I'm using ISC DHCP and Unbound DNS on an OPNsense server. Whenever I apply a configuration change in DHCP, Unbound also gets reloaded. Since I have a DNSBL with 3.7 million entries, this reload process takes about 5 seconds, causing timeouts for clients making DNS requests. How can I prevent Unbound from reloading every time there's a configuration change in ISC DHCP? Or does anyone have another idea on how to solve this problem?
Use a service independent of Unbound for the blocklist. Like AdGuardHome. I found blocklists in Unbound do not scale very well. Just let it do its thing - recursive lookups, sync of local DHCP addresses and names - and leave the blocklists to a tool designed for that.
Some of the stuff in blocklists is typically not DNS-related and could/should be blocked in general (e.g. DROP, EDROP, etc). You could try to put all your non-DNS related blocking into firewall rules via the URL table alias[1] and only keep DNS-filtering to Unbound's DNSBLs.
[1] https://docs.opnsense.org/manual/how-tos/edrop.html