On an OPNsense box at one location, I was using dnsmasq successfully for quite some time but decided to switch to unbound. To do the switch, I literally just took the host/domain overrides from dnsmasq and put them in unbound, disabled dnsmasq - enabled unbound - and it has been working for weeks with no issues.
On an OPNsense box at another location, I set it up with dnsmasq and it was definitely working for clients. Then 10 minutes later I decided "nah, I meant to use unbound". I had no host/domain overrides on that one, so I just disabled dnsmasq and enabled unbound. Within a few seconds, no LAN client was able to perform DNS queries to that OPNsense box.
I have compared all the settings between the two, and can't find anything obviously different that would make sense as impacting this. I know I have not provided great details on my setup, but I was wondering if anyone could suggest things I should check. I'd assume it's not a firewall rule, as requests to dnsmasq get through... and if I turn off unbound and turn dnsmasq back on, all clients can immediately get resolutions. Bizarre!
Any thoughts?
Not much to work with here...
No DNS upstream?
Either in System > General, and then tick the checkbox in Unbound to use system servers,
OR
set up your own servers in DNS over TLS. 1.1.1.2 and/or 9.9.9.11 would be good to have there.
Lastly, make sure Unbound is listening on all interfaces.
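The two options above, written out as a hand-edited unbound.conf fragment. This is an added example, not the thread's own config and not the file OPNsense generates from its GUI; the LAN subnet, the CA bundle path and the TLS authentication names after `#` (the ones these operators publish for those addresses) are assumptions to verify for your own box.

```conf
# Added example: illustrative unbound.conf, not OPNsense's generated config.
server:
    # "Listen on all interfaces" in the GUI corresponds to binding every
    # address rather than a single one.
    interface: 0.0.0.0
    interface: ::0
    port: 53
    # Only answer clients on the LAN; refuse everything else.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow       # assumed LAN subnet
    access-control: 0.0.0.0/0 refuse
    # CA bundle used to validate upstream TLS certificates (FreeBSD path assumed).
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt

# With no forward-zone at all, Unbound does full recursion itself from the
# root hints, so it depends on the firewall reaching the internet on port 53.

# Corrected state: forward everything to DNS over TLS resolvers on port 853.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The '#hostname' suffix lets Unbound check the server certificate name.
    forward-addr: 1.1.1.2@853#security.cloudflare-dns.com   # Cloudflare
    forward-addr: 9.9.9.11@853#dns11.quad9.net              # Quad9
```

Run `unbound-checkconf` on the file before reloading, and confirm with a query from a LAN client that answers now come back over the forwarding path.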
Yeah, here's the odd thing. Yes, turning on query forwarding on the router in question immediately fixed the issue. I didn't notice I hadn't checked it because...
However, I was copying the configuration on this router from another router I have running at a different house with mostly the same setup. It was using unbound and did NOT have the query forwarding checked. But it definitely is/was working. I'm curious how the original router was working without query forwarding set.
All the rest of the config between the two routers is pretty much the same. I will stare at this a bit and see if I can't figure out how the original router is working without that set. If not, I'll come back and ask for guidance.
Thanks folks!
For privacy reasons it's better to configure your own servers using DoT/DoH/DoQ, depending on the software capabilities available.
Cloudflare and Quad9 are nothing to shy away from, but you can always do some more research and testing.
https://dnsprivacy.org/public_resolvers/
Agreed. The current setup is the system points to 1.1.1.1/1.0.0.1 and unbound resolver set to use system servers.
I wanted to get the hardware up and running quickly and move on to a few downstream projects. But I'm planning to return to it soon and finish 'fleshing things out' - DNS over TLS is the first item on my list. Also captive portal at both locations, IDS...