If you're using an alternate DNS root server such as OpenNIC, and your network uses a pfSense-based router, you may find that clients are, strangely, unable to resolve unofficial TLDs, getting
There are 3 ways I can think of to quickly solve this problem for the whole network, listed here in increasing order of complication:
1. Disable the DNS resolver
Go to Services > DNS Resolver > Enable, and uncheck it. Then save, reload, and re-connect your clients, and they'll be using your configured DNS servers directly and without asking pfSense to be an intermediary!
2. Set the DNS resolver to forwarding mode
Simply change the following two settings, save, and reload:
- Services > DNS Resolver > Advanced Settings > Advanced Resolver Options >
This will make it (1) actually use your configured DNS servers instead of bootstrapping all its queries from the root hints, and (2) not return SERVFAIL when it fails to find an IANA DNSSEC chain leading to OpenNIC's homesteaded bit of the root zone.
First, go to Diagnostics > Shell Prompt > Execute Shell Command and execute:
dig NS . @220.127.116.11 | tee /var/unbound/opennic.root
Then, go to Services > DNS Resolver > General Settings > Custom Options and add the following:
Finally, go to Services > DNS Resolver > Advanced Settings > Advanced Resolver Options >
[TODO: get any trust-anchor-*: option working…]
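A sanity check worth running on the file that the dig | tee step above produces, before pointing the resolver at it. This is an added example, not part of the original post: if the alternate root server is unreachable, dig leaves only its error text in /var/unbound/opennic.root, and if the server answers without glue records, unbound has NS names but no addresses to bootstrap from. The server names and addresses in the constructed samples are placeholders.

```shell
#!/bin/sh
# Added example: validate a root-hints file captured with
#   dig NS . @<alternate-root> | tee /var/unbound/opennic.root
# check_root_hints FILE -> 0 if FILE has at least one NS record for "." and
# every listed root server has an A or AAAA glue record, otherwise 1.
# Usage on the router: check_root_hints /var/unbound/opennic.root && reload unbound
check_root_hints() {
    f="$1"
    [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
    # dig output: owner TTL class type rdata; ';' lines are comments/headers.
    awk '
        /^;/ || NF < 5 { next }
        $1 == "." && $4 == "NS"       { ns[$5] = 1; nscount++ }
        $4 == "A" || $4 == "AAAA"     { glue[$1] = 1 }
        END {
            if (nscount == 0) { print "no NS records for the root" > "/dev/stderr"; exit 1 }
            for (n in ns) if (!(n in glue)) { print "no glue for " n > "/dev/stderr"; exit 1 }
            exit 0
        }' "$f"
}

# Constructed sample in dig'"'"'s answer format (placeholder names/addresses).
# write_sample PATH good|noglue  -> "noglue" omits the glue for ns2.
write_sample() {
    {
        echo ';; ANSWER SECTION:'
        echo '.                   518400  IN  NS    ns1.example-root.test.'
        echo '.                   518400  IN  NS    ns2.example-root.test.'
        echo ''
        echo ';; ADDITIONAL SECTION:'
        echo 'ns1.example-root.test.  518400  IN  A     192.0.2.10'
        if [ "$2" = good ]; then
            echo 'ns2.example-root.test.  518400  IN  AAAA  2001:db8::2'
        fi
    } > "$1"
}
```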