However, when I want to query local addresses or reverse DNS, it doesn't work on the EFA server.
Test DNS forwarding on the EFA server:

dig test.uribl.com.multi.uribl.com txt +short
"permanent testpoint"

dig 2.0.0.127.zen.spamhaus.org +short
127.0.0.4
127.0.0.2
127.0.0.10

dig sambaad.example.com +short

dig -x 172.16.1.117 +short
The working setup (no need to mention that the network/zones must match your configuration):
In my network I have 3 DNS servers.
1. The primary DNS: the SAMBA4 AD server running BIND 9, authoritative for example.com and forwarding to the pfSense server.
2. The secondary DNS and gateway: pfSense, also running Unbound for DNS and forwarding to my provider's DNS servers.
3. The EFA server, forwarding everything to the first 2 DNS servers depending on the zone.
All servers have multiple interfaces in different zones, but I will remove the other interfaces and zones from this example.
The IP addresses are not the actual IPs; they are just there to make sense of this example.
SAMBA4 AD requires being the primary DNS server to function properly, since AD and DNS are very closely related.
It took me some time to get DNS working to resolve internal zones.
On all my internal networks IPv6 is disabled.
On the primary SAMBA4 AD server running BIND 9:

acl internals {
    127/8;
    172.16.0.0/16;   // LAN network
};
cat /etc/resolv.conf
nameserver 127.0.0.1
nameserver 172.16.1.117 # SAMBA4 AD
nameserver 172.16.1.61 # PFSENSE
Forward all queries to the pfSense box:

cat /etc/unbound/conf.d/forwarders.conf
forward-zone:   # name/forward-addr must sit inside a forward-zone clause
    name: "."
    forward-addr: 172.16.1.61 # PFSENSE
    forward-first: yes
Modifications in /etc/unbound/unbound.conf:

server:   # these options go in the existing server: clause
    # restrict DNS EFA
    interface: 127.0.0.1
    outgoing-interface: 172.16.1.115 # LAN interface EFA
    # Enable IPv4, "yes" or "no".
    do-ip4: yes
    # Enable IPv6, "yes" or "no".
    do-ip6: no

remote-control:   # control-interface is a remote-control option, not a server option
    control-interface: 127.0.0.1

# Forward zones
forward-zone:
    name: "example.com"
    forward-addr: 172.16.1.117 # SAMBA4 AD
    forward-first: yes

server:
    # release Unbound's built-in empty RFC 1918 reverse zone so the stub below is consulted
    local-zone: "16.172.in-addr.arpa." nodefault

stub-zone:
    name: "16.172.in-addr.arpa."
    stub-addr: 172.16.1.117 # SAMBA4 AD
Restart Unbound and try:

for i in $(seq 1 5); do dig +noall +answer +stats A sambaad.example.com | sed -n '1,2p'; done

dig sambaad.example.com

dig -x 172.16.1.117
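As an added check (my own example, not part of the original post or of EFA), this Python script parses an Unbound config and reports stub/forward reverse zones that are still shadowed by Unbound's built-in empty RFC 1918 zones, i.e. that lack the `local-zone: "<zone>" nodefault` line which makes `dig -x` work above. The sample config inside it is constructed, and the list of default-empty zones is the subset relevant to this network, not Unbound's full list.

```python
# Flag reverse zones an Unbound config delegates via stub-zone/forward-zone but
# never releases with 'local-zone: "<zone>" nodefault': the built-in empty
# RFC 1918 zone then answers first and 'dig -x 172.16.1.117' stays empty.
# Default-empty reverse zones relevant to the post (not Unbound's full list).
DEFAULT_LOCAL_ZONES = ({"10.in-addr.arpa.", "168.192.in-addr.arpa."}
                       | {f"{i}.172.in-addr.arpa." for i in range(16, 32)})

def _zone(name):  # normalise: drop quotes, lower-case, ensure trailing dot
    name = name.strip().strip('"').lower()
    return name if name.endswith(".") else name + "."

def parse_unbound(text):
    # Return [(clause, [(key, value), ...])] in file order; '#' starts a
    # comment and a bare 'server:' / 'stub-zone:' line opens a new clause.
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith(":"):
            clauses.append((line[:-1], []))
        elif line and not clauses:
            raise ValueError(f"attribute outside any clause: {line}")
        elif line:
            key, _, value = line.partition(":")
            clauses[-1][1].append((key.strip(), value.strip()))
    return clauses

def missing_nodefault(text):
    # Delegated default-empty zones that still lack a matching nodefault line.
    delegated, released = set(), set()
    for clause, attrs in parse_unbound(text):
        for key, value in attrs:
            if clause in ("stub-zone", "forward-zone") and key == "name":
                delegated.add(_zone(value))
            elif clause == "server" and key == "local-zone":
                parts = value.split()
                if len(parts) == 2 and parts[1] == "nodefault":
                    released.add(_zone(parts[0]))
    return sorted(z for z in delegated
                  if z in DEFAULT_LOCAL_ZONES and z not in released)

# Constructed sample mirroring the post, with the nodefault line forgotten.
BROKEN = """\
forward-zone:
    name: "example.com"
    forward-addr: 172.16.1.117   # SAMBA4 AD
stub-zone:
    name: "16.172.in-addr.arpa."
    stub-addr: 172.16.1.117
"""
FIXED = BROKEN + 'server:\n    local-zone: "16.172.in-addr.arpa." nodefault\n'
```

Run `missing_nodefault()` over your real unbound.conf text; an empty list means every delegated RFC 1918 reverse zone has been released.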