Unbound: Instant (0ms) SERVFAIL for IPv6-only authoritative NS + No Logs for Query
-
Hi all,
I'm running into a persistent issue with Unbound on pfSense 2.7.2-RELEASE CE and would greatly appreciate some insights.
The Core Problem:
When running an IPv6 test (e.g., from test-ipv6.com), my setup fails the "Test if your ISP's DNS server uses IPv6." This test queries a domain like ds.v6ns.amsterdam.test-ipv6.com, which has IPv6-only authoritative name servers. When I test this directly from the pfSense box (via SSH, as admin/root) using dig, I get an immediate SERVFAIL/Timed out:
;; communications error to 127.0.0.1#53: timed out
;; communications error to 127.0.0.1#53: timed out
; <<>> DiG 9.18.19 <<>> AAAA ds.v6ns.amsterdam.test-ipv6.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24305
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
;; QUESTION SECTION:
;ds.v6ns.amsterdam.test-ipv6.com. IN AAAA
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon May 26 04:47:50 BST 2025
;; MSG SIZE rcvd: 60
Other IPv6 connectivity tests on test-ipv6.com pass, and general DNS resolution via Unbound to IPv4 (e.g., dig A www.google.com @127.0.0.1) works correctly.
Test with IPv4 DNS record
ok (0.043s) using ipv4
Test with IPv6 DNS record
ok (0.058s) using ipv6
Test with Dual Stack DNS record
ok (0.027s) using ipv6
Test for Dual Stack DNS and large packet
ok (0.028s) using ipv6
Test IPv6 large packet
ok (0.059s) using ipv6
Test if your ISP's DNS server uses IPv6
bad (0.095s) - sometimes this is timeout.
Find IPv4 Service Provider
ok (0.062s) using ipv4 ASN 201838
Find IPv6 Service Provider
ok (0.074s) using ipv6 ASN 201838
My Unbound Setup (pfSense DNS Resolver):
Configured as a recursive resolver (not using DNS Query Forwarding).
IPv6 is enabled for Unbound (do-ip6: yes).
DNSSEC is enabled (auto-trust-anchor-file: /var/unbound/root.key and validator module loaded).
Unbound is listening on 127.0.0.1:53 and relevant LAN interfaces.
Access lists permit queries from 127.0.0.1 and LANs.
No domain overrides or host entries that would affect this test domain.
Log verbosity is set to 5 in unbound.conf.
"Outgoing Network Interfaces" in the GUI is currently set to "All".
Troubleshooting Steps Performed (all still result in the 0ms SERVFAIL for the test domain):
Initial State: Unbound was sometimes timing out for dig @127.0.0.1 for this query, but now it consistently responds with SERVFAIL in 0ms.
DNSSEC Toggle: Temporarily disabled "Enable DNSSEC Support" via the GUI. After Unbound restarted, the SERVFAIL (0ms) persisted. DNSSEC has been re-enabled.
Outgoing Network Interfaces: Changed this from "WAN" to "All" in the GUI. The SERVFAIL (0ms) persisted.
pfBlockerNG Python Module: (Disabled the python module and disabled DNSBL in the pfBlockerNG package.) The SERVFAIL (0ms) persisted even without the Python module loaded.
The Main Puzzles:
Instantaneous SERVFAIL: The "Query time: 0 msec" is highly unusual. Unbound isn't timing out against external servers; it's failing immediately.
No Logs for the Failing Query: Despite verbosity: 5 being set in unbound.conf and confirmed active, when the SERVFAIL occurs for ds.v6ns.amsterdam.test-ipv6.com, I see no corresponding log entries in Status > System Logs > Resolver. Logs do appear for other working queries like www.google.com at this verbosity level. It's as if Unbound receives the query, decides to SERVFAIL instantly, but doesn't log anything about this specific transaction.
My Questions:
Any ideas why Unbound would return an instant (0ms) SERVFAIL for this specific type of query (domain with IPv6-only authoritative NS) when DNSSEC and pfBlockerNG's Python module seem to have been ruled out as the direct cause by the tests above?
More importantly, why would there be no logs generated by Unbound for this specific failing query, even at verbosity: 5, when other queries are logged verbosely?
What further diagnostic steps can I take to understand the reason for this immediate SERVFAIL and the lack of logging?
I can provide the full /var/unbound/unbound.conf and the contents of my include files (access_lists.conf, domainoverrides.conf, host_entries.conf - though the latter two are blank or only contain local entries not relevant to the test domain).
Interface Configurations:
WAN IPV6 Configuration Type: DHCP6
WAN DHCPv6 Prefix Delegation size: 56
LAN IPv6 Configuration Type: Track Interface
LAN IPv6 Interface: WAN
LAN IPv6 Prefix ID: 0
SMARTLINK IPv6 Configuration Type: Track Interface
SMARTLINK IPv6 Prefix ID: 1
Any assistance or suggestions would be greatly appreciated!
Thanks.
-
Check if Unbound is listening on 127.0.0.1 (and ::1) etc.:
[25.03-BETA][root@pfSense.bhf.tld]/root: sockstat | grep 'unbound'
unbound unbound 45089 3 udp6 *:53 *:*
unbound unbound 45089 4 tcp6 *:53 *:*
unbound unbound 45089 5 udp4 *:53 *:*
unbound unbound 45089 6 tcp4 *:53 *:*
.....
This means: Unbound listens on all activated interfaces, which includes the two "localhost" addresses.
This is the default Unbound (resolver) behavior:
And, sorry, I have to ask: firewall rules aren't blocking DNS traffic? ^^
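As an added example (not from either post), a small POSIX shell helper that covers the "further diagnostic steps" question and the listener check in the reply: it classifies a dig answer as an instant or a slow SERVFAIL, then (when invoked with "run") shows which name servers and addresses Unbound holds for the delegation, the infra-cache state for them, and whether the SERVFAIL stays instant after Unbound's cached state is flushed. It assumes a pfSense shell with dig, sockstat and unbound-control; the embedded sample is the header of the dig output quoted above, and the interpretation notes at the end are the assumptions of this helper, not findings from the post.

```shell
#!/bin/sh
# Added diagnostic helper (not from either post). Assumes a pfSense shell
# with dig, sockstat and unbound-control available.
DOMAIN="ds.v6ns.amsterdam.test-ipv6.com"
RESOLVER="127.0.0.1"

# Constructed sample input: the two header lines from the dig output in the post.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24305
;; Query time: 1 msec'

# classify_dig reads dig output on stdin and prints one of:
#   fast-servfail  SERVFAIL answered from Unbound's own state (message/infra cache), no upstream wait
#   slow-servfail  SERVFAIL only after waiting on upstream servers
#   ok             NOERROR
#   other:<code>   anything else (NXDOMAIN, REFUSED, or unparseable input -> other:none)
classify_dig() {
  out=$(cat)
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  msec=$(printf '%s\n' "$out" | sed -n 's/.*Query time: \([0-9]*\) msec.*/\1/p' | head -n 1)
  case "$status" in
    NOERROR)  echo ok ;;
    SERVFAIL) if [ "${msec:-0}" -le 5 ]; then echo fast-servfail; else echo slow-servfail; fi ;;
    *)        echo "other:${status:-none}" ;;
  esac
}

# diagnose runs the live checks; it is only invoked with "run" so that the
# parser above can be exercised offline.
diagnose() {
  echo "== 1. Unbound listeners (expect udp4/udp6 and tcp4/tcp6 on :53) =="
  sockstat | grep unbound
  echo "== 2. Delegation Unbound would use for $DOMAIN (NS names and the A/AAAA it knows for them) =="
  unbound-control lookup "$DOMAIN"
  echo "== 3. Infra-cache entries for those servers (timeout/rtt state can make a SERVFAIL instant) =="
  unbound-control dump_infra | grep -i 'test-ipv6'
  echo "== 4. Query before and after flushing Unbound's cached state =="
  echo "before flush: $(dig AAAA "$DOMAIN" @"$RESOLVER" | classify_dig)"
  unbound-control flush "$DOMAIN" >/dev/null
  unbound-control flush_infra all >/dev/null
  echo "after flush:  $(dig AAAA "$DOMAIN" @"$RESOLVER" | classify_dig)"
  echo "(assumption: fast-servfail again right after a flush points at a structural cause, e.g. no usable"
  echo " IPv6 source address for outgoing queries; slow-servfail means the instant answer came from cache)"
}

[ "${1:-}" = run ] && diagnose
printf '%s\n' "$SAMPLE_DIG" | classify_dig   # prints fast-servfail
```

Run it as `sh diag.sh run` on the pfSense box to execute the live checks; with no argument it only exercises the parser on the embedded sample.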