BIND forwarding is not working

Scissorfish · Dec 1, 2015, 2:27 PM

Hello
I've been using pfSense & BIND for a long time already since 2.1 release and it worked well until I was forced to reinstall my pfSense from scratch due to hardware failure in our branch office.
Installed latest v2.2.5 (x64), restored backup as usual and replaced faulty router, but then I was unpleasantly surprised that BIND isn't working as it should :(
have these in logs after using Diagnostics: DNS Lookup:
named[74061]: query-errors: debug 1: client 127.0.0.1#15093 (google.com): view any: query failed (SERVFAIL) for google.com/IN/A at query.c:6217
local zone resolving works well, but recursion is broken completely.

My setup isn't complex, Lanner FW-7541, 1 WAN & 4 LAN. BIND hosts 3 local zones and works as forwarder.
I began to investigate the problem and did some test installs and that's what I've found:

doing fresh install on another hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, restored from backup - FORWARDING IS NOT WORKING
all local zones are working well
fresh install on same hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, basic BIND setup (enabled BIND, configured forwarders, enabled logging, no zones) - FORWARDING IS WORKING
same as 2) but additionally added 1 test zone - FORWARDING IS NOT WORKING
error is the same as above, local zone resolves well
deleted test zone in BIND - FORWARDING IS NOT WORKING
same error
deleted BIND completely, enabled DNS forwarder service and changed System -> General setup -> DNS server to external IP - WORKING
reinstalled BIND package, disabled DNS forwarder, enabled BIND - FORWARDING IS NOT WORKING

Struggling with this for a week already… tried a bunch of hardware in combination with older versions of pfSense - still no go. :'(
Any ideas, guys?

doktornotor · Nov 29, 2015, 10:38 AM

@Scissorfish:

fresh install on same hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, basic BIND setup (enabled BIND, configured forwarders, enabled logging, no zones) - RECURSION IS WORKING

same as 2) but additionally added 1 test zone - RECURSION IS NOT WORKING

So clearly you are breaking it with your configuration. How? No idea, because instead of posting the configuration, you told us about 50 times that RECURSION IS NOT WORKING…

johnpoz · Nov 29, 2015, 3:13 PM

With dok here, all I can say is click click and RECURSION IS WORKING

So I fired up a new pfsense 2.2.5 vm.. Went thru wizard, installed the open-vm-tools, and bind package. I then turned off resolver that is on by default in pfsense. Took the 10 seconds it took to run through a basic setup of bind, bing bang zoom it resolves my local zone I created and does recursion just fine.. So why don't you post up some actual details of your config and we can figure out what you did wrong.

Scissorfish · Nov 30, 2015, 8:26 AM

@doktornotor:

@Scissorfish:

fresh install on same hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, basic BIND setup (enabled BIND, configured forwarders, enabled logging, no zones) - RECURSION IS WORKING

same as 2) but additionally added 1 test zone - RECURSION IS NOT WORKING

So clearly you are breaking it with your configuration. How? No idea, because instead of posting the configuration, you told us about 50 times that RECURSION IS NOT WORKING…

just read next one in my list

4) deleted test zone in BIND - RECURSION IS NOT WORKING
same error

doktornotor · Nov 30, 2015, 10:10 AM

Good luck with repeating "RECURSION IS NOT WORKING" hundred more times… ::)

Scissorfish · Nov 30, 2015, 11:38 AM

@doktornotor:

Good luck with repeating "RECURSION IS NOT WORKING" hundred more times… ::)

step by step video
http://sendvid.com/9eidvwdm
https://www.youtube.com/watch?v=cdSBgQWZIkM

johnpoz · Nov 30, 2015, 6:44 PM

So you want me to watch a 12 min video.. of you testing the dns resolver?? What does that have to do with BIND??

If you want help.. post up some screenshots of your config and your query results… See what I posted - took all of like a minute to put together an post up..

Scissorfish · Nov 30, 2015, 7:54 PM

@johnpoz:

So you want me to watch a 12 min video.. of you testing the dns resolver?? What does that have to do with BIND??

If you want help.. post up some screenshots of your config and your query results… See what I posted - took all of like a minute to put together an post up..

it's hard for you to watch the video where I illustrated that bug with BIND step by step and with every my config's showing up?

awebster · Nov 30, 2015, 8:19 PM

@Scissorfish:

@johnpoz:

So you want me to watch a 12 min video.. of you testing the dns resolver?? What does that have to do with BIND??

If you want help.. post up some screenshots of your config and your query results… See what I posted - took all of like a minute to put together an post up..

it's hard for you to watch the video where I illustrated that bug with BIND step by step and with every my config's showing up?

Dude, the first second of your video clearly shows that you are using a 192.168 address on your WAN side. That tells me there is other equipment between pfSense and the "real" Internet.
Obviously, if recursion really didn't work, the thousands of users that use pfSense every day would all be complaining. Since there is only one person complaining, logically the problem lies in your setup.

Scissorfish · Nov 30, 2015, 9:44 PM

@awebster:

Dude, the first second of your video clearly shows that you are using a 192.168 address on your WAN side. That tells me there is other equipment between pfSense and the "real" Internet.
Obviously, if recursion really didn't work, the thousands of users that use pfSense every day would all be complaining. Since there is only one person complaining, logically the problem lies in your setup.

yes, I'm using private ips on my test setup, but the original hardware has real ip and problem still occurs, so it's definitely not the addressing issue
I didn't said that pfSenses recursion isn't working, I was just saying that BIND RECURSION ISN'T WORKING AS IT SHOULD!

Again:

I did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
Disabled pfSenses build-in dns resolver & forwarder.
General setup -> dns servers -> 127.0.0.1
BIND -> enable forwarding - checked
forwarder IPs -> 192.168.64.1;192.168.64.2;
WORKING FLAWLESSLY

But when I created a test zone (straight & reverse) then BIND immediately STOPS to forward dns requests to upstream servers with aforementioned error in logs.
And even if (as you suggested above) my zones were set up incorrectly, then why the heck BIND still refuses to forward requests when I completely deleted all of my zones?!

P.S. I'm not at work right now, so can't post any configs so if you want something specific - request it and I'll post it later

johnpoz · Nov 30, 2015, 10:33 PM

Dude your video wasn't even using BIND!!! Sorry but I don't have time to sit through a 12 minute blurry video of someone tooling around different setting in pfsense and having to pause the video to try and look over the config and then its so shitty quality that hard to make out specific details like exact IP for example you were setting dns other than they where .2 and .3 something and started with 192.168..

As I showed you it took me all of like 30 seconds to get bind up and running.. This really is point and click if its not working for you your doing something wrong.. Are you not creating your views, are you not setting who can query your local zone? I posted up my configs - lets see your configs.. And then maybe we can spot what you missed… But NO I am not going to attempt to gather that info from some 12 min video sorry!

doktornotor · Nov 30, 2015, 10:37 PM

I certainly do NOT have time to watch videos. All I can say it's critical to set up views properly when configuring this (you can also use the fine search box here to get the same experience from others).

Other than that, it just works.

Scissorfish · Dec 1, 2015, 9:45 AM

@doktornotor:

I certainly do NOT have time to watch videos. All I can say it's critical to set up views properly when configuring this (you can also use the fine search box here to get the same experience from others).

Other than that, it just works.

well, you asked for pictures, so here they are

![bind logs.jpg](/public/imported_attachments/1/bind logs.jpg)
![bind logs.jpg_thumb](/public/imported_attachments/1/bind logs.jpg_thumb)

![test pc.JPG](/public/imported_attachments/1/test pc.JPG)
![test pc.JPG_thumb](/public/imported_attachments/1/test pc.JPG_thumb)

doktornotor · Dec 1, 2015, 9:54 AM

So you tick forwarding and wonder why recursion is not working?!?! Did you read the description under that option?!!?!? That ain't Bind on pfSense refusing to do the recursion. Debug the 192.168.x.x you entered there (or untick the checkbox!).

Scissorfish · Dec 1, 2015, 11:16 AM

@doktornotor:

So you tick forwarding and wonder why recursion is not working?!?! Did you read the description under that option?!!?!? That ain't Bind on pfSense refusing to do the recursion. Debug the 192.168.x.x you entered there (or untick the checkbox!).

64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers

doktornotor · Dec 1, 2015, 11:25 AM

@Scissorfish:

64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers

Dude. May I suggest to read the fine description of the forwarding checkbox once again? Bind will NOT perform any recursion when set up as forwarder. Period.

Scissorfish · Dec 1, 2015, 12:13 PM

@doktornotor:

@Scissorfish:

64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers

Dude. May I suggest to read the fine description of the forwarding checkbox once again? Bind will NOT perform any recursion when set up as forwarder. Period.

You are absolutely right. It seems that we have a misunderstanding. I really meant forwarding when I was speaking about recursion… my bad

Now, concerning my setup:
BIND should serve lan1 zone and FORWARD all other requests to our upper dns servers (192.168.64.1;192.168.64.2;)
But it doesn't work >:(

doktornotor · Dec 1, 2015, 1:13 PM

And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?

Scissorfish · Dec 1, 2015, 2:01 PM

@doktornotor:

And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?

All these dns servers are working. As I said before, BIND works well, until I add any zone, check pictures I posted
and even if I delete all zones, it still doesn't work ;(
BUT if I disable BIND and turn on built-in dns forwarder - everything begins to work instantly

@Scissorfish:

I did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
Disabled pfSenses build-in dns resolver & forwarder.
General setup -> dns servers -> 127.0.0.1
BIND -> enable forwarding - checked
forwarder IPs -> 192.168.64.1;192.168.64.2;
WORKING FLAWLESSLY

But when I created a test zone (straight & reverse) then BIND immediately STOPS to forward dns requests to upstream servers with aforementioned error in logs.

doktornotor · Dec 1, 2015, 2:16 PM

Good luck. You need to answer the questions asked and perform some logical troubleshooting, instead of repeating over and over and over and over and over again how bind does not work. Waste of time. You have already told us zillion times that it doesn't work, that's absolutely USELESS "information". ::)