Problem with unbound after update

Started by yduan, October 08, 2023, 04:33:25 AM

I upgraded from OPNsense 23.7.4 to 23.7.5 this week and started noticing a problem with Unbound.

Some domains that are not in the cache do not resolve and the "Server Fail" error appears, but if I go to the "DNS Lookup" tool it resolves normally.

https://ibb.co/80zj5K6
https://ibb.co/8PL7krZ

What happens if you put 127.0.0.1 in the DNS Lookup tool?

What does your Unbound config look like?  The DNS settings under the general settings screen?

Have you turned on the serve fail reasons and logging for Unbound?  What do the logs show?

127.0.0.1 https://prnt.sc/dp3T_FzoZ80F


Before updating I had enabled DNSSEC, but I thought it could be causing the unbound problems and I disabled it, but to no avail.
unbound > general https://prnt.sc/aFNuu-geWof3


Settings > General https://prnt.sc/zzh6P6rZW730


Can you tell me where I activate these records?

I've already checked the unbound logs, but only device name information appears.
https://prnt.sc/9pU6oG45DGf_

I'd rather look at uploaded screenshots than click on some potentially dodgy URLs

How can I attach images here? When I click to attach I only get an <img> tag

prnt.sc links are from the Lightshot tool, but that's ok

Click on "Attachments and other options" below.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I can't attach them all in one post, I'll split them up.




Quote from: yduan on October 09, 2023, 07:29:35 PM
.

Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.


https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/


Quote from: yduan on October 09, 2023, 07:25:53 PM
I can't attach them all in one post, I'll split them up.

I said to put 127.0.0.1 in the Server field, not the Host field.  The previous screens you posted didn't show a result from the local DNS server.

Quote from: yduan on October 09, 2023, 07:29:35 PM
.

You don't have to select every option.  Whatever level you select will automatically show all higher levels as well.

Quote from: newsense on October 09, 2023, 11:38:28 PM
Network Interfaces - change to ALL and enable DNSSEC always

Agreed on the interfaces.  I feel like there needs to be a pop up in the UI and/or putting the Interfaces selector behind the Advanced toggle.

I assume the DNSSEC recommendation is for general practice and not due to this issue?

Quote from: newsense on October 09, 2023, 11:45:49 PM
Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.

https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/

If they're seeing the domain show up in reporting, then the device should be using Unbound to resolve.

October 12, 2023, 09:12:18 PM #14 Last Edit: October 12, 2023, 09:18:18 PM by yduan
Quote from: newsense on October 09, 2023, 11:45:49 PM
Quote from: yduan on October 09, 2023, 07:29:35 PM
.

Check if those devices actually use your DNS settings or they default to something else, either in the browser or system settings.


https://www.howtogeek.com/795644/how-to-enable-secure-private-dns-on-android/

Yes, my devices are using local DNS, I have rules to force them to use only them.

DNSSEC enabled and enabled on all interfaces.