side, and it's delivered through a VLAN to this pfSense, which is an HA config using CARP. And working quite well, I may add.
So your suggestion is that I add the domains in question to "domain override" with the IP of the authoritative server?
My logic was that unbound would see the authoritative name servers for the domain, "ns1.domain.org" and "ns2.domain.org", and that by having those hosts on host override it would then query the servers using their internal IP.
-
Not without a domain override they wouldn't. When unbound resolves domain.org it would get the public IPs. You need to tell it, hey, if wanting to look up something for domain.org, go ask these NSers, which you would give the local IPs for.
-
@johnpoz I've just put the domains on domain override and everything is working fine.
But about how this works, if you bear with me for a second: why doesn't it work even considering that domain.org is in split view?
Or in other words... I want domain abcd.com resolved from the inside; the DNS auth server for the domain is inside.
The name servers for abcd.com are ns1.domain.org and ns2.domain.org.
domain.org has the following entries on Host Overrides:
Host: domain.org and www.domain.org to the internal IP of the web server
host ns1.domain.org to the internal IP of the ns1 server
host ns2 ... likewise.
So... what you mean is unbound gets the public IP for the name servers from the root DNS servers themselves, not that it goes resolving along the way. Is that it?
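To make the "domain override" that fixed this concrete, and to cover the abcd.com case asked about above, here is what the override amounts to in unbound's own configuration (an added example, not from the thread or from pfSense's generated files; the 192.168.1.x addresses are assumed placeholders for the private NS IPs). The key point is that host overrides become `local-data` entries, which only answer a direct query for that exact name; when unbound resolves domain.org from the root it receives the public NS addresses as glue from the .org servers and never consults `local-data` while following that delegation. A `forward-zone` short-circuits the delegation entirely: anything at or below the zone name goes straight to the listed addresses. That also means each zone hosted on ns1/ns2 needs its own override; an override for domain.org does nothing for abcd.com just because abcd.com's NS records happen to point at ns1.domain.org.

```conf
# Added example: unbound.conf equivalent of pfSense host and domain overrides.
# Private addresses below are placeholders, not the OP's real values.

server:
    # What the Host Overrides produce. These answer a direct query for the
    # name itself but are NOT used while unbound follows a delegation.
    local-data: "ns1.domain.org. A 192.168.1.53"
    local-data: "ns2.domain.org. A 192.168.1.54"
    local-data: "domain.org. A 192.168.1.80"
    local-data: "www.domain.org. A 192.168.1.80"

    # If DNS rebinding protection is on (private-address covers RFC 1918),
    # unbound drops private answers from a forwarded zone unless the zone
    # is whitelisted here. pfSense adds this for you when the rebind check
    # is enabled; stated here so a hand-built config does not miss it.
    private-domain: "domain.org"
    private-domain: "abcd.com"

# The Domain Override for domain.org: skip root/TLD resolution and send
# everything under domain.org to the internal authoritative servers.
forward-zone:
    name: "domain.org"
    forward-addr: 192.168.1.53
    forward-addr: 192.168.1.54

# One override per hosted zone. abcd.com is served by the same boxes, but
# without its own forward-zone unbound would still walk it from the root
# and end up at the public 1:1 NAT addresses.
forward-zone:
    name: "abcd.com"
    forward-addr: 192.168.1.53
    forward-addr: 192.168.1.54
```

A quick way to confirm the path is to run `unbound-control lookup host.abcd.com` on the firewall, which prints the servers unbound would ask for that name: with the override in place it lists the two private addresses, without it you see the public glue that was producing the SERVFAIL.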