@VMlabman
Check here : Diagnostics > Configuration History
These are the moments your pfSense syncs the local config with "acb" (not abc ^^).
Now we know that acb.netgate.com has a TTL of
acb.netgate.com. 30 IN A 208.123.73.69
= 30 seconds (dunno why, but that's very short)
every time your pfSense uploads your config it has to resolve again "acb.netgate.com."
But hey, as long as the NS servers of netgate.com aren't down, this will work.
Because : Internet, see above, isn't down.
And I presume your connection isn't down.
And - important - unbound must be up and running all the time - not restarting very often - see Status > System Logs > System > DNS Resolver to check that.
I've added myself an extra gadget : Services > DNS Resolver > Advanced Settings :
4b893fff-a49d-4c9f-a6bd-dd1239148c7a-image.png
this will take care of having a cached, resolved result of expiring.
When it expires, after 30 seconds, imho, unbound will refresh it. This means I'm hammering the netgate.com NS servers with a DNS request. Not my fault, as they set the TTL so low.
I use pfBlockerNG, so I have some insight about what unbound is asked to do :
2b4651de-b62d-406d-a05b-e1084894185f-image.png
Also : Status > DNS Resolver and I thought I would find our acb.netgate.com here but nope.
But all the NS servers of every domain name I visited for the last past ..... days, are there.
This means that 100 % resolving, from the top root servers down to the domain name server is actually a rare event.
unbound will keep the IP of the TLD, for example : the DNS server that hosts all the dot com domains and it will also keep the IP of the domain name (== "NS") of every visited domain name.
( and even refresh the TTL when it times out - see setting above )
So, when it needs to know what the IP of acb.netgate.com is, it will ask it directly to one (there must be 2 at least) of these NS = domain Name Servers:
ns1.netgate.com. 1436 IN A 208.123.73.80
ns2.netgate.com. 8 IN A 208.123.73.90
ns3.netgate.com. 8 IN A 34.197.184.5
ns1.netgate.com. 1436 IN AAAA 2610:160:11:11::80
ns2.netgate.com. 8 IN AAAA 2610:160:11:11::90
ns3.netgate.com. 8 IN AAAA 2600:1f10:4c5e:6701:e4b2:c059:13c5:64fb
Let's check 'manually', and ask the first NS "208.123.73.80" if it knows the A of acb.netgate.com :
[24.03-RELEASE][root@pfSense.bhf.tld]/root: dig @208.123.73.80 acb.netgate.com A +short
208.123.73.69
Nice.
Another check :
dig @208.123.73.80 acb.netgate.com AAAA +short
No answer, so no IPv6 for acb.netgate.com (strange ...)
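
The manual check in the post above, repeated against every name server and compared, as an added example that is not part of the original post. The function names are hypothetical, and the sample lines are constructed (only the ns1 answer appears in the post).

```shell
#!/bin/sh
# Added example: ask each authoritative server for one name without recursion,
# check that they all agree, and flag a TTL below a chosen threshold.

# query_all NAME NS_IP...  prints "<ns> <name> <ttl> IN A <addr>" per answer,
# or "<ns> NOANSWER" when a server returns nothing at all.
query_all() {
    name=$1; shift
    for ns in "$@"; do
        out=$(dig @"$ns" "$name" A +norecurse +noall +answer 2>/dev/null)
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | sed "s/^/$ns /"
        else
            printf '%s NOANSWER\n' "$ns"
        fi
    done
}

# summarize [MIN_TTL]  reads query_all output on stdin, prints one verdict line.
summarize() {
    awk -v min_ttl="${1:-60}" '
        NF == 0 { next }
        { all[$1] = 1 }                      # every server we tried
        $5 == "A" {
            ok[$1] = 1; addrs[$6] = 1        # servers that answered, and with what
            if (!have || $3 + 0 < low) { low = $3 + 0; have = 1 }
        }
        END {
            for (a in addrs) { n++; addr = a }
            for (s in all) if (!(s in ok)) silent++
            if (n == 0)      print "FAIL no-answer"
            else if (n > 1)  print "FAIL mismatch"
            else if (silent) print "WARN partial addr=" addr
            else printf "OK addr=%s ttl=%d%s\n", addr, low, (low < min_ttl + 0 ? " short-ttl" : "")
        }'
}

# Constructed sample: the three NS addresses from the post, all giving one answer.
sample_answers() {
    for ns in 208.123.73.80 208.123.73.90 34.197.184.5; do
        printf '%s acb.netgate.com. 30 IN A 208.123.73.69\n' "$ns"
    done
}

if [ "${1:-}" = "--live" ]; then             # real queries only when asked
    query_all acb.netgate.com 208.123.73.80 208.123.73.90 34.197.184.5 | summarize 60
else
    sample_answers | summarize 60
fi
```

Queried directly with `+norecurse`, an authoritative server returns the zone's full TTL, whereas the same record read from unbound's cache shows the TTL counting down.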