If you're using an alternate DNS root server such as OpenNIC, and your network uses a pfSense-based router, you may find that clients are, strangely, unable to resolve unofficial TLDs, getting SERVFAIL or NXDOMAIN.

There are three ways I can think of to quickly solve this problem for the whole network, listed here in increasing order of complexity:

1. Disable the DNS resolver

Go to Services > DNS Resolver > Enable, and uncheck it. Then save, reload, and re-connect your clients, and they'll be using your configured DNS servers directly and without asking pfSense to be an intermediary!

2. Set the DNS resolver to forwarding mode

Simply change the following two settings, save, and reload:

  • Services > DNS Resolver > Advanced Settings > Advanced Resolver Options >

This will make it (1) actually use your configured DNS servers instead of bootstrapping all its queries from the root hints, and (2) not return SERVFAIL when it fails to find an IANA DNSSEC chain leading to OpenNIC's homesteaded bit of the root zone.

3. Set the root-hints file

First, go to Diagnostics > Shell Prompt > Execute Shell Command and execute:

dig NS . @168.119.153.26 | tee /var/unbound/opennic.root

Then, go to Services > DNS Resolver > General Settings > Custom Options and add the following:

root-hints: opennic.root

Finally, go to Services > DNS Resolver > Advanced Settings > Advanced Resolver Options >

[TODO: get any trust-anchor-*: option working…]
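As an added sanity check (my own example, not code from the original post, pfSense or unbound): before handing opennic.root to unbound, confirm the dig output actually contains NS records for the root plus glue addresses for them, because a file with no usable glue leaves unbound unable to bootstrap and every query comes back SERVFAIL. The sample dig output, server names and addresses below are constructed placeholders.

```python
"""Check a root-hints file produced by `dig NS . @<server>` before
installing it (added example; not from the original post or unbound)."""
import re

# Constructed sample of dig output; names/addresses are placeholders.
SAMPLE_HINTS = """\
; <<>> DiG 9.18.0 <<>> NS . @192.0.2.1
;; ANSWER SECTION:
.\t\t86400\tIN\tNS\tns1.example.root.
.\t\t86400\tIN\tNS\tns2.example.root.

;; ADDITIONAL SECTION:
ns1.example.root.\t86400\tIN\tA\t192.0.2.10
ns1.example.root.\t86400\tIN\tAAAA\t2001:db8::10
"""

# owner  ttl  IN  type  rdata  (dig's ';' lines are comments and are skipped)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_hints(text):
    """Return (root_ns_names, glue) where glue maps name -> set of addresses."""
    ns, glue = set(), {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        owner, rdata = owner.lower(), rdata.lower()
        if rtype == "NS" and owner == ".":
            ns.add(rdata)
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, set()).add(rdata)
    return ns, glue


def check_hints(text):
    """Return root NS names lacking glue; raise if the file is unusable."""
    ns, glue = parse_hints(text)
    if not ns:
        raise ValueError("no NS records for '.': dig probably failed")
    missing = sorted(n for n in ns if n not in glue)
    if len(missing) == len(ns):
        raise ValueError("no glue for any root server: unbound cannot bootstrap")
    return missing
```

Servers that come back in the missing list will only be reachable once unbound has resolved them via the ones that do have glue, so an ever-growing list is a sign the upstream server is trimming its additional section.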
