I use Unbound as my DNS forwarder, but over the past few weeks I've been noticing a lot of failed IPv6 DNS lookups. I don't use IPv6 externally on my WAN, but as far as I can tell it's enabled on many of my internal devices, although I tend to stick with IPv4. Unbound is set to forward requests to Quad9 at 9.9.9.10 using TLS.
When I try to test things against my Unbound I get this:
root@MOE:~# kdig @192.168.1.1 AAAA one.one.one.one
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 15362
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; one.one.one.one. IN AAAA
;; Received 44 B
;; Time 2026-05-14 10:17:04 CEST
;; From 192.168.1.1@53(UDP) in 14.6 ms
If I try directly against Quad9 I get:
root@MOE:~# kdig @9.9.9.10 +tls AAAA one.one.one.one
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 56075
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; one.one.one.one. IN AAAA
;; ANSWER SECTION:
one.one.one.one. 43200 IN AAAA 2606:4700:4700::1111
one.one.one.one. 43200 IN AAAA 2606:4700:4700::1001
;; Received 100 B
;; Time 2026-05-14 10:17:09 CEST
;; From 9.9.9.10@853(TLS) in 27.1 ms
I don't see any errors in the Unbound log for such queries; this I did on OPNsense itself:
drill AAAA one.one.one.one @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 63287
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; one.one.one.one. IN AAAA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 114 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu May 14 09:56:57 2026
;; MSG SIZE rcvd: 33
2026-05-14T09:56:57Informationalunbound[63620:1] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.113617 0 33
2026-05-14T09:56:57Informationalunbound[63620:1] info: response for one.one.one.one. AAAA IN
2026-05-14T09:56:57Informationalunbound[63620:1] info: response for one.one.one.one. AAAA IN
2026-05-14T09:56:57Informationalunbound[63620:1] info: resolving one.one.one.one. AAAA IN
2026-05-14T09:56:57Informationalunbound[63620:1] query: 127.0.0.1 one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.035965 0 33
2026-05-14T09:48:17Informationalunbound[25115:0] info: response for one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] info: response for one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] info: resolving one.one.one.one. AAAA IN
2026-05-14T09:48:17Informationalunbound[25115:0] query: 127.0.0.1 one.one.one.one. AAAA IN
And my DNS TLS forwarding config is:
Domain:
Server IP: 9.9.9.10
Server Port: 853
Forward first: Disabled
Verify CN: dns10.quad9.net
Description: No Malware blocking, no DNSSEC validation
Any idea what else I can check, especially commands to test on OPNsense itself? I cannot work out a way to check TLS lookups on the command line, although I was able to see that traffic on port 853 was going out.
I just updated to 26.1.8_5 and it hasn't helped
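An added example, not from the poster or the Unbound project, that helps spot this symptom in the log: the 33-byte replies above are exactly a DNS header plus the question section with no resource records at all (kdig's 44 B is the same plus an empty EDNS OPT record), so a NOERROR AAAA reply of that size is an empty answer rather than a normal NODATA response with an SOA in AUTHORITY. The "reply:" field order (client, qname, qtype, qclass, rcode, seconds, from-cache flag, bytes) is inferred from the lines in the post and is an assumption.

```python
import re

# Unbound "reply:" log line; field order inferred (assumption) from the post's lines:
#   reply: <client> <qname> <qtype> <qclass> <rcode> <seconds> <from_cache> <bytes>
REPLY_RE = re.compile(
    r"reply: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
    r"(?P<rcode>\S+) (?P<secs>[\d.]+) (?P<cache>\d) (?P<size>\d+)$"
)

DNS_HEADER_LEN = 12   # RFC 1035 fixed header
OPT_RR_LEN = 11       # empty EDNS OPT record: root name(1) + type(2) + class(2) + ttl(4) + rdlen(2)

def wire_name_len(qname: str) -> int:
    """Length of a domain name in DNS wire format (length-prefixed labels + zero byte)."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1

def empty_reply_size(qname: str, edns: bool = False) -> int:
    """Size of a reply that carries only the question section and no resource records."""
    size = DNS_HEADER_LEN + wire_name_len(qname) + 4   # + QTYPE + QCLASS
    return size + OPT_RR_LEN if edns else size

def parse_reply(line: str):
    """Parse one 'reply:' log line; return None for other log lines."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["secs"], d["cache"], d["size"] = float(d["secs"]), d["cache"] == "1", int(d["size"])
    return d

def find_empty_noerror(lines, qtype="AAAA"):
    """Return (qname, size) for NOERROR replies of the given type that contain no RRs."""
    hits = []
    for line in lines:
        r = parse_reply(line)
        if not r or r["rcode"] != "NOERROR" or r["qtype"] != qtype:
            continue
        if r["size"] in (empty_reply_size(r["qname"]), empty_reply_size(r["qname"], edns=True)):
            hits.append((r["qname"], r["size"]))
    return hits

# Sample lines copied from the post (the OPNsense log viewer runs timestamp and severity together).
SAMPLE_LOG = [
    "2026-05-14T09:56:57Informationalunbound[63620:1] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.113617 0 33",
    "2026-05-14T09:56:57Informationalunbound[63620:1] info: resolving one.one.one.one. AAAA IN",
    "2026-05-14T09:48:17Informationalunbound[25115:0] reply: 127.0.0.1 one.one.one.one. AAAA IN NOERROR 0.035965 0 33",
]

if __name__ == "__main__":
    for qname, size in find_empty_noerror(SAMPLE_LOG):
        print(f"empty NOERROR AAAA reply for {qname} ({size} bytes, no RRs at all)")
```

Feed it the full Unbound log to see whether every AAAA reply is empty or only those for certain names, which narrows the problem to the forwarder path versus specific zones.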