Intermittent NXDOMAIN and NOERROR without ANSWER being turned

[jamespavett]

Describe the bug
Frequently I am getting NOERRORS without ANSWERs being returned for known working domains.

To reproduce
Steps to reproduce the behavior:

dig rexia.pl @10.44.3.2 -p 53

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> rexia.pl @10.44.3.2 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12278
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;rexia.pl.                      IN      A

;; Query time: 0 msec
;; SERVER: 10.44.3.2#53(10.44.3.2) (UDP)
;; WHEN: Mon Mar 25 00:37:10 GMT 2024
;; MSG SIZE  rcvd: 37

hole  | [1711316977] unbound[337:0] debug: svcd callbacks start
pihole  | [1711316977] unbound[337:0] debug: worker svcd callback for qstate 0x559e08be40
pihole  | [1711316977] unbound[337:0] debug: mesh_run: start
pihole  | [1711316977] unbound[337:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
pihole  | [1711316977] unbound[337:0] info: iterator operate: query rexia.pl. DS IN
pihole  | [1711316977] unbound[337:0] debug: process_response: new external response event
pihole  | [1711316977] unbound[337:0] info: scrub for pl. NS IN
pihole  | [1711316977] unbound[337:0] info: response for rexia.pl. DS IN
pihole  | [1711316977] unbound[337:0] info: reply from <pl.> 204.61.217.4#53
pihole  | [1711316977] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
pihole  | ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | rexia.pl.     IN      DS
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  | pl.   3600    IN      SOA     a-dns.pl. dnsmaster.nask.pl. 1711265609 900 300 2592000 3600
pihole  | pl.   3600    IN      RRSIG   SOA 8 1 86400 20240423214647 20240324204647 42684 pl. vLJ3mrnB4kcJWrAZD4bFBR1cedQf9SIL3cim2SpnsSNT7CR5j4y5N1VGZbxflOX8L5nh9CtpD2bbvNC9L0XFb07aATsPnZOFmftyHMs+0sPTeUxZTC0/I/ziFnIJRrc84Xcmu+BlqHuHs1Mcvkn0bj5EdM9mLvW16nRK2wHumBtiUHrE3X7td4hFggatPuj9kxZ4dkfrl9iXnrPf1TRoY+mJlpvDqdqaT8HfQ1mFSsGiZHLyHtzJGQ1pnsS76if5C9tUeTa1q1bO2EKNBnCprEZ0/rA25YJj+23GzJtcGJ2NQyDWazTQGFePKF0JS8zurmKB+J9+RS9TX2SHmIOIng== ;{id = 42684}
pihole  | IPA5B67CG4GFUU3J100432SH3Q0DE317.pl.  3600    IN      NSEC3   1 1 12 1A3877168C105498 ipa6isvp2432kqvm7nl8hjoptq10q1a3 NS SOA TXT RRSIG DNSKEY NSEC3PARAM ;{flags: optout}
pihole  | IPA5B67CG4GFUU3J100432SH3Q0DE317.pl.  3600    IN      RRSIG   NSEC3 8 2 3600 20240416120000 20240317120000 42684 pl. zVTknQxRDGxO+K1LFtdua95tuxFrb/7eOcxZo+dZPqITRUEJVE6wHk5IBtPIPIT/GnHgQq/snMQ9V2b9JCGeT79MezW6LEtlfjv+TLK2MATZLgaBIUgea/FVcSdI2PNKhhPBu7Oi3Bad+zRdA4+XMBW6IcC9aHIK5ZU3SWwVSgAHbdAHPQv3AsSq/KK5ACjhC0+k5vOxrddheQrVh/c8RbLqbH+mjS9Oun1q/3psgosxluptHyYFsxbMjqeQpR50VGBmfazSGRam4V1lpQHMJlcL4c8l5buA1JxyevkvbmGpXsAskU9CQb7SJ/wZmE4sN/CgRDTdRs+q9XI8ECw3Uw== ;{id = 42684}
pihole  | 7RD5CTLDIMRJFE2IL4J31ECR6PSH2H42.pl.  3600    IN      NSEC3   1 1 12 1A3877168C105498 7rda43gcspo3spkv1dn02v63cjvsrq1v NS DS RRSIG ;{flags: optout}
pihole  | 7RD5CTLDIMRJFE2IL4J31ECR6PSH2H42.pl.  3600    IN      RRSIG   NSEC3 8 2 3600 20240416120000 20240317120000 42684 pl. kJ7h/Mz4/ZGmX7dqcLUJiI0pgUmSf7H6DEArXr3jVrHt84qyHyLksKDyyNc6xx5cnIYSsWzpVgh1Huxh1Zr3cJXw2Cgb+mSl7sC1mqm/WrGZSLcftnrgMSToMqZdYTz6ek4J9EQVP7i67oJ9Ws/qKh4bSox2j+otFltdeOrzhkAGxyX33ExN85QGPARfdNgPWLS0agvS19TCU0Wbsnmwh5C3JHdy76J3qX+ZcRDnRck7aX66brDiTlv2E68IYAGRc4DImVeq63xoOMmBq2Zi6Kg5bP9tAecmNHCpdyu6ez4M98eMpix/TByh5jVYh3SjIOqgnM0cPmExI09NMmRDMQ== ;{id = 42684}
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 1128
pihole  |
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
pihole  | [1711316977] unbound[337:0] info: query response was nodata ANSWER
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
--
pihole  | [1711316977] unbound[337:0] debug: outnet tcp pkt was written event
pihole  | [1711316977] unbound[337:0] debug: outnet tcp writes done, wait
error from daemon in stream: Error grabbing logs: invalid character '\x00' looking for beginning of value

Getting NORROR returned without an ANSWER.

10.44.3.2 is my pihole DNS server which is using Unbound to resolve DNS queries.

I have also been getting NXDOMAINs errors returned as well, and these errors both manifest themselves as NXDOMAIN when viewing via Chrome.

dig otclient.ovh @10.44.3.2 -p 53

; <<>> DiG 9.18.24-1-Debian <<>> otclient.ovh @10.44.3.2 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6033
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;otclient.ovh.                  IN      A

;; AUTHORITY SECTION:
ovh.                    305     IN      SOA     a.nic.fr. dnsmaster.afnic.fr. 2223610891 3600 1800 3600000 600

;; Query time: 0 msec
;; SERVER: 10.44.3.2#53(10.44.3.2) (UDP)
;; WHEN: Mon Mar 25 01:00:52 GMT 2024
;; MSG SIZE  rcvd: 106

pihole  | [1711316994] unbound[337:0] info: iterator operate: query otclient.ovh. A IN
pihole  | [1711316994] unbound[337:0] debug: process_response: new external response event
pihole  | [1711316994] unbound[337:0] info: scrub for . NS IN
pihole  | [1711316994] unbound[337:0] info: response for otclient.ovh. A IN
pihole  | [1711316994] unbound[337:0] info: reply from <.> 192.58.128.30#53
pihole  | [1711316994] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 0
pihole  | ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | otclient.ovh. IN      A
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  | ovh.  3600    IN      SOA     a.nic.fr. dnsmaster.afnic.fr. 2223610751 3600 1800 3600000 600
pihole  | ovh.  3600    IN      RRSIG   SOA 13 1 3600 20240523214903 20240324204903 60475 ovh. HXYCPJUDBCt/Z9hpbXrwfE41APHsX+dk7lc4dmAd/9A4VfFN0qNqYGDIQw5z9uwkerUfSy76QZeIxA9VLxOm+Q== ;{id = 60475}
pihole  | HQ4QGMR0HM4EVU0OO4VCKGPOQV1MUHMV.ovh. 3600    IN      NSEC3   1 1 0 - hq4rrgpi2vu50761bke3t0vlbff1jbhh NS SOA TXT RRSIG DNSKEY NSEC3PARAM ;{flags: optout}
pihole  | HQ4QGMR0HM4EVU0OO4VCKGPOQV1MUHMV.ovh. 3600    IN      RRSIG   NSEC3 13 2 600 20240427062242 20240227053409 60475 ovh. ZVPP8E1A5wcNdZZWMqR8ekJRU0EIGSxUHshwI80gpRBl5SOpcV5Ko4fdpC0LNTDr/f1RVGZQb5qnzi11ANkTtg== ;{id = 60475}
pihole  | F6N96D672G2P26KT94VB803JNI8F1CTU.ovh. 3600    IN      NSEC3   1 1 0 - f6npgg0rdu3gcaph3loqekvdknqhhvp7 NS DS RRSIG ;{flags: optout}
pihole  | F6N96D672G2P26KT94VB803JNI8F1CTU.ovh. 3600    IN      RRSIG   NSEC3 13 2 600 20240427035650 20240227034147 60475 ovh. ENdqESkztHEGrtNi7Vc5r/4w0dsxt7lya6d+oc/6Imr29Nx9FUYHpBwmfkJ2t32aQql91uFX51JN+BhDIvLyiA== ;{id = 60475}
pihole  | TN8A2A59HFPGJ77LVCR26A77E6O9K8QP.ovh. 3600    IN      NSEC3   1 1 0 - tn91irvjoim6q6h3vcdibtrugog40ijb NS DS RRSIG ;{flags: optout}
pihole  | TN8A2A59HFPGJ77LVCR26A77E6O9K8QP.ovh. 3600    IN      RRSIG   NSEC3 13 2 600 20240428033417 20240228023857 60475 ovh. a2dckdNz9+wheEaDM5mLGV7t/m1dMVqAtgGAd65bVzR6bzHR4iWZvJlBOfA5cEOuzS7zB22CKmGF0jpUDJsh0g== ;{id = 60475}
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 724
pihole  |
pihole  | [1711316994] unbound[337:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
pihole  | [1711316994] unbound[337:0] info: query response was NXDOMAIN ANSWER
pihole  | [1711316994] unbound[337:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
pihole  | [1711316994] unbound[337:0] info: finishing processing for otclient.ovh. A IN
pihole  | [1711316994] unbound[337:0] debug: mesh_run: iterator module exit state is module_finished
pihole  | [1711316994] unbound[337:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
pihole  | [1711316994] unbound[337:0] info: validator operate: query otclient.ovh. A IN
pihole  | [1711316994] unbound[337:0] debug: validator: nextmodule returned
pihole  | [1711316994] unbound[337:0] debug: val handle processing q with state VAL_INIT_STATE
pihole  | [1711316994] unbound[337:0] debug: validator classification nameerror
pihole  | [1711316994] unbound[337:0] info: signer is ovh. TYPE0 CLASS0
pihole  | [1711316994] unbound[337:0] debug: val handle processing q with state VAL_FINISHED_STATE
pihole  | [1711316994] unbound[337:0] debug: mesh_run: validator module exit state is module_finished
pihole  | [1711316994] unbound[337:0] debug: query took 0.013931 sec

Expected behaviour

When switching over to public DNS servers, i.e. Cloudfare, Quad9, I correctly get an ANSWER back:

This also seems to respond correct intermittently when using Unbound as the upstream DNS.

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> rexia.pl @10.44.3.2 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26898
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;rexia.pl.                      IN      A

;; ANSWER SECTION:
rexia.pl.               78      IN      A       51.83.238.28

;; Query time: 0 msec
;; SERVER: 10.44.3.2#53(10.44.3.2) (UDP)
;; WHEN: Mon Mar 25 00:46:59 GMT 2024
;; MSG SIZE  rcvd: 53

I'm not sure if there is something wrong I'm doing here but any help would really be appreciated. Even though I having just given one domain here, I have been having similar issues with facebook.com, hub.docker.com, and numerous other domains since adopting unbound.

System:

• Unbound version: Tried 1.13 and 1.19.3
• OS: Debian
• unbound -V output:

Version 1.19.3

Configure line:
Linked libs: mini-event internal (it uses select), OpenSSL 1.1.1w 11 Sep 2023
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Additional information
Add any other information that you may have gathered about the issue here.

My unbound configuration:

server:
    # log verbosity
    verbosity: 5

    # logfile
    logfile: /dev/stdout
    use-syslog: no
    log-queries: yes
    log-servfail: yes
    
    interface: 0.0.0.0
    interface: ::0
    
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # For docker, disable daemon mode
    do-daemonize: no

    # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

    # enable to not answer version.server and version.bind queries.
    hide-version: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # the time to live (TTL) value lower bound, in seconds. Default 0.
    # If more than an hour could easily give trouble due to stale data.
    cache-min-ttl: 3600

    # the time to live (TTL) value cap for RRsets and messages in the
    # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

    minimal-responses: yes
    qname-minimisation: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "/usr/local/etc/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 4096

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    # Be aware that if enabled (requires CAP_NET_ADMIN or privileged), the kernel buffer must have the defined amount of memory, if not, a warning will be raised.
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

[gthess]

Unbound usually does not alter answers from upstream. After some initial security scrubbing (removing irrelevant or poisonous records) there are some options that could remove RRSETs from a response (like private-address: and harden-glue:) but probably not the case in this particular scenario.

The first log output is not very helpful as it is for the rexia.pl. IN DS query which returns a NOERROR/NODATA.

The second log output is interesting as it shows a reply from root (info: reply from <.> 192.58.128.30#53) but the reply has information not found in the root zone:

;; AUTHORITY SECTION:
ovh.  3600    IN      SOA     a.nic.fr. dnsmaster.afnic.fr. 2223610751 3600 1800 3600000 600

this indicates that probably there is something between Unbound and the Internet interacting with DNS traffic.
If you haven't configured anything then probably your upstream (ISP?) is doing things.

[jamespavett]

Potentially for the first log I grapped the wrong snippet. Could have been from when I was trying to work around. In the below there are entries for rexia.pl. IN DS and rexia.pl. IN HTTPS

pihole  | [1711316977] unbound[337:0] debug: close fd 8
pihole  | [1711316977] unbound[337:0] debug: answer cb
pihole  | [1711316977] unbound[337:0] debug: Incoming reply id = 9473
pihole  | [1711316977] unbound[337:0] debug: Incoming reply addr = ip4 199.9.14.201 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: lookup size is 4 entries
pihole  | [1711316977] unbound[337:0] debug: received udp reply.
pihole  | [1711316977] unbound[337:0] debug: udp message[37:0] 94738090000100000000000105726578696102706C00004100010000290200000080000000
pihole  | [1711316977] unbound[337:0] debug: outnet handle udp reply
pihole  | [1711316977] unbound[337:0] debug: serviced query: EDNS works for ip4 199.9.14.201 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: measured roundtrip at 16 msec
pihole  | [1711316977] unbound[337:0] debug: svcd callbacks start
pihole  | [1711316977] unbound[337:0] debug: worker svcd callback for qstate 0x559e0b7ef0
pihole  | [1711316977] unbound[337:0] debug: mesh_run: start
pihole  | [1711316977] unbound[337:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
pihole  | [1711316977] unbound[337:0] info: iterator operate: query rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] debug: process_response: new external response event
pihole  | [1711316977] unbound[337:0] info: scrub for . NS IN
pihole  | [1711316977] unbound[337:0] info: response for rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] info: reply from <.> 199.9.14.201#53
pihole  | [1711316977] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
pihole  | ;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | rexia.pl.     IN      HTTPS
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 26
pihole  |
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY TARGETS STATE
pihole  | [1711316977] unbound[337:0] info: processQueryTargets: rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] debug: processQueryTargets: targetqueries 2, currentqueries 0 sentcount 1
pihole  | [1711316977] unbound[337:0] info: DelegationPoint<.>: 13 names (7 missing), 4 addrs (4 result, 0 avail) parentNS
pihole  | [1711316977] unbound[337:0] info:   k.root-servers.net. * A
pihole  | [1711316977] unbound[337:0] info:   c.root-servers.net.
pihole  | [1711316977] unbound[337:0] info:   l.root-servers.net.
pihole  | [1711316977] unbound[337:0] info:   j.root-servers.net. *
pihole  | [1711316977] unbound[337:0] info:   d.root-servers.net.
--
pihole  | [1711316977] unbound[337:0] debug: close fd 11
pihole  | [1711316977] unbound[337:0] debug: answer cb
pihole  | [1711316977] unbound[337:0] debug: Incoming reply id = 3599
pihole  | [1711316977] unbound[337:0] debug: Incoming reply addr = ip4 199.9.14.201 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: lookup size is 3 entries
pihole  | [1711316977] unbound[337:0] debug: received udp reply.
pihole  | [1711316977] unbound[337:0] debug: udp message[37:0] 35998090000100000000000105726578696102706C00000100010000290200000080000000
pihole  | [1711316977] unbound[337:0] debug: outnet handle udp reply
pihole  | [1711316977] unbound[337:0] debug: serviced query: EDNS works for ip4 199.9.14.201 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: measured roundtrip at 17 msec
pihole  | [1711316977] unbound[337:0] debug: svcd callbacks start
pihole  | [1711316977] unbound[337:0] debug: worker svcd callback for qstate 0x559e0abec0
pihole  | [1711316977] unbound[337:0] debug: mesh_run: start
pihole  | [1711316977] unbound[337:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
pihole  | [1711316977] unbound[337:0] info: iterator operate: query rexia.pl. A IN
pihole  | [1711316977] unbound[337:0] debug: process_response: new external response event
pihole  | [1711316977] unbound[337:0] info: scrub for . NS IN
pihole  | [1711316977] unbound[337:0] info: response for rexia.pl. A IN
pihole  | [1711316977] unbound[337:0] info: reply from <.> 199.9.14.201#53
pihole  | [1711316977] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
pihole  | ;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | rexia.pl.     IN      A
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 26
pihole  |
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY TARGETS STATE
pihole  | [1711316977] unbound[337:0] info: processQueryTargets: rexia.pl. A IN
pihole  | [1711316977] unbound[337:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1
pihole  | [1711316977] unbound[337:0] info: DelegationPoint<.>: 13 names (10 missing), 3 addrs (2 result, 1 avail) parentNS
pihole  | [1711316977] unbound[337:0] info:   k.root-servers.net.
pihole  | [1711316977] unbound[337:0] info:   c.root-servers.net.
pihole  | [1711316977] unbound[337:0] info:   l.root-servers.net. * A
pihole  | [1711316977] unbound[337:0] info:   j.root-servers.net.
pihole  | [1711316977] unbound[337:0] info:   d.root-servers.net.
--
pihole  | [1711316977] unbound[337:0] debug: opened UDP if=0 port=53243
pihole  | [1711316977] unbound[337:0] debug: comm point start listening 10 (-1 msec)
pihole  | [1711316977] unbound[337:0] debug: answer cb
pihole  | [1711316977] unbound[337:0] debug: Incoming reply id = 1151
pihole  | [1711316977] unbound[337:0] debug: Incoming reply addr = ip4 192.36.148.17 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: lookup size is 2 entries
pihole  | [1711316977] unbound[337:0] debug: received udp reply.
pihole  | [1711316977] unbound[337:0] debug: udp message[99:0] 11518180000100000001000105726578696102706C0000410001C00C000600010000070800320464616E65026E730A636C6F7564666C61726503636F6D0003646E73C02E8B44953D000027100000096000093A80000007080000290200000080000000
pihole  | [1711316977] unbound[337:0] debug: outnet handle udp reply
pihole  | [1711316977] unbound[337:0] debug: measured roundtrip at 22 msec
pihole  | [1711316977] unbound[337:0] debug: svcd callbacks start
pihole  | [1711316977] unbound[337:0] debug: worker svcd callback for qstate 0x559e0b7ef0
pihole  | [1711316977] unbound[337:0] debug: mesh_run: start
pihole  | [1711316977] unbound[337:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
pihole  | [1711316977] unbound[337:0] info: iterator operate: query rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] debug: process_response: new external response event
pihole  | [1711316977] unbound[337:0] info: scrub for . NS IN
pihole  | [1711316977] unbound[337:0] info: response for rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] info: reply from <.> 192.36.148.17#53
pihole  | [1711316977] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
pihole  | ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | rexia.pl.     IN      HTTPS
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  | rexia.pl.     3600    IN      SOA     dane.ns.cloudflare.com. dns.cloudflare.com. 2336527677 10000 2400 604800 1800
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 88
pihole  |
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
pihole  | [1711316977] unbound[337:0] info: query response was nodata ANSWER
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
pihole  | [1711316977] unbound[337:0] info: finishing processing for rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] debug: mesh_run: iterator module exit state is module_finished
pihole  | [1711316977] unbound[337:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
pihole  | [1711316977] unbound[337:0] info: validator operate: query rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] debug: validator: nextmodule returned
pihole  | [1711316977] unbound[337:0] debug: val handle processing q with state VAL_INIT_STATE
--
pihole  | [1711316977] unbound[337:0] debug: Incoming reply addr = ip4 202.12.27.33 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: lookup size is 1 entries
pihole  | [1711316977] unbound[337:0] debug: received udp reply.
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:0] 01DD8180000100000006000105726578696102706C00002B0001C0120006000100000E10002D05612D646E73C01209646E736D6173746572046E61736BC01265FFD749000003840000012C00278D0000000E10204950413542363743473447465555334A31303034333253483351304445333137C0120032000100000E10002B0101000C081A3877168C1054981496546973F911062A6BF63DEA88CF19EE820D0543000722008000000290203752443543544C44494D524A464532494C344A33314543523650534832483432C0120032000100000E10002A0101000C081A3877168C105498143EDAA20E0CE6703E669F0B6E017CC364FFCDE83F000620000000
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:256] 0012C012002E000100000E100116000608010001518066282C4766009137A6BC02706C00BCB2779AB9C1E247095AB0190F86C5051D5C79D41FF5220BDDC8A6D92A67B12353EC24798F8CB937554665BC5F94E5FC2F99E1F42B690F66DBBCD0BD2F45C56F4EDA013B0F9D938599FB721CCB3ED2C3D3794C594C2D3F23FCE216720946B73CE17726BBE065A87B87B3531CBE49F46E3E4474CF662EF5B5EA744ADB01EE981B62507AC4DD7EED7788458206AD3EE8FD9316787647EB97D8979EB3DFD5346863E989969BC3A9DA9A4FC1DF4359854AC1A26472F21EDCC9190D699EC4BBEA27F90BDB547936B5AB56CED8428D0670A9AC4674FEB036E58263FB6DC6CC
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:512] 9B5C189D8D4320D66B34D018578F285D094BCCEEAE6281F89F7E452F535F64879883889EC053002E000100000E1001160032080200000E10661E684065F6DB40A6BC02706C00CD54E49D0C510C6C4EF8AD4B16D76E6BDE6DBB116B6FFEDE39CC59A3E7593EA213454109544EB01E4E4806D3C83C84FF1A71E042AFEC9CC43D5766FD24219E4FBF4C7B35BA2C4B657E3BFE4CB2B63004D92E068121481E6BF155712748D8F34A8613C1BBB3A2DC169DFB345D038F973015BA21C0BD68720AE59537496C154A00076DD0073D0BF702C4AAFCA2B90028E10B4FA4E6F3B1ADD761790AD587F73C45B2EA6C7FA68D2F4EBA7D6AFF7A6C828B3196EA6D1F2605B316CC
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:768] 8EA790A51E745460667DACD21916A6E15D65A501CC26570BE1CF25E5BB80D49C727AF92F6E61A95EC02C914F4241BED227FC19984E2C37F0A04434DD46CFAAF5723C102C3753C0AB002E000100000E1001160032080200000E10661E684065F6DB40A6BC02706C00909EE1FCCCF8FD91A65FB76A70B509888D298149927FB1FA0C402B5EBDE356B1EDF38AB21F22E4B0A0F2C8D73AC71E5C9C8612B16CE95608751EEC61D59AF77095F0D8281BFA64A5EEC0B59AA9BF5AB19948B71FB67AE03124E832A65D613CFA7A4E09F444153FB8BAEE827D5ACFEA2A1E1B4A8C768FEA2D165B5D78EAF3864006C725F7DC4C4DF394063C045F74D80F58B4B46A0BD2D7D4
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:1024] C253459BB279B08790B7247772EFA277A97F997110E745C93B697EBA6EB0E24E5BF613AF086001917380C89957AAEB7C6838C981AB6662E8A8396CFF6D01E7263470A9772BBA7B3E0CF7C78CA62C7F4C1CA1E635588774A320EAA09CCD1C3E6131234F4D326443310000290200000080000000
pihole  | [1711316977] unbound[337:0] debug: outnet handle udp reply
pihole  | [1711316977] unbound[337:0] debug: measured roundtrip at 12 msec
pihole  | [1711316977] unbound[337:0] debug: svcd callbacks start
pihole  | [1711316977] unbound[337:0] debug: worker svcd callback for qstate 0x559e08be40
pihole  | [1711316977] unbound[337:0] debug: mesh_run: start
pihole  | [1711316977] unbound[337:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
pihole  | [1711316977] unbound[337:0] info: iterator operate: query rexia.pl. DS IN
pihole  | [1711316977] unbound[337:0] debug: process_response: new external response event
pihole  | [1711316977] unbound[337:0] info: scrub for . NS IN
pihole  | [1711316977] unbound[337:0] info: response for rexia.pl. DS IN
pihole  | [1711316977] unbound[337:0] info: reply from <.> 202.12.27.33#53
pihole  | [1711316977] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
pihole  | ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | rexia.pl.     IN      DS
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  | pl.   3600    IN      SOA     a-dns.pl. dnsmaster.nask.pl. 1711265609 900 300 2592000 3600
pihole  | pl.   3600    IN      RRSIG   SOA 8 1 86400 20240423214647 20240324204647 42684 pl. vLJ3mrnB4kcJWrAZD4bFBR1cedQf9SIL3cim2SpnsSNT7CR5j4y5N1VGZbxflOX8L5nh9CtpD2bbvNC9L0XFb07aATsPnZOFmftyHMs+0sPTeUxZTC0/I/ziFnIJRrc84Xcmu+BlqHuHs1Mcvkn0bj5EdM9mLvW16nRK2wHumBtiUHrE3X7td4hFggatPuj9kxZ4dkfrl9iXnrPf1TRoY+mJlpvDqdqaT8HfQ1mFSsGiZHLyHtzJGQ1pnsS76if5C9tUeTa1q1bO2EKNBnCprEZ0/rA25YJj+23GzJtcGJ2NQyDWazTQGFePKF0JS8zurmKB+J9+RS9TX2SHmIOIng== ;{id = 42684}
pihole  | IPA5B67CG4GFUU3J100432SH3Q0DE317.pl.  3600    IN      NSEC3   1 1 12 1A3877168C105498 ipa6isvp2432kqvm7nl8hjoptq10q1a3 NS SOA TXT RRSIG DNSKEY NSEC3PARAM ;{flags: optout}
pihole  | IPA5B67CG4GFUU3J100432SH3Q0DE317.pl.  3600    IN      RRSIG   NSEC3 8 2 3600 20240416120000 20240317120000 42684 pl. zVTknQxRDGxO+K1LFtdua95tuxFrb/7eOcxZo+dZPqITRUEJVE6wHk5IBtPIPIT/GnHgQq/snMQ9V2b9JCGeT79MezW6LEtlfjv+TLK2MATZLgaBIUgea/FVcSdI2PNKhhPBu7Oi3Bad+zRdA4+XMBW6IcC9aHIK5ZU3SWwVSgAHbdAHPQv3AsSq/KK5ACjhC0+k5vOxrddheQrVh/c8RbLqbH+mjS9Oun1q/3psgosxluptHyYFsxbMjqeQpR50VGBmfazSGRam4V1lpQHMJlcL4c8l5buA1JxyevkvbmGpXsAskU9CQb7SJ/wZmE4sN/CgRDTdRs+q9XI8ECw3Uw== ;{id = 42684}
pihole  | 7RD5CTLDIMRJFE2IL4J31ECR6PSH2H42.pl.  3600    IN      NSEC3   1 1 12 1A3877168C105498 7rda43gcspo3spkv1dn02v63cjvsrq1v NS DS RRSIG ;{flags: optout}
pihole  | 7RD5CTLDIMRJFE2IL4J31ECR6PSH2H42.pl.  3600    IN      RRSIG   NSEC3 8 2 3600 20240416120000 20240317120000 42684 pl. kJ7h/Mz4/ZGmX7dqcLUJiI0pgUmSf7H6DEArXr3jVrHt84qyHyLksKDyyNc6xx5cnIYSsWzpVgh1Huxh1Zr3cJXw2Cgb+mSl7sC1mqm/WrGZSLcftnrgMSToMqZdYTz6ek4J9EQVP7i67oJ9Ws/qKh4bSox2j+otFltdeOrzhkAGxyX33ExN85QGPARfdNgPWLS0agvS19TCU0Wbsnmwh5C3JHdy76J3qX+ZcRDnRck7aX66brDiTlv2E68IYAGRc4DImVeq63xoOMmBq2Zi6Kg5bP9tAecmNHCpdyu6ez4M98eMpix/TByh5jVYh3SjIOqgnM0cPmExI09NMmRDMQ== ;{id = 42684}
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 1128
pihole  |
pihole  | [1711316977] unbound[337:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
pihole  | [1711316977] unbound[337:0] info: query response was nodata ANSWER
pihole  | [1711316977] unbound[337:0] debug: processDSNSFind
pihole  | [1711316977] unbound[337:0] info: fetch nameservers pl. NS IN
--
pihole  | [1711316977] unbound[337:0] debug: Incoming reply addr = ip4 204.61.217.4 port 53 (len 16)
pihole  | [1711316977] unbound[337:0] debug: lookup size is 1 entries
pihole  | [1711316977] unbound[337:0] debug: received udp reply.
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:0] D18E8180000100000006000105726578696102706C00002B0001C0120006000100000E10002D05612D646E73C01209646E736D6173746572046E61736BC01265FFD749000003840000012C00278D0000000E10204950413542363743473447465555334A31303034333253483351304445333137C0120032000100000E10002B0101000C081A3877168C1054981496546973F911062A6BF63DEA88CF19EE820D0543000722008000000290203752443543544C44494D524A464532494C344A33314543523650534832483432C0120032000100000E10002A0101000C081A3877168C105498143EDAA20E0CE6703E669F0B6E017CC364FFCDE83F000620000000
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:256] 0012C012002E000100000E100116000608010001518066282C4766009137A6BC02706C00BCB2779AB9C1E247095AB0190F86C5051D5C79D41FF5220BDDC8A6D92A67B12353EC24798F8CB937554665BC5F94E5FC2F99E1F42B690F66DBBCD0BD2F45C56F4EDA013B0F9D938599FB721CCB3ED2C3D3794C594C2D3F23FCE216720946B73CE17726BBE065A87B87B3531CBE49F46E3E4474CF662EF5B5EA744ADB01EE981B62507AC4DD7EED7788458206AD3EE8FD9316787647EB97D8979EB3DFD5346863E989969BC3A9DA9A4FC1DF4359854AC1A26472F21EDCC9190D699EC4BBEA27F90BDB547936B5AB56CED8428D0670A9AC4674FEB036E58263FB6DC6CC
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:512] 9B5C189D8D4320D66B34D018578F285D094BCCEEAE6281F89F7E452F535F64879883889EC053002E000100000E1001160032080200000E10661E684065F6DB40A6BC02706C00CD54E49D0C510C6C4EF8AD4B16D76E6BDE6DBB116B6FFEDE39CC59A3E7593EA213454109544EB01E4E4806D3C83C84FF1A71E042AFEC9CC43D5766FD24219E4FBF4C7B35BA2C4B657E3BFE4CB2B63004D92E068121481E6BF155712748D8F34A8613C1BBB3A2DC169DFB345D038F973015BA21C0BD68720AE59537496C154A00076DD0073D0BF702C4AAFCA2B90028E10B4FA4E6F3B1ADD761790AD587F73C45B2EA6C7FA68D2F4EBA7D6AFF7A6C828B3196EA6D1F2605B316CC
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:768] 8EA790A51E745460667DACD21916A6E15D65A501CC26570BE1CF25E5BB80D49C727AF92F6E61A95EC02C914F4241BED227FC19984E2C37F0A04434DD46CFAAF5723C102C3753C0AB002E000100000E1001160032080200000E10661E684065F6DB40A6BC02706C00909EE1FCCCF8FD91A65FB76A70B509888D298149927FB1FA0C402B5EBDE356B1EDF38AB21F22E4B0A0F2C8D73AC71E5C9C8612B16CE95608751EEC61D59AF77095F0D8281BFA64A5EEC0B59AA9BF5AB19948B71FB67AE03124E832A65D613CFA7A4E09F444153FB8BAEE827D5ACFEA2A1E1B4A8C768FEA2D165B5D78EAF3864006C725F7DC4C4DF394063C045F74D80F58B4B46A0BD2D7D4
pihole  | [1711316977] unbound[337:0] debug: udp message[1139:1024] C253459BB279B08790B7247772EFA277A97F997110E745C93B697EBA6EB0E24E5BF613AF086001917380C89957AAEB7C6838C981AB6662E8A8396CFF6D01E7263470A9772BBA7B3E0CF7C78CA62C7F4C1CA1E635588774A320EAA09CCD1C3E6131234F4D326443310000290200000080000000
pihole  | [1711316977] unbound[337:0] debug: outnet handle udp reply
pihole  | [1711316977] unbound[337:0] debug: measured roundtrip at 12 msec
pihole  | [1711316977] unbound[337:0] debug: svcd callbacks start
pihole  | [1711316977] unbound[337:0] debug: worker svcd callback for qstate 0x559e08be40
pihole  | [1711316977] unbound[337:0] debug: mesh_run: start
pihole  | [1711316977] unbound[337:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply

I don't have anything knowingly on my side that could be interacting with DNS traffic. It seems a bit weird to say that it could be my ISP doing things though. I'm with probably the largest ISP in the UK, and have been having this issue intermittently for the last week. While this is just an example domain, I have been getting this errors all over the place on some domains (i.e. facebook.com, hub.docker.com), and until Unbound is restarted I just get the above errors. Weirdly restarting Unbound seems to resolve the issue for a few minutes each time, before it then proceeds to just not return anything again. Also find it weird that pointing to just public DNS servers seems to resolve the issue, as everything loads without a problem then.

At this point its just bugging me not knowing what is causing the problem. When so many other people seem to use Unbound without any problem at all.

[gthess]

I'll take an example from your log:

pihole  | [1711316977] unbound[337:0] info: scrub for . NS IN
pihole  | [1711316977] unbound[337:0] info: response for rexia.pl. HTTPS IN
pihole  | [1711316977] unbound[337:0] info: reply from <.> 192.36.148.17#53
pihole  | [1711316977] unbound[337:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
pihole  | ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
pihole  | ;; QUESTION SECTION:
pihole  | rexia.pl.     IN      HTTPS
pihole  |
pihole  | ;; ANSWER SECTION:
pihole  |
pihole  | ;; AUTHORITY SECTION:
pihole  | rexia.pl.     3600    IN      SOA     dane.ns.cloudflare.com. dns.cloudflare.com. 2336527677 10000 2400 604800 1800
pihole  |
pihole  | ;; ADDITIONAL SECTION:
pihole  | ;; MSG SIZE  rcvd: 88

This is what Unbound gets as a UDP answer from "what seems to be" 192.36.148.17; which is supposed to be i.root-servers.net. (there was also scrubbing of . NS records which are not relevant to this query).

Below is a normal answer for the same query directly to i.root-servers.net:

$ dig @192.36.148.17 rexia.pl. https

; <<>> DiG 9.18.24 <<>> @192.36.148.17 rexia.pl. https
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33789
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 0da8716b1e73cb99010000006601a0f2bb5aae85703c7da1 (good)
;; QUESTION SECTION:
;rexia.pl.			IN	HTTPS

;; AUTHORITY SECTION:
pl.			172800	IN	NS	b-dns.pl.
pl.			172800	IN	NS	a-dns.pl.
pl.			172800	IN	NS	j-dns.pl.
pl.			172800	IN	NS	h-dns.pl.
pl.			172800	IN	NS	d-dns.pl.
pl.			172800	IN	NS	f-dns.pl.

;; ADDITIONAL SECTION:
j-dns.pl.		172800	IN	A	204.61.217.4
h-dns.pl.		172800	IN	A	185.159.198.48
f-dns.pl.		172800	IN	A	194.0.25.29
d-dns.pl.		172800	IN	A	185.159.197.48
b-dns.pl.		172800	IN	A	192.195.72.53
a-dns.pl.		172800	IN	A	192.102.225.53
j-dns.pl.		172800	IN	AAAA	2001:500:14:7004:ad::1
h-dns.pl.		172800	IN	AAAA	2620:10a:80ab::48
f-dns.pl.		172800	IN	AAAA	2001:678:20::29
d-dns.pl.		172800	IN	AAAA	2620:10a:80aa::48
b-dns.pl.		172800	IN	AAAA	2001:7f9:c::53
a-dns.pl.		172800	IN	AAAA	2001:7f9::53

;; Query time: 23 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (UDP)
;; WHEN: Mon Mar 25 17:06:10 CET 2024
;; MSG SIZE  rcvd: 449

This is the correct answer where the root server provides a NOERROR data together with the delegation information for "pl.".

For using open resolvers; maybe you are using stateful transports to them (e.g., TCP/TLS) or this interaction has exceptions for well-known open resolvers.

You can try something like the following in your Unbound config file to see if forwarding everything to open resolvers solves the issue for you while using Unbound for local validation:

forward-zone:
    name: .
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
    forward-addr: 9.9.9.9

You can also take this a step further and use DoT (DNS over TLS) with those open resolvers (https://dnsprivacy.org/public_resolvers/#dns-over-tls-dot). For more information you can have a look at https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#forward-zone-options

As a side note: I vaguely remember seeing something similar from another user and a UK ISP but I can't seem to find the issue at the moment.

[gthess]

Just found the other issue I referred to. Are you using SKY in the UK per chance?
#98 (comment)

[jamespavett]

In regards to the Sky question, I am using BT, however they both make use of the same fibre under the hood and are both managed by OpenReach, to now sure if there could be overlap there.

Weirdly on my host machine I see the following:

dig @192.36.148.17 rexia.pl. https

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.36.148.17 rexia.pl. https
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2307
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1c9ba9d4aa6f8917010000006601ba652d24fb51c27e4110 (good)
;; QUESTION SECTION:
;rexia.pl.                      IN      HTTPS

;; AUTHORITY SECTION:
pl.                     172800  IN      NS      h-dns.pl.
pl.                     172800  IN      NS      d-dns.pl.
pl.                     172800  IN      NS      a-dns.pl.
pl.                     172800  IN      NS      b-dns.pl.
pl.                     172800  IN      NS      f-dns.pl.
pl.                     172800  IN      NS      j-dns.pl.

;; ADDITIONAL SECTION:
j-dns.pl.               172800  IN      A       204.61.217.4
h-dns.pl.               172800  IN      A       185.159.198.48
f-dns.pl.               172800  IN      A       194.0.25.29
d-dns.pl.               172800  IN      A       185.159.197.48
b-dns.pl.               172800  IN      A       192.195.72.53
a-dns.pl.               172800  IN      A       192.102.225.53
j-dns.pl.               172800  IN      AAAA    2001:500:14:7004:ad::1
h-dns.pl.               172800  IN      AAAA    2620:10a:80ab::48
f-dns.pl.               172800  IN      AAAA    2001:678:20::29
d-dns.pl.               172800  IN      AAAA    2620:10a:80aa::48
b-dns.pl.               172800  IN      AAAA    2001:7f9:c::53
a-dns.pl.               172800  IN      AAAA    2001:7f9::53

;; Query time: 29 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (UDP)
;; WHEN: Mon Mar 25 17:54:45 GMT 2024
;; MSG SIZE  rcvd: 449

but running off the machine pihole / unbound are running on:

dig @192.36.148.17 rexia.pl. https

; <<>> DiG 9.18.24-1-Debian <<>> @192.36.148.17 rexia.pl. https
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42962
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rexia.pl.                      IN      HTTPS

;; AUTHORITY SECTION:
rexia.pl.               1425    IN      SOA     dane.ns.cloudflare.com. dns.cloudflare.com. 2336527677 10000 2400 604800 1800

;; Query time: 7 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (UDP)
;; WHEN: Mon Mar 25 17:54:47 GMT 2024
;; MSG SIZE  rcvd: 99

Not sure why it would be getting two different responses.

[gthess]

So this doesn't seem like an Unbound issue.
You are getting answers from a recursive caching resolver kind-of-thing for UDP.
Can you try dig @192.36.148.17 rexia.pl. https +tcp? I expect to see the correct answer there.
Also dig @192.36.148.17 version.bind ch txt could be interesting.

[jamespavett]

Here are the output for both.

Host machine running Ubuntu (actually in WSL2)

dig @192.36.148.17 rexia.pl. https +tcp

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.36.148.17 rexia.pl. https +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42046
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4d4ccf2819da0ad9010000006601e3c1fdc5739bf9962e4c (good)
;; QUESTION SECTION:
;rexia.pl.                      IN      HTTPS

;; AUTHORITY SECTION:
pl.                     172800  IN      NS      b-dns.pl.
pl.                     172800  IN      NS      a-dns.pl.
pl.                     172800  IN      NS      j-dns.pl.
pl.                     172800  IN      NS      h-dns.pl.
pl.                     172800  IN      NS      d-dns.pl.
pl.                     172800  IN      NS      f-dns.pl.

;; ADDITIONAL SECTION:
j-dns.pl.               172800  IN      A       204.61.217.4
h-dns.pl.               172800  IN      A       185.159.198.48
f-dns.pl.               172800  IN      A       194.0.25.29
d-dns.pl.               172800  IN      A       185.159.197.48
b-dns.pl.               172800  IN      A       192.195.72.53
a-dns.pl.               172800  IN      A       192.102.225.53
j-dns.pl.               172800  IN      AAAA    2001:500:14:7004:ad::1
h-dns.pl.               172800  IN      AAAA    2620:10a:80ab::48
f-dns.pl.               172800  IN      AAAA    2001:678:20::29
d-dns.pl.               172800  IN      AAAA    2620:10a:80aa::48
b-dns.pl.               172800  IN      AAAA    2001:7f9:c::53
a-dns.pl.               172800  IN      AAAA    2001:7f9::53

;; Query time: 29 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (TCP)
;; WHEN: Mon Mar 25 20:51:13 GMT 2024
;; MSG SIZE  rcvd: 449

dig @192.36.148.17 version.bind ch txt

; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> @192.36.148.17 version.bind ch txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49564
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f1fa1f994824ae00010000006601e3e25395804a6095d5da (good)
;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "contact info@netnod.se"

;; Query time: 59 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (UDP)
;; WHEN: Mon Mar 25 20:51:46 GMT 2024
;; MSG SIZE  rcvd: 104

The then the second device, running Raspbian and where pihole and unbound are:

dig @192.36.148.17 rexia.pl. https +tcp

; <<>> DiG 9.18.24-1-Debian <<>> @192.36.148.17 rexia.pl. https +tcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11675
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;rexia.pl.                      IN      HTTPS

;; AUTHORITY SECTION:
rexia.pl.               1800    IN      SOA     dane.ns.cloudflare.com. dns.cloudflare.com. 2336527677 10000 2400 604800 1800

;; Query time: 23 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (TCP)
;; WHEN: Mon Mar 25 20:51:02 GMT 2024
;; MSG SIZE  rcvd: 99

dig @192.36.148.17 version.bind ch txt

; <<>> DiG 9.18.24-1-Debian <<>> @192.36.148.17 version.bind ch txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "dnsmasq-2.86"

;; Query time: 0 msec
;; SERVER: 192.36.148.17#53(192.36.148.17) (UDP)
;; WHEN: Mon Mar 25 20:51:53 GMT 2024
;; MSG SIZE  rcvd: 66

I just don't see why these overall issue Manifests when using Unbound, as I don't have any other issues otherwise.

[gthess]

If you configure your pihole to not use Unbound, would the last two dig outputs be different?

In that case this seems to be an issue related to your pihole; not a pihole issue per se.
I am not versed in pihole but:

• Have you properly followed their guide when installing Unbound (https://docs.pi-hole.net/guides/dns/unbound/)? Did you disable the resolvconf.conf entry as instructed?
• Do you have BLOCKINGMODE=NODATA in /etc/pihole/pihole-FTL.conf? This seems like what is happening here. If so, where do you get your blocklists from?

For now this seems like a configuration issue with pihole. I would suggest to also reach out to that community for helpful pointers.