In a setup with Unbound as the primary DNS resolver forwarding to Dnsmasq for local DNS resolution of DHCP names (as described here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration), I believe I've discovered an issue.
Unbound randomly stops forwarding DNS queries for the local domain configured in Unbound > Query Forwarding, instead attempting to resolve the local domain recursively (like all other domains). This fails of course, resulting in NXDOMAIN. It sometimes resumes working after a while. Restarting Unbound also fixes it temporarily. This seems to be a known issue with Unbound, see for example: https://github.com/NLnetLabs/unbound/issues/451
Although it's not a bug in OPNsense, this affects the new recommended mechanism to forward local queries from Unbound to Dnsmasq. Since this is the "new" way post-ISC DHCP, this is concerning. Not sure what the solution is, since it seems to be an issue in Unbound and nothing to do with OPNsense.
https://forum.opnsense.org/index.php?topic=47370.msg238628#msg238628
After applying these patches, enable "Do not forward to system DNS servers" in dnsmasq and apply.
Thank you, done! So far so good.