DNS forwarding issues
For some reason unbound/pfsense is not responding consistently or forwarding my queries to the upstream servers when I use it as DNS server.
For example, when ssh'ed into the pfsense (192.168.4.1) I get inconsistent results with dig:
[2.7.2-RELEASE][root@pfSense.home.arpa]/root: dig @192.168.4.1 mark.theshark.xyz

; <<>> DiG 9.18.19 <<>> @192.168.4.1 mark.theshark.xyz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;mark.theshark.xyz.            IN      A

;; ANSWER SECTION:
mark.theshark.xyz.      300     IN      CNAME   theshark.xyz.

;; Query time: 262 msec
;; SERVER: 192.168.4.1#53(192.168.4.1) (UDP)
;; WHEN: Tue Nov 26 15:08:09 CST 2024
;; MSG SIZE  rcvd: 60

[2.7.2-RELEASE][root@pfSense.home.arpa]/root: dig @127.0.0.1 mark.theshark.xyz
;; communications error to 127.0.0.1#53: timed out

; <<>> DiG 9.18.19 <<>> @127.0.0.1 mark.theshark.xyz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17413
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mark.theshark.xyz.            IN      A

;; ANSWER SECTION:
mark.theshark.xyz.      298     IN      CNAME   theshark.xyz.
theshark.xyz.           300     IN      A       192.168.4.53
The former being incorrect (using the router IP as DNS) and the latter being correct (using localhost/127.0.0.1).
I can't seem to understand what is causing this inconsistency. Things I have tried/configured:
I have added an allow access list for my home dhcp cidr (192.168.0.0/24), no difference
I have tried with Services>DNS Resolver>Forwarding mode> on/off, no difference
I have confirmed only unbound is running and listening on port 53 (thus dig on 192.168.4.1 and 127.0.0.1 should be exactly the same, no?)
I have confirmed that DNS resolver>Interfaces is all for incoming/outgoing
Other resolver settings (which are turned on):
General:
Respond to incoming SSL/TLS queries from local clients
Enable DNSSEC Support
Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
Advanced:
id.server and hostname.bind queries are refused
version.server and version.bind queries are refused
Message cache elements are prefetched before they expire to help keep the cache up to date
DNSKEYs are fetched earlier in the validation process when a Delegation signer is encountered
DNSSEC data is required for trust-anchored zones.
Keep probing servers that are down
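The two dig runs above differ in one specific way: the answer via the router address stops at the CNAME, while the answer via localhost carries the CNAME and the A record it points to. A quick way to catch that without eyeballing output is to parse each answer, walk the CNAME chain for the queried name and check whether it reaches an address record. The script below is an added example for this thread (not the poster's code and not part of pfSense or Unbound). The embedded sample outputs are constructed, modelled on the two answers in the post; the hostname and resolver addresses are taken from the post as placeholders, and the `dig` invocation assumes the system `dig` binary is installed.

```python
#!/usr/bin/env python3
"""Compare dig answers from several resolvers and flag incomplete CNAME chains.

Added example (not from the thread poster, pfSense or Unbound). The check:
parse the ANSWER SECTION of each dig run, follow CNAMEs from the queried name,
and report resolvers whose answer never reaches an A record or whose addresses
differ from the others.
"""
import subprocess
import sys

# Constructed samples modelled on the two answers quoted in the post.
SAMPLE_ROUTER = """\
; <<>> DiG 9.18.19 <<>> @192.168.4.1 mark.theshark.xyz
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mark.theshark.xyz.\t\tIN\tA

;; ANSWER SECTION:
mark.theshark.xyz.\t300\tIN\tCNAME\ttheshark.xyz.
"""

SAMPLE_LOCALHOST = """\
;; communications error to 127.0.0.1#53: timed out
; <<>> DiG 9.18.19 <<>> @127.0.0.1 mark.theshark.xyz
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17413
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
mark.theshark.xyz.\t298\tIN\tCNAME\ttheshark.xyz.
theshark.xyz.\t\t300\tIN\tA\t192.168.4.53
"""


def parse_dig(output):
    """Return (status, records): status from the header line (or None) and
    records as (owner, ttl, type, rdata) tuples from the ANSWER SECTION."""
    status, records, in_answer = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if "->>HEADER<<-" in line:
            for field in line.split(","):
                key, _, value = field.strip().partition(":")
                if key.strip() == "status":
                    status = value.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";"):
                break  # blank line or next section ends the answer
            parts = line.split()
            if len(parts) >= 5:
                owner, ttl, _cls, rtype = parts[:4]
                rdata = " ".join(parts[4:])
                records.append((owner.rstrip(".").lower(), int(ttl),
                                rtype, rdata.rstrip(".").lower()))
    return status, records


def resolve_chain(records, qname, qtype="A"):
    """Follow CNAMEs from qname inside one answer. Returns (final_owner,
    addresses, complete); complete is False when the chain stops at a name
    with no record in the answer, or when the CNAMEs loop."""
    name, seen = qname.rstrip(".").lower(), set()
    while name not in seen:
        seen.add(name)
        addrs = [rd for own, _t, rt, rd in records if own == name and rt == qtype]
        if addrs:
            return name, addrs, True
        targets = [rd for own, _t, rt, rd in records if own == name and rt == "CNAME"]
        if not targets:
            return name, [], False  # dangling CNAME: target never answered
        name = targets[0]
    return name, [], False  # CNAME loop


def compare(outputs, qname, qtype="A"):
    """outputs maps resolver -> dig text. Returns (consistent, report)."""
    report = {}
    for server, text in outputs.items():
        status, records = parse_dig(text)
        final, addrs, complete = resolve_chain(records, qname, qtype)
        report[server] = {"status": status, "final": final,
                          "addresses": sorted(addrs), "complete": complete}
    distinct = {(r["complete"], tuple(r["addresses"])) for r in report.values()}
    return len(distinct) == 1, report


def run_dig(server, qname, qtype="A"):
    """Query one resolver with the system dig binary (assumed installed)."""
    proc = subprocess.run(["dig", "@" + server, qname, qtype, "+tries=1", "+time=3"],
                          capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    # Usage: digcmp.py mark.theshark.xyz 192.168.4.1 127.0.0.1
    # With no arguments, the embedded constructed samples are compared offline.
    if len(sys.argv) > 2:
        qname, servers = sys.argv[1], sys.argv[2:]
        outputs = {s: run_dig(s, qname) for s in servers}
    else:
        qname = "mark.theshark.xyz"
        outputs = {"192.168.4.1": SAMPLE_ROUTER, "127.0.0.1": SAMPLE_LOCALHOST}
    ok, rep = compare(outputs, qname)
    for s, r in rep.items():
        print(f"{s:>15} status={r['status']} complete={r['complete']} "
              f"final={r['final']} A={','.join(r['addresses']) or '-'}")
    print("consistent" if ok else "INCONSISTENT: answers differ between resolvers")
```

Run it a handful of times against both addresses; a resolver that only intermittently returns the dangling CNAME shows up as `complete=False` on some runs and not others, which is easier to correlate with the Unbound log than scrolling through raw dig output.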