I have an opnsense box with two connections. One the fibre line, the other a 4g modem.
When the fibre fails, the router falls back to the 4g.
This all works without issue.
However, when the 4g takes over, it rams in its own DNS server, forcing safesearch which I don't want and which takes nigh a day to clear once the fibre is returned.
I've configured the Cloudflare DNS servers under System/Settings/General (why are they not under the actual interfaces as you'd expect them to be?) and these seemingly have no effect.
I've a pihole locally (behind the opnsense) for local DNS. Ideally I have opnsense use that for everything, only going out to the internet to a defined DNS server (regardless of the interface I use) when pihole doesn't know.
I do have Unbound DNS enabled, but only to forward queries.
Clearly I am doing something wrong. If someone could point me toward how to resolve this I'd be very grateful.
If your ISP intercepts DNS requests, it does not matter which DNS servers you configure for unencrypted DNS queries. Try DoT instead (https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense), Cloudflare offers that as well.
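For reference, this is what an Unbound forwarding configuration using DNS over TLS (DoT) to Cloudflare looks like. It is an added example, not part of the reply above or of OPNsense's shipped configuration: on OPNsense the equivalent is entered in the GUI (Services > Unbound DNS > DNS over TLS) and the file below is only an illustration of the directives the GUI generates; the certificate bundle path and the Pi-hole address are assumed values.

```conf
# Added example: Unbound forwarding everything over DoT to Cloudflare,
# with an (assumed) local Pi-hole at 192.168.1.2 answering the LAN zone.
server:
    # CA bundle used to validate the upstream's TLS certificate.
    # Path assumed; /etc/ssl/cert.pem is the usual FreeBSD location.
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Keep DNSSEC validation on so a spoofed plaintext answer cannot be
    # substituted for a validated one.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Do not forward queries for the private LAN zone to the internet.
    private-domain: "home.lan"
    domain-insecure: "home.lan"

# Local names: forward to the Pi-hole (assumed address) in plaintext,
# since that hop never leaves the LAN.
forward-zone:
    name: "home.lan"
    forward-addr: 192.168.1.2

# Everything else: Cloudflare on port 853 with the hostname pinned for
# certificate verification. A transparent resolver on the 4G link cannot
# answer these queries because it cannot present a valid certificate
# for cloudflare-dns.com.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

The important part is the `@853#hostname` form of `forward-addr`: port 853 selects the TLS transport and the `#hostname` suffix makes Unbound verify the certificate name, so an interposed resolver on either WAN fails the handshake instead of silently answering. Whether Unbound still uses the carrier-pushed servers for anything is controlled separately by the "Allow DNS server list to be overridden by DHCP/PPP on WAN" option under System > Settings > General.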
Perhaps "Allow DNS server list to be overridden by DHCP/PPP on WAN" is active?