I have had a very annoying issue with DNS recently. I'm using the standard DNS device and servers provided by my internet provider, which runs a full dual-stack IPv4/6. Other non-Qubes devices have no issues. I think this might be a Qubes bug, but I want to ask for help first to rule out an error on my side.
Selected domain names (all subdomains, e.g. www.qubes.org, so not qubes.org) get a SERVFAIL when trying to resolve them within applications, and on the command line with 'host' and 'nslookup'. Strangely enough, 'dig' has no issues (querying the same default resolver IP, of course). At times, the domain name will resolve inside sys-net and certain app-vms, and not in another app-vm. At other times, it resolves nowhere. When querying resolvers directly (like my ISP's resolvers or 188.8.131.52) the issue does not occur.
What can be happening here? One of the only consistent hints I found is that Qubes does not seem to pass the full nslookup response from sys-net to the appvm (compare nslookup examples below). My router gives a SERVFAIL when querying it via IPv4; nslookup then tries its IPv6 address, where it does get a reply, but this reply is not passed to the appvm. The SERVFAIL might be an IPv6 issue or an issue with my router, but I still think Qubes should pass the full response, right?
Some affected domain names: