Unbound DNS appends local domain to external FQDNs

Started by c90k, July 09, 2025, 01:23:40 PM

Hi everyone,

I recently ran into a strange issue where some devices in my network were unable to use certain apps (in particular, Android-based POS devices). After some troubleshooting, I checked the Unbound DNS logs on my OPNsense firewall and noticed that in several cases, the local domain was being appended to external FQDNs.

Here is an example:
Time                  Domain                            Action   Source      Return Code   Resolve time   TTL
2025-07-09 12:59:55   api.sunmi.com.                    Pass     Cache       NOERROR       0ms            27
2025-07-09 12:59:50   api.sunmi.com.                    Pass     Recursion   NOERROR       394ms          32
2025-07-09 12:58:45   api.sunmi.com.                    Pass     Recursion   NOERROR       15ms           50
2025-07-09 12:58:45   api.sunmi.com.domainname.local.   Pass     Recursion   NXDOMAIN      14ms           85

Alternatively, you can find a screenshot attached.

As you can see, the query api.sunmi.com resolves correctly. However, there's also a request for api.sunmi.com.domainname.local, which fails with NXDOMAIN. This seems to be causing issues with app connectivity and delays.
Now I'm wondering:
Is this a client-side issue, or is Unbound responsible for appending the local domain?
For years I've used domainname.at as the system domain under System > Settings > General. Recently I changed it to domainname.local for testing, but the behavior still occurs.
If anyone has seen this before or knows how to prevent Unbound from appending the local domain to fully qualified hostnames, I'd really appreciate your input.
Let me know if you need more details!

Thanks, Chris

Your clients do this. A recursive DNS server only tries to answer what the client asks it - verbatim.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Ok, I see.
I cannot filter this behavior on the OPNsense/Unbound side, or can I?
And is it certain that the client asks for the full "false" domain name? Or does it send an incomplete request which is completed by Unbound?

Regards, Christoph

DNS servers never "complete" requests. The resolver library on the client does that.
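To make the answer concrete, here is an added example (not code from the thread or from OPNsense/Unbound) that does two things: it emulates a glibc-style stub resolver search list, showing how a client itself produces "api.sunmi.com.domainname.local" from "api.sunmi.com", and it scans rows shaped like the Unbound log above to flag such suffixed NXDOMAIN queries. The log rows are constructed from the thread, and the ndots/search-list behaviour is an assumption about the client's resolver library, which differs between platforms.

```python
import re

# Constructed sample rows, modelled on the Unbound log format quoted in the thread.
LOG = """\
2025-07-09 12:59:55   api.sunmi.com.                    Pass   Cache       NOERROR    0ms     27
2025-07-09 12:59:50   api.sunmi.com.                    Pass   Recursion   NOERROR    394ms   32
2025-07-09 12:58:45   api.sunmi.com.                    Pass   Recursion   NOERROR    15ms    50
2025-07-09 12:58:45   api.sunmi.com.domainname.local.   Pass   Recursion   NXDOMAIN   14ms    85
"""

# time  domain  action  source  rcode  resolve-time  ttl
ROW = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)ms\s+(\d+)$")

def parse_log(text):
    """Parse log rows into dicts; the trailing dot of the query name is dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ts, name, action, source, rcode, ms, ttl = m.groups()
            rows.append({"time": ts, "name": name.rstrip(".").lower(), "action": action,
                         "source": source, "rcode": rcode, "ms": int(ms), "ttl": int(ttl)})
    return rows

def search_list_expansions(name, search, ndots=1):
    """Emulate a stub resolver's search list (assumed glibc-style semantics):
    a name with at least `ndots` dots is tried as-is first and the search
    suffixes only on failure; a shorter name gets the suffixes first."""
    name = name.rstrip(".")
    suffixed = [f"{name}.{s}" for s in search]
    return [name] + suffixed if name.count(".") >= ndots else suffixed + [name]

def find_suffixed_queries(rows, local_domain):
    """Return (bare_fqdn, suffixed_name) pairs where a client queried a name
    ending in the local domain, got NXDOMAIN, and also queried the bare name.
    That pattern points at client-side search-list appending, not at Unbound."""
    suffix = "." + local_domain.lower()
    seen = {r["name"] for r in rows}
    hits = set()
    for r in rows:
        if r["name"].endswith(suffix) and r["rcode"] == "NXDOMAIN":
            base = r["name"][: -len(suffix)]
            if base in seen:
                hits.add((base, r["name"]))
    return sorted(hits)

if __name__ == "__main__":
    print(search_list_expansions("api.sunmi.com", ["domainname.local"]))
    print(find_suffixed_queries(parse_log(LOG), "domainname.local"))
```

Running the check over a larger export of the Unbound log gives a list of external names that clients are suffixing, which is the evidence to take to the client-side resolver (search domain / DHCP option) rather than to Unbound.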