Here is my original DNS configuration in ipfire:
The only DNS server my network should be using is my local one, which also enforces DNSSEC. I am currently only using green and red, so it is accessible from my entire network. If you look at an earlier post, if I specify dig +dnssec www.wikipedia.org @10.0.0.3, wikipedia resolves just fine. However, if I omit the @10.0.0.3, ipfire returns a SERVFAIL.
My network clients only get a SERVFAIL when trying to resolve www.wikipedia.org if they are configured to use ipfire's squid proxy, even if I have clamscan, suricata, and the URL filter all disabled.
It seems like at some point this thread ended up in the weeds (most likely my doing) but I am going to repeat my problem again so hopefully it becomes more clear.
Issue:
When a network client is configured to use ipfire's squid proxy, it becomes unable to connect to www.wikipedia.org. The only related behavior is that when running dig +dnssec www.wikipedia.org from a ssh session on the firewall, it returns a SERVFAIL.
Expected Behavior:
Since using the squid proxy shouldn’t change the DNS that clients use (all clients should still use the 10.0.0.3:53 that the firewall gave them during DHCP), whether or not the clients are using squid, they should be able to connect to www.wikipedia.org
Does that make my issue more clear? I am not certain it is a DNS issue; it just seems like if squid uses unbound by default, and unbound is returning SERVFAIL, that would be the problem. But IDK if that's the issue.
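The comparison the post describes (dig +dnssec sent explicitly to 10.0.0.3 versus the same query sent to the firewall's own default resolver) as a small diagnostic script. This is an added example, not the poster's or IPFire's code; it assumes dig is installed on the firewall and that 10.0.0.3 is the DNSSEC-validating resolver, as in the post.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): run the same DNSSEC query
# against the explicit local resolver and against the firewall's default
# resolver chain, then report where SERVFAIL appears. Squid on the firewall
# resolves through the firewall's own resolver, not the DHCP-assigned one.

LOCAL_DNS="${LOCAL_DNS:-10.0.0.3}"   # assumed: the validating resolver from the post

# dig_status: print the rcode from dig's ";; ->>HEADER<<-" line read on stdin
# (e.g. NOERROR or SERVFAIL), or NONE when no header line is present.
dig_status() {
    s=$(sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${s:-NONE}"
}

# dig_ad_flag: print yes if the AD (authenticated data) flag is set in the
# ";; flags:" line of dig output on stdin, i.e. the resolver validated it.
dig_ad_flag() {
    if sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1 | tr ' ' '\n' | grep -qx 'ad'; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# query_once NAME [SERVER]: run dig +dnssec and print "<rcode> <ad>".
query_once() {
    name=$1; server=$2
    if [ -n "$server" ]; then out=$(dig +dnssec "$name" "@$server"); else out=$(dig +dnssec "$name"); fi
    printf '%s %s\n' "$(printf '%s\n' "$out" | dig_status)" "$(printf '%s\n' "$out" | dig_ad_flag)"
}

# compare_resolvers NAME: query both paths and flag a default-path-only failure.
compare_resolvers() {
    name=$1
    printf 'first nameserver in /etc/resolv.conf: %s\n' "$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf)"
    explicit=$(query_once "$name" "$LOCAL_DNS")
    default=$(query_once "$name" "")
    printf '%-16s rcode/ad: %s\n' "@$LOCAL_DNS" "$explicit"
    printf '%-16s rcode/ad: %s\n' "system default" "$default"
    case "$explicit" in NOERROR*) e_ok=1 ;; *) e_ok=0 ;; esac
    case "$default"  in SERVFAIL*) d_fail=1 ;; *) d_fail=0 ;; esac
    if [ "$e_ok" = 1 ] && [ "$d_fail" = 1 ]; then
        echo "only the firewall's default resolver path fails: look at unbound/its forwarders, not the clients"
    fi
}

# Network part runs only when a hostname is given: sh dnscheck.sh www.wikipedia.org
[ -z "${1:-}" ] || compare_resolvers "$1"
```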