I have some firewall aliases that depend on LAN name resolution, e.g. "servers" could be a firewall host alias pointing to server1.mydomain.com and server2.mydomain.com. Unbound is resolving these correctly: on a LAN computer, the command
host server1.mydomain.com
returns something like: "server1.mydomain.com has address 192.168.16.250".
Unfortunately, if I ssh onto the OPNsense device itself, it's unable to resolve this: host server1.mydomain.com and dig server1.mydomain.com both hang. However, dig @localhost server1.mydomain.com returns the correct values on the OPNsense device. So it looks like a DNS config issue on OPNsense.
This is a regression in 23.1: this configuration worked fine in 22.7 and earlier. Any advice is appreciated.
Never mind. Side effect of an unrelated change on my LAN. Everything is fine now.