Intention to enable IPv6 by default in 2017

Hi Bas,

(translation: “Why does your test work, but my own DNS doesn’t?”)

I don’t know for sure - but I am pretty sure it is something trivial. I still suspect it could be the DNS rebinding protection that I mentioned earlier. That’s because ‘ntp5.heppen.be’ resolves to an address within your 2a02:578:440e::/48 range (with one exception, see below) and the DNS rebinding protection built into your router won’t allow that, because it is a security risk. Did you try to add ‘ntp5.heppen.be’ to the exception list as well?

It may seem that this situation does not exist for IPv4, but that isn’t the case. For IPv4 you use NAT and you don’t have any DNS records within your 192.168.1.0/24 range, because that doesn’t make sense for a machine that has to be reachable from the internet. But if you did, then you’d probably see the exact same behaviour for IPv4: rebind protection. I created a little test below to show it.

The only part that isn’t clear to me yet is why your 127.0.0.53 does resolve the IPv6 address of ‘ntp5.heppen.be’. My guess is you are running this query on a box with ‘systemd-resolved’ enabled that doesn’t use 192.168.1.1 (your router) as the resolver, but I could be wrong.

By the way, are you aware that the three authoritative name servers for ‘heppen.be’ are not in sync? The SOA serial of ‘christina.neostrada.nl’ is running behind. And ‘ns.heppen.be’ is serving a different IPv6 address for ‘ntp5.heppen.be’ (2001:41d0:203:654d::8f37:5630) from the other two (2a02:578:440e:0:5f05:fa04:1720:d90f). And only ‘ns.heppen.be’ serves an IPv4 address (5.135.125.103).

There is also a discrepancy between the NS set of ‘heppen.be’ in the child (‘heppen.be’ zone) and the parent (‘be’ zone). Meaning that ‘heppen.be’ is not configured correctly in (the) DNS. See this Zonemaster output. And this link shows it as well, but it might be harder to read.

Last but not least, I recommend using ‘dig’ for DNS queries. It gives you much more control over what exactly you are trying to do. Much like the ‘set debug’ option of nslookup, but better. And it has lots of options to help with debugging DNS.

For example, try this:

dig +nssearch heppen.be

You will quickly spot the difference in SOA serial number.

Hope this helps!

Test:
I set up a small test to try DNS rebinding protection. It is designed for your specific situation: 192.168.1.0/24 and 2a02:578:440e::/48. And it won’t work anymore if these ranges change.

Try to do this:
nslookup rebind.testdns.nl 192.168.1.1

It won’t work.

Now try this:
nslookup rebind.testdns.nl 1.1.1.1

It will work.

Now add ‘rebind.testdns.nl’ to your rebind protection exceptions list and run the tests again (but wait a couple of minutes to let this change come into effect).

They will now both work.

2 Likes
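Two of the checks discussed in the post, as an added example that is not the poster's code and does not run any DNS queries itself: the first function models what a router's DNS rebind protection does with an answer (drop any address that falls inside the LAN prefix 192.168.1.0/24 or the delegated 2a02:578:440e::/48 unless the queried name is on the exception list), the second pair parses `dig +nssearch` style output and reports which authoritative servers have a lagging SOA serial. The protected prefixes and the heppen.be addresses come from the post; the `dig` output lines and their serial numbers are constructed for the example and are not real measurements of heppen.be.

```python
import ipaddress
from typing import Dict, Iterable, List

# The two ranges from the post: the LAN behind NAT and the delegated IPv6 /48.
# A router that does rebind protection treats both as "internal".
PROTECTED_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("2a02:578:440e::/48"),
]


def rebind_filter(name: str, answers: Iterable[str],
                  protected_nets=PROTECTED_NETS,
                  exceptions: Iterable[str] = ()) -> List[str]:
    """Return the subset of `answers` a rebind-protecting resolver hands to the
    client. Addresses inside a protected prefix are dropped unless `name` (or a
    parent domain of it) is on the exception list. Modelled on the behaviour
    described in the post, not on any particular router firmware."""
    labels = name.rstrip(".").lower().split(".")
    allow = {e.rstrip(".").lower() for e in exceptions}
    name_allowed = any(".".join(labels[i:]) in allow for i in range(len(labels)))
    kept = []
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        internal = any(addr in net for net in protected_nets)  # False across v4/v6
        if internal and not name_allowed:
            continue  # this is the "it won't work" case from the post
        kept.append(raw)
    return kept


def parse_nssearch(output: str) -> Dict[str, int]:
    """Parse `dig +nssearch` output into {server address: SOA serial}.
    Each line looks like:
      SOA <mname> <rname> <serial> <refresh> <retry> <expire> <minimum> from server <ip> in <n> ms.
    Lines that do not match this shape are skipped."""
    serials: Dict[str, int] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("SOA ") or " from server " not in line:
            continue
        soa_part, rest = line.split(" from server ", 1)
        fields = soa_part.split()
        server = rest.split()[0]
        serials[server] = int(fields[3])  # SOA, mname, rname, serial, ...
    return serials


def lagging_servers(serials: Dict[str, int]) -> Dict[str, int]:
    """Servers whose SOA serial is behind the newest serial seen. An empty result
    means the authoritative servers agree on the zone version."""
    if not serials:
        return {}
    newest = max(serials.values())
    return {srv: s for srv, s in serials.items() if s < newest}


# Constructed sample output; the serials and server addresses are invented for
# this example and are NOT real data for heppen.be.
SAMPLE_NSSEARCH = """\
SOA ns.heppen.be. hostmaster.heppen.be. 2017030102 3600 900 604800 3600 from server 192.0.2.1 in 12 ms.
SOA ns.heppen.be. hostmaster.heppen.be. 2017030102 3600 900 604800 3600 from server 192.0.2.2 in 15 ms.
SOA ns.heppen.be. hostmaster.heppen.be. 2017022801 3600 900 604800 3600 from server 192.0.2.3 in 40 ms.
"""

if __name__ == "__main__":
    # Addresses quoted in the post for ntp5.heppen.be.
    ans = ["2a02:578:440e:0:5f05:fa04:1720:d90f", "5.135.125.103"]
    print("without exception:", rebind_filter("ntp5.heppen.be", ans))
    print("with exception:   ", rebind_filter("ntp5.heppen.be", ans,
                                               exceptions=["ntp5.heppen.be"]))
    print("lagging:", lagging_servers(parse_nssearch(SAMPLE_NSSEARCH)))
```

Run it to see the /48 address disappear from the answer until the name is on the exception list, while the IPv4 address from outside the protected ranges always survives; the `lagging_servers` output is what `dig +nssearch heppen.be` lets you spot by eye.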