BIND forwarding is not working



  • Hello
    I've been using pfSense & BIND for a long time already since 2.1 release and it worked well until I was forced to reinstall my pfSense from scratch due to hardware failure in our branch office.
    Installed latest v2.2.5 (x64), restored backup as usual and replaced faulty router, but then I was unpleasantly surprised that BIND isn't working as it should :(
    have these in logs after using Diagnostics: DNS Lookup:
    named[74061]: query-errors: debug 1: client 127.0.0.1#15093 (google.com): view any: query failed (SERVFAIL) for google.com/IN/A at query.c:6217
    local zone resolving works well, but recursion is broken completely.

    My setup isn't complex, Lanner FW-7541, 1 WAN & 4 LAN. BIND hosts 3 local zones and works as forwarder.
    I began to investigate the problem and did some test installs and that's what I've found:

    1. doing fresh install on another hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, restored from backup - FORWARDING IS NOT WORKING
      all local zones are working well

    2. fresh install on same hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, basic BIND setup (enabled BIND, configured forwarders, enabled logging, no zones) - FORWARDING IS WORKING

    3. same as 2) but additionally added 1 test zone - FORWARDING IS NOT WORKING
      error is the same as above, local zone resolves well

    4. deleted test zone in BIND - FORWARDING  IS NOT WORKING
      same error

    5. deleted BIND completely, enabled DNS forwarder service and changed System -> General setup -> DNS server to external IP - WORKING

    6. reinstalled BIND package, disabled DNS forwarder, enabled BIND - FORWARDING IS NOT WORKING

    Struggling with this for a week already… tried a bunch of hardware in combination with older versions of pfSense - still no go. :'(
    Any ideas, guys?


  • Banned

    @Scissorfish:

    1. fresh install on same hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, basic BIND setup (enabled BIND, configured forwarders, enabled logging, no zones) - RECURSION IS WORKING
    2. same as 2) but additionally added 1 test zone - RECURSION IS NOT WORKING

    So clearly you are breaking it with your configuration. How? No idea, because instead of posting the configuration, you told us about 50 times that RECURSION IS NOT WORKING…


  • Rebel Alliance Global Moderator

    With dok here, all I can say is click click and RECURSION IS WORKING

    So I fired up a new pfsense 2.2.5 vm.. Went thru wizard, installed the open-vm-tools, and bind package.  I then turned off resolver that is on by default in pfsense.  Took the 10 seconds it took to run through a basic setup of bind, bing bang zoom it resolves my local zone I created and does recursion just fine..  So why don't you post up some actual details of your config and we can figure out what you did wrong.








  • @doktornotor:

    @Scissorfish:

    1. fresh install on same hardware, pfSense v2.2.5 (x64), BIND 0.4.1, same amount of interfaces, basic BIND setup (enabled BIND, configured forwarders, enabled logging, no zones) - RECURSION IS WORKING
    2. same as 2) but additionally added 1 test zone - RECURSION IS NOT WORKING

    So clearly you are breaking it with your configuration. How? No idea, because instead of posting the configuration, you told us about 50 times that RECURSION IS NOT WORKING…

    just read next one in my list

    4) deleted test zone in BIND - RECURSION IS NOT WORKING
    same error


  • Banned

    Good luck with repeating "RECURSION IS NOT WORKING" hundred more times…  ::)



  • @doktornotor:

    Good luck with repeating "RECURSION IS NOT WORKING" hundred more times…  ::)

    step by step video
    http://sendvid.com/9eidvwdm
    https://www.youtube.com/watch?v=cdSBgQWZIkM


  • Rebel Alliance Global Moderator

    So you want me to watch a 12 min video.. of you testing the dns resolver??  What does that have to do with BIND??

    If you want help.. post up some screenshots of your config and your query results… See what I posted - took all of like a minute to put together an post up..



  • @johnpoz:

    So you want me to watch a 12 min video.. of you testing the dns resolver??  What does that have to do with BIND??

    If you want help.. post up some screenshots of your config and your query results… See what I posted - took all of like a minute to put together an post up..

    it's hard for you to watch the video where I illustrated that bug with BIND step by step and with every my config's showing up?



  • @Scissorfish:

    @johnpoz:

    So you want me to watch a 12 min video.. of you testing the dns resolver??  What does that have to do with BIND??

    If you want help.. post up some screenshots of your config and your query results… See what I posted - took all of like a minute to put together an post up..

    it's hard for you to watch the video where I illustrated that bug with BIND step by step and with every my config's showing up?

    Dude, the first second of your video clearly shows that you are using a 192.168 address on your WAN side.  That tells me there is other equipment between pfSense and the "real" Internet. 
    Obviously, if recursion really didn't work, the thousands of users that use pfSense every day would all be complaining.  Since there is only one person complaining, logically the problem lies in your setup.



  • @awebster:

    Dude, the first second of your video clearly shows that you are using a 192.168 address on your WAN side.  That tells me there is other equipment between pfSense and the "real" Internet. 
    Obviously, if recursion really didn't work, the thousands of users that use pfSense every day would all be complaining.  Since there is only one person complaining, logically the problem lies in your setup.

    1. yes, I'm using private ips on my test setup, but the original hardware has real ip and problem still occurs, so it's definitely not the addressing issue
    2. I didn't said that pfSenses recursion isn't working, I was just saying that BIND RECURSION ISN'T WORKING AS IT SHOULD!

    Again:

    I did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
    Disabled pfSenses build-in dns resolver & forwarder.
    General setup -> dns servers -> 127.0.0.1
    BIND -> enable forwarding - checked
    forwarder IPs -> 192.168.64.1;192.168.64.2;
    WORKING FLAWLESSLY

    But when I created a test zone (straight & reverse) then BIND immediately STOPS to forward dns requests to upstream servers with aforementioned error in logs.
    And even if (as you suggested above) my zones were set up incorrectly, then why the heck BIND still refuses to forward requests when I completely deleted all of my zones?!

    P.S. I'm not at work right now, so can't post any configs so if you want something specific - request it and I'll post it later


  • Rebel Alliance Global Moderator

    Dude your video wasn't even using BIND!!!  Sorry but I don't have time to sit through a 12 minute blurry video of someone tooling around different setting in pfsense and having to pause the video to try and look over the config and then its so shitty quality that hard to make out specific details like exact IP for example you were setting dns other than they where .2 and .3 something and started with 192.168..

    As I showed you it took me all of like 30 seconds to get bind up and running..  This really is point and click if its not working for you your doing something wrong..  Are you not creating your views, are you not setting who can query your local zone?  I posted up my configs - lets see your configs.. And then maybe we can spot what you missed…  But NO I am not going to attempt to gather that info from some 12 min video sorry!


  • Banned

    I certainly do NOT have time to watch videos. All I can say it's critical to set up views properly when configuring this (you can also use the fine search box here to get the same experience from others).

    Other than that, it just works.



  • @doktornotor:

    I certainly do NOT have time to watch videos. All I can say it's critical to set up views properly when configuring this (you can also use the fine search box here to get the same experience from others).

    Other than that, it just works.

    well, you asked for pictures, so here they are



















    ![bind logs.jpg](/public/imported_attachments/1/bind logs.jpg)
    ![bind logs.jpg_thumb](/public/imported_attachments/1/bind logs.jpg_thumb)


    ![test pc.JPG](/public/imported_attachments/1/test pc.JPG)
    ![test pc.JPG_thumb](/public/imported_attachments/1/test pc.JPG_thumb)


  • Banned

    So you tick forwarding and wonder why recursion is not working?!?! Did you read the description under that option?!!?!? That ain't Bind on pfSense refusing to do the recursion. Debug the 192.168.x.x you entered there (or untick the checkbox!).



  • @doktornotor:

    So you tick forwarding and wonder why recursion is not working?!?! Did you read the description under that option?!!?!? That ain't Bind on pfSense refusing to do the recursion. Debug the 192.168.x.x you entered there (or untick the checkbox!).

    64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers


  • Banned

    @Scissorfish:

    64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers

    Dude. May I suggest to read the fine description of the forwarding checkbox once again? Bind will NOT perform any recursion when set up as forwarder. Period.



  • @doktornotor:

    @Scissorfish:

    64.1 & 64.2 are our main dns servers. BIND should serve lan1 zone and forward all other requests recursively to these servers

    Dude. May I suggest to read the fine description of the forwarding checkbox once again? Bind will NOT perform any recursion when set up as forwarder. Period.

    You are absolutely right. It seems that we have a misunderstanding. I really meant forwarding when I was speaking about recursion… my bad

    Now, concerning my setup:
    BIND should serve lan1 zone and FORWARD all other requests to our upper dns servers (192.168.64.1;192.168.64.2;)
    But it doesn't work  >:(


  • Banned

    And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?



  • @doktornotor:

    And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?

    All these dns servers are working. As I said before, BIND works well, until I add any zone, check pictures I posted
    and even if I delete all zones, it still doesn't work ;(
    BUT if I disable BIND and turn on built-in dns forwarder - everything begins to work instantly

    @Scissorfish:

    I did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
    Disabled pfSenses build-in dns resolver & forwarder.
    General setup -> dns servers -> 127.0.0.1
    BIND -> enable forwarding - checked
    forwarder IPs -> 192.168.64.1;192.168.64.2;
    WORKING FLAWLESSLY

    But when I created a test zone (straight & reverse) then BIND immediately STOPS to forward dns requests to upstream servers with aforementioned error in logs.


  • Banned

    Good luck. You need to answer the questions asked and perform some logical troubleshooting, instead of repeating over and over and over and over and over again how bind does not work. Waste of time. You have already told us zillion times that it doesn't work, that's absolutely USELESS "information".  ::)



  • @doktornotor:

    Good luck. You need to answer the questions asked and perform some logical troubleshooting, instead of repeating over and over and over and over and over again how bind does not work. Waste of time. You have already told us zillion times that it doesn't work, that's absolutely USELESS "information".  ::)

    I gave you all information I have, what else you want?!
    I even made you a video but you declined to view it!!!


  • Banned

    @doktornotor:

    Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?

    ^^^ Perhaps you could start reading… and perform some common sense troubleshooting, we don't give a damn about repeating how much it doesn't work.



  • @doktornotor:

    ^^^ Perhaps you could start reading… and perform some common sense troubleshooting, we don't give a damn about repeating how much it doesn't work.

    Perhaps YOU should START READING MY POSTS before posting such pearls lol

    @doktornotor:

    And as noted earlier, you should investigate why are those servers not answering the DNS queries… "It doesn't work" ain't a useful description. Do the queries reach your DNS servers? Are those DNS servers set up to allow recursion?

    WHERE DID YOU GET THAT MY DNS SERVERS ARE NOT ACCEPTING DNS QUERIES!?
    did you ever looked at the pictures I posted earlier?! or you @doktornotor:

    I certainly do NOT have time to watch

    them but have so much time to post useless answers instead?

    I said you many times before -

    @Scissorfish:

    All these dns servers are working. As I said before, BIND works well, until I add any zone, check pictures I posted
    and even if I delete all zones, it still doesn't work ;(
    BUT if I disable BIND and turn on built-in dns forwarder - everything begins to work instantly

    @Scissorfish:

    I did a clean&fresh setup of latest pfSense and BIND package. NOTHING ELSE!
    Disabled pfSenses build-in dns resolver & forwarder.
    General setup -> dns servers -> 127.0.0.1
    BIND -> enable forwarding - checked
    forwarder IPs -> 192.168.64.1;192.168.64.2;
    WORKING FLAWLESSLY

    it's BIND WHO DOESN'T ACCEPT QUERIES after configuring views & zones!
    check the pictures I posted ffs!

    P.S. it's definitely VIEWS issue. it just doesn't matter what I'm entering there. Using built-in ACLs, no zones defined:

    recursion -> yes
    match-clients -> any
    allow-recursion -> any
    named[50020]: query-errors: debug 1: client 192.168.83.20#1585 (google.com): view test: query failed (SERVFAIL) for google.com/IN/A at query.c:6217

    recursion -> no
    match-clients -> any
    allow-recursion -> any
    named[78330]: query-errors: debug 1: client 192.168.83.20#2431 (google.com): view test: query failed (SERVFAIL) for google.com/IN/A at query.c:6221

    pfSense can't resolve addresses itself too:
    named[5197]: query-errors: debug 1: client 127.0.0.1#35576 (0.pfsense.pool.ntp.org): view test: query failed (SERVFAIL) for 0.pfsense.pool.ntp.org/IN/AAAA at query.c:6217
    named[41921]: query-errors: debug 1: client 127.0.0.1#42011 (0.pfsense.pool.ntp.org): view test: query failed (SERVFAIL) for 0.pfsense.pool.ntp.org/IN/A at query.c:6221

    Deleting all views and rebooting the pfSense restores BIND forwarding


  • Banned

    $ignore_list++

    WTF really…  ::) >:(


  • Rebel Alliance Global Moderator

    query.c:6217
    query.c:6221

    well you can look at the source code to what those failures are exactly

    not sure if this is same version the package is running, but
    https://github.com/fanf2/bind-9/blob/master/bin/named/query.c

    it doesn't seem like since the line numbers don't actually match up.. .those errors in query.c point to the line number where it failed.  If I recall query.c is when there is an authoritative query..  so way I read those errors is bind is not authoritative for what you asking for..

    For one I really don't like your single labels – its really bad practice to use single label names...

    I would get your authoritative working first...  then try and change to your forwarder mode.. have your local domains working, in bind - then add the forwarders for stuff your not authoritative for.

    this is really simple stuff..  Clickity Clickity..  But I would never in a million years use a single label.. So maybe it doesn't like that? I believe I was leaving bind in resolver mode...  When I get a chance I will fire up that vm I setup again and change it to forward on vs doing actual recursive.  You don't seem to have any A records at all set... So again before you try and forward, why don't you make sure your views and everything else is working for you resolving your stuff your wanting to be authoritative for.. Looks like you want it to add hots from dhcp reservations, etc..  Those should resolve, then set up forwarding.



  • Hi guys, upon searching for a solution to my issue i came across this thread and have to say. I have the exact same problem.

    I installed bind on my pfsense and added a forwarder in the main settings. At this point every request made to my pfsense were perfectly forwarded to the given dns.

    But my intentions was a single zone for my development environment which answers with different ip adresses for the same hostname depending on the source of the request. If the pfsense is asked from wan site it answers with 192.168.0.x and from lan site with 10.47.0.x

    Therefore i created two acls mapping to my networks and two views reflecting these networks. Finally i added my zone twice with different ips. At this point everything works like a charme. If i ask from wan i get a response with a 192 ip and from lan with 10.47.

    But forwarding isn't working anymore. Every request which is not going toward my domain gets: query-errors: debug 1: client 10.47.0.14#36368 (heise.de): view LAN-View: query failed (SERVFAIL) for heise.de/IN/A at query.c:6981

    Do you have any idea what could be the problem?

    Here my generated named.conf

    #Bind pfsense configuration
    #Do not edit this file!!!
    
     key "rndc-key" {
            algorithm hmac-md5;
            secret "ji6Vp5Nw/NtmJS4cQ8Ft4Q==";
     };
    
     controls {
            inet 127.0.0.1 port 953
                    allow { 127.0.0.1; } keys { "rndc-key"; };
     };
    
    options {
            directory "/etc/namedb";
            pid-file "/var/run/named/pid";
            statistics-file "/var/log/named.stats";
            max-cache-size 256M;
            listen-on { 10.47.0.1; 192.168.40.47;  };
            forwarders { 192.168.0.23; };
            dnssec-validation no;
    };
    
    logging {
            channel custom {
                    syslog daemon;
                    print-time no;
                    print-severity yes;
                    print-category yes;
                    severity debug 5;
                    };
            category default { custom; };
            category general { custom; };
            category database { custom; };
            category security { custom; };
            category config { custom; };
            category resolver { custom; };
            category xfer-in { custom; };
            category xfer-out { custom; };
            category notify { custom; };
            category client { custom; };
            category unmatched { custom; };
            category queries { custom; };
            category network { custom; };
            category update { custom; };
            category dispatch { custom; };
            category dnssec { custom; };
            category lame-servers { custom; };
    };
    
    acl "ZSO-Net" {
            192.168.0.0/16;
    };
    
    acl "dgi.dev" {
            10.47.0.0/24;
    };
    
    view "WAN-View" {
            recursion yes;
            match-clients { ZSO-Net; };
            allow-recursion { ZSO-Net; };
    
            zone "dgi.dev" {
                    type master;
                    file "/etc/namedb/master/WAN-View/dgi.dev.DB";
                    allow-query { any; };
                    allow-transfer { any; ZSO-Net; };
                    allow-update { none; };
            };
    
            zone "." {
                    type hint;
                    file "/etc/namedb/named.root";
            };
    
    };
    view "LAN-View" {
            recursion yes;
            match-clients { dgi.dev; };
            allow-recursion { dgi.dev; };
            forwarders {
                           192.168.0.23;
                    };
    
            zone "dgi.dev" {
                    type master;
                    file "/etc/namedb/master/LAN-View/dgi.dev.DB";
                    allow-query { any; };
                    allow-transfer { none; };
                    allow-update { none; };
            };
    
            zone "." {
                    type hint;
                    file "/etc/namedb/named.root";
            };
    
    };
    
    


  • Please try to use the option: forward only;