# DNS server not serving LAN queries



## Thurisaz (Jun 2, 2022)

On the updated FreeBSD 13.1-releng I have installed a DNS bind9.16.29 as a caching resolver. It's serving its own queries (`dig gmail.com` states `NOERROR`), though `nslookup gmail.com` on any Windows client in its LAN persistently returns `DNS request timed out` for any domain used.
The option `listen-on` is set to the loopback and LAN interfaces. The file /etc/resolv.conf contains the loopback address and the server's domain name.
Recursion is enabled and explicitly limited to LAN IPs and localhost by the `allow-recursion` statement.
ISP DNS forwarders are set correctly, and the default `forward first` behavior is preserved. DNSSEC validation and IPv6 are both disabled to avoid a crapton of lame events due to the ISP DNS stripping DNSSEC off.
Gateway function is enabled.

This error reproduces on any hardware configuration, so this can be a misnomer somewhere in the config files. Could anyone tell me where the error lurks?


----------



## covacat (Jun 2, 2022)

try to query the ISP DNS from the windows/lan box, see if it works
`tcpdump`
`dig @<LAN-IP> gmail.com A` (from the bsd box)


----------



## zirias@ (Jun 2, 2022)

Thurisaz said:


> [listen-on] is set to loopback and LAN interface.


Verify it's indeed listening with `sockstat -l`.

If yes, a _timeout_ is a clear indication of a networking problem (it wouldn't occur if your server _rejected_ the query), so check your network, and don't forget firewalls if applicable.


----------
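The distinction zirias@ draws above (a timeout means the packet or its reply never arrived; a rejection means the server got the query and answered with a refusal) can be checked from the BSD box or any LAN host with one hand-built UDP query, which is also what covacat's `dig @<LAN-IP>` does. The script below is an added example and is not from the thread or from BIND; `probe`, `diagnose` and `start_fake_resolver` are names chosen here. The fake resolvers it starts on 127.0.0.1 are constructed stand-ins for `named` so the script runs offline; in practice you would point `probe()` at the resolver's LAN address from a client, and a `timeout` there says to look at `listen-on` (`sockstat -l`), routing and the firewall/NAT before touching the rest of named.conf, while `refused` says the server is reachable and `allow-recursion`/`allow-query` is what is biting.

```python
"""Classify a DNS probe as answered, refused or silent (added example, not from the thread)."""
import socket
import struct
import threading
from typing import List, Optional

RCODE_NOERROR = 0
RCODE_REFUSED = 5

# Silent "resolver" sockets are kept referenced so they stay bound (constructed test fixture).
_KEEPALIVE: List[socket.socket] = []


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal recursive A/IN query: 12-byte header (RD=1, QDCOUNT=1) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def rcode_of(response: bytes) -> int:
    """RCODE is the low nibble of the flags word at bytes 2-3 of the header."""
    (flags,) = struct.unpack("!H", response[2:4])
    return flags & 0x000F


def probe(server: str, port: int, name: str, timeout: float = 2.0) -> str:
    """Send one UDP query; return 'answered', 'refused', 'rcode-N', 'malformed' or 'timeout'."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    if len(data) < 12 or data[:2] != query[:2]:
        return "malformed"
    rcode = rcode_of(data)
    if rcode == RCODE_NOERROR:
        return "answered"
    if rcode == RCODE_REFUSED:
        return "refused"
    return f"rcode-{rcode}"


def diagnose(result: str) -> str:
    """Map the probe result onto where to look next."""
    if result == "timeout":
        return "no reply at all: check listen-on with sockstat -l, then routing, firewall and NAT"
    if result == "refused":
        return "server reached but policy rejected the client: check allow-recursion / allow-query"
    if result == "answered":
        return "resolver reachable and recursing for this client"
    return f"unexpected reply ({result}): inspect with tcpdump"


def start_fake_resolver(rcode: Optional[int]) -> int:
    """Constructed stand-in for named(8) on 127.0.0.1: reply with `rcode`, or stay silent if None.

    Returns the port it is bound to.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    _KEEPALIVE.append(sock)
    if rcode is None:
        return port  # bound but never answering: how a dropped or un-NATed packet looks to the client

    def serve() -> None:
        while True:
            query, peer = sock.recvfrom(512)
            # QR=1, RD=1, RA=1 plus the requested RCODE; echo the question section, no answers.
            header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0, 0, 0)
            sock.sendto(header + query[12:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for label, rc in (("answering", RCODE_NOERROR), ("refusing", RCODE_REFUSED), ("silent", None)):
        port = start_fake_resolver(rc)
        result = probe("127.0.0.1", port, "gmail.com", timeout=1.0)
        print(f"{label:>9} resolver -> {result}: {diagnose(result)}")
```

Run as-is it exercises all three cases against the local stand-ins; to use it against the real setup, call `probe("<resolver LAN IP>", 53, "gmail.com")` from a Windows or BSD client and read the `diagnose()` line.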



## Thurisaz (Jun 2, 2022)

The cause has revealed itself and it's ROFL! Simply an _unconfigured firewall_: when I enabled ipnat and created a mapping ruleset for it, this erratic behavior vanished as if it had never existed!


----------

