I am at a loss guys.
My nameserver stopped working for no good reason. I have BIND running in a jail and have it doing dynamic DNS with my pfSense firewall.
Everything seems to be working except for general queries. I have some master zones that resolve just fine. Looks like the DDNS is being updated properly, but for whatever reason, I cannot resolve cnn.com from the nameserver.
This is what I see:
Code:
vic@overkill:pts/0->/home/vic (0)
> nslookup cnn.com
;; Got SERVFAIL reply from 192.168.0.3, trying next server
The logs show:
Code:
root@ns1:/ # tail -f /var/log/bind/general | grep cnn
30-Aug-2022 19:11:26.081 client @0x80780f758 192.168.0.3#47046 (cnn.com): query failed (tsig verify failure) for cnn.com/IN/A at query.c:7380
30-Aug-2022 19:11:26.146 client @0x80780f758 192.168.0.3#18605 (cnn.com): query failed (tsig verify failure) for cnn.com/IN/AAAA at query.c:7380
Domain I am authoritative for:
Code:
root@ns1:/ # nslookup yeaguy.com
Server: 192.168.0.3
Address: 192.168.0.3#53
Name: yeaguy.com
Address: 192.168.10.3
The configuration:
Code:
root@ns1:/usr/local/etc/namedb # vi named.conf
// $FreeBSD: branches/2021Q1/dns/bind916/files/named.conf.in 443607 2017-06-14 22:54:43Z mat $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/local/share/doc/bind for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

#acl "allowed" { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; 192.168.0.0/16; 127.0.3.1; key rndc-key.; };
acl "allowed" { 127.0.0.1; 10.0.0.0/8; 192.168.1.0/24; 192.168.0.0/16; 127.0.3.1; key rndc-key; };

include "/usr/local/etc/namedb/rndc.key";
include "/usr/local/etc/namedb/host1-host3.key";

#controls {
#    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
#    inet 127.0.3.1 allow { localhost; } keys { "rndc-key"; };
#    inet 192.168.0.3 allow { 192.168.1.54; } keys { "rndc-key"; };
#};
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
    inet 127.0.3.1 allow { localhost; } keys { "rndc-key"; };
    inet 192.168.0.3 allow { localhost; } keys { "rndc-key"; };
};

options {
    // All file and path names are relative to the chroot directory,
    // if any, and should be fully qualified.
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    version "no";

    // If named is being used only as a local resolver, this is a safe default.
    // For named to be accessible to the network, comment this option, specify
    // the proper IP address, or delete this option.
    listen-on { 192.168.0.3; 127.0.3.1; };
    #allow-query { any; };
    recursion yes;
    allow-recursion { allowed; };
    #allow-transfer { !{ !allowed; any; }; key rndc-key. ;};
    allow-transfer { !{ !allowed; any; }; key rndc-key ;};
    dnssec-enable no;      # Just trying to get rid of the TSIG errors
    dnssec-validation no;  # Just trying to get rid of the TSIG errors

    // If you have IPv6 enabled on this system, uncomment this option for
    // use as a local resolver. To give access to the network, specify
    // an IPv6 address, or the keyword "any".
    // listen-on-v6 { ::1; };

    // These zones are already covered by the empty zones listed below.
    // If you remove the related empty zones below, comment these lines out.
    disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
    disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
    disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

    // If you've got a DNS server around at your upstream provider, enter
    // its IP address here, and enable the line below. This will make you
    // benefit from its cache, thus reduce overall DNS traffic in the Internet.
    forwarders {
        192.168.10.69;
    };
};
I have tried to troubleshoot and research this the best I can but I am coming up empty. So I am asking the pros.
Thanks.
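An added example, not part of the post above: a small parser for the BIND "query failed" log lines shown in the post, which tallies TSIG verification failures per client so you can see which source is sending queries signed with a key the server does not accept. The two cnn.com lines are copied from the post; the third line (client 192.168.1.54, REFUSED) is constructed to show a non-TSIG failure being ignored. The optional "/key NAME" field and the "@0x..." pointer are assumed log variants and are matched as optional.

```python
import re
from collections import Counter
from datetime import datetime

# BIND 9 query-errors line, e.g.
# "30-Aug-2022 19:11:26.081 client @0x80780f758 192.168.0.3#47046 (cnn.com):
#  query failed (tsig verify failure) for cnn.com/IN/A at query.c:7380"
# The "@0x..." client pointer and a "/key NAME" suffix are treated as optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))? \((?P<qname>[^)]+)\): query failed "
    r"\((?P<reason>[^)]+)\) for (?P<name>[^/\s]+)/(?P<class>[^/\s]+)/"
    r"(?P<qtype>\S+) at (?P<where>\S+)$"
)

def parse_line(line):
    """Return the fields of one 'query failed' line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    return rec

def summarize_tsig_failures(lines):
    """Count 'tsig verify failure' lines per client IP and collect the names queried."""
    per_client = Counter()
    names = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["reason"] != "tsig verify failure":
            continue  # unparsable or a different failure reason (e.g. REFUSED)
        per_client[rec["ip"]] += 1
        names.setdefault(rec["ip"], set()).add(rec["qname"])
    return per_client, names

# Sample input: first two lines are from the post, the third is constructed.
SAMPLE_LOG = [
    "30-Aug-2022 19:11:26.081 client @0x80780f758 192.168.0.3#47046 (cnn.com): query failed (tsig verify failure) for cnn.com/IN/A at query.c:7380",
    "30-Aug-2022 19:11:26.146 client @0x80780f758 192.168.0.3#18605 (cnn.com): query failed (tsig verify failure) for cnn.com/IN/AAAA at query.c:7380",
    "30-Aug-2022 19:12:01.500 client @0x80780f758 192.168.1.54#5353 (example.test): query failed (REFUSED) for example.test/IN/A at query.c:7380",
]

if __name__ == "__main__":
    counts, qnames = summarize_tsig_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} TSIG verify failures for {sorted(qnames[ip])}")
```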