DNS lookup failing
Nick Howitt
nick at howitts.co.uk
Wed Mar 20 10:36:43 UTC 2024
I am having a problem with a particular DNS lookup and I am not even
sure how to formulate the question, so please bear with me.
My setup is Internet – IPFire with Unbound 1.19.0 – ClearOS7. ClearOS
runs a system called Gateway Management which is a branding of
AdamNetworks’ Adam:one, a DNS filtering tool.
IPFire is currently running as a recursive resolver but the same problem
exists when running as a Caching DNS server. All other boxes are empty
on the DNS setup screen in IPFire. SSL and TLS are not being used. I
should be able to dig out the configs, if needed.
With Gateway Management running, in ClearOS I can resolve 1024 and 2048
bit domainkeys (1024._domainkey.howitts.co.uk and
2048_domainkey.howitts.co.uk) with nslookup. I can resolve 4096 bit
domainkeys using the dig command "dig txt
202403._domainkey.howitts.co.uk" but with nslookup I get:

[root@server ~]# nslookup -q=txt 202403._domainkey.howitts.co.uk
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
*** Can't find 202403._domainkey.howitts.co.uk: No answer

Authoritative answers can be found from:
howitts.co.uk
        origin = achiel.ns.cloudflare.com
        mail addr = dns.cloudflare.com
        serial = 2336336559
        refresh = 10000
        retry = 2400
        expire = 604800
        minimum = 1800

Without Gateway Management on ClearOS 7, it all works. This may lead you
to think it is Gateway Management, but if I change ClearOS’s upstream
resolver from IPFire/Unbound to Cloudflare, all lookups work. This leads
me to believe Unbound is doing an invalid lookup or giving an invalid
response to a particular query formatted by Gateway Management.
I have pcap files of the working and non-working lookups between ClearOS
and IPFire but I don’t know how to interpret them.
Can anyone please help me?
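
One way to put the working and non-working captures mentioned above side by side, as an added example that is not part of the original post: it decodes the header flags, section contents and EDNS0 OPT values of a raw DNS payload (the UDP payload taken from each pcap) and reports the fields that differ. The payloads and helper names below are constructed for illustration; only the query name and SOA values are taken from the nslookup output above.

```python
import struct

TYPES = {6: "SOA", 16: "TXT"}

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer always ends the name
            return off + 2
        off += 1 + n

def summarize(msg):
    """Decode the fields worth comparing between two DNS payloads."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    out = {"tc": flags >> 9 & 1, "ad": flags >> 5 & 1, "cd": flags >> 4 & 1,
           "rcode": flags & 0xF, "size": len(msg), "answer": [],
           "authority": [], "edns_udp_size": None, "do": None}
    off = 12
    for _ in range(qd):  # question entries: name, then type and class
        off = _skip_name(msg, off) + 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if rtype == 41:  # OPT: class holds the UDP size, TTL bit 15 is DO
                out["edns_udp_size"], out["do"] = rclass, ttl >> 15 & 1
            elif section != "additional":
                out[section].append(TYPES.get(rtype, rtype))
    return out

def differences(a, b):  # fields whose values differ between two summaries
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def _name(s):  # encode a dotted name as uncompressed DNS labels
    return b"".join(bytes([len(p)]) + p.encode() for p in s.split(".")) + b"\0"
def _rr(owner, rtype, rclass, ttl, rdata):  # build one resource record
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

# Constructed payloads (not the poster's captures): a NODATA reply and a TXT reply.
Q = _name("202403._domainkey.howitts.co.uk") + struct.pack("!2H", 16, 1)
OPT = b"\0" + struct.pack("!HHIH", 41, 1232, 0, 0)
SOA = (_name("achiel.ns.cloudflare.com") + _name("dns.cloudflare.com")
       + struct.pack("!5I", 2336336559, 10000, 2400, 604800, 1800))
NODATA = struct.pack("!6H", 1, 0x8180, 1, 0, 1, 1) + Q + _rr(b"\xc0\x1e", 6, 1, 1800, SOA) + OPT
ANSWER = struct.pack("!6H", 1, 0x8180, 1, 1, 0, 1) + Q + _rr(b"\xc0\x0c", 16, 1, 300, b"\x0fv=DKIM1; k=rsa;") + OPT
if __name__ == "__main__": print(differences(summarize(NODATA), summarize(ANSWER)))
```

Running `summarize` on the request ClearOS sends in each capture as well as on Unbound's reply shows whether the two queries themselves differ in flags or EDNS0 options.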