Solved BIND 9.16.31 - Issues

I am at a loss guys.

My nameserver stopped working for no good reason. I have BIND running in a jail and I have it doing dynamic DNS with my PFsense firewall.

Everything seems to be working except for general queries. I have some master zones that resolve just fine. Looks like the DDNS is being updated properly, but for whatever reason, I cannot resolve from the nameserver.

This is what I see:

vic@overkill:pts/0->/home/vic (0)
> nslookup
;; Got SERVFAIL reply from, trying next server

The logs show:

root@ns1:/ # tail -f /var/log/bind/general | grep cnn
30-Aug-2022 19:11:26.081 client @0x80780f758 ( query failed (tsig verify failure) for at query.c:7380
30-Aug-2022 19:11:26.146 client @0x80780f758 ( query failed (tsig verify failure) for at query.c:7380

Domain I am authoritative for:

root@ns1:/ # nslookup


The configuration:

root@ns1:/usr/local/etc/namedb # vi named.conf
// $FreeBSD: branches/2021Q1/dns/bind916/files/ 443607 2017-06-14 22:54:43Z mat $
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
#acl "allowed"  {;;;;; key rndc-key.; };
acl "allowed"  {;;;;; key rndc-key; };

include "/usr/local/etc/namedb/rndc.key";
include "/usr/local/etc/namedb/host1-host3.key";

#controls {
#        inet allow { localhost; } keys { "rndc-key"; };
#        inet allow { localhost; } keys { "rndc-key"; };
#        inet allow {; } keys { "rndc-key"; };

controls {
        inet allow { localhost; } keys { "rndc-key"; };
        inet allow { localhost; } keys { "rndc-key"; };
        inet allow { localhost; } keys { "rndc-key"; };

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/usr/local/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version "no";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
        listen-on       {;; };
        #allow-query     { any; };
        recursion yes;
        allow-recursion { allowed; };
        #allow-transfer { !{ !allowed; any; }; key rndc-key. ;};
        allow-transfer { !{ !allowed; any; }; key rndc-key ;};
        dnssec-enable no;   # Just trying to get rid of the TSIG errors
        dnssec-validation no;  # Just trying to get rid of the TSIG errors

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver.  To give access to the network, specify
// an IPv6 address, or the keyword "any".
//      listen-on-v6    { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
        disable-empty-zone "";
        disable-empty-zone "";
        disable-empty-zone "";

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.

        forwarders {

I have tried to troubleshoot and research this the best I can but I am coming up empty. So I am asking the pros.

This can be closed. I figured it out. Has something to do with the PFsense DNS Server Settings. When I remove the PFsense IP as a forwarder I have no issues.
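As an added example (not code from the original post), a small Python script that scans BIND 9.16 "general" log lines for the `tsig verify failure` messages seen above, counts them per client address and flags any failing client that is also a configured forwarder, which is where this thread's problem turned out to be. The exact log line shape, the addresses and the query names below are assumed and constructed, since the post's lines had those values stripped.

```python
import re
from collections import Counter

# Assumed shape of a BIND 9.16 "general" log line for this error (the post's
# lines had the client address and name removed, so this layout is an assumption):
#   <date> <time> client @<ptr> <addr>#<port> (<qname>): query failed (<reason>) for <qname>/IN/<type> at query.c:<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client @0x[0-9a-f]+ (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query failed \((?P<reason>[^)]+)\) for (?P<q>\S+) at "
)

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
30-Aug-2022 19:11:26.081 client @0x80780f758 192.0.2.1#53 (www.example.com): query failed (tsig verify failure) for www.example.com/IN/A at query.c:7380
30-Aug-2022 19:11:26.146 client @0x80780f758 192.0.2.1#53 (www.example.com): query failed (tsig verify failure) for www.example.com/IN/AAAA at query.c:7380
30-Aug-2022 19:11:30.002 client @0x80780f900 192.0.2.50#41022 (ns1.example.net): query failed (REFUSED) for ns1.example.net/IN/A at query.c:7380
30-Aug-2022 19:11:31.500 client @0x80780fa00 2001:db8::7#5353 (host2.example.net): query failed (tsig verify failure) for host2.example.net/IN/A at query.c:7380
"""


def parse_line(line):
    """Return the named fields of one 'query failed' line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize_tsig_failures(lines, forwarders=()):
    """Count 'tsig verify failure' errors per client address.

    forwarders: addresses listed in named.conf's forwarders{} block (assumed input).
    Returns {addr: {"count": n, "names": Counter, "is_forwarder": bool}}.
    """
    forwarders = set(forwarders)
    per_client = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["reason"] != "tsig verify failure":
            continue  # unrelated or unparseable line
        entry = per_client.setdefault(
            rec["addr"],
            {"count": 0, "names": Counter(), "is_forwarder": rec["addr"] in forwarders},
        )
        entry["count"] += 1
        entry["names"][rec["qname"]] += 1
    return per_client


if __name__ == "__main__":
    # Hypothetical forwarder address standing in for the PFsense IP from the post.
    for addr, info in summarize_tsig_failures(SAMPLE_LOG.splitlines(), ["192.0.2.1"]).items():
        tag = " (configured forwarder)" if info["is_forwarder"] else ""
        print(f"{addr}: {info['count']} TSIG verify failures{tag}, names={dict(info['names'])}")
```

A client that shows up here is sending queries signed with a TSIG key that this server does not hold or that differs from its copy; TSIG is independent of DNSSEC, so the `dnssec-validation no` change in the config above does not affect these errors.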