OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: pseudonym3k on August 02, 2025, 10:18:47 PM

Title: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on August 02, 2025, 10:18:47 PM
I was getting a lot of "server not found" browser messages after the upgrade to 25.7. All would seem OK for a while, then there'd be a period of failures. (Multiple devices, wired and wireless, and multiple browsers on those devices). Also, most devices were laggy at intervals, without any error messages. It would just take a long time before any result would appear (in the case of browsing).

I previously had Unbound enabled (it came that way by default). I did nothing further with it other than specify three DNS server IPs in Unbound. Nothing more for DNS. It's been this way for a couple of years, and no trouble here that I'm aware of.

After upgrade to 25.7, the problems came.

In searching the 'net for help, I stumbled on a setup post for Unbound that had me mark Enable DNSSEC Support, Register ISC DHCP4 Leases, and optionally Flush DNS Cache during reload, which I also marked. After applying the changes I rebooted.

It has now been several hours and I have not seen any DNS failures or experienced any lags. Performance is quite snappy again.

I assume what I had was a poorly configured DNS situation that was better tolerated before 25.7.

Most people here are far beyond me in config and expertise, I'm just posting in case it helps someone.

(Cable modem -> Protectli Vault with OPNsense -> Cisco switch -> wired clients and one wireless AP for the rest. Basic install setup plus some reserved DHCP LAN IPs.)


***ETA***: All had been working fine for more than 24 hours, when suddenly again nothing is getting DNS resolved. Unbound DNS reporting showed a sharp drop and 0% of queries resolving.

I tried restarting Unbound service, tried stopping/pause/starting, tried flushing the Unbound cache. Resorted to reboot OPNsense via WebUI menu and all is working again.

If anyone has any ideas on what else I can look at or do, I would really appreciate the help.


***ETA2***: Eight hours ago, I cleared Unbound's cache, disabled Unbound, rebooted, so OPNsense would use the DNS servers in System -> Settings -> General directly. All seems to be working fine so far, will continue to monitor. Did go more than 24 hours with the last change, though, so will check back in tomorrow. Meanwhile please let me know any ideas. Thank you.


***ETA3***: Fixed incorrect info.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on August 11, 2025, 12:09:09 AM
It's a week later and everything is still working and stable with Unbound disabled. My setup is about as simple as it gets, so it just seems odd that it's not happening to more people. Not needing to use it is one thing, but being the default install it shouldn't cause problems. I will try again sometime in the next few weeks to enable it and see what happens.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: kentfielddude on August 11, 2025, 06:38:42 AM
I'm having the same issue. Just installed OPNsense for the first time to evaluate it. Couldn't reach opnsense.org to read documentation! After I disabled Unbound and set the DNS listen port to blank in Dnsmasq I can access this site.
Can I install an older non-broken version of OPNsense?
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on August 11, 2025, 07:27:08 AM
You can find them here: https://pkg.opnsense.org/releases/

I installed OPNsense initially on UFS filesystem. I did not know anything about ZFS, or using Proxmox VM for OPNsense. (I am familiar with VMs, I have a dozen+ running under VirtualBox for a variety of uses. Just didn't occur to me for OPNsense.)

I'm sticking with 25.7 for now, in case someone steps up with some ideas for getting Unbound working so I can try them. If I find myself wanting to downgrade, I'll definitely go ZFS filesystem now that I've read more about it, and maybe Proxmox VM as well. Suggest you read up and consider same if you're not familiar, unless you already have an easier recovery than a format and install.

Thanks for posting, I'm sorry it's happened to you but glad to know it's not just me.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: kentfielddude on October 15, 2025, 12:30:53 AM
I ended up going with pfSense and it's been working great.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: someone on October 15, 2025, 02:15:06 AM
Did you select an IPv4 gateway in Settings > General?
Did you reset the cable modem?
Flush cache is fine.
DNSSEC may cause trouble.
Did you wait for your ISP DNS connection, then connect your System > Settings IPv4 gateway, and click apply?
That's when it shows up, unless they fixed it.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on October 15, 2025, 02:43:41 AM
Quote from: someone on October 15, 2025, 02:15:06 AM: Did you select an IPv4 gateway in Settings > General?
Did you reset the cable modem?
Flush cache is fine.
DNSSEC may cause trouble.
Did you wait for your ISP DNS connection, then connect your System > Settings IPv4 gateway, and click apply?
That's when it shows up, unless they fixed it.

I only have IPv4, ISP doesn't serve IPv6.
Cable modem has been reset many times.
Flushed DNS cache many times.
Never enabled DNSSEC.
After cable modem is up and online, then I power on my Protectli box with OPNsense. After that is up and online, I power on my switches and wired devices. Then power on the wifi access points followed by wifi devices.

Not sure what that last item is in your list.

I'm still running without Unbound enabled, stable so far. I haven't tried to enable Unbound again, so I don't know if it would work.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: cookiemonster on October 15, 2025, 03:54:51 PM
@pseudonym3k I read you are running a pretty "default" setup but it is an upgrade so worth visiting basics. What services do you have running on your infra and on OPN ?
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on October 15, 2025, 06:39:15 PM
Quote from: cookiemonster on October 15, 2025, 03:54:51 PM@pseudonym3k I read you are running a pretty "default" setup but it is an upgrade so worth visiting basics. What services do you have running on your infra and on OPN ?
Literally took the defaults at install, except for very few changes. I recall switching ports so my WAN port was first, and LAN second. (It doesn't matter, really, I'm just anal about the order LOL). I added the three DNS servers into Unbound as mentioned. Set up the ISP type of connection. I don't remember anything else, unless there was another setting or two to finish up so OPNsense would start working. It was up and running well in minutes. I kept it updated and it remained rock solid until this upgrade.

I'm sorry, I don't understand the other part of your question, "services running on your infra?" What does that mean?
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: cookiemonster on October 15, 2025, 11:35:46 PM
Services like AdGuardHome but seems not.
Quote: I previously had Unbound enabled (it came that way by default). I did nothing further with it. In System->Settings->General, I had specified three DNS server IPs. Nothing more for DNS. It's been this way for a couple of years, and no trouble here that I'm aware of.
System->Settings->General is for OPN itself but take notice of the tooltips because then you can start pushing these to clients depending on other settings.
Then you look what you have in your selected DHCP service. That gets passed to your clients. Say for instance ISC DHCPv4, expand your LAN interface settings there. Check the tooltip for "DNS servers" too: "Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers." So that means that if you have Unbound enabled and as per default listening on all interfaces, the DHCP lease will have this interface's IP as the DNS server for the clients. But you can see you can also override things here.
As diagnostic, when it happens on your clients, check what ip they are using for dns.
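The client-side check asked for above (which resolver is the client really using, and does that resolver answer), plus the earlier hint in this thread that DNSSEC may be involved, can be done with a small probe run from an affected client while the failure is happening. This is an added example written for this thread; it is not code from any post here and not part of OPNsense or Unbound. It assumes, as placeholders, a gateway/Unbound address of 192.168.1.1, public upstreams 1.1.1.1 and 9.9.9.9 and the probe name opnsense.org; pass your own gateway IP as the first argument. It uses only the Python standard library and builds the DNS packet itself so it can set the CD (checking disabled) bit, which asks a validating resolver such as Unbound to skip DNSSEC validation.

```python
"""Probe DNS resolvers directly to separate 'Unbound is failing' from
'upstream is failing' from 'DNSSEC validation is failing'.

Added example for this forum thread; not OPNsense/Unbound code.
Assumed placeholders: gateway 192.168.1.1, upstreams 1.1.1.1 / 9.9.9.9,
probe name opnsense.org.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None, checking_disabled=False):
    """Build a minimal RFC 1035 query (header + one question, class IN)."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = 0x0100                      # RD: ask the resolver to recurse
    if checking_disabled:
        flags |= 0x0010                 # CD: skip DNSSEC validation on the resolver
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1), txid


def parse_response(data, expected_txid):
    """Return (rcode_name, answer_count); raise ValueError on a bad reply."""
    if len(data) < 12:
        raise ValueError("short reply")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("txid mismatch (stale or forged reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), an


def probe(server, name, checking_disabled=False, timeout=2.0):
    """One UDP query to server:53; returns (rcode or 'TIMEOUT'/'ERROR:..', answers)."""
    pkt, txid = build_query(name, checking_disabled=checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", 0
        except OSError as e:            # e.g. ICMP port unreachable -> ECONNREFUSED
            return f"ERROR:{e.errno}", 0
    try:
        return parse_response(data, txid)
    except ValueError as e:
        return f"BAD:{e}", 0


def classify(gw_plain, gw_cd, upstream_results):
    """Map the three probe outcomes to a likely cause (heuristic, not a diagnosis)."""
    upstream_ok = any(r == "NOERROR" for r in upstream_results)
    if gw_plain == "NOERROR":
        return "resolver ok"
    if not upstream_ok:
        return "upstream/WAN problem: public resolvers also fail from this client"
    if gw_plain == "TIMEOUT":
        return "Unbound not answering: check service state, listen interface, firewall"
    if gw_plain == "SERVFAIL" and gw_cd == "NOERROR":
        return "DNSSEC validation failing: answer only with CD set (check clock, forwarders)"
    if gw_plain == "SERVFAIL":
        return "Unbound cannot resolve: forwarders/recursion broken while upstream works"
    return f"unexpected gateway result {gw_plain}"


def run(gateway="192.168.1.1", upstreams=("1.1.1.1", "9.9.9.9"), name="opnsense.org"):
    gw_plain, _ = probe(gateway, name)
    gw_cd, _ = probe(gateway, name, checking_disabled=True)
    ups = [probe(u, name)[0] for u in upstreams]
    print(f"gateway {gateway}: plain={gw_plain} cd={gw_cd}; upstream={dict(zip(upstreams, ups))}")
    return classify(gw_plain, gw_cd, ups)


if __name__ == "__main__":
    import sys
    print(run(*sys.argv[1:2]))       # python3 dnsprobe.py <gateway-ip>
```

Run it from a client that is showing "server not found" at that moment. A TIMEOUT from the gateway while the public upstreams answer points at Unbound (or a rule in front of it) rather than the ISP; SERVFAIL that turns into NOERROR once the CD bit is set points at DNSSEC validation, which is why toggling "Enable DNSSEC Support" is a cheap first experiment; everything failing points at the WAN. Also compare the gateway IP you pass in with the resolver the client actually received from DHCP (`ipconfig /all` on Windows, `resolvectl status` on Ubuntu): if those differ, the DHCP "DNS servers" field described above is what needs attention, not Unbound.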
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on October 16, 2025, 07:32:41 AM
Quote from: cookiemonster on October 15, 2025, 11:35:46 PMSystem->Settings->General

Sorry that was my mistake. The DNS servers were in the Unbound area originally. I moved them to system->settings->general when I disabled Unbound.

I'm not having any problems with DHCP, including reserved leases, since the beginning and still today. Only the DNS with Unbound after the upgrade.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: cookiemonster on October 16, 2025, 03:02:08 PM
I'm saying that the dhcp service gives to clients various pieces of information including the dns server to use, that's all.
I don't know what else to suggest then if your clients have problems when you only use Unbound for name resolution. Normally it is a configuration problem, whether on Unbound itself or the overall dns resolution setup for clients, which is what I've been trying to get you to see.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on October 16, 2025, 06:38:57 PM
Quote from: cookiemonster on October 16, 2025, 03:02:08 PMNormally it is a configuration problem
I've got one cable modem with sub-gigabit internet service for WAN. One LAN cable connected to a Cisco unmanaged switch, which in turn is connected to a handful of wired computers and to one AP for a single wifi network.

I do understand what you're getting at. I just don't know what I could have done differently when I first installed OPNsense. Other than reversing the WAN/LAN port order, I set the cable modem's connection and the Unbound DNS servers. I've gone back through the guide and I don't think there was anything else to specify, to recognize my modem and start working.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pftoopn on October 17, 2025, 12:12:22 AM
Hi All, I'm having issues with DNS resolution as well. I have OPNsense pointing to my Raspberry Pi AdGuard instance for my LAN, Dnsmasq-DHCP Options-dns-server (6). My AdGuard points back to OPNsense Unbound DNS, 10.10.60.1:53. Right now github.com is failing. I'm not sure what is going on. I've never had DNS resolution issues with pfSense.

I have DNSSEC support enabled and flush DNS cache enabled in Unbound. And I just checked github.com, and it's working again.

Is this a bug?
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on October 17, 2025, 02:14:16 AM
Quote from: pftoopn on October 17, 2025, 12:12:22 AMIs this a bug?
That sounds just like my experience. Websites worked fine, then couldn't be reached, then would work again. Flushing the cache would get them working for varying lengths of time.
It doesn't seem to be a simple bug, or more people would be complaining about it. So there must be something only in certain installations that exposes some issue there. I just wish I knew how to pin it down so the devs could replicate it.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: cookiemonster on October 17, 2025, 11:06:24 AM
Without trying to downplay your experiences, there are thousands if not multiples of that using OPN with Unbound and without problem. Bugs are always a possibility however when there are like these here, they come to the configuration of either Unbound or how the network and their clients are setup to do name resolution.
@pftoopn - if still required, please can you open your own thread, so it can be diagnosed in its own setup?
@pseudonym3k - if still a problem, we'll need to go to basics. I mean showing settings of multiple parts of OPN (like the ones on post #9), doing diagnostics from clients.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on October 17, 2025, 05:06:44 PM
Quote from: cookiemonster on October 17, 2025, 11:06:24 AMif still a problem
As was mentioned, I haven't tried to enable Unbound again so I don't know if a problem still exists.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: someone on November 08, 2025, 04:32:25 AM
What browser are you using? If using Firefox there are some changes in Firefox that have to be made or Firefox DNS will fight with Unbound DNS. You should leave Unbound enabled at default except check flush cache on reboot. Nothing to do there for a basic setup. Put your DNS servers in System > Settings > General > DNS. Just to the right of each one is a gateway drop-down bubble. If it doesn't show an IPv4 gateway, wait for a DHCP connection, then click the drop-down bubble and it should be there. You have to attach an IPv4 gateway there. It's a bug I mentioned on the forum before. Then monitor your DNS: is it going where it should exactly? No deviations. Leave everything else about DNS at default. If problems persist, make sure you wipe the OPNsense drive before a reinstall if you know how. It has a possibility of carrying data over to the new system. Wipe the RAM. If it still has wrong DNS then you have to look at the modem, and/or the operating system.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on November 08, 2025, 08:14:15 AM
Thanks for your comments.

Quote from: someone on November 08, 2025, 04:32:25 AM: What browser are you using? If using Firefox there are some changes in Firefox that have to be made or Firefox DNS will fight with Unbound DNS.
Multiple machines, multiple browsers, email clients, other programs that access the internet, multiple OS (Windows multiple versions, Ubuntu).

Quote from: someone on November 08, 2025, 04:32:25 AM: You should leave Unbound enabled at default except check flush cache on reboot. Nothing to do there for a basic setup. Put your DNS servers in System > Settings > General > DNS.
I was informed that if DNS is configured in system->settings... instead of Unbound, then Unbound is not doing anything even if enabled. I didn't test that; I moved my DNS from Unbound to system->settings... and disabled Unbound. Then DNS started working normally.

Quote from: someone on November 08, 2025, 04:32:25 AM: Just to the right of each one is a gateway drop-down bubble. If it doesn't show an IPv4 gateway, wait for a DHCP connection, then click the drop-down bubble and it should be there. You have to attach an IPv4 gateway there. It's a bug I mentioned on the forum before.
None of those things went wrong for me, it was all there as it should be. Unbound DNS became flakier and flakier over varying periods of time until it stopped working completely. Clearing Unbound cache and reboot got it working again but only for short periods. Until I moved DNS and disabled Unbound, then all DNS problems stopped.

Quote from: someone on November 08, 2025, 04:32:25 AM: Make sure you wipe the OPNsense drive before a reinstall if you know how. It has a possibility of carrying data over to the new system. Wipe the RAM.
I will be using ZFS and I'm assuming it will completely format the disk (I've never used it). I suppose I'll find out when I get there.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: someone on December 23, 2025, 04:42:38 AM
Progress? Did you get it working? The things I mentioned affect DNS considerably.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on December 23, 2025, 07:28:46 AM
I have not tried to enable Unbound again since for the most part things have been working without it. It hasn't been entirely stable but I haven't had time to figure out what or why (dealing with a sudden death in the family and other issues). Hopefully soon after the first of the year I will find time to reformat with ZFS and try a fresh install with defaults as before, tweaking little else. Thanks for the followup.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: ESClaus76 on December 29, 2025, 06:05:58 PM
Not wanting to take over this post. Here are my issues.

I was running OPNsense for about a year and had my hard drive crash and lost everything. My setup was simple as it could get. No VLANs or segmented networks. Just serving as a DHCP server and DNS server. I would create static IPs for various things on my network and a couple of firewall rules for reverse proxy.

I replaced my hard drive and was starting over and saw that ISC DHCPv4 wasn't the default DHCP anymore. Reading on the forums and reddit I found that ISC is deprecated and recommendations are to use Dnsmasq or Kea DHCP. Along with that it is recommended to use Unbound.

This is where my issues start. I noticed that my PCs sometimes can't resolve DNS. It is random but I know it is something with my OPNsense because if I manually change DNS on my PC to a public DNS like 8.8.8.8 it works every time.

I have no idea where to even troubleshoot. I know I can go back to ISC DHCPv4 but with it eventually going away I should use the recommended.
Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: tokade on December 29, 2025, 07:57:48 PM
Since the 25.7 series, I have also noticed strange behavior where a few individual pages can no longer be accessed (ERR_CONNECTION_RESET), e.g., www.spiegel.de, or where I have to refresh the browser several times before other pages are displayed.

This happens with different browsers as well as on the LAN with Windows PCs and on the WLAN with Android.

I have already disabled all possible settings in Unbound (DNSSec, block lists, etc.) and tried different DNS servers for DoT, cleared the cache in the browser, cleared the DNS cache in Windows... but the pages still cannot be accessed. The block list tester also returns OK / PASS.

I can't make sense of the Unbound logs.
How could I further investigate the problem?

Kind regards
Torsten

Title: Re: DNS failures after upgrade to 25.7 series - NOT solved as I thought
Post by: pseudonym3k on December 29, 2025, 09:01:34 PM
Quote from: tokade on December 29, 2025, 07:57:48 PMSince the 25.7 series, I have also noticed
Quote from: ESClaus76 on December 29, 2025, 06:05:58 PMMy setup was simple as it could get.

I'm the OP, I'm still working on my issues, possibly related to both of yours, possibly just coincidence that I'm running smoothly right now, but I'll give you what I've got and let you try it out if you're willing.

I'm not saying this is best way to go, only that apparently it's working for me thus far and maybe you can get a stable setup too before moving on with more configuration.

1. If it isn't already, disable Unbound. Put your DNS server IP's in System -> Settings -> General.

2. I was having trouble with Health reports, I think something got corrupted in the upgrade. I went to Reporting -> Settings and reset/repaired everything, then rebooted. I had to do it a couple more times over a few weeks but reporting is working OK for now.

3. I've just moved from ISC to DNSmasq. I had DNSmasq in prior routers for years and liked it. This one is working for me too.
   - The first day was a little rocky as leases expired and got picked up by DNSMasq, but settled after that.   
   - Don't enable DNSMasq until everything is ready. Then, disable ISC and enable DNSMasq. Reboot and give it a day to settle out.
   - Leave the listen port at 53 (because unbound is disabled)
   - I followed this guide: https://homenetworkguy.com/how-to/migrate-from-isc-dhcp-to-dnsmasq-or-kea-dhcp-in-opnsense/  except for leaving the listen port at 53 and skipping all the unbound info. I also put the lease time to 0 on all my reserved IPs. I don't know if that's redundant but it is what I've done on all past DNSMasq routers I've had.

   NOTE: In ISC I had a small window of IPs available for dynamic IPs, and all the reserved IPs were defined outside of that range.
         In my past DNSMasq routers I always gave the full LAN range for DHCP and reserved IPs were scattered throughout - I did the same here. The above guide also mentions this. I honestly don't know if that's required, but it's what I've always done.

4. I found out I was getting dpinger problems with gateway monitoring. I think this was causing me some instability. Probably nothing to do with DNS issues exactly, but my internet kept going unstable and only pulling the power cable would fix it. I could probably just uncheck gateway monitoring (and may still try that).

But for now I changed the IP from what was already populated, to a hop in a tracert to any public IP. I chose the IP from the fourth hop as it responded quickly. It's still within my ISP. I am not sure how the one in OPNsense was populated, I don't recall putting anything there when I first set up and don't have any notes about it. Maybe I did it and just don't remember. In any case, using the fourth hop IP on the tracert is working well and I don't have any dpinger entries anymore.

Check your logs at System -> Gateways -> Log file and see if you have any dpinger warnings or errors, especially "exit on signal 15" which I think means it was killed and restarted. (?)  If you have warnings or errors, go to System -> Gateways -> Configuration and enter that fourth hop IP for monitoring. Or just try a reliable one like 1.1.1.1 or 8.8.8.8, something for your test that has a consistent fast response and solid uptime.


If you are willing to try the above and if your internet becomes stable after a day or two (and maybe a couple of reboots at intervals), then we might be able to help shed some light on why the most basic near-default installs seem to have trouble with DNS.

Let us know?

Kind regards.