DNS fails on only a few sites.

Started by LisaMT, February 25, 2025, 10:07:21 PM

I'm a new user and running OPNsense in the default mode. 

Centurylink router on 192.168.1.1.  OPNsense gets 192.168.1.205 for the WAN.
Local network LAN is on 192.168.10.0/24 with a Ubuntu DNS server on 10.6. 
Client computers get DNS only from 10.6 fine with a couple of exceptions:
https://aviationweather.gov/ fails, as does https://travel.state.gov

The DNS server has 8.8.8.8 as a forward, and on my computer I can edit /etc/resolv.conf and change the nameserver to 8.8.8.8 and those sites work fine on my computer.  DHCP issues only 10.6 as the DNS server like I want it to.  Seems to be something to do with passing DNS through OPNsense.

Any help would be appreciated.

Lisa

Could be an MTU issue, since Centurylink explicitly says they use 1492 bytes. So, if you have your OpnSense on 1500, which is the default, it might not go to plan sometimes.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

Thanks for responding,
I tried unchecking Override MTU.  Same thing.  Tried setting MTU to 1492.  No change.  This must be a problem with Ubuntu 24.04 server and bind.
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @localhost aviationweather.gov
...
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

and

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @8.8.8.8 aviationweather.gov
...
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

I noticed on sites that fail that "flags: qr rd ra ad;" has the 'ad' where sites that work fine don't have that.
I'll keep looking into the DNS server.
YES!  Found the issue.  I had to edit named.conf.options and add this line.  Now all sites resolve.

   dnssec-validation yes;
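A small checker for the two dig headers compared in the thread, as an added example (not the poster's code and not part of BIND): it parses the flags line and answer count and points at the dnssec-validation setting when a reference resolver returns a validated (ad) answer while the local resolver returns nothing. The sample dig output is constructed from the excerpts above.

```python
import re

# Constructed sample dig headers, modelled on the two excerpts quoted in the thread
# (only the lines shown there; not captured from the poster's machine).
LOCAL_OUTPUT = """\
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @localhost aviationweather.gov
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
REFERENCE_OUTPUT = """\
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @8.8.8.8 aviationweather.gov
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

SERVER_RE = re.compile(r"^; <<>> DiG \S+ <<>> @(?P<server>\S+) (?P<name>\S+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[^;]*);.*?ANSWER: (?P<answer>\d+)", re.M)

def parse_dig(output):
    """Extract server, queried name, header flags and answer count from dig output."""
    s = SERVER_RE.search(output)
    f = FLAGS_RE.search(output)
    if s is None or f is None:
        raise ValueError("not a dig header")
    return {"server": s.group("server"), "name": s.group("name"),
            "flags": set(f.group("flags").split()), "answers": int(f.group("answer"))}

def classify(rec):
    """'validated' = answer carries the AD bit (resolver performed DNSSEC validation),
    'unvalidated' = answer without AD, 'no-answer' = empty answer section."""
    if rec["answers"] == 0:
        return "no-answer"
    return "validated" if "ad" in rec["flags"] else "unvalidated"

def diagnose(local_output, reference_output):
    """Compare the local resolver against a known-good reference for the same name."""
    local, ref = parse_dig(local_output), parse_dig(reference_output)
    if local["name"] != ref["name"]:
        raise ValueError("outputs are for different names")
    lc, rc = classify(local), classify(ref)
    if rc == "validated" and lc == "no-answer":
        return ("%s returned no answer for %s, a name %s validated (ad): "
                "check the dnssec-validation setting in named.conf.options"
                % (local["server"], local["name"], ref["server"]))
    if lc == "no-answer":
        return "%s returned no answer; resolver unreachable or upstream failure" % local["server"]
    return "%s resolves %s (%s)" % (local["server"], local["name"], lc)

if __name__ == "__main__":
    print(diagnose(LOCAL_OUTPUT, REFERENCE_OUTPUT))
```

A missing ad bit on an answer that is otherwise present only means that resolver did not validate; the symptom in this thread was an empty answer section, which is the case the checker singles out.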