NXDOMAIN for specific website in unbound forwarder, but not public DNS

Gooberpatrol66 · Apr 16, 2024, 7:25 PM

I'm using Quad9 + unbound forwarding mode

$ nslookup myaccounts.capitalone.com 9.9.9.9
Server:         9.9.9.9
Address:        9.9.9.9#53

Non-authoritative answer:
myaccounts.capitalone.com       canonical name = easeweb-prod-glb.aws-stsd.capitalonegslbex.com.
easeweb-prod-glb.aws-stsd.capitalonegslbex.com  canonical name = d3f7gxcse81xel.cloudfront.net.
Name:   d3f7gxcse81xel.cloudfront.net
Address: 18.245.124.37
Name:   d3f7gxcse81xel.cloudfront.net
Address: 18.245.124.71
Name:   d3f7gxcse81xel.cloudfront.net
Address: 18.245.124.18
Name:   d3f7gxcse81xel.cloudfront.net
Address: 18.245.124.100

$ nslookup myaccounts.capitalone.com 10.0.0.1
Server:         10.0.0.1
Address:        10.0.0.1#53

** server can't find myaccounts.capitalone.com: NXDOMAIN

I have turned off pfblocker and restarted unbound, which didn't fix it. Pinging the domain with diagnostics > ping didn't work. Telnet didn't work.

servers
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::9

How to troubleshoot this?

johnpoz · Apr 16, 2024, 7:32 PM

@Gooberpatrol66 if you are in forwarding mode - did you disable dnssec? But that should return servfail not nx.

ping and telnet have nothing to do with resolving the fqdn to an IP via dns..

What are you trying to ask pfsense from? What does pfsense actually show when you do a dns lookup in the gui under diagnostics?

Gooberpatrol66 · Apr 17, 2024, 3:07 AM

@johnpoz DNSSEC is enabled
I'm running nslookup from a computer in my network

full router reboot didn't fix

SteveITS · Apr 17, 2024, 3:07 AM

@Gooberpatrol66 disable DNSSEC, see the blue note at https://quad9dns.github.io/documentation/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

Gertjan · Apr 17, 2024, 6:46 AM

@Gooberpatrol66 said in NXDOMAIN for specific website in unbound forwarder, but not public DNS:

full router reboot didn't fix

What router ? pfSense ?

I did the same test :

and like your : nothing to fix, as it showed the correct answer.

Your issue is probably something like this :
The device you use (first post) can access 9.9.9.9 direcly, and you receive an answer.
But when you use 10.0.0.1, and I presume 10.0.0.1 is your pfSense LAN IP, you get a NXDOMAIN.

Because the message is NXDOMAIN, I presume that unbound actually received the request, and handled it.
You can see what unbound does with the request : if it received it, if it forwarded it, what it did with the answer etc. by :

Go here Services > DNS Resolver > Advanced Settings
and select level 3 :

from now on, Status > System Logs > System > DNS Resolver will show massive log details.

Stop unbound on the Dashboard.
Count to 3.
Start unbound.
Now do a test on your LAN device.
What did you saw in the logs ?

Btw : remove pfBlockerng from your system, just to be save.

You have this :

right ?

johnpoz · Apr 17, 2024, 6:47 AM

^exactly - in no scenario does it make any sense to set unbound to try and do dnssec if your forwarding - its going to be problematic.

Where you forward is either doing dnssec or its not, that setting only makes sense if your actually resolving..

But I would think the failure mode would return a servfail vs a nx..

Also a setting that can cause problems with forwarding is if you have qname min set especially strict.. But again if your forwarding that setting is pointless.. Its a resolver setting.. So they should not be enabled if your forwarding.

Gooberpatrol66 · Apr 18, 2024, 10:23 PM

@SteveITS Disabling DNSSEC seemed to solve it, thank you