DNS doens't resolv this addresses

jperezme

Hello.
I don't know what happens that I can't navigate to several web pages such as:
https://ec.europa.eu/taxation_customs/dds2/taric/taric_consultation.jsp?Lang=es or
https://trade.ec.europa.eu/access-to-markets/en/content/welcome-access2markets-market-access-database-users
I get this error: DNS_PROBE_FINISHED_NXDOMAIN
Pfsense forwards the request to my provider's dns .

The outbound is not able to resolve the domain. If I exit via pfsense and write a command nslookup ec.europa.eu I get:
C:\Users\Morning Shift>nslookup ec.europa.eu
Server: UnKnown
Address: 10.0.201.1

Name: ec.europa.eu
Addresses: 2a01:7080:14:666:30
2a01:7080:24:666:30

And if I skip to pfsense and connect directly to my router then if it works and I get with nslookup this: Server: 250.red-80-58-61.staticip.rima-tde.net
Address: 80.58.61.250

Non-authoritative answer:
Name: ec.europa.eu
Addresses: 2a01:7080:14:666:30
2a01:7080:24:666:30
147.67.210.30
147.67.34.30

Any one knows what can be happen?
Thanks.

johnpoz

@jperezme resolves here just fine

$ dig ec.europa.eu

; <<>> DiG 9.16.34 <<>> ec.europa.eu
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48952
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ec.europa.eu.                  IN      A

;; ANSWER SECTION:
ec.europa.eu.           3600    IN      A       147.67.34.30
ec.europa.eu.           3600    IN      A       147.67.210.30

;; Query time: 617 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Nov 17 05:46:12 Central Standard Time 2022
;; MSG SIZE  rcvd: 73

I would do a dig ec.europa.eu +trace on pfsense and see where its failing.

[22.05-RELEASE][admin@sg4860.local.lan]/: dig ec.europa.eu +trace

; <<>> DiG 9.16.26 <<>> ec.europa.eu +trace
;; global options: +cmd
.                       9532    IN      NS      b.root-servers.net.
.                       9532    IN      NS      j.root-servers.net.
.                       9532    IN      NS      k.root-servers.net.
.                       9532    IN      NS      g.root-servers.net.
.                       9532    IN      NS      m.root-servers.net.
.                       9532    IN      NS      f.root-servers.net.
.                       9532    IN      NS      e.root-servers.net.
.                       9532    IN      NS      h.root-servers.net.
.                       9532    IN      NS      l.root-servers.net.
.                       9532    IN      NS      i.root-servers.net.
.                       9532    IN      NS      a.root-servers.net.
.                       9532    IN      NS      d.root-servers.net.
.                       9532    IN      NS      c.root-servers.net.
.                       9532    IN      RRSIG   NS 8 0 518400 20221129050000 20221116040000 18733 . 01x/Y1LMFAUiVkQQowiXLki57+TJuH0TgeK0tcGWK/AFvrIXOIvQfO/V 07oVUjk+jSWU5QkpqRDupthHYri9Iny5SleAr10c1S7euPe0ouxa5fyp O0w3I3vb5pTYAam+R+SGzcSQr+nFoQpQpgRSQyivwASKFPikpk8aNcHV yTm4c/hDd6w0tGzPTqcBX7/BUjG4yVEnG3ViF/URqOZhuueCcQhW94zW 3nn6ta+luOYeFwq2TJMPA9ou85IwQGGaucYOxqn8BsWSr7okXUGhglNw 3O4erFRFGFHVGvMPBVNAGA7AKCVj/JXcYQXEAE/LGClj5/DhDKD7sJYY l+jVHg==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

eu.                     172800  IN      NS      w.dns.eu.
eu.                     172800  IN      NS      x.dns.eu.
eu.                     172800  IN      NS      y.dns.eu.
eu.                     172800  IN      NS      be.dns.eu.
eu.                     172800  IN      NS      si.dns.eu.
eu.                     86400   IN      DS      59479 8 2 5DBAA81BC0BEFE921886D8DA28498D9FD441B457FB0E3642A0B2F981 1C8E15E0
eu.                     86400   IN      RRSIG   DS 8 1 86400 20221130050000 20221117040000 18733 . 1MMtnNZLGzfw59fz16+9ZQFVMoaNRHgUt+H7xX+/Fuw3P9LuCcfaMRq0 PBLmk2QER6hruM+SJQbzx/cAkQRsJhG3u4cQklaCs8nvR3dmKqlUD29d dts9TvHPmNFvzXSuvAvcP4NyYqfCg1ZLcHLKTe3oNtm308BArfoEFANM uI+kABs2weuJfybh6faC9Zlq5w3x1ZxV3ofz3fABfagqR3qJUa5Nw93q UyXb6hAAoDoCAYcBZgQKBMP8dRW6EUf69/WcuoJLdxuaZd9EMCxSW+p/ P+lOYV3q+C1pkAIKEGtCzkdO+MGNUIMfvdX5ZDbWD+qo8ol95JnQnbeQ p6UlDw==
;; Received 682 bytes from 2001:500:2d::d#53(d.root-servers.net) in 24 ms

europa.eu.              86400   IN      NS      ns3lux.europa.eu.
europa.eu.              86400   IN      NS      ns2lux.europa.eu.
europa.eu.              86400   IN      NS      ans2.cw.net.
europa.eu.              86400   IN      NS      ans1.cw.net.
europa.eu.              86400   IN      NS      ns2bru.europa.eu.
europa.eu.              86400   IN      NS      ns1lux.europa.eu.
europa.eu.              86400   IN      NS      ns2eu.bt.net.
europa.eu.              86400   IN      NS      ns1bru.europa.eu.
europa.eu.              86400   IN      NS      ns3bru.europa.eu.
europa.eu.              86400   IN      NS      ns1.bt.net.
europa.eu.              86400   IN      NS      ns4az1.europa.eu.
europa.eu.              86400   IN      DS      14845 8 2 9EF3C28F5B3A3D33756D61715B1BDBDBB07E0555598D30256D1F2B71 95324846
europa.eu.              86400   IN      DS      6250 8 2 0186EEFF28A83D2C950963CEEF2F2070DC0885AC8AD7106B03A9741C 25DC6B82
europa.eu.              86400   IN      RRSIG   DS 8 2 86400 20221121190658 20221114184157 22080 eu. EIb3l1VC/Q53H8kj3yN0BfjiRFMs/hGHYxjL9Z+B5OwDP1xTcNo4V0JI AOgDqVV0IwN8NycvOlyi1v3NXj89RDpVkXfqkMyCL5eNC9q6AoWFEpeF Vg1qtGO3yBdwvYO+Bego9Cko0MBYhcAF+vdPWUXr1oYf7OmxBLrXjtUL Ro0=
;; Received 758 bytes from 193.2.221.62#53(si.dns.eu) in 193 ms

ec.europa.eu.           300     IN      A       147.67.34.30
ec.europa.eu.           300     IN      A       147.67.210.30
ec.europa.eu.           300     IN      RRSIG   A 8 3 300 20221125041823 20221117095812 23809 europa.eu. krKnOUdtyNeNFUupreifKgrbhw+0RmqskySTE2B3Ov/Qbtg55duy6R+F jqfmQdtzLQv2lqrTLKSUB7djAjE+pTf/Htb4OxZdYKFcdeK/2pAuq3vP Vig7x4nFq9qKPFetiTHE0P5PuLp+9I7BSBPMYUAOtRaeoVW0Dk7ed/Kx HGjC4VkUafGGXbK6qiKVp0FYFButgpy/6heM5fhAChHUb2erPfHvavzt V0RDdiHlYp3jYoGFCn04LoYnER/uILAN5nA72fngkyh+LjkPSmPWmfKE 0LVJ+19QMvFN5yOXo7Z+bA4i2JFdUyxiKJe6Gtg4LE5ne238g/K8MuAR gXEcLA==
ec.europa.eu.           300     IN      RRSIG   A 8 3 300 20221127205755 20221117095828 33483 europa.eu. IfB75c+f61hZU5sAZJmtKcIvTLMBsFZnx42AxL3WnXn4bqz1awB4L8gm i9ybCZw83mimjzJWs4Z/ZxBXioKhWZOy63reEn6ntZFiWvwVDCqUJTkW mwhErJ69xBOzv9p0lxj5/l2Gp6AvWux4zOMDO0RbBWi7gbUXJfqRZTmX KjPDqBQUPAblHye+B7Z3H4siZ/96JLiwdk+65dFiKT5qLjc3170BMF0b urwcIpPJNA1YK6BCBkhtJlTSSIErvOeua7t430UFe9v+kup7FrsqABWD Vy4OYqs1Q4IMWNKw3W87VoqIXXYK6djPyZPXxnsKOmpxkiu8PZRWQ3Xq zxBrUw==
;; Received 695 bytes from 2a01:7080:24:101::2#53(ns3lux.europa.eu) in 210 ms

[22.05-RELEASE][admin@sg4860.local.lan]/: 

I do show some issues with this domain
https://dnsviz.net/d/ec.europa.eu/dnssec/

And also you have some sort of issue with your setup that nslookup does not return the fqdn of your NS your using - that unknown for your NS shows something is not right in your setup. If you were pointing to pfsense, it should always return its own name..

$ nslookup
Default Server:  pi.hole
Address:  192.168.3.10

> server 192.168.9.253
Default Server:  sg4860.local.lan
Address:  192.168.9.253

> www.google.com
Server:  sg4860.local.lan
Address:  192.168.9.253

Non-authoritative answer:
Name:    www.google.com
Addresses:  2607:f8b0:4009:817::2004
          142.250.191.100

See how both my pihole and pfsense return their own fqdn when use them as NS..

jperezme

@johnpoz This is dig result and 10.0.0.1 is my lan address of pfsense. I testing from this network.

This is my unbound settings:

johnpoz

@jperezme well your forwarding... I don't even you see you listening on any interfaces from what you posted.

And why 10.0.201.1. in one query and 10.0.20.1 in another?

Do the trace on pfsense directly - but not really going to matter because your forwarding..

jperezme

@johnpoz First I tried from a computer connected to a vlan 10.0.201.1 and then I tried with another connected to the 10.0.0.1 lan.
Now I can't access from the console but I can execute the command from gui. From gui it works:
; <<>> DiG 9.16.23 <<>> ec.europa.eu +trace
;; global options: +cmd
. 85926 IN NS l.root-servers.net.
. 85926 IN NS m.root-servers.net.
. 85926 IN NS a.root-servers.net.
. 85926 IN NS b.root-servers.net.
. 85926 IN NS c.root-servers.net.
. 85926 IN NS d.root-servers.net.
. 85926 IN NS e.root-servers.net.
. 85926 IN NS f.root-servers.net.
. 85926 IN NS g.root-servers.net.
. 85926 IN NS h.root-servers.net.
. 85926 IN NS i.root-servers.net.
. 85926 IN NS j.root-servers.net.
. 85926 IN NS k.root-servers.net.
. 85926 IN RRSIG NS 8 0 518400 20221130050000 20221117040000 18733 . k4bOiDFhLmswfp/e/DG26SKpAfN+xF393SZYKxSyV5Rrq6QyIQYeRgm/ u69T6jcDP5nfwQ7uxwX9r0w7h/Zrz6gvgDSIAmsnzQ7OaI7TGmq19tMU nCRCDruMjzMvpMyFhRD4Bdo7EErvr19/ezLytIU1oUS/DL87ePrVRIVa accVjpu/lSu0XeYq/ucLRf4+lp9lOt3E95qnQuCcW+jz6L8xBl06kehQ wE9wMhelUOnQEPTYDBkVeB9ObzNkJVp3rR0zfJY+rEaod4XOgS08iMqw WhR+aZ/6sNNLIGP9caZV6C9aLcFg+sIKrQaKxuHLnoVei8pLJqZyi5x0 BcM0WA==
;; Received 1025 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

eu. 172800 IN NS w.dns.eu.
eu. 172800 IN NS x.dns.eu.
eu. 172800 IN NS y.dns.eu.
eu. 172800 IN NS be.dns.eu.
eu. 172800 IN NS si.dns.eu.
eu. 86400 IN DS 59479 8 2 5DBAA81BC0BEFE921886D8DA28498D9FD441B457FB0E3642A0B2F981 1C8E15E0
eu. 86400 IN RRSIG DS 8 1 86400 20221130050000 20221117040000 18733 . 1MMtnNZLGzfw59fz16+9ZQFVMoaNRHgUt+H7xX+/Fuw3P9LuCcfaMRq0 PBLmk2QER6hruM+SJQbzx/cAkQRsJhG3u4cQklaCs8nvR3dmKqlUD29d dts9TvHPmNFvzXSuvAvcP4NyYqfCg1ZLcHLKTe3oNtm308BArfoEFANM uI+kABs2weuJfybh6faC9Zlq5w3x1ZxV3ofz3fABfagqR3qJUa5Nw93q UyXb6hAAoDoCAYcBZgQKBMP8dRW6EUf69/WcuoJLdxuaZd9EMCxSW+p/ P+lOYV3q+C1pkAIKEGtCzkdO+MGNUIMfvdX5ZDbWD+qo8ol95JnQnbeQ p6UlDw==
;; Received 710 bytes from 199.9.14.201#53(b.root-servers.net) in 38 ms

europa.eu. 86400 IN NS ns1.bt.net.
europa.eu. 86400 IN NS ns4az1.europa.eu.
europa.eu. 86400 IN NS ans1.cw.net.
europa.eu. 86400 IN NS ns2bru.europa.eu.
europa.eu. 86400 IN NS ns2eu.bt.net.
europa.eu. 86400 IN NS ans2.cw.net.
europa.eu. 86400 IN NS ns1lux.europa.eu.
europa.eu. 86400 IN NS ns1bru.europa.eu.
europa.eu. 86400 IN NS ns2lux.europa.eu.
europa.eu. 86400 IN NS ns3bru.europa.eu.
europa.eu. 86400 IN NS ns3lux.europa.eu.
europa.eu. 86400 IN DS 14845 8 2 9EF3C28F5B3A3D33756D61715B1BDBDBB07E0555598D30256D1F2B71 95324846
europa.eu. 86400 IN DS 6250 8 2 0186EEFF28A83D2C950963CEEF2F2070DC0885AC8AD7106B03A9741C 25DC6B82
europa.eu. 86400 IN RRSIG DS 8 2 86400 20221121190658 20221114184157 22080 eu. EIb3l1VC/Q53H8kj3yN0BfjiRFMs/hGHYxjL9Z+B5OwDP1xTcNo4V0JI AOgDqVV0IwN8NycvOlyi1v3NXj89RDpVkXfqkMyCL5eNC9q6AoWFEpeF Vg1qtGO3yBdwvYO+Bego9Cko0MBYhcAF+vdPWUXr1oYf7OmxBLrXjtUL Ro0=
;; Received 758 bytes from 185.151.141.1#53(x.dns.eu) in 38 ms

ec.europa.eu. 300 IN A 147.67.34.30
ec.europa.eu. 300 IN A 147.67.210.30
ec.europa.eu. 300 IN RRSIG A 8 3 300 20221125041823 20221117095812 23809 europa.eu. krKnOUdtyNeNFUupreifKgrbhw+0RmqskySTE2B3Ov/Qbtg55duy6R+F jqfmQdtzLQv2lqrTLKSUB7djAjE+pTf/Htb4OxZdYKFcdeK/2pAuq3vP Vig7x4nFq9qKPFetiTHE0P5PuLp+9I7BSBPMYUAOtRaeoVW0Dk7ed/Kx HGjC4VkUafGGXbK6qiKVp0FYFButgpy/6heM5fhAChHUb2erPfHvavzt V0RDdiHlYp3jYoGFCn04LoYnER/uILAN5nA72fngkyh+LjkPSmPWmfKE 0LVJ+19QMvFN5yOXo7Z+bA4i2JFdUyxiKJe6Gtg4LE5ne238g/K8MuAR gXEcLA==
ec.europa.eu. 300 IN RRSIG A 8 3 300 20221127205755 20221117095828 33483 europa.eu. IfB75c+f61hZU5sAZJmtKcIvTLMBsFZnx42AxL3WnXn4bqz1awB4L8gm i9ybCZw83mimjzJWs4Z/ZxBXioKhWZOy63reEn6ntZFiWvwVDCqUJTkW mwhErJ69xBOzv9p0lxj5/l2Gp6AvWux4zOMDO0RbBWi7gbUXJfqRZTmX KjPDqBQUPAblHye+B7Z3H4siZ/96JLiwdk+65dFiKT5qLjc3170BMF0b urwcIpPJNA1YK6BCBkhtJlTSSIErvOeua7t430UFe9v+kup7FrsqABWD Vy4OYqs1Q4IMWNKw3W87VoqIXXYK6djPyZPXxnsKOmpxkiu8PZRWQ3Xq zxBrUw==
;; Received 695 bytes from 147.67.250.3#53(ns2bru.europa.eu) in 39

johnpoz

@jperezme so that trace is how it would look when you resolve, that output from your nslookup should be forwarding.

Are you doing any sort of filtering with pfblocker or your own configs in unbound? If the lookup works on pfsense directly - that your getting servfail from a client would be odd. Unless there was some sort of acl or filtering - but acl should hand back refused.

You could up your debug level and log the queries and requests on unbound and see if that shed some light..

jperezme

@johnpoz Logs are /var/log/resolver.log, it's true ?

johnpoz

@jperezme you might want to bump up the verbosity from the default, and add these to customs

server:
log-queries: yes
log-replies: yes

jperezme

This post is deleted!

jperezme

@jperezme
I found the problem in the logs
Nov 17 20:48:23 proxy unbound[13963]: [13963:4] error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone . from 172.23.144.5 got REFUSED
Nov 17 20:48:23 proxy unbound[13963]: [13963:4] reply: 10.0.0.10 ec.europa.eu. A IN SERVFAIL 0.281635 0 30
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] info: iterator operate: query ec.europa.eu. A IN
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] info: response for ec.europa.eu. A IN
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone . from 172.23.144.5 got REFUSED
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] reply: 10.0.0.10 ec.europa.eu. A IN SERVFAIL 0.159601 0 30

From what I understand and correct me if I'm wrong the dns server 172.23.144.5. Is it what is preventing the resolution of the name?

jperezme

@jperezme said in DNS doens't resolv this addresses:

error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone .

Does anyone know if I can modify something in unbound to solve the problem or should something be modified in my provider's dns?

Thanks in advance and specially to @johnpoz

johnpoz

@jperezme from a quick look at that, looks like they refused to answer your query.. Are you running through a vpn?

But a quick work around for something that is not resolving for you, but works via say asking 8.8.8.8 is to do a domain override in unbound for that domain, so vs it trying to resolve it - it will forward to where you set for that specific domain.

Who is that? 172.23.144.5

That is a rfc1918 address. So your forwarding in unbound to them? In no scenario when resolving would unbound be talking to a rfc1918 address..

jperezme

@johnpoz 172.23.144.5 It is the dns of my provider and I cannot use another one. They only allow us to use that dns

johnpoz

@jperezme said in DNS doens't resolv this addresses:

They only allow us to use that dns

so your forwarding.. You can not query say 8.8.8.8 for example..

Well then if your only allowed to use their NS, and they do not allow you to talk to any other NS on the internet then you would be out of luck.

But that is not what your trace shows, your +trace showed you talking to other NS.. and it resolve just fine.

jperezme

@johnpoz Right. I can not use 8.8.8.8 google dns. If you remember, when I connect to the pfsense console and connect directly to the wan without going through unbound then it resolves the address well which is what you show in this last log. I suppose that would be it. The problem is when unbound forwards to 172.23.144.5
Is it possible that what you say is that 172.23.144.5 dns consult another dns later?

Now I'm not in the office and I can't access the console but if via the web and from the gui I get this so it's correct:
; <<>> DiG 9.16.23 <<>> ec.europa.eu +trace
;; global options: +cmd
. 58208 IN NS d.root-servers.net.
. 58208 IN NS e.root-servers.net.
. 58208 IN NS f.root-servers.net.
. 58208 IN NS g.root-servers.net.
. 58208 IN NS h.root-servers.net.
. 58208 IN NS i.root-servers.net.
. 58208 IN NS j.root-servers.net.
. 58208 IN NS k.root-servers.net.
. 58208 IN NS l.root-servers.net.
. 58208 IN NS m.root-servers.net.
. 58208 IN NS a.root-servers.net.
. 58208 IN NS b.root-servers.net.
. 58208 IN NS c.root-servers.net.
. 58208 IN RRSIG NS 8 0 518400 20221202170000 20221119160000 18733 . oH2GJb8bpAq6s7cA3s7yheKbw8BaOhiykWmYZGR9FNuGCqCfJsDF1WRL pHgqGOiyCVQtoamQZeufqMNTsyFHb+3X3MGM1oLB9RPNek8Kf3IWUcXX 6aoyNRCK7T7Qx+AJUgcZSvAq08sJi54UVR4NNYh8L1P3nEvraQSunnjG xqhUYOeZ4e0ekr/Vr5tgmjVknUB13bCFf+oDNFGk95NsJDQSTPlkHM2X 43p19snc1s5RbhQ9h4Aaib9GoIOpe/q7s0v4DgTh9asWNxhF5vNvaphF pR3X89YTDrfr12EoT/97Xtr4JLc3xtgqvxj5/xJog449JWJKJt//S1bm y9nYLQ==
;; Received 1025 bytes from 127.0.0.1#53(127.0.0.1) in 13 ms

eu. 172800 IN NS w.dns.eu.
eu. 172800 IN NS x.dns.eu.
eu. 172800 IN NS y.dns.eu.
eu. 172800 IN NS be.dns.eu.
eu. 172800 IN NS si.dns.eu.
eu. 86400 IN DS 35926 8 2 89B9EF0445904E7C6074B5BECE823C3E264FBD91C103D10BDE603412 343CE70C
eu. 86400 IN DS 59479 8 2 5DBAA81BC0BEFE921886D8DA28498D9FD441B457FB0E3642A0B2F981 1C8E15E0
eu. 86400 IN RRSIG DS 8 1 86400 20221203050000 20221120040000 18733 . YrQOnGCtvEXMJ8Jn4xL/HHAWZy4pRHNhvMEjF9rMLusU/klnzewYj3sE z4KiTjK3JN0WU/RcwH1dZJUQ9SN0wexImt8Vubc63V5/Ed/9UnO89XcR vB4gc3SB7J8hgirM2YXkHE63ZUpPVwJkV3ap4FrS363Z+vMR92L0uNi4 r9paJEdGdb9q0r4uwvwTmOwLKeIMegbF6Y6L4sZqTQeL0btXKgqVAIMx 3kKuzBTuW2QKSshvCNYnh641bSwrIJD0lKzXUd7MBq2Tip1upAiXG58m zksP9B57OZ8mv5rES7zPI0N96E0VnTrP4Kz+L9i0Tm2FYcmy810XNBF2 5xy01w==
;; Received 758 bytes from 199.9.14.201#53(b.root-servers.net) in 38 ms

europa.eu. 86400 IN NS ns4az1.europa.eu.
europa.eu. 86400 IN NS ns1lux.europa.eu.
europa.eu. 86400 IN NS ns2bru.europa.eu.
europa.eu. 86400 IN NS ns2lux.europa.eu.
europa.eu. 86400 IN NS ans1.cw.net.
europa.eu. 86400 IN NS ns3lux.europa.eu.
europa.eu. 86400 IN NS ns1.bt.net.
europa.eu. 86400 IN NS ns2eu.bt.net.
europa.eu. 86400 IN NS ns1bru.europa.eu.
europa.eu. 86400 IN NS ns3bru.europa.eu.
europa.eu. 86400 IN NS ans2.cw.net.
europa.eu. 86400 IN DS 6250 8 2 0186EEFF28A83D2C950963CEEF2F2070DC0885AC8AD7106B03A9741C 25DC6B82
europa.eu. 86400 IN DS 14845 8 2 9EF3C28F5B3A3D33756D61715B1BDBDBB07E0555598D30256D1F2B71 95324846
europa.eu. 86400 IN RRSIG DS 8 2 86400 20221127000852 20221120000653 21819 eu. g+3rLbUzTImI31N1McC5u6FvCER5iREqlIU1BOODdbnhQ7O9GKNU80lY SUuVUgNFAI/0KlRLzF3mDbBVSQV+F5Q7TPTCYNyD2mNJpTvibR0sYFiM 4cHGpn7WjD9es5bDvSjTUAG8h/Aa0fg8n6nvNPjPsTiFwm7Yw8n/IZ1I 8JM=
;; Received 758 bytes from 185.151.141.1#53(x.dns.eu) in 39 ms

ec.europa.eu. 300 IN A 147.67.210.30
ec.europa.eu. 300 IN A 147.67.34.30
ec.europa.eu. 300 IN RRSIG A 8 3 300 20221202083905 20221118083318 33483 europa.eu. PD0SduTKxbjbOSwO4x/aMKpMQ8RRPVAgN3WSdv/xgeBofAcxARXPKhSF fybxUgTU29mS8swUT2pJ8LJGnInwp06U7BQWLgXlEzHox3FT6FaFL5za iULmPttV/4uylNkHx/VWu4ELQVQSXbTs69kAy3YZht2pWvJ2DNzfr9Zj Kr4O2Ag4Sg0XgZ2RJ88Bv+nL7GVEAOq7mn/Kg3LA0XzM7vV35clW+46y 0ZSxNy2mpxA7/FBIRkY2MBMC6XxkoT8DdDcoHPXdDxYf5xKM6ZyRDTZr z1gqK1o+UzJr3WkL8uomhU4nVby6NHbbXZya/9VBdc4UIAqE5zViSs8L rqdVeQ==
ec.europa.eu. 300 IN RRSIG A 8 3 300 20221208192143 20221118083302 23809 europa.eu. qXjcj+14uiincMWRJb0y0NiTo+1PxHkZ+VyYVNQPvb9WSrW29ClXE/sZ LILEjBx/25jp5M4jOJpnxvOVwb3F1jjVUmpGx89oo3DlErkjd6syXU8f vl+aDgU9iIfyOebfm87T5Ywn43fCjMJomGMsIUA1wegz2Hg3motj5IjZ vupwwKrPwxs/NupIbUtg57d8nj231fHFDaSXB+gFtuj2z1KxY5BTfoce Tp59jOMMJ+1kmI4/qo3I5E78l5hhV2kdYDrh0arlwBR95ps63jehHjH0 4vRqc9VQetWiAaLtS6fpJ/eWNrRNTGAAEWC86JV2Mm5uxSA9/D0jSODK KjEDIQ==
;; Received 695 bytes from 147.67.12.2#53(ns1lux.europa.eu) in 36 ms

johnpoz

@jperezme said in DNS doens't resolv this addresses:

The problem is when unbound forwards to 172.23.144.5

Then don't forward to them.. Out of the box pfsense resolves.. Just like in that trace you show - it talks to roots, hey roots ns for .com hey .com ns, what is ns for domain.com - hey domain.com ns what is the IP address of www.domain.com

You have zero need of your isp dns server..

Your trace shows that unbound can clearly resolve and talk to the different NS involved in looking up that record - so why are you forwarding to some isp nameserver?

jperezme

@johnpoz I am hallucinating indeed I see that I can use other dns that are not those of my provider. I don't know if it's their mistake or they have changed their policy and now they allow us to use others. If so, this has solved my problem. Ufff!
Thank you very much for your help.