[closed] Unbound fails to contact root servers? 26.1.7_1

Started by passeri, Today at 07:04:40 AM

Today at 07:04:40 AM Last Edit: Today at 12:54:31 PM by passeri Reason: Update
Update: Further testing has not reproduced the following, so I have marked the topic closed. Cause of the original issue is unknown.

After upgrading to 26.1.7_1 from 26.1.6_2 I found I could no longer resolve DNS names although connectivity was otherwise fine for cached names or for direct IP addresses. Incoming mail to our server also arrived normally during this time.

I added quad9 in System->Settings->General then ticked Override in Services->Unbound->Query forwarding, after which names resolved normally. Switching back to no override stopped it again.

Currently I am functional with the override in place, but I am wondering whether this is a product glitch or something more I need to follow up here?
Deciso DEC697

Today at 01:25:10 PM #1 Last Edit: Today at 01:30:05 PM by lmoore
Quote from: passeri on Today at 07:04:40 AM
I added quad9 in System->Settings->General then ticked Override in Services->Unbound->Query forwarding, after which names resolved normally. Switching back to no override stopped it again.

Interesting. In my environment I've restricted access to DNS servers, and currently only allow select systems access to the Quad9 DNS servers which perform threat-blocking with DNSSEC.

On my test system, setting the DNS server in System -> Settings -> General -> DNS Servers to 127.0.0.1, Unbound is attempting to connect to the root servers - this is what you are expecting.

What is your setting for System -> Settings -> General -> DNS server options -> Allow DNS server list to be overridden by DHCP/PPP on WAN?

I've attempted to configure Unbound to forward all other zones, i.e., not local, to an upstream DNS server but this doesn't seem possible in OPNsense - I'll need to do further reading.

In short, I can't set a forward zone of "." to an upstream DNS server such as Quad9.

I'll reconfigure my production firewall to allow the test system unrestricted external access for DNS and verify if it can resolve queries using the root servers.

[Edit] Missed the update from the original poster - I'll move on.
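To separate the two failure modes discussed in this thread (Unbound recursing to the root servers on its own, versus forwarding everything to Quad9 via Override), here is an added diagnostic probe. It is not code from the thread, from OPNsense or from Unbound. It sends a bare, non-recursive UDP query for `. NS` to a.root-servers.net (198.41.0.4) the way a recursive resolver would, sends an ordinary recursive query to Quad9 (9.9.9.9), and classifies the pair of replies: roots unreachable while the forwarder answers points at egress filtering of UDP/53 (the kind of restriction lmoore describes), and a root reply without the AA bit points at a middlebox intercepting DNS. Assumptions (mine, not the page's): the probe runs from the firewall or a host on the same egress path, only plain UDP/53 is tested, and the root address, the Quad9 address and the `dns.quad9.net` test name are my choices. The parser is exercised on a constructed reply so the module imports without network access.

```python
"""Added example: probe root-server vs forwarder reachability over UDP/53.

Not OPNsense or Unbound code. Assumes it runs on the egress path under test.
"""
import socket
import struct

ROOT_A = "198.41.0.4"   # a.root-servers.net (assumed reachable IPv4 root)
QUAD9 = "9.9.9.9"       # Quad9 forwarder used in the thread
QTYPE_A, QTYPE_NS = 1, 2

EXPLANATIONS = {
    "no-dns-egress": "Neither root nor forwarder answered: no outbound UDP/53 at all.",
    "roots-filtered": "Forwarder answers but the root server does not: outbound DNS to "
                      "arbitrary hosts is filtered (check firewall egress rules) or the "
                      "path to the roots is broken; Override forwarding would mask this.",
    "roots-intercepted": "Root replied without the AA bit: a middlebox is likely "
                         "intercepting UDP/53, so 'the roots' are not really being reached.",
    "forwarder-filtered": "Root answers but the forwarder does not: Override forwarding "
                          "would fail while plain recursion works.",
    "reachable": "Both answer: a resolver failure is not a plain reachability problem; "
                 "look at unbound's log, DNSSEC state and the root hints instead.",
}


def build_query(qname: str, qtype: int, txid: int = 0x1234, rd: bool = False) -> bytes:
    """Build a minimal single-question DNS query (IN class).

    rd=False mirrors what a recursive resolver sends to an authoritative root;
    rd=True is what a stub sends to a forwarder such as Quad9.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100 if rd else 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_header(resp: bytes, expect_txid: int) -> dict:
    """Decode the 12-byte DNS header; reject short or mismatched replies."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return {"qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def probe(server: str, qname: str, qtype: int, rd: bool,
          timeout: float = 3.0, txid: int = 0x1234):
    """Send one UDP query; return the parsed header, or None on timeout/unreachable."""
    query = build_query(qname, qtype, txid, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        except OSError:          # socket.timeout and ICMP unreachable both land here
            return None
    return parse_header(data, txid)


def classify(root_reply, forwarder_reply) -> str:
    """Map the (root, forwarder) reply pair to one of the EXPLANATIONS keys."""
    root_ok = root_reply is not None and root_reply["qr"]
    fwd_ok = forwarder_reply is not None and forwarder_reply["qr"]
    if not root_ok and not fwd_ok:
        return "no-dns-egress"
    if not root_ok:
        return "roots-filtered"
    if not root_reply["aa"]:     # a real root is authoritative for ". NS"
        return "roots-intercepted"
    if not fwd_ok:
        return "forwarder-filtered"
    return "reachable"


# Constructed sample: header of an authoritative root reply to ". NS" (QR+AA set,
# 13 answers, 27 additional records) followed by the echoed question. Not captured.
SAMPLE_ROOT_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 13, 0, 27)
                     + b"\x00" + struct.pack(">HH", QTYPE_NS, 1))


if __name__ == "__main__":
    root = probe(ROOT_A, ".", QTYPE_NS, rd=False)
    fwd = probe(QUAD9, "dns.quad9.net", QTYPE_A, rd=True)
    print(f"root {ROOT_A}: {root}")
    print(f"forwarder {QUAD9}: {fwd}")
    print("diagnosis:", EXPLANATIONS[classify(root, fwd)])
```

Run it on the firewall with Override switched off; if it reports `roots-filtered`, the resolver is not at fault and the egress rule set (or an upstream that only passes DNS to known resolvers) is the place to look before touching Unbound's settings.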