migration to new isp - now private addresses showing up publicly?

Kaya Saman kayasaman at gmail.com
Tue May 23 11:22:54 UTC 2023


Hi,


I've got a very strange problem that has emerged somehow after migrating 
my ISP.


My setup previously used 2x servers in master/slave configuration for my 
public "view" and then had 3x servers for the "internal" view. This was 
working fine for years and I have been regularly testing using online 
DNS health-check sites such as mxtoolbox etc.


Now when I try to run any type of check from mxtoolbox or another site, e.g. 
https://dnschecker.org/, I am getting my private IPs showing instead of 
the public ones?


Initially it started with my external zone files not transferring, and 
I managed to see that the information was trying to traverse my 
NAT (I know, not the best practice to have all DNS servers on the same 
network).


As a result, external emails from my mail server are not working too well, 
with a hit-and-miss type thing going on right now.


Just to go over, my zone files are fine, as the 'external' ones only have 
public IP addresses in them and do not include any type of internal 
addressing whatsoever.


Here's an example of the config in named.conf for the master:


view "external" {
    // acl "internals" and the pub_dnsN names are defined earlier in
    // named.conf (not shown here)
    match-clients { !internals; any; };
    allow-recursion { 127.0.0.1; };

    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain-external.db";
        notify yes;
        also-notify { pub_dns2; pub_dns3; };
        allow-transfer { pub_dns2; pub_dns3; };
        allow-query { pub_dns2; pub_dns3; !internals; any; };
    };

...

};


This shows the slave:


view "external" {
    // same acl "internals" / pub_dnsN definitions as on the master (not shown)
    match-clients { !internals; any; };
    allow-recursion { 127.0.0.1; };

    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain-external.db";
        masters { pub_dns1; };
        allow-notify { pub_dns1; };
        allow-query { pub_dns1; !internals; any; };
    };

...

};



Both have the !internals macro there, so the servers should not throw up 
anything from the 'internal' view. It doesn't make sense that mxtoolbox 
and others, even when sending mail from Google, see the private address of 
the machine? There's no chroot environment either, contrary to the file 
path... I converted this back to normal many years ago when I started 
using Jails.


Additionally, for the domain to transfer using the internal (private) 
network, do I need to change the 'allow-transfer' portion to the private 
addresses? I have read around a little bit but wasn't quite sure, though 
someone did suggest using the 'notify explicit' statement, and I'm 
not sure of the difference exactly. The closest read on that I could find is 
from here: https://www.zytrax.com/books/dns/ch7/xfer.html#notify


Is it possible to suggest anything to get my servers working properly 
again? I'm running version 9.16.40 on the master and 9.16.39 on both 
slaves, all built from FreeBSD ports.



Regards,


Kaya
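Added example for the configuration discussed above; it is not the poster's named.conf and not a reply from the thread. BIND selects the view for a zone-transfer or NOTIFY request the same way it does for an ordinary query: by the source address of the request, plus any TSIG key that signs it. When master and slaves sit behind the same NAT, a transfer request from a slave can reach the master carrying a source address that falls inside the `internals` acl (NAT hairpinning), in which case the master answers the AXFR from its internal view and the slave stores and then serves the internal copy of domain.com as its external zone. Signing transfers and NOTIFYs with a TSIG key, and testing that key before `!internals` in match-clients, makes the key rather than the source address select the view. The fragments below assume that this is the mechanism at work. `external-xfer`, the secret, and the 192.0.2.x addresses (standing in for pub_dns1/2/3) are placeholders; `internals` is the poster's own acl name and is assumed to be defined earlier in named.conf.

```conf
## Added example, not the poster's configuration. Placeholders:
##   external-xfer / secret   -> TSIG key, generate with: tsig-keygen external-xfer
##   192.0.2.1                -> master (pub_dns1), 192.0.2.2/.3 -> slaves
##   acl "internals"          -> poster's existing acl, defined earlier (not shown)

## 1. One TSIG key shared by all three servers. The same stanza must be
##    present on every server, with the same secret.
key "external-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

## 2. Views are evaluated in order. A request signed with the key must NOT
##    fall into the internal view even when it arrives from an inside
##    address (e.g. after NAT hairpinning), so the key is rejected here.
view "internal" {
    match-clients { !key external-xfer; internals; };
    # internal zones unchanged, go here
};

## 3a. External view on the MASTER (192.0.2.1). The key is tested first, so a
##     signed transfer or NOTIFY selects this view whatever its source address;
##     unsigned queries from internal addresses are still excluded as before.
view "external" {
    match-clients { key external-xfer; !internals; any; };
    allow-recursion { 127.0.0.1; };

    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain-external.db";
        # "explicit": NOTIFY only the also-notify targets (not every NS RR in
        # the zone), and sign those NOTIFYs so they land in the slaves'
        # external view rather than being matched by source address.
        notify explicit;
        also-notify { 192.0.2.2 key external-xfer; 192.0.2.3 key external-xfer; };
        # The key, not the address, decides who may transfer; an unsigned AXFR
        # from anywhere (including the LAN) is refused.
        allow-transfer { key external-xfer; };
        allow-query { any; };
    };
};

## 3b. External view on each SLAVE (192.0.2.2 and 192.0.2.3).
view "external" {
    match-clients { key external-xfer; !internals; any; };
    allow-recursion { 127.0.0.1; };

    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain-external.db";
        # Sign the AXFR/IXFR request. The master then answers from its external
        # view regardless of the source address NAT presents. Because the key
        # selects the view, this may equally be the master's private LAN
        # address instead of its public one.
        masters { 192.0.2.1 key external-xfer; };
        # Accept NOTIFY only when it is signed with the shared key.
        allow-notify { key external-xfer; };
        allow-query { any; };
    };
};
```

To confirm which copy each server actually holds, compare the SOA serial returned by `dig +norecurse @<server> domain.com SOA` from an outside vantage point with the serial in domain-external.db, and run `dig -y hmac-sha256:external-xfer:<secret> @192.0.2.1 domain.com AXFR` from a slave: the transferred zone should contain only public addresses whichever side of the NAT the request arrives from. Two caveats: the internal view must reject the key as shown, or a signed request arriving from an inside address will still be matched by it; and after changing the key or view order, delete the stale slave copy of domain-external.db (or bump the SOA serial on the master) so the slaves refetch rather than keep serving the copy they already have.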



More information about the bind-users mailing list