OK here's our setup: we're running pfSense as our firewall/router. We have a dual-WAN with a Comcast Business Gateway and another local ISP. We're running Samba as the domain controller & Bind9/named for DNS. Here's the issue: we just upgraded our Comcast service to a higher speed & they replaced the modem/gateway. Once they did that we could no longer browse the internet from inside the LAN over the Comcast pipe. If I disable our Comcast pipe in pfSense we can get to the internet over our other ISP. I'm pretty sure the issue is with Bind, but nothing was changed on it when the modem was replaced. Here is some output when I run nslookup & dig on the domain controller/bind box. Both nslookup & dig work if I specify an external DNS server, but not when they use the internal DNS bind service.
[root@dc etc]# nslookup comcast.com
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find comcast.com: NXDOMAIN
[root@dc etc]# nslookup comcast.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: comcast.com
Address: 69.252.80.75
[root@dc etc]# dig comcast.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> comcast.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3360
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;comcast.com. IN A
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 11 17:08:25 PDT 2020
;; MSG SIZE rcvd: 40
[root@dc etc]# dig @8.8.8.8 comcast.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> @8.8.8.8 comcast.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26449
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;comcast.com. IN A
;; ANSWER SECTION:
comcast.com. 32 IN A 69.252.80.75
;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Apr 11 17:08:43 PDT 2020
;; MSG SIZE rcvd: 56
Also, if I disable our Comcast pipe in pfSense and do nslookup comcast.com or dig comcast.com over the other ISP, they return perfectly fine when using the internal DNS bind service.
Here is my named.conf file:
acl mynetworks {
192.168.254.0/24;
192.168.252.0/24;
192.168.251.0/24;
192.168.250.0/24;
};
options {
listen-on port 53 { localnets; };
listen-on-v6 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; mynetworks; };
recursion yes;
dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
# samba BIND9_DLZ
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel my_log_file {
file "/var/log/named/named.log" versions 3 size 3m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
channel my_syslog {
syslog daemon;
severity info;
print-time no;
print-severity no;
print-category no;
};
category default { my_log_file; my_syslog; };
category dnssec { my_log_file; };
category lame-servers { null; };
};
// so we can control the running named process with the rndc utility
include "/etc/rndc.key";
zone "." IN {
type hint;
file "named.ca";
};
dlz "tipping.lan" {
database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
If I connect a laptop directly to the Comcast modem, I can get to the internet just fine. Also, if I bypass our domain controller on a LAN workstation to use an external DNS server, I can access the internet over the Comcast pipe.
So why is DNS/Bind working on one pipe, but not the other? Any help would be greatly appreciated.
I was able to fix my DNS issues by putting BIND in forwarding mode & not allowing it to use the root authority servers. Seems Comcast SecurityEdge is blocking the root servers, but not 1.1.1.1 or 8.8.8.8.
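The fix described in the follow-up, as an added example that is not the poster's own configuration: the options block rewritten so BIND forwards every query it is not authoritative for to the two public resolvers named in the post and never attempts iterative resolution from the root hints itself. The acl, logging, rndc and Samba DLZ sections of the original named.conf are assumed to stay as posted; the DLV-related lines are dropped because ISC retired the DLV service in 2017.

```conf
options {
    listen-on port 53 { localnets; };
    listen-on-v6 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; mynetworks; };
    recursion yes;

    // Send everything the server is not authoritative for (the Samba DLZ
    // zone "tipping.lan" is still answered locally) to the resolvers the
    // poster found reachable through the Comcast gateway.
    forwarders { 1.1.1.1; 8.8.8.8; };

    // "only": if both forwarders fail, answer SERVFAIL instead of falling
    // back to the root servers in named.ca. That is exactly the behaviour the
    // poster wanted; "forward first;" would keep the root fallback.
    forward only;

    // Keep validating locally. Both forwarders return the RRSIG/DNSKEY data a
    // validator needs, so forwarding does not mean trusting them blindly.
    dnssec-enable yes;
    dnssec-validation auto;

    // dnssec-lookaside and bindkeys-file removed: the ISC DLV registry was
    // shut down in 2017, so "auto" only produces log noise.
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    // samba BIND9_DLZ
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
```

After `rndc reload`, `dig comcast.com` against 127.0.0.1 should return NOERROR over either WAN; if it still returns SERVFAIL, check that the pfSense rules on the Comcast interface let the DC reach the forwarders on UDP and TCP 53.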