Forward zone to neth7 and srvfail

Hello everyone, what I'm showing you are the custom options on the DNS Resolver of pfSense.


```
server:
local-data: "smtp.internal2.lan. IN A 192.168.3.83"
local-data: "internal2.lan. IN MX 10 smtp.internal2.lan."
local-data-ptr: "192.168.3.83 smtp.internal2.lan."
local-data: "_ldap._tcp.internal2.lan. IN SRV 0 100 389 ad.internal2.lan."
local-data: "_kerberos._udp.internal2.lan. IN SRV 0 100 88 ad.internal2.lan."
local-data: "_ldap._tcp.gc._msdcs.internal2.lan. IN SRV 0 100 3268 ad.internal2.lan."
local-data: "_kerberos._tcp.internal2.lan. IN SRV 0 100 88 ad.internal2.lan."
log-queries: no

server:
local-data: "ns8.internal.lan. IN A 192.168.3.76"
local-data: "internal.lan. IN MX 10 ns8.internal.lan."
local-data-ptr: "192.168.3.76 ns8.internal.lan."
local-data: "_kerberos._tcp.internal.lan. IN SRV 0 100 88 dc1.ad.internal.lan."
local-data: "_kerberos._udp.internal.lan. IN SRV 0 100 88 dc1.ad.internal.lan."
local-data: "_ldap._tcp.gc._msdcs.internal.lan. IN SRV 0 100 3268 dc1.ad.internal.lan."
local-data: "_ldap._tcp.internal.lan. IN SRV 0 100 389 dc1.ad.internal.lan."
log-queries: no

local-data: "ns8.internal.lan. IN A 192.168.3.76"
local-data-ptr: "192.168.3.76 ns8.internal.lan."
local-data: "dc1.ad.internal.lan. IN A 192.168.3.76"
local-data-ptr: "192.168.3.76 dc1.ad.internal.lan."
```

The AD servers are ns8 and neth7. All hosts have pihole as primary DNS, which in turn has only one upstream DNS, the pfSense, which, in addition to the other custom options that I have listed, forwards the queries to the competent domains.

This happens:

If I run an nslookup for the zone ad.internal.lan:


```
root@pi-hole:~# nslookup w10pro2.ad.internal.lan
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	w10pro2.ad.internal.lan
Address: 192.168.3.194
```

If I run a query for the internal2.lan (neth7) zone, this happens:


```
root@pi-hole:~# nslookup guacamole.internal2.lan
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	guacamole.internal2.lan
Address: 192.168.3.197

** server can't find guacamole.internal2.lan: SERVFAIL
```

It resolves the name but also returns SERVFAIL, due to a probable TTL 0 in the answers of Samba???

Maybe you need to add a conditional forwarder on the pfSense that points to your Samba DNS?

It should be possible, see "pfSense as conditional forwarder" on the Netgate Forum.

Hi markuz, I have domain overrides:

| Domain | Lookup server IP | Description |
| --- | --- | --- |
| ad.internal2.lan | 192.168.3.78 | Active Directory ad.internal2.lan |
| 7.168.192.in-addr.arpa | 192.168.3.83 | Reverse LAN to neth7 |
| internal3.lan | 192.168.3.84 | Domain 2019 |
| ad.internal.lan | 192.168.3.76 | internal AD |
| internal.lan | 192.168.3.76 | DNS internal.lan |
| 3.168.192.in-addr.arpa | 192.168.3.83 | Reverse zone network 192.168.3.0/24 |
| internal2.lan | 192.168.3.83 | Zone internal2.lan |

This is the log of a bash script that verifies the forwarding of the zones of the domains managed by pfSense:

```
DNS Check — 2025-09-05 19:54:58
==========================
[A] smtp.internal2.lan… 192.168.3.83
[MX] internal2.lan… 10 smtp.internal2.lan.
[PTR] 192.168.3.83… smtp.internal2.lan.
quantico.ddns.net.
[SRV] _ldap._tcp.internal2.lan… 0 100 389 ad.internal2.lan.
[SRV] _kerberos._tcp.internal2.lan… 0 100 88 ad.internal2.lan.
[SRV] _kerberos._udp.internal2.lan… 0 100 88 ad.internal2.lan.
[SRV] _ldap._tcp.gc._msdcs.internal2.lan… 0 100 3268 ad.internal2.lan.
[A] ns8.internal.lan… 192.168.3.76
[MX] internal.lan… 10 ns8.internal.lan.
[PTR] 192.168.3.76… dc1.ad.internal.lan.
ns8.internal.lan.
[A] dc1.ad.internal.lan… 192.168.3.76
[SRV] _ldap._tcp.internal.lan… 0 100 389 dc1.ad.internal.lan.
[SRV] _kerberos._tcp.internal.lan… 0 100 88 dc1.ad.internal.lan.
[SRV] _kerberos._udp.internal.lan… 0 100 88 dc1.ad.internal.lan.
[SRV] _ldap._tcp.gc._msdcs.internal.lan… 0 100 3268 dc1.ad.internal.lan.
Fine verifica
```

Hi Mark, I want to send you the same two tests, performed with a DNS tool. Maybe let me know what you think. Thank you.
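As an added example (not the bash script from the post above, and not pfSense or NethServer code), here is a Python version of such a check: it parses the local-data and local-data-ptr lines of the pfSense DNS Resolver custom options into the records that the upstream is expected to return, asks a resolver for each of them, and reports any record that comes back as SERVFAIL or with the expected rdata missing (which is exactly the "no MX" symptom discussed in the thread). The excerpt of the custom options embedded below is constructed from the first post, and the dig-based resolver is an assumption (dig must be installed for it; any `(status, rdata)` callable can be passed instead).

```python
"""Check that a resolver returns the records declared as unbound local-data."""
import re
import subprocess

# Constructed excerpt of the pfSense DNS Resolver custom options from the first post.
UNBOUND_CUSTOM = '''
local-data: "smtp.internal2.lan. IN A 192.168.3.83"
local-data: "internal2.lan. IN MX 10 smtp.internal2.lan."
local-data-ptr: "192.168.3.83 smtp.internal2.lan."
local-data: "_ldap._tcp.internal2.lan. IN SRV 0 100 389 ad.internal2.lan."
'''

LOCAL_DATA = re.compile(r'^\s*local-data:\s*"(\S+)\s+IN\s+(\w+)\s+(.+)"\s*$')
LOCAL_PTR = re.compile(r'^\s*local-data-ptr:\s*"(\S+)\s+(\S+)"\s*$')


def reverse_name(ip):
    """192.168.3.83 -> 83.3.168.192.in-addr.arpa. (owner name of the PTR record)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def expected_records(config):
    """Return {(owner, rtype): rdata} parsed from local-data / local-data-ptr lines."""
    expected = {}
    for line in config.splitlines():
        m = LOCAL_DATA.match(line)
        if m:
            expected[(m.group(1).lower(), m.group(2).upper())] = m.group(3).strip()
            continue
        m = LOCAL_PTR.match(line)
        if m:
            expected[(reverse_name(m.group(1)), "PTR")] = m.group(2)
    return expected


def dig_resolve(server):
    """Resolver backed by dig (assumed installed): returns (rcode, [rdata])."""
    def resolve(owner, rtype):
        cmd = ["dig", f"@{server}", owner, rtype, "+noall", "+comments", "+answer"]
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        st = re.search(r"status: (\w+)", out)
        # answer lines look like "owner  ttl  IN  TYPE  rdata"; keep only rdata
        rdata = [l.split(None, 4)[4] for l in out.splitlines() if l and not l.startswith(";")]
        return (st.group(1) if st else "NOANSWER"), rdata
    return resolve


def check(config, resolve):
    """Flag every expected record that the resolver fails or answers without it."""
    failures = []
    for (owner, rtype), rdata in expected_records(config).items():
        status, answers = resolve(owner, rtype)
        if status != "NOERROR" or rdata not in answers:
            failures.append((owner, rtype, status, answers))
    return failures
```

Against a live setup, `check(open("custom_options.txt").read(), dig_resolve("192.168.3.123"))` returns an empty list when pihole's upstream answers everything declared in the custom options.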


Do you use the pihole app or some other pihole installation?

Does it help to set up the conditional forwarding in pihole?

I'm going to try to reproduce the issue in the next few days…

Hi Mark, pihole, as written before, is the primary DNS and uses pfSense as upstream. I have been trying to insert the conditional forward for the zones for a long time, and it works regularly, with the exception that the MX records are not resolved by NethServer. For example, if I enable the respective competent domains for the internal.lan and internal2.lan zones, the SERVFAIL error does not occur. But from any client, if I query host -t mx internal2.lan, the result is null, so no MX for the internal2.lan zone. That is the reason why I created the records of my interest in the custom options of the DNS Resolver of pfSense (unbound). However, this problem, which in the end is not really blocking, occurs only with neth7 and not on ns8. I don't understand why, if I request the internal2.lan zone from pihole and therefore without directing it to the pfSense upstream, the MX record on neth7 is missing. The results shown by the script I showed you are indeed the queries that pihole sends to pfSense, which responds correctly for the resolutions declared in the custom file. As you wrote, you want to try to perform tests, but my goal is to understand why neth7 or pfSense respond with SERVFAIL! Thank you as always for your availability.


Which DNS servers are NS7 and NS8 using?
If you use a DNS conditional forward for internal2.lan to NS7, and the NS7 upstream DNS is an external one and not the pfSense, then you get no result for "internal2.lan", because the external DNS doesn't provide the MX record for internal2.lan and NS7/NS8 don't provide MX records by default.


Hi, as for neth7 I use 1.1.1.1, but I think I also tried with pihole (the default 192.168.3.123 for everyone, which forwards to pfSense). NS8 uses:

```
[root@ns8 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search internal
nameserver 192.168.3.123
```