Solved BIND 9.16.31 - Issues

I am at a loss guys.

My nameserver stopped working for no apparent reason. I have BIND running in a jail, and it handles dynamic DNS with my PFsense firewall.

Everything seems to be working except for general queries. I have some master zones that resolve just fine, and the DDNS updates look like they are being applied properly, but for whatever reason I cannot resolve cnn.com through the nameserver.

This is what I see:

Code:
vic@overkill:pts/0->/home/vic (0)
> nslookup cnn.com
;; Got SERVFAIL reply from 192.168.0.3, trying next server

The logs show:

Code:
root@ns1:/ # tail -f /var/log/bind/general | grep cnn
30-Aug-2022 19:11:26.081 client @0x80780f758 192.168.0.3#47046 (cnn.com): query failed (tsig verify failure) for cnn.com/IN/A at query.c:7380
30-Aug-2022 19:11:26.146 client @0x80780f758 192.168.0.3#18605 (cnn.com): query failed (tsig verify failure) for cnn.com/IN/AAAA at query.c:7380

Domain I am authoritative for:

Code:
root@ns1:/ # nslookup yeaguy.com
Server:         192.168.0.3
Address:        192.168.0.3#53

Name:   yeaguy.com
Address: 192.168.10.3

The configuration:

Code:
root@ns1:/usr/local/etc/namedb # vi named.conf
// $FreeBSD: branches/2021Q1/dns/bind916/files/named.conf.in 443607 2017-06-14 22:54:43Z mat $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
// Previous definition, kept commented out: it named the key as "rndc-key."
// (trailing dot); the active line below uses the bare name, which presumably
// matches the key statement in the included rndc.key — verify, since a name
// mismatch here would make the key element never match.
#acl "allowed"  { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; 192.168.0.0/16; 127.0.3.1; key rndc-key.; };
// "allowed" is referenced by allow-recursion and allow-transfer in the options
// block. Listing "key rndc-key" here lets any request signed with the rndc
// control-channel key match the ACL, so the control key also authorizes
// recursion and (together with its explicit entry in allow-transfer) zone
// transfers. Better practice is to reserve rndc-key for the controls statement
// and use a separate TSIG key (for example the one in host1-host3.key, included
// below) for transfers and updates. Note also that 192.168.1.0/24 is already
// covered by 192.168.0.0/16.
acl "allowed"  { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; 192.168.0.0/16; 127.0.3.1; key rndc-key; };

// Shared secrets; both files should be readable only by the user named runs as.
// rndc.key supplies rndc-key for the controls block. host1-host3.key is
// presumably the TSIG key for the DDNS updates, but nothing in the visible part
// of this file references it — confirm it is used by the zone statements.
include "/usr/local/etc/namedb/rndc.key";
include "/usr/local/etc/namedb/host1-host3.key";

// Superseded controls block, kept for reference: its 192.168.0.3 channel
// admitted rndc from 192.168.1.54 instead of localhost.
#controls {
#        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
#        inet 127.0.3.1 allow { localhost; } keys { "rndc-key"; };
#        inet 192.168.0.3 allow { 192.168.1.54; } keys { "rndc-key"; };
#};

// Active rndc control channels, all authenticated with rndc-key.
// The 192.168.0.3 listener is bound to the LAN-facing address but admits only
// "localhost", so the remote rndc access the commented block set up for
// 192.168.1.54 is no longer possible through it; if remote control is not
// required, dropping this listener keeps the control port off the LAN address.
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
        inet 127.0.3.1 allow { localhost; } keys { "rndc-key"; };
        inet 192.168.0.3 allow { localhost; } keys { "rndc-key"; };
};



options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version "no";



// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
        listen-on       { 192.168.0.3; 127.0.3.1; };
        #allow-query     { any; };
        recursion yes;
        allow-recursion { allowed; };
        #allow-transfer { !{ !allowed; any; }; key rndc-key. ;};
        allow-transfer { !{ !allowed; any; }; key rndc-key ;};
        dnssec-enable no;   # Just trying to get rid of the TSIG errors
        dnssec-validation no;  # Just trying to get rid of the TSIG errors


// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.

        forwarders {
                192.168.10.69;
        };

I have tried to troubleshoot and research this as best I can, but I am coming up empty, so I am asking the pros.

Thanks.
 
This can be closed. I figured it out. It has something to do with the PFsense DNS Server Settings: when I remove the PFsense IP as a forwarder, I have no issues.
 