Cannot resolve specific domain name from local network (unbound)

Started by Asperamanca, May 05, 2026, 11:04:28 PM

Hi there,

I'm trying to find a way to diagnose a strange issue: I cannot resolve a specific domain name from my LAN, all other domain names I tested work.
Unfortunately, this is the domain of my mail provider...

manitu.de doesn't work, neither in the browser, nor via ping in the (Windows) command prompt.
All other domains I tried work.
Doesn't work on the phone, either, as long as I'm connected to my Wifi.
If I switch to mobile data only (outside my LAN), I can resolve it.
When I query a domain up/down checker service, the domain is reachable from elsewhere.
When I ping the IP address, that works (so it's really a DNS issue).
When I try to ping the domain name from my OpnSense Web GUI, it can be resolved. So the firewall itself somehow resolves it correctly, but the devices from within my LAN cannot.

I have a pretty simple setup, with a local network behind the firewall, and the WAN side. I use Unbound DNS with default configuration, and I haven't changed the configuration for a long time. I also have not upgraded OpnSense since a few days ago. The domain worked until recently.

As an emergency measure, I have added the most important domains to my local 'hosts' file, so I can at least write e-mails.

How do I diagnose such an issue?
My first try is updating to the latest version (mine is less than a week old), but what after that?
Please note that I'm an IT professional, but not in the network administration field.


Quote from: Asperamanca on May 05, 2026, 11:04:28 PM
I use Unbound DNS with default configuration, and I haven't changed the configuration for a long time. I
So you didn't configure any DNS blocklists and don't use Adguard?
And you don't have query forwarding enabled?
And you don't use DNS over TLS?

Also ensure that the Dnsmasq DNS & DHCP > DNS > Listen port is set to "0".

What exactly do you get if you run "nslookup manitu.de" on a client machine?
Ensure that the server IP is the OPNsense interface IP.

The .de DNS zone is broken. See here, follow the links - the top two are in English:

https://forum.opnsense.org/index.php?topic=51804.0
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on May 05, 2026, 11:37:03 PM
The .de DNS zone is broken. See here, follow the links - the top two are in English:

https://forum.opnsense.org/index.php?topic=51804.0

Very odd, using Unbound on OpenBSD the MX resolved.

Took a packet capture of queries from a test OPNsense installation and reviewed.

In OPNsense I then disabled:

Services -> Unbound DNS -> Advanced

- Harden Below NXDOMAIN
- Aggressive NSEC

Performed a DNS Lookup in OPNsense and received expected results.

Re-enabled the two settings above and it continues to work - perhaps the issue for .de domains is now resolved.

Yes, the problem only affected verifying (DNSSEC) resolvers.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
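To tell a DNSSEC validation failure (what this thread ended up with) apart from a plain NXDOMAIN or an unreachable resolver, the following added example, not from the thread or from OPNsense, sends two raw queries from a LAN client with only the Python standard library: one normal query and one with the Checking Disabled (CD) bit set. If the resolver returns SERVFAIL normally but an answer with CD=1, the name resolves but fails validation. The server address 127.0.0.1 and the name manitu.de are defaults; pass the OPNsense LAN interface IP as the first argument.

```python
import socket
import struct
import random

def build_query(name, cd=False, qtype=1):
    """Build a DNS query for `name` with EDNS0 and the DO bit set.
    cd=True sets Checking Disabled, asking the resolver to answer even if
    DNSSEC validation of the data failed (Unbound honours this by default)."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 | (0x0010 if cd else 0)                   # RD, plus CD when requested
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)           # qtype A by default, class IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return txid, header + question + opt

def parse_header(msg):
    """Return the header of a DNS message as a dict: id, RCODE, AD/CD bits, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "answers": an}

def query(server, name, cd=False, timeout=3.0):
    """Send one UDP query to `server` on port 53 and return the parsed response header."""
    txid, msg = build_query(name, cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (server, 53))
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid:
        raise ValueError("transaction id mismatch")
    return hdr

def classify(normal, checking_disabled):
    """Interpret the pair of answers (normal query, CD=1 query)."""
    if normal["rcode"] == 0:
        return "resolves" + (" (validated, AD set)" if normal["ad"] else "")
    if normal["rcode"] == 2 and checking_disabled["rcode"] == 0:
        return "DNSSEC validation failure: SERVFAIL normally, answer with CD=1"
    if normal["rcode"] == 3:
        return "NXDOMAIN: the resolver says the name does not exist"
    return "other failure, rcode=%d" % normal["rcode"]

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # OPNsense LAN IP goes here
    name = sys.argv[2] if len(sys.argv) > 2 else "manitu.de"
    print(classify(query(server, name), query(server, name, cd=True)))
```

Run it once against the OPNsense address and once against a public validating resolver; "DNSSEC validation failure" on the former only points at the local resolver's validation (or its cache), while the same result on both points at the zone itself, as in the .de case above.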