Text only | Text with Images

OPNsense Forum

English Forums => 25.7 Series => Topic started by: larrygs on July 30, 2025, 05:02:24 PM

Title: Unbound on OPNsense 25.7 Loses DoT Forwarders
Post by: larrygs on July 30, 2025, 05:02:24 PM
Hello everyone,

I'm writing to report a recurring issue with Unbound DNS since upgrading to OPNsense 25.7. My setup uses Unbound to forward all queries to Control D via DNS over TLS (DoT).

The Problem:
The configuration works perfectly for several hours, but then DNS resolution will suddenly stop for all clients. The only way to restore functionality is to manually restart the Unbound service from the OPNsense dashboard. After a restart, it works perfectly again for another few hours.

Log Evidence:
When the failure occurs, the Unbound log is filled with the following error for every query, which indicates it has "forgotten" its list of forward servers:

Error: SERVFAIL <domain.com A IN>: all the configured stub or forward servers failed, at zone. no server to query nameserver addresses not usable have no nameserver names

Troubleshooting Done:
I initially thought this was an issue with the os-ctrld plugin, but I experienced the same behavior after removing it and configuring DoT directly in Unbound. This suggests the issue lies within Unbound's integration in OPNsense 25.7, as the configuration itself is correct and works flawlessly after a service restart.

Question:
Has anyone else experienced similar behavior with Unbound on 25.7, where it seems to lose its DoT forwarder configuration until the service is restarted?
Title: Re: Unbound on OPNsense 25.7 Loses DoT Forwarders
Post by: humanthrope on July 30, 2025, 07:33:50 PM
I've been using Cloudflare's DoT service with Unbound on 25.7 and haven't run into this problem.
Title: Re: Unbound on OPNsense 25.7 Loses DoT Forwarders
Post by: Shild73 on July 31, 2025, 12:25:51 PM
The same problem. After updating the DNS, requests are no longer processed.
Title: Re: Unbound on OPNsense 25.7 Loses DoT Forwarders
Post by: DEC670airp414user on July 31, 2025, 12:51:21 PM
for those having the issue.  do you have 2 servers checked?

i have frequently had that issue.  but if i uncheck one server so only one is utilized.   i never had the issue again.

i am not on 25.7 yet but have that issue on the latest Business Edition and have for some time.   
Title: Re: Unbound on OPNsense 25.7 Loses DoT Forwarders
Post by: irrenarzt on July 31, 2025, 01:55:56 PM
I'm on 25.7, and use the free ControlD DoT service with Unbound. I haven't had this issue.

The only problem I've ran into is that if IoT devices spam 3,000 queries within a minute, then ControlD will ban your IP for 24 hours. The workaround has been setting up overrides for the addresses they're reaching out to.
Text only | Text with Images