OPNsense Forum

English Forums => 26.1 Series => Topic started by: Netlearn on February 23, 2026, 09:46:18 PM

Title: Unbound Query Forwarding .internal domains working intermittently
Post by: Netlearn on February 23, 2026, 09:46:18 PM
Hi all:

I'm seeing weird behavior in Unbound on one of the five firewalls I manage.

There is a WireGuard VPN between two of them that works perfectly. I have configured several "Query Forwardings" to resolve the remote .internal domains, for example:

On SiteA:

SiteB.internal > 192.168.30.254

On SiteB:

SiteA.internal > 172.26.0.254

Also, in "Services > Unbound > Advanced > Private Domains", all the internal domains are configured.

Everything works as expected in all firewalls (Unbounds), except one. When Unbound is restarted, it works. After a while (some minutes) it stops forwarding and sends the query to the root servers, where it obviously fails.

All the Unbounds are configured as recursive. There are no DNS servers in "System > Settings > General > DNS servers"

I made some traffic captures (domain redacted). I don't know where to go from here to find more clues.


After rebooting Unbound:

drill host.mydomain.internal @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37658
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; host.mydomain.internal.  IN      A

;; ANSWER SECTION:
host.mydomain.internal.     3189    IN      A       192.168.31.124

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Feb 23 21:23:44 2026
;; MSG SIZE  rcvd: 52


tcpdump -ni wg1 host 172.26.0.254 and port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg1, link-type NULL (BSD loopback), snapshot length 262144 bytes
21:16:53.076588 IP 10.30.172.2.16968 > 172.26.0.254.53: 19515+ [1au] A? host.mydomain.internal. (47)
21:16:53.094071 IP 172.26.0.254.53 > 10.30.172.2.16968: 19515* 1/0/1 A 192.168.31.124 (63)


When it's failing:

drill host.mydomain.internal @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 15877
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; host.mydomain.internal.  IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       3115    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2026022301 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Feb 23 21:15:57 2026
;; MSG SIZE  rcvd: 111


tcpdump -ni wg1 host 172.26.0.254 and port 53
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on wg1, link-type NULL (BSD loopback), snapshot length 262144 bytes
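The two drill outputs above already show the distinguishing mark of the failure: a good reply is NOERROR with an A record, while the broken one is an NXDOMAIN whose AUTHORITY section carries the root zone SOA (owner name "."), which only happens when Unbound recursed to the root servers instead of using the forward zone. The script below is an added example and not part of the original post or of OPNsense. It wraps that distinction in a small classifier, feeds it the two captures as constructed samples, and offers a watch mode that re-queries the local Unbound every few seconds and, the moment the answer flips to the root SOA, prints the forward zones Unbound currently holds via `unbound-control list_forwards`. The `UNBOUND_CONF` default path is an assumption for OPNsense; `drill` and `unbound-control` are only needed for the watch mode, not for the stand-alone run.

```shell
#!/bin/sh
# Added example (not from the forum post or OPNsense): classify a drill/dig
# reply as "forwarded" vs "root", and optionally watch the local Unbound until
# forwarding breaks, then list the forward zones loaded at that moment.

# classify_answer: read drill/dig output on stdin, print exactly one word:
#   root       - AUTHORITY holds the root zone SOA (owner name "."), i.e. the
#                query went to the root servers, not to the configured forwarder
#   forwarded  - rcode NOERROR with at least one answer record, as seen when
#                the forward zone is in effect
#   other      - anything else (SERVFAIL, timeout, empty output)
classify_answer() {
    reply=$(cat)
    if printf '%s\n' "$reply" | grep -q '^\.[[:space:]].*[[:space:]]SOA[[:space:]]'; then
        echo root
    elif printf '%s\n' "$reply" | grep -q 'rcode: NOERROR' &&
         printf '%s\n' "$reply" | grep -q 'ANSWER: [1-9]'; then
        echo forwarded
    else
        echo other
    fi
}

# watch_forwarding HOST [INTERVAL]: query 127.0.0.1 with drill every INTERVAL
# seconds (default 30). On the first transition to "root", dump Unbound's live
# forward list so it is clear whether the forward zone is still loaded when
# the behaviour changes. Needs drill and unbound-control on the firewall.
watch_forwarding() {
    host=$1
    interval=${2:-30}
    conf=${UNBOUND_CONF:-/var/unbound/unbound.conf}   # assumed OPNsense path
    last=""
    while :; do
        state=$(drill "$host" @127.0.0.1 2>/dev/null | classify_answer)
        printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$host" "$state"
        if [ "$state" = "root" ] && [ "$last" != "root" ]; then
            echo "--- forward zones currently loaded in Unbound ---"
            unbound-control -c "$conf" list_forwards
        fi
        last=$state
        sleep "$interval"
    done
}

# Constructed samples, reduced from the two drill outputs quoted in the post.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37658
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
host.mydomain.internal.     3189    IN      A       192.168.31.124'

SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 15877
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
.       3115    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2026022301 1800 900 604800 86400'

# Stand-alone run classifies the two samples; "--watch HOST [INTERVAL]" monitors.
if [ "${1:-}" = "--watch" ]; then
    watch_forwarding "$2" "${3:-30}"
else
    printf 'sample after restart: %s\n' "$(printf '%s\n' "$SAMPLE_OK"   | classify_answer)"
    printf 'sample when failing:  %s\n' "$(printf '%s\n' "$SAMPLE_FAIL" | classify_answer)"
fi
```

Run it as `sh check-forward.sh --watch host.mydomain.internal 15` next to the `tcpdump -ni wg1 host 172.26.0.254 and port 53` capture from the post: a "root" line with no packet on wg1 at the same timestamp confirms the query never left for the forwarder, and the `list_forwards` dump printed at that moment shows whether the `.internal` forward zone is still present in the running Unbound or has disappeared after a reload. The classifier only says where the negative answer came from, not why; the forward list is the next clue.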