Netgate Discussion Forum
    PfSense blocking nameservers on Virtualmin?

eiger3970:

Hi, I set up pfSense and added all the port forwards from my router into pfSense, but my website still won't show?

      I have tried: Linux > Terminal > $ ping www.domain.com > unknown host www.domain.com. I accessed Proxmox via Mint > Chrome > 192.168.1.160 > Webserver is running. I accessed Webmin VirtualServer via Mint > Chrome > https://192.168.1.163:10000 > Username: root > Password: xxx > Enter > System Information, all services are up. I accessed Webmin via Mint > Terminal >

      
      $ ssh root@192.168.1.163.
      [root@centos ~]# dig www.domain.com
      ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.domain.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58817
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;www.domain.com.     IN  A
      
      ;; Query time: 3 msec
      ;; SERVER: 192.168.1.180#53(192.168.1.180)
      ;; WHEN: Thu Feb  6 16:53:56 2014
      ;; MSG SIZE  rcvd: 37
      
      

      www.intodns.com > www.domain.com > Error:

      
      Parent   Info    Domain NS records   Nameserver records returned by the parent servers are:
      
      ns2.domain.com.   ['WANIP']   [TTL=14400] 
      ns1.domain.com.   ['WANIP']   [TTL=14400] 
      
      w.au was kind enough to give us that information.
      Warn   TLD Parent Check    WARNING: Looks like the parent servers do not have information for your TLD when asked. This is ok but can be confusing.
      Pass   Your nameservers are listed Good. The parent server w.au has your nameservers listed. This is a must if you want to be found as anyone that does not know your DNS servers will first ask the parent nameservers.
      Pass  DNS Parent sent Glue    Good. The parent nameserver sent GLUE, meaning he sent your nameservers as well as the IPs of your nameservers. Glue records are A records that are associated with NS records to provide "bootstrapping" information to the nameserver.(see RFC 1912 section 2.3)
      Pass   Nameservers A records   Good. Every nameserver listed has A records. This is a must if you want to be found.
      NS Info    NS records from your nameservers    NS records got from your nameservers listed at the parent NS are:
      Oups! I could not get any nameservers from your nameservers (the ones listed at the parent server). Please verify that they are not lame nameservers and are configured properly. 
      
      Pass  Recursive Queries   Good. Your nameservers (the ones reported by the parent server) do not report that they allow recursive queries for anyone.
      Pass    Same Glue   Hmm,I do not consider this to be an error yet, since I did not detect any nameservers at your nameservers.
      Pass Glue for NS records OK. Your nameservers (the ones reported by the parent server) have no ideea who your nameservers are so this will be a pass since you already have a lot of errors!
      Error   Mismatched NS records   WARNING: One or more of your nameservers did not return any of your NS records.
      Error   DNS servers responded   ERROR: One or more of your nameservers did not respond:
      The ones that did not respond are:
      124.191.169.67
      Pass  Name of nameservers are valid   OK. The nameservers reported by the parent send out nothing as shown above. I can't check nothing so it's a green!
Error  Multiple Nameservers    ERROR: Looks like you have less than 2 nameservers. According to RFC2182 section 5 you must have at least 3 nameservers, and no more than 7. Having 2 nameservers is also ok by me.
      Pass    Nameservers are lame    OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
      Pass   Missing nameservers reported by parent  OK. All NS records are the same at the parent and at your nameservers.
      Error    Missing nameservers reported by your nameservers    You should already know that your NS records at your nameservers are missing, so here it is again: 
      
      ns2.domain.com. 
      ns1.domain.com. 
      
      Pass    Domain CNAMEs   OK. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
      Pass   NSs CNAME check OK. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
      Pass   Different subnets   OK. Looks like you have nameservers on different subnets!
      Pass  IPs of nameservers are public   Ok. Looks like the IP addresses of your nameservers are public. This is a good thing because it will prevent DNS delays and other problems like
      Pass    DNS servers allow TCP connection    OK. Seems all your DNS servers allow TCP connections. This is a good thing and useful even if UDP connections are used by default.
      Pass Different autonomous systems    OK. It seems you are safe from a single point of failure. You must be careful about this and try to have nameservers on different locations as it can prevent a lot of problems if one nameserver goes down.
      Pass   Stealth NS records sent Ok. No stealth ns records are sent
      SOA  Error   SOA record  No valid SOA record came back!
      MX   Error   MX Records  Oh well, I did not detect any MX records so you probably don't have any and if you know you should have then they may be missing at your nameservers!
      WWW  Error   WWW A Record     ERROR: I could not get any A records for www.domain.com!
      
      (I only do a cache request, if you recently added a WWW A record, it might not show up here.)
      I went back into Webmin > Servers > BIND DNS Server > Existing DNS Zones > Zone: domain.com > Edit Master Zone > Type: All > Type: NS says domain.com. I think name server should be ns1.domain.com and ns2.domain.com.
      
      

      I backed up current webmin files in Virtualmin > Backup and Restore > Scheduled Backups > Add a new backup schedule > Virtual servers > Servers to save: All virtual servers > Destination and format > Backup destinations: Local file or directory > Browse… > tmp > Backup (make folder if not there in tmp mkdir backup) > Ok > Create Schedule > Actions: Backup.. > Backup Now.

I tried to restore, but the backups are of the whole Virtualmin server from Proxmox. Had to restore the whole webserver on Proxmox.

      www.domain.com still won't load. www.intodns.com gives same nameserver error.

I haven't changed or deleted any nameservers, so I don't know if this is the true error or not, as the pfSense install could probably not affect the name servers?

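The intodns report and the Webmin zone view above point at the zone data itself (NS record set to the bare `domain.com.`, no SOA or www A record seen from outside). As an added example, not the poster's files, this shell lint reads a BIND master zone and reports exactly those conditions; the two sample zones are constructed, and 203.0.113.10 stands in for the masked WAN IP.

```shell
#!/bin/sh
# Added example, not the poster's files: a lint for a BIND master zone that
# checks the points intodns and the Webmin zone view raised above.
# Assumed zone format: one record per line, "name [ttl] [IN] type rdata";
# names are fully qualified (trailing dot) or relative to the zone.

# zone_lint ZONE FILE -> one finding per line; exit status 1 if any ERROR
zone_lint() {
    zone="$1"; file="$2"
    awk -v zone="$zone" '
        # expand an owner or target name to its FQDN within the zone
        function fq(n) {
            if (n == "@") return zone "."
            if (n ~ /\.$/) return n
            return n "." zone "."
        }
        /^[[:space:]]*(;|$)/ { next }   # blank lines and comments
        /^\$/ { next }                   # $TTL / $ORIGIN directives
        {
            # a line starting with whitespace reuses the previous owner name
            if ($0 ~ /^[[:space:]]/) name = last; else { name = $1; last = name }
            # the record type is the first field that is one of these
            for (i = 1; i <= NF; i++) if ($i ~ /^(SOA|NS|A|CNAME|MX)$/) break
            if (i > NF) next
            type = $i; rdata = $(i + 1)
            if (type == "SOA") soa++
            if (type == "A") a[fq(name)] = rdata
            if (type == "NS" && fq(name) == (zone ".")) ns[fq(rdata)] = 1
        }
        END {
            errs = 0; n = 0
            if (!soa) { print "ERROR: no SOA record"; errs++ }
            for (h in ns) {
                n++
                if (h == (zone "."))
                    { print "ERROR: NS names the zone apex " h " instead of a nameserver host"; errs++ }
                else if (!(h in a))
                    { print "ERROR: NS " h " has no A record in the zone (no glue)"; errs++ }
                else { print "OK: NS " h " -> " a[h]; ips[a[h]] = 1 }
            }
            if (n == 0) { print "ERROR: no NS records at the apex"; errs++ }
            else if (n < 2) print "WARN: only one NS record; RFC 2182 asks for at least two"
            d = 0; for (ip in ips) d++
            if (n >= 2 && d < 2) print "WARN: all NS records resolve to one address; that is a single point of failure"
            w = "www." zone "."
            if (w in a) print "OK: " w " -> " a[w]
            else { print "ERROR: no A record for " w; errs++ }
            exit (errs > 0)
        }' "$file"
}

# Constructed sample zones; 203.0.113.10 stands in for the masked WAN IP.
BROKEN_ZONE=$(mktemp)
FIXED_ZONE=$(mktemp)
trap 'rm -f "$BROKEN_ZONE" "$FIXED_ZONE"' EXIT
# What the Webmin zone view above suggests: NS set to the apex, no www record.
cat > "$BROKEN_ZONE" <<'EOF'
$TTL 14400
@       IN SOA ns1.domain.com. hostmaster.domain.com. ( 2014020601 7200 1800 1209600 86400 )
@       IN NS  domain.com.
@       IN A   203.0.113.10
EOF
# The layout the poster intends: ns1/ns2 with glue, plus the www host.
cat > "$FIXED_ZONE" <<'EOF'
$TTL 14400
@       IN SOA ns1.domain.com. hostmaster.domain.com. (
                2014020601 ; serial
                7200 1800 1209600 86400 )
@       IN NS  ns1.domain.com.
@       IN NS  ns2
ns1     IN A   203.0.113.10
ns2     IN A   203.0.113.10
@       IN A   203.0.113.10
www     IN A   203.0.113.10
EOF

echo "== broken zone =="; zone_lint domain.com "$BROKEN_ZONE" || echo "-> lint failed (expected for this zone)"
echo "== fixed zone ==";  zone_lint domain.com "$FIXED_ZONE"  && echo "-> lint passed"
```

The fixed zone still warns that both nameservers share one address, which is the single point of failure the moderator objects to later in the thread.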
eiger3970:

        Thought I'd refresh this.

        It seems no DNS packets are getting through to Virtualmin.
        Port 53 is forwarded, just like before on my old router.
        Any suggestions?

johnpoz (LAYER 8 Global Moderator):

Well, I take it you're masking your actual domain name.

But what do you mean no DNS is getting through?

          This shows your server refused the query

          ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 58817

          ;; SERVER: 192.168.1.180#53(192.168.1.180)

          So clearly your query got there, and he told you FO basically ;)

So some more detail of what you're wanting to do exactly? Is this domain.com resolvable on the public NET? And the nameservers are where - your pfSense WAN IP? Both of them point to your 1 IP? You do understand it's bad practice to host a domain on only one name server.

It's very confusing trying to figure out what you're doing from your post. What is intodns.com, is this another domain that points to your pfSense WAN IP? Where does pfSense forward this traffic?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

eiger3970:

            The www.domain.com is resolvable when this pfSense router is removed and I use my old router.

            The name servers are on my Virtualmin server 192.168.1.163.

            The pfSense WAN IP is a DHCP received from the cable modem's LAN IP.

            Both of the name servers on the Virtualmin server point to the 1 IP? The name servers point to the ISP's WAN IP.
            The domain registrar also has the name servers pointing to the ISP's WAN IP.

            The server has two name servers, namely ns1.domain.com and ns2.domain.com.

www.intodns.com is a test site to check if the website is working or what errors are occurring.

            I also tested shieldsup > https://www.grc.com/x/ne.dll?rh1dkyd2, which showed no ports open like 53. Weird as ports are forwarded.

johnpoz (LAYER 8 Global Moderator):

              "The name servers are on my Virtualmin server 192.168.1.163."

So let's forget about forwarding for a second - you clearly got REFUSED from this server 192.168.1.180, but that is not 192.168.1.163.

As to your ports showing open - you forwarded them, did you let the forward create the firewall rule for you? Post up your WAN firewall rules and your NATs.

Example, see attached: notice how all my forwards show that they are linked to a firewall rule, and on the firewall rules those ports are allowed. NTP for example: that 192.168.1.40 box is a member of ntp.pool, so it always has lots of outside IPs getting the time.

Attachments: firewall.png, nats.png


eiger3970:

Yes, so 192.168.1.180 is the static IP of the old router, which is now an AP for the Wi-Fi and uses the spare 4 Ethernet ports for LAN devices to access the pfSense router.
Not sure why 192.168.1.180 is rejecting any packets, as it's an AP now and not a router. The ports are forwarded, which worked with the Wi-Fi router before it was changed to an AP and pfSense became the router.

                Yes, pfSense has all the ports forwarded that the old Wi-Fi router used to allow all traffic to work.
                I followed the standard install, so whatever the default settings pfSense sets up, this is then the case.

                Yes, I have confirmed in pfSense that the port forwards (attachment Screenshot-1.png) have created firewall rules (attachment Screenshot-2.png).
                Please see the attachments.

Attachments: Screenshot-1.png, Screenshot-2.png

johnpoz (LAYER 8 Global Moderator):

If .180 is just now an AP, why would you be doing a DNS query to it?

                  ;; SERVER: 192.168.1.180#53(192.168.1.180)

So are you having issues with any of the other forwards? I can tell from looking at the rules that your understanding of network protocols is lacking. Telnet for example is not a UDP protocol, nor is HTTP or HTTPS, etc. But you have your forwards and rules listed for both TCP and UDP.

For example, does 22 SSH work from outside your network? If you PM me your domain I would be happy to look into whether DNS works for it or not, where it's pointing, etc.


eiger3970:

                    I didn't do a DNS query to the old router 192.168.1.180 on purpose.
                    I simply ssh'ed into the webserver and ran the dig command.
                    I guess the webserver is still using a default gateway of 192.168.1.180?

                    Maybe my port forwards aren't right? Should I have the IP address in Destination IP in the port forwards?

                    Thank you for the reply.
                    LAN devices cannot SSH pfSense.

                    I have two NATs and it's confusing.
                    Cable modem WAN IP from ISP xxx.xxx.xx.xx.
                    Cable modem WAN IP 192.168.0.2.
                    Cable modem LAN IP 192.168.0.50.
                    pfSense WAN DHCP 192.168.0.2.
                    pfSense LAN IP 192.168.1.155.

johnpoz (LAYER 8 Global Moderator):

Dude, let's schedule a time for me to TeamViewer in again.

And you got some typo here - 'cause how does your cable modem have the same WAN IP as pfSense?

                      Cable modem WAN IP 192.168.0.2.
                      Cable modem LAN IP 192.168.0.50.
                      pfSense WAN DHCP 192.168.0.2.

Did you TURN off all the other forwards you had set up in your cable gateway? Next step is to, yes, double check your forwards, but we need to verify that traffic actually gets to pfSense. Simple enough to do a sniff, send some traffic and verify that pfSense gets it.

Now we need to get your setup correct so you can forward stuff, sure - but I highly suggest you Don't run your own DNS!!! And that your registrar let you point both your name servers to the same IP is beyond me!


eiger3970:

                        Maybe I should have written:
                        Cable modem DMZ IP 192.168.0.2.

                        Yes, I turned off all the other forwards in the cable modem (there was only one to 192.168.0.2).

                        All port forwards in pfSense are the same as my old router.

I am now working out the sniffing, which I haven't used on pfSense before.
pfSense 2.1 > Diagnostics > Packet Capture shows packets:

                        
                        15:32:05.957029 IP 80.73.4.1.11974 > 192.168.0.2.53: UDP, length 48
                        15:32:05.990893 IP 80.73.4.1.20446 > 192.168.0.2.53: UDP, length 48
                        15:32:05.994305 IP 80.73.4.1.16531 > 192.168.0.2.53: UDP, length 48
                        15:32:06.020875 IP 192.168.0.2 > 192.168.0.50: ICMP echo request, id 60499, seq 57094, length 44
                        15:32:06.022187 IP 192.168.0.50 > 192.168.0.2: ICMP echo reply, id 60499, seq 57094, length 44
                        15:32:06.035289 IP 192.168.0.2.28288 > 8.8.8.8.53: UDP, length 46
                        15:32:06.208647 IP 8.8.8.8.53 > 192.168.0.2.28288: UDP, length 76
                        15:32:06.211065 IP 74.125.224.63.443 > 192.168.0.2.44342: tcp 65
                        15:32:06.212140 IP 74.125.224.63.443 > 192.168.0.2.44342: tcp 45
                        15:32:06.212276 IP 192.168.0.2.44342 > 74.125.224.63.443: tcp 0
                        15:32:06.212482 IP 192.168.0.2.44342 > 74.125.224.63.443: tcp 0
                        15:32:06.212520 IP 74.125.224.63.443 > 192.168.0.2.44342: tcp 0
                        15:32:06.212575 IP 192.168.0.2.44342 > 74.125.224.63.443: tcp 0
                        15:32:06.340727 IP 74.125.189.16.51332 > 192.168.0.2.53: UDP, length 37
                        15:32:06.378925 IP 74.125.224.63.443 > 192.168.0.2.44342: tcp 0
                        15:32:06.685704 IP 80.73.4.1.9241 > 192.168.0.2.53: UDP, length 48
                        15:32:06.713699 IP 80.73.4.1.14926 > 192.168.0.2.53: UDP, length 48
                        15:32:06.716480 IP 80.73.4.1.47377 > 192.168.0.2.53: UDP, length 48
                        15:32:06.719723 IP 80.73.4.1.62501 > 192.168.0.2.53: UDP, length 48
                        15:32:06.742865 IP 80.73.4.1.38217 > 192.168.0.2.53: UDP, length 48
                        15:32:06.745647 IP 80.73.4.1.50471 > 192.168.0.2.53: UDP, length 48
                        15:32:06.801138 IP 192.168.0.2.50950 > 74.125.129.84.443: tcp 0
                        15:32:06.857137 IP 192.168.0.2.49948 > 74.125.224.89.443: tcp 0
                        15:32:06.952081 IP 74.125.239.14.443 > 192.168.0.2.42534: tcp 65
                        15:32:06.952411 IP 74.125.239.14.443 > 192.168.0.2.42534: tcp 45
                        15:32:06.952612 IP 192.168.0.2.42534 > 74.125.239.14.443: tcp 0
                        15:32:06.952732 IP 74.125.239.14.443 > 192.168.0.2.42534: tcp 0
                        15:32:06.952848 IP 192.168.0.2.42534 > 74.125.239.14.443: tcp 0
                        15:32:06.997880 IP 74.125.129.84.443 > 192.168.0.2.50950: tcp 0
                        15:32:07.020887 IP 192.168.0.2 > 192.168.0.50: ICMP echo request, id 60499, seq 57350, length 44
                        15:32:07.022216 IP 192.168.0.50 > 192.168.0.2: ICMP echo reply, id 60499, seq 57350, length 44
                        15:32:07.022828 IP 74.125.224.89.443 > 192.168.0.2.49948: tcp 0
                        15:32:07.124205 IP 74.125.239.14.443 > 192.168.0.2.42534: tcp 0
                        15:32:08.020887 IP 192.168.0.2 > 192.168.0.50: ICMP echo request, id 60499, seq 57606, length 44
                        15:32:08.022235 IP 192.168.0.50 > 192.168.0.2: ICMP echo reply, id 60499, seq 57606, length 44
                        15:32:08.222384 IP 80.73.4.1.63144 > 192.168.0.2.53: UDP, length 48
                        15:32:08.248429 IP 80.73.4.1.25708 > 192.168.0.2.53: UDP, length 48
                        15:32:08.251729 IP 80.73.4.1.25328 > 192.168.0.2.53: UDP, length 48
                        15:32:08.256460 IP 80.73.4.1.21083 > 192.168.0.2.53: UDP, length 48
                        15:32:08.259361 IP 80.73.4.1.52333 > 192.168.0.2.53: UDP, length 48
                        15:32:08.281641 IP 80.73.4.1.63732 > 192.168.0.2.53: UDP, length 48
                        15:32:09.020886 IP 192.168.0.2 > 192.168.0.50: ICMP echo request, id 60499, seq 57862, length 44
                        15:32:09.022223 IP 192.168.0.50 > 192.168.0.2: ICMP echo reply, id 60499, seq 57862, length 44
                        15:32:09.069953 IP 192.168.0.2.51754 > 117.20.45.131.443: tcp 34
                        15:32:09.321877 IP 117.20.45.131.443 > 192.168.0.2.51754: tcp 34
                        15:32:09.322050 IP 192.168.0.2.51754 > 117.20.45.131.443: tcp 0
                        15:32:09.450342 IP 74.125.239.31.443 > 192.168.0.2.36462: tcp 65
                        15:32:09.453065 IP 74.125.239.31.443 > 192.168.0.2.36462: tcp 45
                        15:32:09.453207 IP 192.168.0.2.36462 > 74.125.239.31.443: tcp 0
                        15:32:09.453418 IP 192.168.0.2.36462 > 74.125.239.31.443: tcp 0
                        15:32:09.453450 IP 74.125.239.31.443 > 192.168.0.2.36462: tcp 0
                        15:32:09.453503 IP 192.168.0.2.36462 > 74.125.239.31.443: tcp 0
                        15:32:09.618327 IP 74.125.239.31.443 > 192.168.0.2.36462: tcp 0
                        15:32:09.709451 IP 80.73.4.1.39502 > 192.168.0.2.53: UDP, length 48
                        15:32:09.714635 IP 80.73.4.1.54104 > 192.168.0.2.53: UDP, length 48
                        15:32:09.731944 IP 80.73.4.1.33951 > 192.168.0.2.53: UDP, length 48
                        15:32:09.740454 IP 80.73.4.1.11774 > 192.168.0.2.53: UDP, length 48
                        15:32:09.759855 IP 80.73.4.1.14301 > 192.168.0.2.53: UDP, length 48
                        15:32:09.762640 IP 80.73.4.1.34165 > 192.168.0.2.53: UDP, length 48
                        
                        

I checked my website and the DNS still isn't found when going via pfSense. It works when the old router is used, so, as you said pfSense won't stop DNS with my settings, maybe the website needs some settings adjusted.

                        The TeamViewer ID is the same as yesterday.
                        The TeamViewer password is: 2046 today.

johnpoz (LAYER 8 Global Moderator):

                          "so maybe the website needs some settings adjusted."

No, it would not be your website - but yes, the box/VM it runs on. What is the gateway of that machine? From our session the other day, before I had to run to work, it was clear that pfSense was forwarding traffic to the IP you say is your DNS, .163 - but there were no answers from that machine.

And from the VM I was on, I could not query that local IP for DNS. But since I could ping it?? Not sure if it was pinging a NAT or not, since the VM was on a 10.x address and your DNS is on a 192.168.1 address.

As I asked you in the chat from the last TV session - show me a DNS query from something on your network that can talk to your nameserver. 'Cuz pfSense is clearly forwarding the traffic to it. But there were no answers from it.


eiger3970:

                            So, I disconnected the Switch and connected pfSense LAN direct to the server.
                            I used another Internet connection to try to bring up the website (default gateway 192.168.1.180 to old router settings) and nothing. The VoIP phone (default gateway 192.168.1.155 to pfSense LAN) also on the server didn't work.

                            I connected pfSense LAN back into the Switch and the server's cable from the switch back into the server and my LAN was able to ping it and the VoIP phone (default gateway 192.168.1.155 to pfSense LAN) worked, but website (default gateway 192.168.1.180 to old router settings) still won't show via pfSense.

johnpoz (LAYER 8 Global Moderator):

Dude, I have been busy with RL the last few days - this is NOT freaking rocket science. When I was on your system your nameserver, what you keep calling Virtualmin, was NOT answering a query from your own local network. So nothing that we do on pfSense is going to fix that.

Virtualmin is just some freaking software to help host websites for clients. It does NOT provide DNS - your underlying DNS software would do that - I would assume BIND if running on Linux.

                              http://www.virtualmin.com/
                              Install your Operating System

                              Start with a freshly installed, Grade A supported Operating System on your server or VPS. CentOS and Ubuntu LTS are popular OS's for hosting..

So let's forget that, let's forget using it to troubleshoot basic network and applications. Does the OS you're running Virtualmin on point to pfSense for a gateway, for starters? Is BIND running, for another - where is a query from a box on the 192.168 local network of yours doing a query to your nameserver??

Also - I am more than happy to help. But give me something on the actual network your nameserver is on - not some VM behind a NAT on some 10.x network.

Let's schedule a time tomorrow maybe? I am home all day and happy to TeamViewer in and get this working. But need some basics to work. So whatever OS we are going to use for TV - the mouse has to work. Let's not do a VM running on a VM, running on some other VM software under a VM ;)

Do you not have a hard machine on the same network as your pfSense LAN and your nameserver? There should be no problem with it being Linux based - but I think the problem is the nested VMs I believe you were using. And whatever OS your Virtualmin is running on, we are going to need access to that - be it SSH, be it remote desktop, be it another TV session - but I am not going to troubleshoot Virtualmin in this situation since it has NOTHING to do with the actual problem.


eiger3970:

                                Hi, yes, CentOS Linux 6.4 is using BIND.

                                I checked CentOS and the network configuration is:
                                Address: 192.168.1.163.
                                Netmask: 255.255.255.0.
                                Gateway: 192.168.1.155.
DNS: 192.168.1.180.

                                I changed the DNS to 8.8.8.8.

                                So yes, CentOS is pointing automatically to pfSense's LAN 192.168.1.155.

Happy for some online work. I have an updated TV, so that might help with the mouse click problem, which was on a real machine (only the 2nd time I went to a VM to try and fix the mouse click problem, which it did (but caused the network issue on 10.x.x.x)).

                                I'm online in about 30 minutes.

johnpoz (LAYER 8 Global Moderator):

So why would a DNS server running BIND not point to itself for DNS? Is BIND not allowing recursion? Why would you not point it to pfSense if that is the case - how are you going to resolve your own local domain pointing to 8.8.8.8?

So can you query your BIND server and resolve your domain now? Because I couldn't last time I was on your network. So let's see your query - because if that works then it will work from the outside, since the pfSense port forwards are set up and we saw the traffic being sent to your .163 address via the sniff on the pfSense LAN, remember.


eiger3970:

I'm getting a bit confused with all the settings now, with the pfSense router and the Proxmox server with Virtualmin (and Virtualmin running off CentOS (CentOS then having its own DNS settings)).

                                    So I changed the CentOS DNS from 192.168.1.180 to 8.8.8.8 and now to 192.168.1.155.

                                    Website still not showing.

johnpoz (LAYER 8 Global Moderator):

ARGGH dude, what that box uses for DNS has NOTHING to do with your issue.

You're running BIND as you stated; this hosts up your domain.tld, and it is not answering a simple query from a computer on the same network as it.

Say 192.168.1.162 - so how does pfSense have anything to do with it?

So my local domain is local.lan -- if I ask my DNS server for a simple A record, let's call it my printer, I call brother.local.lan:

C:\>nslookup
                                      Default Server:  pfsense.local.lan 
                                      Address:  192.168.1.253

                                      brother.local.lan               
                                      Server:  pfsense.local.lan         
                                      Address:  192.168.1.253

                                      Name:    brother.local.lan         
                                      Address:  192.168.2.50

See how I get a response. So on your network, do a simple nslookup for a record that should be there, say www.yourdomain.tld.

Do you get a response?? If NOT, then nothing you do on pfSense or the rest of your network is going to fix that. That is a problem with BIND running on your host: is it even running? Have you looked in its log? Does this CentOS box have a local host firewall? etc.. etc..

                                      You need to fix that before we have to worry about people on the internet being able to resolve www.yourdomain.tld.

See attached - I am on my workstation on the 192.168.1.0/24 network; my DNS (pfSense in this case) has a record for all my local devices in the local.lan domain. If I query it for a record, it answers. Let's see this from your workstation doing a query to your .163 server running BIND. You can change the host you query via the server command in nslookup. So make sure you change server to your .163 address and do a query for records you created in yourdomain.

                                      Let us see these queries!!  Then if not working from the internet I will be happy to TV in again and take a look at your forwards.  But they were working last time I was in.

                                      If you're using dig, you can do the same sort of command with @serverIP fqdn:

                                      C:>dig @4.2.2.2 www.pfsense.org

                                      ; <<>> DiG 9.9.5-W1 <<>> @4.2.2.2 www.pfsense.org                   
                                      ; (1 server found)                                                   
                                      ;; global options: +cmd                                             
                                      ;; Got answer:                                                       
                                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56986           
                                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

                                      ;; OPT PSEUDOSECTION:                                               
                                      ; EDNS: version: 0, flags:; udp: 4096                               
                                      ;; QUESTION SECTION:                                                 
                                      ;www.pfsense.org.              IN      A

                                      ;; ANSWER SECTION:                                                   
                                      www.pfsense.org.        1800    IN      A      192.207.126.26

                                      ;; Query time: 221 msec                                             
                                      ;; SERVER: 4.2.2.2#53(4.2.2.2)                                       
                                      ;; WHEN: Wed Feb 26 07:54:13 Central Standard Time 2014             
                                      ;; MSG SIZE  rcvd: 60

                                      Attachments: simplequery.png, changeserver.png

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      • E
                                        eiger3970
                                        last edited by

                                        Yes, I have checked that the BIND server is running.

                                        Here are the results:

                                        
                                        192.168.1.120 > Terminal > nslookup www.domain.tld
                                        Server:		8.8.8.8
                                        Address:	8.8.8.8#53
                                        ** server can't find www.domain.tld: SERVFAIL
                                        
                                        192.168.1.120 > Terminal > dig www.domain.tld
                                        ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> www.domain.tld
                                        ;; global options: +cmd
                                        ;; Got answer:
                                        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63678
                                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                                        
                                        ;; OPT PSEUDOSECTION:
                                        ; EDNS: version: 0, flags:; udp: 512
                                        ;; QUESTION SECTION:
                                        ;www.domain.tld.		IN	A
                                        
                                        ;; Query time: 3177 msec
                                        ;; SERVER: 8.8.8.8#53(8.8.8.8)
                                        ;; WHEN: Sat Mar 01 15:37:10 EST 2014
                                        ;; MSG SIZE  rcvd: 48
                                        
                                        192.168.1.163 > Terminal > nslookup www.sk8parks.org.au
                                        Server:		192.168.1.155
                                        Address:	192.168.1.155#53
                                        ** server can't find www.domain.tld: NXDOMAIN
                                        
                                        192.168.1.163 > Terminal > dig www.domain.tld
                                        ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.domain.tld
                                        ;; global options: +cmd
                                        ;; Got answer:
                                        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52297
                                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
                                        
                                        ;; QUESTION SECTION:
                                        ;www.domain.tld.		IN	A
                                        
                                        ;; Query time: 3192 msec
                                        ;; SERVER: 192.168.1.155#53(192.168.1.155)
                                        ;; WHEN: Sat Mar  1 15:41:56 2014
                                        ;; MSG SIZE  rcvd: 37
                                        
                                        
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          ARRRGGHHHH!!!!!

                                          Query your freaking BIND server: does it return an answer??

                                          How hard is that to understand – I have stated it like a million times already.  You query Google and pfSense..  WTF?? From the DNS box itself even??

                                          Neither of those are going to work - because your BIND server is Not Answering!!

                                          dig @192.168.1.163 www.sk8parks.org.au

                                          or nslookup

                                          server 192.168.1.163
                                          www.sk8parks.org.au

                                          If your BIND server does not respond, since that is where you point to for this sk8parks.org.au, then no other DNS server on the planet is going to resolve sk8parks.org.au..  And that has nothing to do with port forwarding or pfSense.


                                          • E
                                            eiger3970
                                            last edited by

                                            Thank you for the clarification.
                                            I think the results are showing that from my computer 192.168.1.120, I can connect to BIND.

                                            
                                            192.168.1.120 ~ $ dig @192.168.1.163 www.domain.tld
                                            
                                            ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @192.168.1.163 www.domain.tld
                                            ; (1 server found)
                                            ;; global options: +cmd
                                            ;; Got answer:
                                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31480
                                            ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
                                            
                                            ;; OPT PSEUDOSECTION:
                                            ; EDNS: version: 0, flags:; udp: 4096
                                            ;; QUESTION SECTION:
                                            ;www.domain.tld.		IN	A
                                            
                                            ;; ANSWER SECTION:
                                            www.domain.tld.	38400	IN	A	xxx.xxx.xxx.xx
                                            
                                            ;; AUTHORITY SECTION:
                                            domain.tld.	38400	IN	NS	localhost.localdomain.
                                            
                                            ;; ADDITIONAL SECTION:
                                            localhost.localdomain.	86400	IN	A	127.0.0.1
                                            localhost.localdomain.	86400	IN	AAAA	::1
                                            
                                            ;; Query time: 3 msec
                                            ;; SERVER: 192.168.1.163#53(192.168.1.163)
                                            ;; WHEN: Mon Mar 03 10:02:26 EST 2014
                                            ;; MSG SIZE  rcvd: 143
                                            
                                            192.168.1.120 ~ $ nslookup
                                            > server 192.168.1.163
                                            Default server: 192.168.1.163
                                            Address: 192.168.1.163#53
                                            > www.domain.tld
                                            Server:		192.168.1.163
                                            Address:	192.168.1.163#53
                                            
                                            Name:	www.domain.tld
                                            Address: xxx.xxx.xxx.xx
                                            
                                            
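The check johnpoz keeps asking for (query the .163 BIND server directly, as dig @server does) together with the fields worth reading in the last reply's output (status, the aa flag, and an authority NS record that points at localhost.localdomain), as an added example that is not from the thread: a stdlib-only Python script that builds the query, parses the reply and gives a verdict. It assumes UDP port 53 on the target is reachable; the names and the 203.0.113.10 address in the test are constructed.

```python
import socket, struct
# Added example, not the thread's own code: query a DNS server directly, as "dig @server name" does, and read what dig prints (status, aa flag, A answers, authority NS names).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """RFC 1035 A/IN query: RD set, one question, no EDNS."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    n = msg[off]
    if n == 0:
        return "", off + 1
    if n & 0xC0 == 0xC0:                           # pointer: the name lives elsewhere in msg
        return read_name(msg, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF)[0], off + 2
    rest, end = read_name(msg, off + 1 + n)
    return msg[off + 1:off + 1 + n].decode() + "." + rest, end

def parse_response(msg):
    """Return rcode, aa flag, A answers and authority NS names of a response."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", msg[:12])
    off, answers, auth = 12, [], []
    for _ in range(qd):                            # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for i in range(an + ns):                       # answer RRs, then authority RRs
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if i < an and rtype == 1:                  # A record in the answer section
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        elif i >= an and rtype == 2:               # NS record in the authority section
            auth.append(read_name(msg, off)[0])
        off += rdlen
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "aa": bool(flags & 0x0400), "answers": answers, "authority_ns": auth}

def diagnose(r):
    if r["rcode"] in ("REFUSED", "SERVFAIL"):      # the REFUSED/SERVFAIL replies shown in the thread
        return "server does not answer for this zone: fix BIND first"
    if not r["aa"]:
        return "non-authoritative answer: this is not the zone's master"
    if any(n.startswith("localhost.") for n in r["authority_ns"]):
        return "zone NS points at localhost: delegation cannot work"
    return "authoritative answer: " + ", ".join(r["answers"])

def query_server(server_ip, name, timeout=3.0):
    """UDP query to server_ip:53, the equivalent of dig @server_ip name."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return parse_response(s.recvfrom(4096)[0])
```

Run `diagnose(query_server("192.168.1.163", "www.domain.tld"))` from a LAN host to get the same verdict the thread reaches by reading dig output by hand.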
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.