DNS not resolve only 1 name for all clients [Solved]

[dmdarki]

Hi all, I instaled zentyal 3 and all worked fine, yesterday i dont know what happened https pages instantly began to fail, and my thunderbird settings.

I went crazy looking,

so i notice that my balancing traffic was the problem with my https pages, so I turn it off, then I created a rule for traffic output always come out the same gateway.

then I turn on the balancing traffic, it is working now, but I do not now why stopped working, had several working days.

anyway i can't ping my email POP server or SMTP server, domain can't solve.

in my Server is working but any of my clients can do it.

I half solved this using a Forwarders in my DNS, but this allows facebook that is no longer deny in my firewall

[dmdarki]

can someone help me i try to do a nslookup in my server to mail.workname.com.mx

and i get a server fail from 127.0.0.1 trying next server

i dont know why =/ my server cant reach the adress

[christian]

what you describe is confusing, at least to me.
There is a mix of DNS, HTTP and firewall stuff, altogether thus it doesn't help to investigate.

My feeling is that your local DNS (the one running on Zentyal) is facing some problem.
I suspect you are using this DNS to redirect (fake) facebook, therefore controlling access to facebook via fake DNS entry. Why not 
This has nothing to do with firewall 

Did you try to stop/start DNS service in Zentyal GUI ?

[dmdarki]

thanks for answering, i will try to explain all.

firewall settings are default settings.

1.-I add an object with the facebook IP, then a rule in the firewall to block it at port 443.

2.-I create my dns i have mi local IP and servername as DNS.

3.-all work fine.

4.-someday the mail does not work

I try "nslookup mail.workname.com.mx" in my clients and gets a "SERVER  FAILED"

then i try it on the server and gets a "Got SERVFAIL reply from 127.0.0.1trying next server"

at end my server can reach the e-mail, do ping .... but my clients no

so a easy fix was add a forwarder 208.67.222.222 now my clients can receive and send e-mails.

but also can browse facebook.

I need to block facebook and reach my e-mail, something happen with my dns in the gui only can reboot but this is not working

note: all others names are resolved

[christian]

everything works as expected: if you add forwarder, then forwarder is checked first, even before local DNS (127.0.0.1) reason why facebook is resolved with its right IP.
This shows, as I wrote previously, that your local DNS doesn't work properly. You should try to restart DNS service.

What you experience with Facebook is a side effect of the workaround you have deploy because you don't use explicit proxy. I'm not saying you should change (this is your own choice) but at least you have to understand that there is no such thing as a free lunch: workarounds do exhibit side effect (otherwise these are not workarounds but the best solution  )

[dmdarki]

yeah i know that facebook is resolving cause the forwarder

any comand to reboot dns with console ?

i try the gui boton but dont work

[christian]

i try the gui boton but dont work

What doesn't work ? DNS service does not restart or problem is not solved ?
BTW, what's the root cause ? This perhaps deserve some investigation.
- Have a look at syslog for any suspicious message (even if Zentyal generates itself quite a lot of messages that look strange if you don't know what it means)
- can you resolve local names ?

[dmdarki]

problem is not solved with the restart button

looking at the logs,Does anyone in specific?

[dmdarki]

this is part of my log when i try nslookup

Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 208.67.222.222#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.26.92.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.5.6.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.52.178.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.41.162.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.33.14.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.55.83.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.31.80.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.43.172.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.42.93.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.12.94.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.48.79.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.35.51.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'api.cloud.zentyal.com/A/IN': 192.54.112.30#53
Sep  9 14:11:00 Ana named[25734]: error (network unreachable) resolving 'api.cloud.zentyal.com/A/IN': 2001:503:a83e::2:30#53
Sep  9 14:11:00 Ana named[25734]: error (network unreachable) resolving 'api.cloud.zentyal.com/A/IN': 2001:503:231d::2:30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'c.gtld-servers.net/AAAA/IN': 208.67.222.222#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'd.gtld-servers.net/AAAA/IN': 208.67.222.222#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'e.gtld-servers.net/AAAA/IN': 208.67.222.222#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'd.gtld-servers.net/AAAA/IN': 192.26.92.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'c.gtld-servers.net/AAAA/IN': 192.26.92.30#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'f.gtld-servers.net/AAAA/IN': 208.67.222.222#53
Sep  9 14:11:00 Ana named[25734]: error (host unreachable) resolving 'h.gtld-servers.net/AAAA/IN': 208.67.222.222#53

Sep  9 14:13:41 Ana named[25734]: success resolving 'ocsp.verisign.net/AAAA' (in 'ocsp.verisign.net'?) after reducing the advertised EDNS UDP packet size to 512 octets

I'm dropping forwarder and comment another log

[dmdarki]

Sep  9 14:27:53 Ana named[32624]: zone 168.192.in-addr.arpa/IN: loaded serial 1
Sep  9 14:27:53 Ana named[32624]: zone 1.200.192.in-addr.arpa/IN: loaded serial 2013023114
Sep  9 14:27:53 Ana named[32624]: zone 255.in-addr.arpa/IN: loaded serial 1
Sep  9 14:27:53 Ana named[32624]: zone localhost/IN: loaded serial 2
Sep  9 14:27:53 Ana named[32624]: managed-keys-zone ./IN: loaded serial 3
Sep  9 14:27:53 Ana named[32624]: running
Sep  9 14:27:53 Ana named[32624]: zone 1.200.192.in-addr.arpa/IN: sending notifies (serial 2013023114)
Sep  9 14:27:54 Ana kernel: [332023.888379] init: isc-dhcp-server main process (25780) killed by TERM signal
Sep  9 14:27:54 Ana dhcpd: Wrote 28 leases to leases file.
Sep  9 14:27:54 Ana dhcpd:
Sep  9 14:27:54 Ana dhcpd: No subnet declaration for eth1 (192.168.1.65).
Sep  9 14:27:54 Ana dhcpd: ** Ignoring requests on eth1.  If this is not what
Sep  9 14:27:54 Ana dhcpd:    you want, please write a subnet declaration
Sep  9 14:27:54 Ana dhcpd:    in your dhcpd.conf file for the network segment
Sep  9 14:27:54 Ana dhcpd:    to which interface eth1 is attached. **
Sep  9 14:27:54 Ana dhcpd:
Sep  9 14:27:54 Ana dhcpd:
Sep  9 14:27:54 Ana dhcpd: No subnet declaration for tap0 (192.100.1.1).
Sep  9 14:27:54 Ana dhcpd: ** Ignoring requests on tap0.  If this is not what
Sep  9 14:27:54 Ana dhcpd:    you want, please write a subnet declaration
Sep  9 14:27:54 Ana dhcpd:    in your dhcpd.conf file for the network segment
Sep  9 14:27:54 Ana dhcpd:    to which interface tap0 is attached. **
Sep  9 14:27:54 Ana dhcpd:
Sep  9 14:27:57 Ana named[32624]: error (network unreachable) resolving 'webmail.analyze.com.mx/A/IN': 2001:503:ba3e::2:30#53
Sep  9 14:27:57 Ana named[32624]: error (network unreachable) resolving './NS/IN': 2001:503:ba3e::2:30#53
Sep  9 14:27:57 Ana named[32624]: error (network unreachable) resolving 'webmail.analyze.com.mx/A/IN': 2001:1258::1#53
Sep  9 14:28:04 Analyze kernel: [332033.536136] ebox-firewall drop IN=eth1 OUT= MAC=01:00:5e:00:00:01:f4:c7:14:dc:6c:6c:08:00 SRC=192.168.1.254 DST=224.0.0.1 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=61648 PROTO=2 MARK=0x1
Sep  9 14:29:08 Analyze named[32624]: error (network unreachable) resolving 'clients3.google.com/A/IN': 2001:503:231d::2:30#53
Sep  9 14:29:08 Analyze named[32624]: error (network unreachable) resolving 'clients3.google.com/A/IN': 2001:503:a83e::2:30#53
Sep  9 14:29:15 Analyze named[32624]: error (network unreachable) resolving './NS/IN': 2001:500:2f::f#53
Sep  9 14:29:15 Analyze named[32624]: error (network unreachable) resolving 'ns2.cloud.zentyal.com/A/IN': 2001:500:2f::f#53
Sep  9 14:29:15 Analyze named[32624]: error (network unreachable) resolving 'ns1.cloud.zentyal.com/A/IN': 2001:500:2f::f#53
Sep  9 14:29:15 Analyze named[32624]: error (network unreachable) resolving 'ns2.cloud.zentyal.com/AAAA/IN': 2001:500:2f::f#53
Sep  9 14:29:15 Analyze named[32624]: error (host unreachable) resolving './NS/IN': 193.0.14.129#53
Sep  9 14:29:15 Analyze named[32624]: error (network unreachable) resolving 'ns1.cloud.zentyal.com/AAAA/IN': 2001:500:2f::f#53
Sep  9 14:29:15 Analyze named[32624]: error (host unreachable) resolving 'ns2.cloud.zentyal.com/A/IN': 193.0.14.129#53
Sep  9 14:29:15 Analyze named[32624]: error (host unreachable) resolving 'ns1.cloud.zentyal.com/A/IN': 193.0.14.129#53
Sep  9 14:29:15 Analyze named[32624]: error (host unreachable) resolving './NS/IN': 192.36.148.17#53

i can resolve local names even in internet like google only can't reach e-mail server.

[christian]

if you can resolve local names, then your local DNS is most likely running properly.
If you can resolve external names but few (without using forwarders obviously), then try to change DNS settings in network section and use another DNS. Perhaps the one you are relying on is faulty... 

[dmdarki]

my settings are like this in network DNS

127.0.0.1
192.168.1.254
8.8.8.8

Search domain : my domain

in the server i can reach the e-mail server but it FAIL for 127.0.0.1, 192.168.1.254 give me the resolution but my clients can't reach the e-mail server

[christian]

I suppose 192.168.1.254 is your Zentyal server? If yes, then remove it, this is useless because redundant with 127.0.0.1
If this is another local DNS server, then keep it, obviously.
You should also add another external DNS. Having only one doesn't provide reliable service  why not adding here the one you set as forwarder ?

[dmdarki]

192.168.1.254 is the gateway of my ISP

server eth1 ip 192.168.1.65
                   mask 255.255.255.0
                   gateway 192.168.1.254

[christian]

So I assume you have some DNS running there. Why not... although I would suggest that you directly rely, from Zentyal, to external / public DNS
This also means, and this was an important but missing part of your problem description, that if this DNS on your gateway doesn't work, then it will directly impact Zentyal thus associated services needing DNS, e.g. mail 
Have a closer look there then