"
I just wanted to report that unchecking the option "Strict QNAME Minimisation" (Services/Unbound DNS/Advanced) "solved" the problem (i.e. drill -p 53053 or drill -p 53 answer NOERROR everytime).
Thanks for you help!
Thanks for you help!
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages1
#1
25.7, 25.10 Series / Re: Erratic behaviour of bundle dnsmasq -> unbound on specific addresses
January 25, 2026, 02:02:35 PM #2
25.7, 25.10 Series / Re: Erratic behaviour of bundle dnsmasq -> unbound on specific addresses
January 12, 2026, 04:23:59 PMQuote from: Slashing on January 12, 2026, 05:56:38 AMFor drill, the order of arguments is important...
Thanks for the remark!. That changes a bit the outcome. First, unbound is giving NOERROR all time now.
Code Select
# drill -p 53053 fr.app.lgwebostv.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 3608
But still dnsmasq is giving NXDOMAIN
Code Select
# drill -p 53 fr.app.lgwebostv.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 3319
until it is restarted...
Code Select
# drill -p 53 fr.app.lgwebostv.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48568
but after 15 min again NXDOMAIN
Code Select
# drill -p 53 fr.app.lgwebostv.com @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 18322
All in all it makes more sense now, and clarifies a bit better the underlying problem: after 15 min dnsmasq stops forwarding the address to unbound.
#3
25.7, 25.10 Series / Re: Erratic behaviour of bundle dnsmasq -> unbound on specific addresses
January 11, 2026, 02:54:23 PMQuoteWas that at the same moment when you have also tested :... ?
Yes, answers from both (Unbound and dnsmasq) were the same at the same moment: when one was (not) working the other was (not) working as well.
Quote- What are the results when both of them show NOERROR ?
Both of them show:
Code Select
;; ANSWER SECTION:
fr.app.lgwebostv.com. 60 IN A 52.16.45.77
fr.app.lgwebostv.com. 60 IN A 54.76.24.108Quote- Does Unbound ever show NXDOMAIN or at least something else instead of NOERROR ?
Yes, as replied above. Let me summarize it here:
Initial state:
Code Select
# drill @127.0.0.1 -p 53053 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 1776
# drill @127.0.0.1 -p 53 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 55118
After restarting Unbound service (even more than once): nothing changes (i.e. NXDOMAIN for 53 or 53053)
After restart dnsmasq service one time: nothing changes (i.e. NXDOMAIN for 53 or 53053)
After restart dnsmasq service a second time:
Code Select
# drill @127.0.0.1 -p 53053 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50781
# drill @127.0.0.1 -p 53 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 15948
After 15 min it comes back to the initial state.
I do not think this is an ISP issue since the responses are correlated with me rebooting dnsmasq.
I had tried using 1.1.1.1 and 9.9.9.9 (by unchecking "Do not forward to system defined DNS servers") and it worked with no problem.
(sorry for the long delay getting back and thanks again for your help)
#4
25.7, 25.10 Series / Re: Erratic behaviour of bundle dnsmasq -> unbound on specific addresses
January 07, 2026, 02:44:10 PM
Thanks for your answer!
Thanks again!
Quote from: nero355 on January 07, 2026, 12:21:01 AMWhen the domain both works and does not work :I hope I got your question right: the tests I've pasted before were made on the CLI of the router (sorry for not making that clearer), and also (but not showed or mentioned before) I've tested from different CLI of computers on the lan (vlan) side, and the situation was the same as on the router. What made me think that the problem is on the router side, but as I said, I'm pretty clueless with this issue.
Do you query both DNSmasqd and Unbound directly on the OPNsense Router ?
Thanks again!
#5
25.7, 25.10 Series / [SOLVED] Erratic behaviour of bundle dnsmasq -> unbound on specific addresses
January 04, 2026, 06:15:39 PM
After initially attempting to configure Unbound to forward to Dnsmasq and encountering the same issues described by others, I switched to using Dnsmasq on port 53 forwarding to Unbound (recursive) on port 53053, configuring the Domain rule as outlined in the OPNsense documentation.
Everything appeared to work correctly until I noticed that my TV was reporting errors reaching certain addresses (for example, fr.app.lgwebostv.com).
When I tested DNS name resolution, I discovered there was a problem.
It appears to be a name resolution issue. I received the same response when querying Unbound directly on port 53053.
Restarting Unbound multiple times does not change the behavior, but, interestingly, restarting Dnsmasq (sometimes not once but twice -?!-) seems to restore proper name resolution for Unbound (and consequently to Dnsmasq).
After about 15 minutes, the situation reverts to its original state and name resolution starts failing again. When the failure occurs, if I change certain dnsmasq options (for example, by enabling "Do not forward to system defined DNS servers"), DNS lookups resume working by using the DNS servers configured under System → Settings → General (if no DNS servers in this section the failure continues). This might suggest that dnsmasq is not successfully forwarding this address to Unbound. I only manage to detect this problem with the mentioned address and other two also related to lg tv.
This rather chaotic sequence of trial-and-error tests has been quite confusing, so any suggestions that could help clarify what is happening would be greatly appreciated.
Everything appeared to work correctly until I noticed that my TV was reporting errors reaching certain addresses (for example, fr.app.lgwebostv.com).
When I tested DNS name resolution, I discovered there was a problem.
Code Select
$ drill @127.0.0.1 -p 53 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 38756
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; fr.app.lgwebostv.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
lgwebostv.com. 422 IN SOA ns-951.awsdns-54.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Jan 4 16:04:01 2026
;; MSG SIZE rcvd: 135It appears to be a name resolution issue. I received the same response when querying Unbound directly on port 53053.
Restarting Unbound multiple times does not change the behavior, but, interestingly, restarting Dnsmasq (sometimes not once but twice -?!-) seems to restore proper name resolution for Unbound (and consequently to Dnsmasq).
Code Select
$ drill @127.0.0.1 -p 53053 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 63796
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; fr.app.lgwebostv.com. IN A
;; ANSWER SECTION:
fr.app.lgwebostv.com. 60 IN A 52.16.45.77
fr.app.lgwebostv.com. 60 IN A 54.76.24.108
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 4 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Jan 4 16:11:58 2026
;; MSG SIZE rcvd: 70After about 15 minutes, the situation reverts to its original state and name resolution starts failing again. When the failure occurs, if I change certain dnsmasq options (for example, by enabling "Do not forward to system defined DNS servers"), DNS lookups resume working by using the DNS servers configured under System → Settings → General (if no DNS servers in this section the failure continues). This might suggest that dnsmasq is not successfully forwarding this address to Unbound. I only manage to detect this problem with the mentioned address and other two also related to lg tv.
This rather chaotic sequence of trial-and-error tests has been quite confusing, so any suggestions that could help clarify what is happening would be greatly appreciated.
Pages1
