Daisuke HIGASHI:
All postbank.de nameservers are sending a malformed UDP reply with TC. But my Unbound (1.5.7) resolver retries the query via TCP to get the correct answer. Is your firewall dropping malformed DNS messages or TCP DNS queries?

Not that I know / no firewall in the way and TCP is allowed, too.

BUT: if I disable "use-caps-for-id" I get NXDOMAIN from unbound. So "caps-whitelist: postbank.de" solved the issue for me.

Andreas
