When I say MTA, I mean the BOX your MTA is running on.. Not the process that will actually do the query..
But again it is NOT the responsibility of unbound to hand back the A record of the MX record.. That is the responsibility of the client asking for the MX to also query for the A if it needs it..
Set your zone to be static if you do not want pfsense to do queries for stuff it has no records or cache of.. This would be done in the same box where you add the MX and A records that you're trying to override..
Where is the query where you're seeing this come back from pfsense... List the cache records in pfsense that show this external IP.. It is simple enough to view records in the cache for any specific domain, just do a grep on the dump_cache command. And then show the query to pfsense where it hands back this info..
As I brought up over 2 years ago... Are you sure this box running the MTA doesn't just list another NS for dns that it might be asking and getting this other info you are wanting to override from?
Here is an example... Unbound out of the box has min response default as yes.
I do a query for the MX records of netgate.com to the SOA NS of netgate.. I get back additional records..
E:\>dig @ns1.netgate.com netgate.com mx
; <<>> DiG 9.12.3 <<>> @ns1.netgate.com netgate.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5860
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netgate.com. IN MX
;; ANSWER SECTION:
netgate.com. 3600 IN MX 30 aspmx5.googlemail.com.
netgate.com. 3600 IN MX 10 aspmx.l.google.com.
netgate.com. 3600 IN MX 20 alt2.aspmx.l.google.com.
netgate.com. 3600 IN MX 20 alt1.aspmx.l.google.com.
netgate.com. 3600 IN MX 30 aspmx2.googlemail.com.
netgate.com. 3600 IN MX 30 aspmx4.googlemail.com.
netgate.com. 3600 IN MX 30 aspmx3.googlemail.com.
;; AUTHORITY SECTION:
netgate.com. 3600 IN NS ns2.netgate.com.
netgate.com. 3600 IN NS ns1.netgate.com.
;; ADDITIONAL SECTION:
ns1.netgate.com. 3600 IN A 208.123.73.80
ns1.netgate.com. 3600 IN AAAA 2610:160:11:11::80
ns2.netgate.com. 3600 IN A 162.208.119.38
ns2.netgate.com. 3600 IN AAAA 2610:1c1:3::108
;; Query time: 37 msec
;; SERVER: 208.123.73.80#53(208.123.73.80)
;; WHEN: Tue Dec 11 04:15:32 Central Standard Time 2018
;; MSG SIZE rcvd: 340
E:\>
If I ask pfsense for the same MX - the additional records are not given..
E:\>dig @192.168.9.253 netgate.com mx
; <<>> DiG 9.12.3 <<>> @192.168.9.253 netgate.com mx
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6624
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;netgate.com. IN MX
;; ANSWER SECTION:
netgate.com. 3445 IN MX 20 alt1.aspmx.l.google.com.
netgate.com. 3445 IN MX 10 aspmx.l.google.com.
netgate.com. 3445 IN MX 30 aspmx5.googlemail.com.
netgate.com. 3445 IN MX 30 aspmx4.googlemail.com.
netgate.com. 3445 IN MX 20 alt2.aspmx.l.google.com.
netgate.com. 3445 IN MX 30 aspmx3.googlemail.com.
netgate.com. 3445 IN MX 30 aspmx2.googlemail.com.
;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Dec 11 04:20:33 Central Standard Time 2018
;; MSG SIZE rcvd: 216
E:\>
So let's see this query or cache from unbound showing you the wrong info..
BTW you also notice that while I got back additional info from ns1.netgate.com - it is NOT the A records of the MX records!!! Since it is not authoritative for the A records the MX point to... But if I ask ns1.google.com for gmail.com MX it does send back the A records.
E:\>dig @ns1.google.com gmail.com MX
; <<>> DiG 9.12.3 <<>> @ns1.google.com gmail.com MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22942
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 10
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;gmail.com. IN MX
;; ANSWER SECTION:
gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 30 alt3.gmail-smtp-in.l.google.com.
;; ADDITIONAL SECTION:
alt4.gmail-smtp-in.l.google.com. 300 IN A 74.125.193.27
alt4.gmail-smtp-in.l.google.com. 300 IN AAAA 2a00:1450:400b:c01::1b
alt2.gmail-smtp-in.l.google.com. 300 IN A 172.217.204.27
alt2.gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:400c:c15::1a
gmail-smtp-in.l.google.com. 300 IN A 173.194.197.27
gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:4001:c1b::1b
alt1.gmail-smtp-in.l.google.com. 300 IN A 173.194.66.27
alt1.gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:400d:c01::1b
alt3.gmail-smtp-in.l.google.com. 300 IN A 172.217.192.27
alt3.gmail-smtp-in.l.google.com. 300 IN AAAA 2800:3f0:4003:c02::1a
;; Query time: 21 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Tue Dec 11 04:21:55 Central Standard Time 2018
;; MSG SIZE rcvd: 370
E:\>
But if I then ask unbound the same.. No additional records given.
E:\>dig @192.168.9.253 gmail.com MX
; <<>> DiG 9.12.3 <<>> @192.168.9.253 gmail.com MX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46825
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gmail.com. IN MX
;; ANSWER SECTION:
gmail.com. 3069 IN MX 10 alt1.gmail-smtp-in.l.google.com.
gmail.com. 3069 IN MX 40 alt4.gmail-smtp-in.l.google.com.
gmail.com. 3069 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3069 IN MX 20 alt2.gmail-smtp-in.l.google.com.
gmail.com. 3069 IN MX 30 alt3.gmail-smtp-in.l.google.com.
;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Dec 11 04:23:49 Central Standard Time 2018
;; MSG SIZE rcvd: 161
E:\>
BTW you also left in the actual domain you're trying to override in your dig command... Which, when testing by asking outside dns like 8888 or quad9 or 1111, does not return additional records... ONLY when you ask the authoritative NS do you get back additional... And again if I ask unbound for this - even without any overrides you do not get back the additional... Even when it's cached!!!
[screenshot: unboundquery.png]
It would be much easier to talk about your overrides and what gets returned from the SOA of the domain and what gets returned by unbound if we could just actually use the domain... But since you have been hiding it - I kept it hidden as well, even though you missed it in your dig ;)
Edit:
You're running the 2.4.4 release.. Unbound was UPDATED in 2.4.4p1 -- maybe there was an issue with the previous unbound not using the default of yes with min-responses?
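As an added example (not the poster's or pfSense's own code), here is a small script that does the check the post walks through by hand: it parses the dig output format quoted above and lists the MX exchanges whose A/AAAA records are not present in the ADDITIONAL section, which is exactly the set the MTA's resolver must then look up itself. The two inputs are constructed abbreviations of the netgate.com and gmail.com dig outputs above; the parser also accepts a full dig transcript.

```python
import re

# Constructed samples, abbreviated from the dig outputs quoted in the post above.
NETGATE_DIG = """\
;; ANSWER SECTION:
netgate.com. 3600 IN MX 10 aspmx.l.google.com.
netgate.com. 3600 IN MX 20 alt1.aspmx.l.google.com.
;; AUTHORITY SECTION:
netgate.com. 3600 IN NS ns1.netgate.com.
;; ADDITIONAL SECTION:
ns1.netgate.com. 3600 IN A 208.123.73.80
"""
GMAIL_DIG = """\
;; ANSWER SECTION:
gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
gmail.com. 3600 IN MX 10 alt1.gmail-smtp-in.l.google.com.
;; ADDITIONAL SECTION:
gmail-smtp-in.l.google.com. 300 IN A 173.194.197.27
alt1.gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:400d:c01::1b
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.*)$")

def parse_dig(text):
    """Group resource records by dig section: {section: [(owner, ttl, type, rdata), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if not line or line.startswith(";") or current is None:
            continue  # blank lines, dig comments, and the QUESTION entry
        r = RR_RE.match(line)
        if r:
            owner, ttl, rtype, rdata = r.groups()
            sections[current].append((owner.lower(), int(ttl), rtype, rdata))
    return sections

def mx_targets_missing_glue(text):
    """MX exchanges with no A/AAAA in ADDITIONAL; the client must resolve these itself."""
    sections = parse_dig(text)
    targets = [rd.split()[1].lower() for _, _, t, rd in sections.get("ANSWER", []) if t == "MX"]
    have_addr = {o for o, _, t, _ in sections.get("ADDITIONAL", []) if t in ("A", "AAAA")}
    return [t for t in targets if t not in have_addr]

if __name__ == "__main__":
    print(mx_targets_missing_glue(NETGATE_DIG), mx_targets_missing_glue(GMAIL_DIG))
```

Run against the unbound answers in the post (ADDITIONAL: 1, only the OPT record), every MX exchange shows up as needing its own A query, which is the expected behaviour with minimal-responses on.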