Netgate Discussion Forum
    DNS Issues After Upgrading to 25.07

    Category: DHCP and DNS. 18 Posts, 4 Posters, 249 Views
    • Gertjan @smsigroupit

      @smsigroupit

      When you installed pfSense, the default DNS settings should work fine. No need to add/change anything.
      Just one condition: your connection has to have access to the Internet's 'main' root DNS servers (just one of the available 13 would do) and it should be able to contact the TLD servers (they tell you which domain server to contact for a given TLD (== dot com, dot org etc.)).

      Normally, you don't need a resolver like 8.8.8.8 as pfSense has its own resolver : unbound.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • smsigroupit @Gertjan

        @Gertjan

        Thanks for the explanation!

        Yeah, I was under the impression the default setup should work too. But after upgrading to 25.07, things started acting up: when I use pfSense as the DNS, most websites don't load. Swapping to 8.8.8.8 fixes it instantly.

        I haven’t changed any DNS settings manually, so I’m wondering if the upgrade might’ve affected Unbound somehow or if there’s a new config quirk I missed.

        Appreciate the input! Let me know if there's anything specific I should look into with Unbound.

        • Gertjan @smsigroupit

          @smsigroupit

          Get back to 'DNS default', and do some testing :

          The easy-to-read test (console or SSH, menu option 8):

          dig cnn.com +trace +nodnssec

          The normal test (will include DNSSEC requests):

          dig cnn.com +trace

          The GUI test :

          f53e1a01-3598-4e7a-ae0c-f1b4b075f2a0-image.png

          • SteveITS (Rebel Alliance) @smsigroupit

            @smsigroupit If you have pfSense DNS set to forward, ensure DNSSEC is unchecked.

            Otherwise, is Unbound running? What do the logs show?

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
            Upvote 👍 helpful posts!

            • smsigroupit @Gertjan

              @Gertjan

              ; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
              ;; global options: +cmd
              . 85484 IN NS l.root-servers.net.
              . 85484 IN NS m.root-servers.net.
              . 85484 IN NS a.root-servers.net.
              . 85484 IN NS b.root-servers.net.
              . 85484 IN NS c.root-servers.net.
              . 85484 IN NS d.root-servers.net.
              . 85484 IN NS e.root-servers.net.
              . 85484 IN NS f.root-servers.net.
              . 85484 IN NS g.root-servers.net.
              . 85484 IN NS h.root-servers.net.
              . 85484 IN NS i.root-servers.net.
              . 85484 IN NS j.root-servers.net.
              . 85484 IN NS k.root-servers.net.
              ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

              ;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
              ;; no servers could be reached
              ;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
              ;; no servers could be reached
              ;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
              com. 172800 IN NS a.gtld-servers.net.
              com. 172800 IN NS b.gtld-servers.net.
              com. 172800 IN NS c.gtld-servers.net.
              com. 172800 IN NS d.gtld-servers.net.
              com. 172800 IN NS e.gtld-servers.net.
              com. 172800 IN NS f.gtld-servers.net.
              com. 172800 IN NS g.gtld-servers.net.
              com. 172800 IN NS h.gtld-servers.net.
              com. 172800 IN NS i.gtld-servers.net.
              com. 172800 IN NS j.gtld-servers.net.
              com. 172800 IN NS k.gtld-servers.net.
              com. 172800 IN NS l.gtld-servers.net.
              com. 172800 IN NS m.gtld-servers.net.
              ;; Received 832 bytes from 192.5.5.241#53(f.root-servers.net) in 7 ms

              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
              ;; Received 189 bytes from 192.33.14.30#53(b.gtld-servers.net) in 201 ms

              cnn.com. 60 IN A 151.101.195.5
              cnn.com. 60 IN A 151.101.3.5
              cnn.com. 60 IN A 151.101.67.5
              cnn.com. 60 IN A 151.101.131.5
              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
              ;; Received 237 bytes from 205.251.198.116#53(ns-1652.awsdns-14.co.uk) in 64 ms

              ; <<>> DiG 9.20.6 <<>> cnn.com +trace
              ;; global options: +cmd
              . 85421 IN NS f.root-servers.net.
              . 85421 IN NS g.root-servers.net.
              . 85421 IN NS h.root-servers.net.
              . 85421 IN NS i.root-servers.net.
              . 85421 IN NS j.root-servers.net.
              . 85421 IN NS k.root-servers.net.
              . 85421 IN NS l.root-servers.net.
              . 85421 IN NS m.root-servers.net.
              . 85421 IN NS a.root-servers.net.
              . 85421 IN NS b.root-servers.net.
              . 85421 IN NS c.root-servers.net.
              . 85421 IN NS d.root-servers.net.
              . 85421 IN NS e.root-servers.net.
              . 85421 IN RRSIG NS 8 0 518400 20250823170000 20250810160000 46441 . EG7MMAxQxsKwvVN7K1EjgrnErzUrneBhrtyPG68RViCvIEDfZ9sSbStx 6hrXftXXN4v9ZP2MfMyL2ETXnt67MqGr8hoEBS5Goy9I4pKzap6shB2r tesUJh/Ji8eMszZfEI7MWMGaokzlsrafcCI5jCmcpE0dVEcge2tDskgv ChUFzs7e0TQR9YnyYtotoa3CY7iO7RTsPO8fhSRf4qByejUrSsWG7mPa 53QfDBlq2My53tZfk77jXJYAsvwZyuBHAvAoi+IjcBO9LHQNp642r1eJ CPuur9rgnY+T3BZoKWH4pbOTJjktc/Ed61QWn9JNnw7mTZuh9c2zoVZj 2sJuRA==
              ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

              ;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
              ;; no servers could be reached
              ;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
              ;; no servers could be reached
              ;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for cnn.com failed: host unreachable.
              ;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for cnn.com failed: host unreachable.
              com. 172800 IN NS a.gtld-servers.net.
              com. 172800 IN NS b.gtld-servers.net.
              com. 172800 IN NS c.gtld-servers.net.
              com. 172800 IN NS d.gtld-servers.net.
              com. 172800 IN NS e.gtld-servers.net.
              com. 172800 IN NS f.gtld-servers.net.
              com. 172800 IN NS g.gtld-servers.net.
              com. 172800 IN NS h.gtld-servers.net.
              com. 172800 IN NS i.gtld-servers.net.
              com. 172800 IN NS j.gtld-servers.net.
              com. 172800 IN NS k.gtld-servers.net.
              com. 172800 IN NS l.gtld-servers.net.
              com. 172800 IN NS m.gtld-servers.net.
              com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
              com. 86400 IN RRSIG DS 8 1 86400 20250823170000 20250810160000 46441 . XgpyS1RVIAmg/rWR0PDlBDHQKbbXaDYaSNQd9vuQB5g9medQb5/NOymr D/EpA7c0KGkP5y6RNcfEiE2RC9y0u4KKkfCrRSra3LZIS68DXS22dgLc CRr0X7O1H9O4g+k5ER9v0WkJ6y30fek7jAKBzZksz68WGqirSRoGKVMS UY/PiCMM9sJwat2+mZrOI46YfYGjHz/t97St1Ej4gQZTrvkJqQ0AWp8X 4q0pFgGpdeRRiNO6v7phKwU07VTz/MNzLbMG6mVOsSdeUmwZpPEFHgLx LCaKMtTzCuj3LiNZfwhJDVD2156HlO8wUHZ/+Vs2afB07D00smJPCuJ2 fVkCdw==
              ;; Received 1167 bytes from 192.203.230.10#53(e.root-servers.net) in 7 ms

              ;; UDP setup with 2001:503:83eb::30#53(2001:503:83eb::30) for cnn.com failed: host unreachable.
              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250815002515 20250807231515 20545 com. 6n1Mw975eAQUE3zMR5u6LB4NhjV6kmtV7cKxWS6hCh86zHo3e7MdaC2y k1G786DdwL4TXk0PHnLpwiuG63x89Q==
              FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN NSEC3 1 1 0 - FVT7K43DJ0K7KJ384M71US54D3690VUI NS DS RRSIG
              FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN RRSIG NSEC3 13 2 900 20250816012853 20250809001853 20545 com. 0afRonASH5vKKxyBxzPqwOS3DMKhEpoCuBnWuKh4qCeSlaa5xA2YZpHz y/wj2VEI7qXN2PQQCLJD64EH1P74eg==
              ;; Received 546 bytes from 192.48.79.30#53(j.gtld-servers.net) in 177 ms

              ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
              ;; UDP setup with 2600:9000:5302:4b00::1#53(2600:9000:5302:4b00::1) for cnn.com failed: host unreachable.
              cnn.com. 60 IN A 151.101.195.5
              cnn.com. 60 IN A 151.101.67.5
              cnn.com. 60 IN A 151.101.131.5
              cnn.com. 60 IN A 151.101.3.5
              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
              ;; Received 237 bytes from 205.251.198.116#53(ns-1652.awsdns-14.co.uk) in 88 ms

              dns lookup.JPG

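The first post in this thread explains what unbound needs (reach a root server, then the TLD servers), the second proposes `dig +trace` as the test, and the post above shows the resulting output. As an added example (my own code, not from the thread, from Netgate or from pfSense), here is a small Python parser for that output format: it splits the trace into delegation hops, attaches each ";; UDP setup ... failed" line to the hop it delayed, and reports whether the chain ended in address records. The sample trace in the block is a constructed, shortened copy of the posted output, and all function names are mine. One thing the parser makes explicit: only the first hop (the root NS list answered by 127.0.0.1) comes from unbound; every later hop is dig querying the root, TLD and authoritative servers directly, so a clean trace proves the firewall can reach them over IPv4, not that unbound's own resolution is healthy.

```python
"""Parse `dig <name> +trace` output into delegation hops (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened copy of the trace format posted in the thread.
SAMPLE_TRACE = """\
; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
;; global options: +cmd
. 85484 IN NS l.root-servers.net.
. 85484 IN NS f.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

;; UDP setup with 2001:500:2d::d#53(2001:500:2d::d) for cnn.com failed: host unreachable.
;; no servers could be reached
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 832 bytes from 192.5.5.241#53(f.root-servers.net) in 7 ms

cnn.com. 172800 IN NS ns-587.awsdns-09.net.
;; Received 189 bytes from 192.33.14.30#53(b.gtld-servers.net) in 201 ms

cnn.com. 60 IN A 151.101.195.5
cnn.com. 60 IN A 151.101.3.5
cnn.com. 172800 IN NS ns-587.awsdns-09.net.
;; Received 237 bytes from 205.251.198.116#53(ns-1652.awsdns-14.co.uk) in 64 ms
"""

RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from ([^#]+)#\d+\(([^)]+)\) in (\d+) ms$")
FAILED_RE = re.compile(r"^;; UDP setup with ([^#]+)#\d+\([^)]*\) for \S+ failed: (.+)\.$")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class Hop:
    answered_by: str                                  # name in parentheses, e.g. f.root-servers.net
    server_ip: str
    rtt_ms: int
    records: list = field(default_factory=list)       # (owner, rtype, rdata)
    failed_addrs: list = field(default_factory=list)  # addresses dig tried and could not reach first


def parse_trace(text):
    """Split dig +trace output into Hop objects, one per ';; Received' line."""
    hops, records, failed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("; <<>>") or line.startswith(";; global"):
            continue
        m = FAILED_RE.match(line)
        if m:
            failed.append(m.group(1))
            continue
        if line == ";; no servers could be reached":
            continue  # dig gives up on the address above and moves on to the next server
        m = RECEIVED_RE.match(line)
        if m:
            hops.append(Hop(m.group(2), m.group(1), int(m.group(3)), records, failed))
            records, failed = [], []
            continue
        m = RR_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3)))
    return hops


def summarize(hops):
    """Reduce the hops to the facts a troubleshooter wants to see."""
    final = hops[-1].records if hops else []
    answers = [rdata for _, rtype, rdata in final if rtype in ("A", "AAAA")]
    failed = {addr for h in hops for addr in h.failed_addrs}
    return {
        "hops": [(h.answered_by, len(h.records)) for h in hops],
        "answers": answers,
        "ipv6_failures": sorted(a for a in failed if ":" in a),
        "ipv4_failures": sorted(a for a in failed if ":" not in a),
        "resolved": bool(answers),
    }


def diagnose(summary):
    """One-line reading of the summary, following the reasoning used in the thread."""
    if not summary["resolved"]:
        return "no A/AAAA record at the end of the chain: resolution is broken somewhere"
    if summary["ipv4_failures"]:
        return "resolved, but some IPv4 servers were unreachable: check WAN and outbound rules"
    if summary["ipv6_failures"]:
        return ("resolved over IPv4; the failures are dig trying the servers' IPv6 addresses "
                "from a host without working IPv6 (harmless if unbound is not using IPv6)")
    return "resolved cleanly"


if __name__ == "__main__":
    s = summarize(parse_trace(SAMPLE_TRACE))
    for k, v in s.items():
        print(f"{k}: {v}")
    print(diagnose(s))
```

To use it on a real box, save the trace (`dig cnn.com +trace +nodnssec > trace.txt`) and feed the file's text to `parse_trace`; a trace that ends in A records while unbound itself fails to answer points at unbound (restarts, forwarding with DNSSEC, a huge DNSBL config), not at connectivity.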
              • smsigroupit @SteveITS

                @SteveITS

                DNS Resolver

                dns resolver.JPG

                • xana

                  I just upgraded to 25.07 a couple of hours ago.
                  Unbound (non-forwarding) has been causing me a headache since. Intermittent DNS loss with no errors or cause in the logs. Only a restart of the service, numerous times, is resolving it.

                  I run pfBlockerNG-devel also.

                  Hopefully this isn't an ongoing bug because it's pretty crippling.

                  • Gertjan @smsigroupit

                    @smsigroupit

                    So dig, which resolves by itself without using unbound (the resolver), works fine.
                    So: resolving from pfSense would work for you.
                    Just one thing:

                    ;; UDP setup with 2001:503:83eb::30#53(2001:503:83eb::30) for cnn.com failed: host unreachable.

                    dig also tries to use IPv6 - and that failed.
                    is your pfSense IPv6 setup working correctly ?

                    Your GUI lookup test : was this using forwarding or resolving ?
                    Normally, you don't need all these :
                    368b1865-476b-4576-813e-c0158deeeaa8-image.png

                    There are 13 main root servers built into unbound, and hundreds of TLDs available.
                    127.0.0.1 (and ::1) will do just fine.

                    If you are forwarding, disable DNSSEC.

                    @xana :
                    Same remarks :
                    Are you (pfSense, unbound) using IPv6 ?
                    Is unbound running all the time? (I presume I listed above how to test that)
                    Are all your NICs always (like always!) up, or going up and down like a dance party? (thus restarting unbound all the time == DNS loss)
                    Is your Internet connection ok? Unbound just needs to reach one of the 13 root servers; these are never down. If you can reach none of the 13.... consider that a massive problem.
                    Show the dig test
                    Show the nslookup test (while resolving, not forwarding)
                    Etc.

                    Normally ^^ it should be hard to get a stable DNS, and for a simple reason: hundreds of thousands have installed and use pfSense with the default settings, and they didn't change (or add) any DNS addresses and/or settings. Nothing. And it works fine. Why would Netgate want you to 'do something' with DNS? They would mention that in the installation guide. They didn't, because it isn't needed.
                    The thing is : people do change DNS settings for 'some reason' and suddenly they have issues 😊

                    Btw: I presume you have open, non-restricted access to the Internet.

                    • smsigroupit @Gertjan

                      Hi @Gertjan

                      Thank you for the response.

                      Are you (pfSense, unbound) using IPv6 ?

                      • I'm not using IPv6

                      If you are forwarding, disable DNSSEC.

                      • Is this under the DNS Resolver? What do you mean by forwarding (DNS Forwarder)?

                      Show the dig test, Show the nslookup test (while resolving, not forwarding)

                      • How do I do the dig test and nslookup test while resolving?

                      I presume you have and open non restricted access to the Internet.

                      • I'm running pfBlockerNG and Suricata

                      Before upgrading to pfSense Plus 25.07, everything was working fine on pfSense Plus 24.11.

                      After the upgrade to pfSense Plus 25.07, I began experiencing repeated crash reports. Details are as follows:

                      The only change made was switching DNS-BL mode to Python mode, which resolved the issue.

                      System Information:

                      Architecture: amd64
                      Version: 15.0-CURRENT
                      Build: FreeBSD 15.0-CURRENT #0 plus-RELENG_25_07-n256508-719054fb1f90 (Mon Jul 28 16:47:59 UTC 2025)

                      Crash Report (PHP Errors):
                      [06-Aug-2025 09:33:47 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                      [06-Aug-2025 09:34:23 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                      [06-Aug-2025 09:35:13 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                      [06-Aug-2025 09:35:45 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                      [06-Aug-2025 09:36:18 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528
                      [06-Aug-2025 09:37:43 Asia/Manila] PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /usr/local/bin/kea2unbound on line 528

                      Thank you.

                      • SteveITS (Rebel Alliance) @smsigroupit

                        @smsigroupit said in DNS Issues After Upgrading to 25.07:

                        If you are forwarding, disable DNSSEC.

                        • is this under the DNS resolver? what do you mean by forwarding (DNS forwarder)?

                        DNS Resolver by default looks up answers by itself. It can be configured to forward requests to other name servers such as Quad9 or Cloudflare. Leaving DNSSEC enabled can cause errors when also forwarding.

                        • smsigroupit @SteveITS

                          @SteveITS

                          Forwarding mode is disabled in the current configuration.

                          dns resolver 2.JPG

                          • Gertjan @smsigroupit

                            @smsigroupit said in DNS Issues After Upgrading to 25.07:

                            how to do dig test and nslookup test while resolving?

                            As shown above. See my second post.

                            Also run this command on the command line (console or SSH, menu option 8):

                            grep 'info: start' /var/log/resolver.log

                            This shows you how often the resolver (re)starts.

                            A restarting resolver can't resolve ;)
                            That said, a restart typically takes a couple of seconds.

                            @smsigroupit said in DNS Issues After Upgrading to 25.07:

                            The only change made was switching DNS-BL mode to Python mode, which resolved the issue.

                            Yeah, that one pops up all the time now.
                            The new way Kea transmits leases into the DNS (unbound) is by parsing the actual unbound local cache, inserting only new DNS info, and removing old lease info.
                            If the old classic pfBlockerNG DNSBL method is used (= one big file with all the DNSBL info in one go) this cache can become very big. Unbound will also take a lot of time to read and parse this file on every startup. During this startup, DNS doesn't work.
                            That's one of the reasons the python mode was invented: it's better, faster and needs fewer resources.
                            I really thought everybody wanted that, and everybody who was using pfBlockerNG and DNSBL was using python mode by now. Apparently ... not everybody. Anyway, you solved that now.

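The grep in the post above lists every unbound start, but reading restart frequency off a long list by eye is error-prone. As an added example (my own code, not from the thread, from Netgate or from pfSense), here is a Python script that parses lines in that format, counts starts and distinct PIDs, and flags bursts of starts inside a short window, which is exactly the "restarting resolver can't resolve" situation described. The log lines in the block are a constructed sample in the posted format; the year is assumed, because syslog lines carry none; and the 60-second window and 3-start threshold are arbitrary choices to tune. One detail the script surfaces: unbound logs "start of service" both when the process starts and when it reloads its config, so a PID that appears again is a reload (pfSense does this for lease registration and pfBlockerNG updates) and a new PID is a full restart; either way the resolver is not answering while it rebuilds.

```python
"""Measure unbound restarts from pfSense's /var/log/resolver.log (added example, not from the thread)."""
import re
from datetime import datetime

# Constructed sample in the format of the grep output posted in the thread; the
# 'service stopped' line is included to show that non-start lines are ignored.
SAMPLE_LOG = """\
Aug 11 00:55:11 shoemakersfw unbound[29460]: [29460:0] info: start of service (unbound 1.23.0).
Aug 11 06:39:58 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:03 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:05 shoemakersfw unbound[10691]: [10691:0] info: service stopped (unbound 1.23.0).
Aug 11 06:40:08 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
Aug 11 06:40:22 shoemakersfw unbound[42672]: [42672:0] info: start of service (unbound 1.23.0).
Aug 11 13:19:57 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
Aug 11 13:20:03 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
Aug 12 00:03:21 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
"""

START_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"unbound\[(?P<pid>\d+)\]: \[\d+:\d+\] info: start of service \(unbound [^)]+\)\.$"
)


def parse_starts(lines, year=2025):
    """Return [(timestamp, pid)] for every 'start of service' line.

    Syslog lines carry no year, so one is assumed (2025 matches the thread's dates).
    """
    starts = []
    for line in lines:
        m = START_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            starts.append((ts, int(m["pid"])))
    return starts


def restart_bursts(starts, window_s=60, min_count=3):
    """Group starts whose gap to the previous start is <= window_s; keep groups of >= min_count.

    A repeated PID is a reload, a new PID a full restart; both interrupt service.
    """
    bursts, cur = [], []
    for ts, pid in starts:
        if cur and (ts - cur[-1][0]).total_seconds() > window_s:
            if len(cur) >= min_count:
                bursts.append(cur)
            cur = []
        cur.append((ts, pid))
    if len(cur) >= min_count:
        bursts.append(cur)
    return bursts


def summarize(lines, year=2025, window_s=60, min_count=3):
    """Counts plus one (first start, number of starts, span in seconds) tuple per burst."""
    starts = parse_starts(lines, year)
    bursts = restart_bursts(starts, window_s, min_count)
    return {
        "starts": len(starts),
        "distinct_pids": len({pid for _, pid in starts}),
        "bursts": [(b[0][0].strftime("%b %d %H:%M:%S"), len(b),
                    int((b[-1][0] - b[0][0]).total_seconds())) for b in bursts],
    }


if __name__ == "__main__":
    import sys
    # Pipe the real log in (python3 restarts.py < /var/log/resolver.log); otherwise use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for k, v in summarize(lines).items():
        print(f"{k}: {v}")
```

On the sample this reports one burst of four starts in 24 seconds; a burst like that on a real box, timed against when pfBlockerNG updates or DHCP leases arrive, is the thing to correlate with the "intermittent DNS loss" reported earlier in the thread.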
                            • smsigroupit @Gertjan

                              @Gertjan

                              grep 'info: start' /var/log/resolver.log

                              Aug 11 00:55:11 shoemakersfw unbound[29460]: [29460:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:39:58 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:03 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:08 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:14 shoemakersfw unbound[10691]: [10691:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:22 shoemakersfw unbound[42672]: [42672:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:28 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:33 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:46 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:40:55 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:41:00 shoemakersfw unbound[55348]: [55348:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:43:07 shoemakersfw unbound[61105]: [61105:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:44:40 shoemakersfw unbound[29989]: [29989:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:44:58 shoemakersfw unbound[29989]: [29989:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:45:21 shoemakersfw unbound[16934]: [16934:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:45:26 shoemakersfw unbound[16934]: [16934:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:47:00 shoemakersfw unbound[38812]: [38812:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:47:06 shoemakersfw unbound[38812]: [38812:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:47:13 shoemakersfw unbound[2075]: [2075:0] info: start of service (unbound 1.23.0).
                              Aug 11 06:47:18 shoemakersfw unbound[2075]: [2075:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:19:57 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:20:03 shoemakersfw unbound[61466]: [61466:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:26:19 shoemakersfw unbound[37451]: [37451:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:26:25 shoemakersfw unbound[37451]: [37451:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:26:49 shoemakersfw unbound[64440]: [64440:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:26:56 shoemakersfw unbound[64440]: [64440:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:45:50 shoemakersfw unbound[41576]: [41576:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:46:33 shoemakersfw unbound[90435]: [90435:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:48:57 shoemakersfw unbound[90435]: [90435:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:57:33 shoemakersfw unbound[40816]: [40816:0] info: start of service (unbound 1.23.0).
                              Aug 11 13:57:33 shoemakersfw unbound[40816]: [40816:0] info: start of service (unbound 1.23.0).
                              Aug 12 00:03:21 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                              Aug 12 00:04:11 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                              Aug 12 06:27:26 shoemakersfw unbound[4089]: [4089:0] info: start of service (unbound 1.23.0).
                              Aug 12 06:27:33 shoemakersfw unbound[52402]: [52402:0] info: start of service (unbound 1.23.0).
                              Aug 12 06:27:39 shoemakersfw unbound[52402]: [52402:0] info: start of service (unbound 1.23.0).

                              dig cnn.com +trace

                              ; <<>> DiG 9.20.6 <<>> cnn.com +trace
                              ;; global options: +cmd
                              . 57054 IN NS g.root-servers.net.
                              . 57054 IN NS h.root-servers.net.
                              . 57054 IN NS i.root-servers.net.
                              . 57054 IN NS j.root-servers.net.
                              . 57054 IN NS k.root-servers.net.
                              . 57054 IN NS l.root-servers.net.
                              . 57054 IN NS m.root-servers.net.
                              . 57054 IN NS a.root-servers.net.
                              . 57054 IN NS b.root-servers.net.
                              . 57054 IN NS c.root-servers.net.
                              . 57054 IN NS d.root-servers.net.
                              . 57054 IN NS e.root-servers.net.
                              . 57054 IN NS f.root-servers.net.
                              . 57054 IN RRSIG NS 8 0 518400 20250824200000 20250811190000 46441 . Ch2FL9ZmmZExl/aFERtrjuInzUz1gfMiVPS3jsoz3PBaNmKS50N/dfFq 5R2Irct7wBLVAHdgKKFjPvTSFSrznKZSKPg4muqMsS4+CJ55di/GUNhh lSCOp6ZBElRqfPTM464L2wDSaTn6JQ6ZICxrIAPaBPjdKLIE8kVY6XJP wq5RsTCUXUnEkZEmanLLOiAMaNHTIAZ83nSiyraQ0rTG8rbvcooHA54C FU7B9MLpCnDVII/qUYb/M/lqFYSoi3uobopqwTnhYnlwfF62Ao/K6LC/ +eMguMIfLJ5rs+8C/8EYZtzmJPPAGNaK/FFq19mRbKMQ0ZleX/7clH5+ b4PgTg==
                              ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                              ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                              ;; no servers could be reached
                              ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                              ;; no servers could be reached
                              ;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for cnn.com failed: host unreachable.
                              com. 172800 IN NS a.gtld-servers.net.
                              com. 172800 IN NS b.gtld-servers.net.
                              com. 172800 IN NS c.gtld-servers.net.
                              com. 172800 IN NS d.gtld-servers.net.
                              com. 172800 IN NS e.gtld-servers.net.
                              com. 172800 IN NS f.gtld-servers.net.
                              com. 172800 IN NS g.gtld-servers.net.
                              com. 172800 IN NS h.gtld-servers.net.
                              com. 172800 IN NS i.gtld-servers.net.
                              com. 172800 IN NS j.gtld-servers.net.
                              com. 172800 IN NS k.gtld-servers.net.
                              com. 172800 IN NS l.gtld-servers.net.
                              com. 172800 IN NS m.gtld-servers.net.
                              com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
                              com. 86400 IN RRSIG DS 8 1 86400 20250825050000 20250812040000 46441 . DVTu+B/+DFQ/7N53YKXuJdaUtPomtpmH9++OS2K5Z4xf2SGpVuwZi4H8 47FmcUFd68+sXU61DCEj+jYMPKUsQYbr8ymtXZMSpC/9NRV2BQn+1D7E KhAMMPU/ltt14DU0j0+hYt2p6ABoSy9FpNaCLvfjwnKPMApf5jYpzFfD FmM6Q5PpQNthq2mKmBcJWZjuTvA32Iys15nJot+Zg1tcVD88T03Wm+F8 ojU0ecjCU+1U28GgibVuhCMZwDKzhNI83a2Cetdxi7hKyYQllnpq/SOt PLTmgqPkZk6w5NS9csKycoXyolW0UFNGVV6osjGUE1FIiA0LRUDoYEC2 7X4R6Q==
                              ;; Received 1167 bytes from 170.247.170.2#53(b.root-servers.net) in 47 ms

                              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
                              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20250819002508 20250811231508 20545 com. IgcCaCYvFc9ADNjiGojHLa7mrwCn9mzzwOxHxHdhhypOuigpHPHtbgA2 CoMOVJ38n57s7Kkh7iP2/fdKRX9Shg==
                              FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN NSEC3 1 1 0 - FVT7K43DJ0K7KJ384M71US54D3690VUI NS DS RRSIG
                              FVT7IKJ9C0BTF07HNDO4FLBRB7D7NCL2.com. 900 IN RRSIG NSEC3 13 2 900 20250816012853 20250809001853 20545 com. 0afRonASH5vKKxyBxzPqwOS3DMKhEpoCuBnWuKh4qCeSlaa5xA2YZpHz y/wj2VEI7qXN2PQQCLJD64EH1P74eg==
                              ;; Received 546 bytes from 192.31.80.30#53(d.gtld-servers.net) in 205 ms

                              ;; UDP setup with 2600:9000:5304:da00::1#53(2600:9000:5304:da00::1) for cnn.com failed: host unreachable.
                              ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                              cnn.com. 60 IN A 151.101.131.5
                              cnn.com. 60 IN A 151.101.3.5
                              cnn.com. 60 IN A 151.101.195.5
                              cnn.com. 60 IN A 151.101.67.5
                              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                              ;; Received 237 bytes from 205.251.194.75#53(ns-587.awsdns-09.net) in 27 ms

                              ; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
                              ;; global options: +cmd
                              . 56974 IN NS f.root-servers.net.
                              . 56974 IN NS g.root-servers.net.
                              . 56974 IN NS h.root-servers.net.
                              . 56974 IN NS i.root-servers.net.
                              . 56974 IN NS j.root-servers.net.
                              . 56974 IN NS k.root-servers.net.
                              . 56974 IN NS l.root-servers.net.
                              . 56974 IN NS m.root-servers.net.
                              . 56974 IN NS a.root-servers.net.
                              . 56974 IN NS b.root-servers.net.
                              . 56974 IN NS c.root-servers.net.
                              . 56974 IN NS d.root-servers.net.
                              . 56974 IN NS e.root-servers.net.
                              ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

                              ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                              ;; no servers could be reached
                              ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                              ;; no servers could be reached
                              ;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
                              ;; UDP setup with 2001:500:a8::e#53(2001:500:a8::e) for cnn.com failed: host unreachable.
                              com. 172800 IN NS g.gtld-servers.net.
                              com. 172800 IN NS f.gtld-servers.net.
                              com. 172800 IN NS h.gtld-servers.net.
                              com. 172800 IN NS d.gtld-servers.net.
                              com. 172800 IN NS i.gtld-servers.net.
                              com. 172800 IN NS j.gtld-servers.net.
                              com. 172800 IN NS m.gtld-servers.net.
                              com. 172800 IN NS l.gtld-servers.net.
                              com. 172800 IN NS e.gtld-servers.net.
                              com. 172800 IN NS b.gtld-servers.net.
                              com. 172800 IN NS c.gtld-servers.net.
                              com. 172800 IN NS k.gtld-servers.net.
                              com. 172800 IN NS a.gtld-servers.net.
                              ;; Received 860 bytes from 192.36.148.17#53(i.root-servers.net) in 34 ms

                              ;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for cnn.com failed: host unreachable.
                              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                              ;; Received 189 bytes from 192.5.6.30#53(a.gtld-servers.net) in 207 ms

                              ;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
                              cnn.com. 60 IN A 151.101.131.5
                              cnn.com. 60 IN A 151.101.67.5
                              cnn.com. 60 IN A 151.101.3.5
                              cnn.com. 60 IN A 151.101.195.5
                              cnn.com. 172800 IN NS ns-1242.awsdns-27.org.
                              cnn.com. 172800 IN NS ns-1652.awsdns-14.co.uk.
                              cnn.com. 172800 IN NS ns-378.awsdns-47.com.
                              cnn.com. 172800 IN NS ns-587.awsdns-09.net.
                              ;; Received 237 bytes from 205.251.196.218#53(ns-1242.awsdns-27.org) in 26 ms

                              • Gertjan @smsigroupit

                                @smsigroupit

                                About the (restarts) :
                                Check with the system log what happened, why unbound was told to restart.
                                A very common reason is : an interface used by unbound was taken down for a moment.
                                If possible, stop this from happening.

                                About the dig : dig bypasses the resolver (unbound), it does all the work 'itself'.
                                As it gets back DNS records with IPv6 addresses, it will use these to 'check' them. Because you don't have IPv6 support, these will fail.

                                A cleaner result can be obtained by telling dig to use IPv4 only :

                                dig -4 cnn.com +trace
                                

                                But dig isn't the resolver.
                                There are special options for unbound that you can specify here :
                                2ac224f4-05e6-45e9-b42a-d29db06e1a6b-image.png

                                so you can inform unbound not to use IPv6 (just to be sure).

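The distinction Gertjan draws (IPv6 transport errors in a `+trace` run are noise on a network without IPv6, as long as an IPv4 server still answered) can be checked mechanically. The script below is an added example, not code from the thread, from pfSense or from unbound: it parses dig `+trace` output, buckets the `UDP setup ... failed` lines by address family, records which servers actually answered, and reports whether the queried name resolved over IPv4. The embedded trace is constructed after the one posted above (shortened, not a verbatim copy), and the function and class names are my own.

```python
"""Classify dig +trace output: IPv6 transport noise versus a real resolution failure."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample modelled on the trace posted in the thread (shortened, not verbatim).
SAMPLE_TRACE = """\
; <<>> DiG 9.20.6 <<>> cnn.com +trace +nodnssec
;; global options: +cmd
. 56974 IN NS a.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

;; UDP setup with 2001:7fe::53#53(2001:7fe::53) for cnn.com failed: host unreachable.
;; no servers could be reached
com. 172800 IN NS a.gtld-servers.net.
;; Received 860 bytes from 192.36.148.17#53(i.root-servers.net) in 34 ms

;; UDP setup with 2001:502:8cc::30#53(2001:502:8cc::30) for cnn.com failed: host unreachable.
cnn.com. 172800 IN NS ns-587.awsdns-09.net.
;; Received 189 bytes from 192.5.6.30#53(a.gtld-servers.net) in 207 ms

;; UDP setup with 2600:9000:5306:7400::1#53(2600:9000:5306:7400::1) for cnn.com failed: host unreachable.
cnn.com. 60 IN A 151.101.131.5
cnn.com. 60 IN A 151.101.3.5
;; Received 237 bytes from 205.251.196.218#53(ns-1242.awsdns-27.org) in 26 ms
"""

# dig's diagnostic lines: a failed transport setup, and the "Received ... from" summary per hop.
FAILED_RE = re.compile(r"^;; (?:UDP|TCP) setup with ([^#\s]+)#\d+\(\S+\) for (\S+) failed: (.*)$")
RECEIVED_RE = re.compile(r"^;; Received \d+ bytes from ([^#\s]+)#\d+\(([^)]+)\) in \d+ ms$")
# A resource record line in presentation format: owner TTL IN TYPE RDATA.
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


@dataclass
class TraceReport:
    failed_v6: List[Tuple[str, str]] = field(default_factory=list)   # (server, reason)
    failed_v4: List[Tuple[str, str]] = field(default_factory=list)
    answered_by: List[Tuple[str, str]] = field(default_factory=list)  # (ip, server name)
    a_records: List[str] = field(default_factory=list)

    def resolved(self) -> bool:
        return bool(self.a_records)

    def only_ipv6_failures(self) -> bool:
        return bool(self.failed_v6) and not self.failed_v4

    def answered_over_ipv4_only(self) -> bool:
        return bool(self.answered_by) and all(
            ipaddress.ip_address(ip).version == 4 for ip, _ in self.answered_by)


def parse_trace(text: str, qname: str) -> TraceReport:
    """Walk the trace line by line and sort failures, answering servers and A records."""
    report = TraceReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            server, _name, reason = m.groups()
            bucket = report.failed_v6 if ipaddress.ip_address(server).version == 6 else report.failed_v4
            bucket.append((server, reason))
            continue
        m = RECEIVED_RE.match(line)
        if m:
            report.answered_by.append((m.group(1), m.group(2)))
            continue
        m = RR_RE.match(line)
        # Only A records for the queried name count as "resolved"; NS/RRSIG lines are delegation data.
        if m and m.group(2) == "A" and m.group(1).rstrip(".") == qname.rstrip("."):
            report.a_records.append(m.group(3).strip())
    return report


def diagnose(report: TraceReport) -> str:
    """Turn the parsed trace into the one-line verdict a troubleshooter wants."""
    if report.resolved() and report.only_ipv6_failures() and report.answered_over_ipv4_only():
        return "resolved-over-ipv4: IPv6 setup failures are noise here; rerun with dig -4 for a clean trace"
    if report.resolved():
        return "resolved"
    if report.failed_v4:
        return "unresolved: IPv4 servers unreachable, check upstream connectivity or firewall rules"
    return "unresolved: no answer and no IPv4 failures recorded, check the trace manually"


if __name__ == "__main__":
    rep = parse_trace(SAMPLE_TRACE, "cnn.com")
    print(f"IPv6 failures: {len(rep.failed_v6)}, IPv4 failures: {len(rep.failed_v4)}")
    print(f"A records: {rep.a_records}")
    print(diagnose(rep))
```

Run it on a real capture with `dig cnn.com +trace > trace.txt` and feed the file contents to `parse_trace`; the verdict separates "resolution works, the host just has no IPv6 route" from "the IPv4 path to the authoritative servers is broken", which is the question the thread is really about. As Gertjan notes, this says nothing about unbound itself, because dig does its own recursion.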

                                • smsigroupit @Gertjan

                                  @Gertjan

                                  Are these the correct parameters to inform unbound not to use IPv6?

                                  server:
                                    do-ip6: no

                                  dig 4.JPG

                                  • Gertjan @smsigroupit

                                    @smsigroupit said in DNS Issues After Upgrading to 25.07:

                                    server:
                                      do-ip6: no

                                    That's the one.


                                    • smsigroupit @Gertjan

                                      @Gertjan

                                      Thank you for your assistance. I will continue to monitor the system status.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.