Specific website cannot be reached

Started by Edwin70, December 22, 2025, 02:04:59 PM

Hi All,

I have a strange issue. There is one specific site/service that I cannot reach through OPNsense. The site my.dhlcommerce.nl fails to load and also the app which connects to the same domain does not work.

When I look in the unbound log I see the following log entries when starting the app:
[code]
2025-12-22T13:52:54 Informational unbound [92545:1] reply: *.*.*.* my.dhlecommerce.nl. HTTPS IN SERVFAIL 0.174887 0 36
2025-12-22T13:52:54 Informational unbound [92545:1] info: validation failure <my.dhlecommerce.nl. HTTPS IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] reply: *.*.*.* my.dhlecommerce.nl. A IN SERVFAIL 0.158761 0 36
2025-12-22T13:52:54 Informational unbound [92545:3] info: validation failure <my.dhlecommerce.nl. A IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:2] reply: *.*.*.* my.dhlecommerce.nl. AAAA IN SERVFAIL 0.139982 0 36
2025-12-22T13:52:54 Informational unbound [92545:2] info: validation failure <my.dhlecommerce.nl. AAAA IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] query: *.*.*.* my.dhlecommerce.nl. A IN
2025-12-22T13:52:54 Informational unbound [92545:2] query: *.*.*.* my.dhlecommerce.nl. AAAA IN
2025-12-22T13:52:54 Informational unbound [92545:1] query: *.*.*.* my.dhlecommerce.nl. HTTPS IN
[/code]

I also have some logging from Firefox console when trying to load the website:
[code]
HTTPS-First Mode: Upgrading insecure speculative TCP connection "http://dhlcommerce.nl/" to use "https".
HTTPS-First Mode: Upgrading insecure request "http://dhlcommerce.nl/" to use "https".
HTTPS-First Mode: Upgrading insecure request "https://dhlcommerce.nl/" failed. Downgrading to "http" again.
HTTPS-First Mode: Adding exception to temporarily prevent further attempts to automatically load "http://dhlcommerce.nl" securely.
[/code]

It looks like a problem with the certificate (?)

When I connect to the website using a VPN or a different network, everything works fine. So the service itself is OK.

I have a pretty simple setup: OPNsense 25.7.10 with Unbound as the resolver with DNS over TLS enabled. I also use a blocklist; disabling that does not make a difference. The internet connection is through a Ziggo Cable modem in bridge mode.

Any ideas? I have no problems with other websites. Any help is greatly appreciated.
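The three SERVFAIL replies above each sit next to an "info: validation failure ... no signatures from ..." line for the same name and type, which is how Unbound reports a DNSSEC-bogus answer rather than an unreachable server. The script below is an added example, not part of the post or of OPNsense; it parses Unbound's log format as shown in the post (client address masked as *.*.*.* exactly as pasted), pairs every SERVFAIL reply with a validation-failure line for the same name/type/class, and reports which upstream address Unbound blamed. The two extra sample lines (an unrelated SERVFAIL and a NOERROR reply) are constructed to show that plain SERVFAILs are not tagged as bogus.

```python
"""Classify SERVFAIL replies in an Unbound log as DNSSEC-bogus or not.

Added example for the thread above; assumes the log line layout shown in
the post: "<timestamp> Informational unbound [pid:thread] <message>".
"""
import re
from collections import defaultdict

# Constructed sample: the six lines from the post plus two made-up lines
# (example.invalid SERVFAIL without a validation-failure line, and a
# NOERROR reply) so the classifier has something to leave alone.
SAMPLE_LOG = """\
2025-12-22T13:52:54 Informational unbound [92545:1] reply: *.*.*.* my.dhlecommerce.nl. HTTPS IN SERVFAIL 0.174887 0 36
2025-12-22T13:52:54 Informational unbound [92545:1] info: validation failure <my.dhlecommerce.nl. HTTPS IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] reply: *.*.*.* my.dhlecommerce.nl. A IN SERVFAIL 0.158761 0 36
2025-12-22T13:52:54 Informational unbound [92545:3] info: validation failure <my.dhlecommerce.nl. A IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:2] reply: *.*.*.* my.dhlecommerce.nl. AAAA IN SERVFAIL 0.139982 0 36
2025-12-22T13:52:54 Informational unbound [92545:2] info: validation failure <my.dhlecommerce.nl. AAAA IN>: no signatures from 86.54.11.201
2025-12-22T13:52:54 Informational unbound [92545:3] query: *.*.*.* my.dhlecommerce.nl. A IN
2025-12-22T13:52:54 Informational unbound [92545:4] reply: *.*.*.* example.invalid. A IN SERVFAIL 0.012345 0 36
2025-12-22T13:52:55 Informational unbound [92545:1] reply: *.*.*.* opnsense.org. A IN NOERROR 0.031000 0 60
"""

LOG_PREFIX = r'^(?P<ts>\S+)\s+\S+\s+unbound\s+\[(?P<pid>\d+):(?P<thread>\d+)\]\s+'

# "reply: <client> <qname> <qtype> <qclass> <rcode> <seconds> <from_cache> <bytes>"
REPLY_RE = re.compile(
    LOG_PREFIX
    + r'reply:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s+'
    + r'(?P<rcode>\S+)\s+(?P<secs>[\d.]+)\s+(?P<from_cache>\d)\s+(?P<size>\d+)\s*$'
)

# "info: validation failure <qname qtype qclass>: <reason>"
VALFAIL_RE = re.compile(
    LOG_PREFIX
    + r'info:\s+validation failure\s+<(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)>:\s+'
    + r'(?P<reason>.+?)\s*$'
)

# The reason usually ends in "from <address>": the server whose answer failed.
BLAMED_RE = re.compile(r'\bfrom\s+(?P<server>[0-9a-fA-F.:]+)\s*$')


def classify_replies(log_text):
    """Return one dict per 'reply:' line; SERVFAILs that have a matching
    validation-failure line for the same (qname, qtype, qclass) are marked
    dnssec_bogus, with the reason and blamed server attached."""
    failures = defaultdict(list)  # (qname, qtype, qclass) -> [(reason, server)]
    replies = []
    for line in log_text.splitlines():
        m = VALFAIL_RE.match(line)
        if m:
            reason = m.group('reason')
            blamed = BLAMED_RE.search(reason)
            key = (m.group('qname'), m.group('qtype'), m.group('qclass'))
            failures[key].append((reason, blamed.group('server') if blamed else None))
            continue
        m = REPLY_RE.match(line)
        if m:
            replies.append(m.groupdict())

    records = []
    for r in replies:
        key = (r['qname'], r['qtype'], r['qclass'])
        bogus = r['rcode'] == 'SERVFAIL' and key in failures
        reason, server = failures[key][0] if bogus else (None, None)
        records.append({
            'qname': r['qname'], 'qtype': r['qtype'], 'rcode': r['rcode'],
            'dnssec_bogus': bogus, 'reason': reason, 'blamed_server': server,
        })
    return records


def bogus_summary(log_text):
    """Map each name that went DNSSEC-bogus to the set of upstream addresses
    Unbound blamed; these are the targets for a manual follow-up query."""
    summary = defaultdict(set)
    for rec in classify_replies(log_text):
        if rec['dnssec_bogus'] and rec['blamed_server']:
            summary[rec['qname']].add(rec['blamed_server'])
    return dict(summary)


if __name__ == '__main__':
    for rec in classify_replies(SAMPLE_LOG):
        if rec['rcode'] == 'SERVFAIL':
            tag = 'DNSSEC bogus' if rec['dnssec_bogus'] else 'other SERVFAIL'
            extra = f" ({rec['reason']})" if rec['reason'] else ''
            print(f"{rec['qname']} {rec['qtype']}: {tag}{extra}")
    print(bogus_summary(SAMPLE_LOG))
```

Once the script names the affected name and the blamed address, the confirmation is two queries from a client behind the firewall: `dig my.dhlecommerce.nl @<opnsense> +dnssec` should return SERVFAIL, while the same query with `+cd` (checking disabled) should return an answer; that pair means the name resolves but fails validation, not that the upstream is unreachable. Querying the blamed address directly with `+dnssec` shows whether it returns RRSIG records for the name at all, which is what "no signatures from" is complaining about.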

#1 by OPNenthu, Today at 07:13:09 AM (Last Edit: Today at 07:45:47 AM)
Since this isn't getting replies I'll take a shot.  The only reason I'm hesitant is because you're getting cert errors from Firefox too, so I might be wrong about the cause.

I *think* the Unbound log could be due to a DNSSEC validation error.  The fact that it works on VPN could be due to a different DNS server being used by the VPN client which is maybe ignoring or hiding the DNSSEC failure, as those don't get passed back to Unbound in that case.

When I used to use Unbound in recursive mode I would encounter websites that I could not access, sometimes important ones like government sites that do not set up DNSSEC properly.  It's hard to know if the issue is due to misconfiguration or a genuine case of DNS cache poisoning / spoofing.

These days I use Unbound in forwarding mode and I trust the upstream resolver to do validation checks.  It's not perfect but I encounter the issue less often now, and at least trusting a 3rd party to validate is better than me disabling it completely out of frustration or having to toggle it.

Why has the frequency reduced?  I don't really know.  It could be that validation fails at the upstream resolver as well but they have additional intelligence to pass the domain as safe anyway.  It could be that they're lying and exposing me to potential harm.  It could also be that site operators have largely fixed the misconfigurations.

I hope this offered something useful.


... annnnd, scratch my theory.  I missed that you said you have DNS over TLS, lol.