Hi there,
I'm trying to find a way to diagnose a strange issue: I cannot resolve a specific domain name from my LAN, all other domain names I tested work.
Unfortunately, this is the domain of my mail provider...
manitu.de doesn't work, neither in the browser, nor via ping in the (Windows) command prompt.
All other domains I tried work.
Doesn't work on the phone, either, as long as I'm connected to my Wifi.
If I switch to mobile data only (outside my LAN), I can resolve it.
When I query a domain up/down checker service, the domain is reachable from elsewhere
When I ping the IP address, that works (so it's really a DNS issue).
When I try to ping the domain name from my OpnSense Web GUI, it can be resolved. So the firewall itself somehow resolves it correctly, but the devices from within my LAN cannot.
I have a pretty simple setup, with a local network behind the firewall, and the WAN side. I use Unbound DNS with default configuration, and I haven't changed the configuration for a long time. I also have not upgraded OpnSense since a few days ago. The domain worked until recently.
As an emergency measure, I have added the most important domains to my local 'hosts' file, so I can at least write e-mails.
How do I diagnose such an issue?
My first try is updating to the latest version (mine is less than a week old), but what after that?
Please note that I'm an IT professional, but not in the network administration field.
Quote from: Asperamanca on May 05, 2026, 11:04:28 PMI use Unbound DNS with default configuration, and I haven't changed the configuration for a long time. I
So you didn't configure any DNS blocklists and don't use Adguard?
And you don't have query forwarding enabled?
And you don't use DNS over TLS?
Also ensure that the
Dnsmasq DNS & DHCP > DNS > Listen port is set to "0".
What exactly do you get if run "nslookup manitu.de" on a client machine?
Ensure the the server IP is the OPNsense interface IP.
The .de DNS zone is broken. See here, follow the links - the top two are in English:
https://forum.opnsense.org/index.php?topic=51804.0
Quote from: Patrick M. Hausen on May 05, 2026, 11:37:03 PMThe .de DNS zone is broken. See here, follow the links - the top two are in English:
https://forum.opnsense.org/index.php?topic=51804.0
Very odd, using Unbound on OpenBSD the MX resolved.
Took a packet capture of queries from a test OPNsense installation and reviewed.
In OPNsense I then disabled:
Services -> Unbound DNS -> Advanced
- Harden Below NXDOMAIN
- Aggressive NSEC
Performed a DNS Lookup in OPNsense and received expected results.
Re-enabled the two settings above and it continues to work - perhaps the issue for .de domains is now resolved.
Yes, the problem only affected verifying (DNSSEC) resolvers.