Hi,
I'm on 25.4.3 Business and the Unbound DNS on one of our customers' firewalls is showing a strange behaviour.
DNS resolution works fine for everything, but there is one domain that does not get resolved.
The domain is stuttgart.de and its subdomains, e.g. vergabe.stuttgart.de.
Client gets a timeout and the Unbound Reporting shows the following entries:
2025-10-20 12:52:23 CLIENT.IP.ADDRESS A vergabe.stuttgart.de. Drop Local SERVFAIL 0ms 0
2025-10-20 12:52:23 CLIENT.IP.ADDRESS AAAA vergabe.stuttgart.de.localdomain.local. Pass Recursion NXDOMAIN 16ms 3600
2025-10-20 12:52:23 CLIENT.IP.ADDRESS A vergabe.stuttgart.de.localdomain.local. Pass Recursion NXDOMAIN 44ms 3600
2025-10-20 12:52:23 CLIENT.IP.ADDRESS AAAA vergabe.stuttgart.de. Drop Local SERVFAIL 0ms 0
As a workaround, I made a Query Forwarding to 8.8.8.8 and then it works.
DNS blacklisting is completely disabled, no idea where to dig here...
It seems like your clients have a local search domain (garcke.local) configured. This is being added to the queried domain name and thus gets an NXDOMAIN answer. The normal query fails.
Maybe your firewall uses some kind of blocking (e.g. DNSBL, suricata, Zenarmor, crowdsec) that already blocks the SOA or nameservers of the domain in question (i.e. Arcor name servers).
You could verify by trying to resolve "arcor.de", which uses the same name servers.
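Reading the reporting entries the way this reply describes, as an added example (not from the original post or from OPNsense itself): a small Python triage of the Unbound Reporting row format that strips the client's search suffix (assumed here to be localdomain.local, as in the quoted rows) so the expected NXDOMAIN entries are kept apart from the SERVFAIL rows that actually need investigating. The sample rows are constructed, copying the original post's entries plus one healthy lookup for contrast.

```python
import re
from collections import defaultdict
# Constructed sample: the reporting entries from the original post plus one
# healthy lookup (www.example.org) added for contrast.
SAMPLE = """\
2025-10-20 12:52:23 CLIENT.IP.ADDRESS A vergabe.stuttgart.de. Drop Local SERVFAIL 0ms 0
2025-10-20 12:52:23 CLIENT.IP.ADDRESS AAAA vergabe.stuttgart.de.localdomain.local. Pass Recursion NXDOMAIN 16ms 3600
2025-10-20 12:52:23 CLIENT.IP.ADDRESS A vergabe.stuttgart.de.localdomain.local. Pass Recursion NXDOMAIN 44ms 3600
2025-10-20 12:52:23 CLIENT.IP.ADDRESS AAAA vergabe.stuttgart.de. Drop Local SERVFAIL 0ms 0
2025-10-20 12:53:01 CLIENT.IP.ADDRESS A www.example.org. Pass Recursion NOERROR 23ms 300
2025-10-20 12:53:01 CLIENT.IP.ADDRESS A www.example.org.localdomain.local. Pass Recursion NXDOMAIN 12ms 3600
"""

# One reporting row: date time client qtype qname action source rcode rtt ttl
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+) "
    r"(?P<action>\S+) (?P<source>\S+) (?P<rcode>\S+) (?P<rtt>\d+)ms (?P<ttl>\d+)$"
)

def parse_entries(text):
    """Parse reporting rows; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def strip_search_suffix(qname, suffixes):
    """Return (base_name, True) if qname has a client search suffix appended, else (qname, False)."""
    for s in suffixes:
        suffix = "." + s.strip(".") + "."
        if qname.endswith(suffix) and len(qname) > len(suffix):
            return qname[:-len(suffix)] + ".", True
    return qname, False

def triage(entries, suffixes):
    """Per base name: count harmless search-suffix NXDOMAINs separately from real SERVFAILs."""
    report = defaultdict(lambda: {"suffix_nxdomain": 0, "servfail": 0, "ok": 0, "sources": set()})
    for e in entries:
        base, expanded = strip_search_suffix(e["qname"], suffixes)
        r = report[base]
        if expanded and e["rcode"] == "NXDOMAIN":
            r["suffix_nxdomain"] += 1          # expected noise from the search domain
        elif e["rcode"] == "SERVFAIL":
            r["servfail"] += 1                 # the actual failure to chase
            r["sources"].add(f"{e['action']} {e['source']}")  # e.g. "Drop Local"
        elif e["rcode"] == "NOERROR":
            r["ok"] += 1
    return dict(report)

def failing_domains(report):
    """Base names that only ever SERVFAIL (never answered) once suffix noise is removed."""
    return sorted(b for b, r in report.items() if r["servfail"] and not r["ok"])
```

Run `failing_domains(triage(parse_entries(SAMPLE), ["localdomain.local"]))` on a pasted reporting export to get just the names that never resolve, with the "Drop Local" source recorded per name.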
The local search domain is always added by the Windows server I am using, but nevertheless the name resolution for other domains works. In that case, the reporting shows both entries, with and without the local domain.
I do not have any DNS filtering on the OPNsense, but I tried arcor.de and it gives me the same error. I tried from a Windows server that is not domain joined to eliminate the local domain.
2025-10-20 13:51:04 CLIENT.IP.ADDRESS AAAA arcor.de. Drop Local SERVFAIL 0ms 0
That suggests you cannot reach ns1.arcor-ip.de for whatever reason, like I said. Look at your rules and/or blocks on why this is blocked or what is blocking it.
False negatives are not that uncommon for any type of blocking mechanism.
Even diagnostics on localhost fail:
2025-10-20 16:00:11 localhost MX arcor.de. Drop Local SERVFAIL 0ms 0
I really have no idea where to look deeper. The firewall log is green all the way.
Backend Log:
2025-10-20T16:00:17 Notice configd.py [dfd56303-501c-4d9e-89b5-b9cc2f3b9d86] query dns records 127.0.0.1 arcor.de
Unbound Log since last service restart:
2025-10-20T14:07:47 Informational unbound [6209:0] info: dnsbl_module: successfully opened pipe
2025-10-20T14:07:47 Informational unbound [6209:0] info: dnsbl_module: attempting to open pipe
2025-10-20T14:07:46 Notice unbound Backgrounding unbound logging backend.
2025-10-20T14:07:46 Informational unbound [6209:0] info: start of service (unbound 1.23.1).
Append screendumps of your Unbound general and advanced settings. You have to use "reply", not "quick reply" for that.
You did leave "Harden DNSSEC Data", "Aggressive NSEC" and "Strict QNAME Minimisation" unchecked, right?
Thanks for the quick reply, I was already out of the office yesterday.
"Harden DNSSEC Data", "Aggressive NSEC" and "Strict QNAME Minimisation" are unchecked.
Screendumps are attached.
I also set the log levels higher and added the resolver.log for my latest attempt to resolve arcor.de
Those settings seem mostly right, but some are unexpected. IDK if those can cause problems. Here are mine for reference.
I adopted your settings, unfortunately it did not solve the problem.
I set the option "Use System Nameservers" in the Query Forwarding settings. I am now able to resolve anything, but at the price of losing the cache, if I am right...