tobias@rpi3B:~ $ dig fail01.dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.33-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26949
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works. IN A
;; Query time: 3499 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE rcvd: 48
tobias@rpi3B:~ $ dig dnssec.works @127.0.0.1 -p 5335
; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56748
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnssec.works. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Dec 06 15:18:39 CET 2022
;; MSG SIZE rcvd: 41
First command looks ok (SERVFAIL), second however shows fail (should be NOERROR). What could be wrong? Something about DNSSEC?
EDIT: I previously added those rules in firewall in MikroTik:
/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
...to force all DNS go through pihole. However when I disable those rules off, I've got this from unbound tests:
; <<>> DiG 9.16.33-Debian <<>> dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached
I'm confused.