OPNsense Forum

English Forums => General Discussion => Topic started by: Netlearn on August 07, 2025, 11:50:04 PM

Title: Unbound with no upstream DNS
Post by: Netlearn on August 07, 2025, 11:50:04 PM
Hi all!

I recently moved 4 otherSense installs to OPNsense and added one more. Then I discovered this awesome forum and found a lot of interesting info and details about a lot of things about OPNsense and even networking.

I read this (https://forum.opnsense.org/index.php?topic=48379.msg244251#msg244251) and then this one (https://forum.opnsense.org/index.php?msg=108462).

@Patrick M. Hausen says,
Quote: "Unbound is a perfectly capable recursive DNS server that does not need any upstream."
so I removed the upstream servers in System > Settings > General and made sure "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked. My clients are either manual IP or reserved DHCP with only the OPNsense as DNS, have rules to block outbound traffic to port 53 and allow 53 on "This firewall" only. It just works as I supposed, according to Patrick's explanations.

Is this the way to have Unbound do all the work described in the second link?

Title: Re: Unbound with no upstream DNS
Post by: JamesFrisch on August 08, 2025, 07:54:19 AM
Not sure what the question is.
Yes you got a working recursive, local DNS aka unbound up and running.

Title: Re: Unbound with no upstream DNS
Post by: Patrick M. Hausen on August 08, 2025, 07:59:28 AM
Yes, this is how it's supposed to work.
Title: Re: Unbound with no upstream DNS
Post by: patient0 on August 08, 2025, 08:02:22 AM
Quote from: Netlearn on August 07, 2025, 11:50:04 PM: "Is this the way to have Unbound do all the work described in the second link?"
I would say so, yes. By removing the upstream servers and not using the ISP DNS you are using DNS root servers as mentioned in the 2nd link:

https://www.iana.org/domains/root/servers
https://en.wikipedia.org/wiki/Root_name_server
Title: Re: Unbound with no upstream DNS
Post by: coffeecup25 on August 08, 2025, 02:47:21 PM
Yes, it appears you were using unbound. I spent some time researching unbound yesterday and I see more about what the others were saying about it. It's a full DNS server that knows how to access the DNS Database far away. You bypass the upstream servers. In fact, I didn't know it but I think I am using unbound on my main LAN even though I have DNS servers listed on the settings pages.

However, if you want to access pihole or adguard home on an outside home server, the general way to do that is by entering the fixed ip address for the home server on the DHCP page, bypassing unbound, unless you choose to use unbound in pihole. IDK about Adguard Home in that context. Both make upstream DNS servers easy to select and use. Unbound by design goes straight to the source DNS Database.

Upstream DNS servers offer other benefits. All need to cover their costs so all users probably contribute to that somehow. But Adguard provides a free public upstream server that provides ad blocking. I use it on my cell phone by simply typing in the ip address for it. Many claim to keep no logs. Many others offer a free and clean version of the same public DNS Database that unbound reads. The Public one is raw data and has warts and all. At least some of the upstream servers filter out a lot of the bad stuff before you get to see it. You need an adblocker and / or antivirus as protection with unbound.

I'm going to look into finding out how to not use unbound for access to the dns database for this reason. I want to use the servers listed on the settings pages, although I can always go to the DHCP page if needed. I now personally consider unbound to be a last resort situation for dns resolution.

Also, I added a 2nd subnet and locked it out of the main LAN for security reasons. That apparently locked that subnet out of unbound and all DNS. The internet could not be accessed. Lots of failed heroics including the need to wipe and reload OPNsense failed to bypass that lockout for DNS. So, I simply added an outside DNS server to the DHCP page for the new subnet and it popped to life.

So, in summary, unbound is a choice with good and less good considerations.

Edit: I used the DHCP page to bypass unbound. Entering external DNS servers on the DHCP page caused Adguard Home on OPNsense to be bypassed completely. This approach completely eliminated ad blocking. I will try the 'Settings Pages' approach later.

I have 2 home servers for backup and other purposes. Both also have Adguard Home for Windows installed. Adguard Home there is for backup purposes. Both use upstream DNS servers for defaults. Both were entered in the DHCP page and both fired up perfectly.

I will also try entering upstream DNS Servers directly into Adguard Home on OPNsense later to see what happens. The two external Adguard Home servers are configured in this way. Unbound may or may not need the listening port to be changed. I will be surprised if it works the 1st time if at all. The 'settings page' DNS servers are most likely to retain adblocking, but not certain. Unbound DNS may be required for Adguard Home to be installed on OPNsense. Perhaps turning off all DNS in OPNsense to let Adguard Home do it using upstream servers will work? This will be another test.

(Why use OPNsense if 2 perfectly good home servers can do the job? Outside HOME DNS servers are a point of failure for the entire home network. Internal access to the DNS database is far more reliable. As is entering more than 1 external DNS server. That's why there are 2 home servers and Windows is sometimes not completely reliable when it decides to reboot on its own. 2 pihole servers in Ubuntu / Hyper-V proved that last year. Linux as a home server is overrated. Too many accommodations need to be taken to ignore what it can't do.)
Title: Re: Unbound with no upstream DNS
Post by: Netlearn on August 09, 2025, 01:17:43 AM
Thank you all for your answers.

So this is the behavior I was looking for. I already have DNSBL running on Unbound. Will check the DNSSEC option and put a NAT redirect rule, to assure all clients have DNS access, even with other config out of my control.

I know that other DNS servers offer additional services, but I prefer to ask only root servers and keep control of what happens before/after that.

I see the point of putting additional server(s) in the network, but, for now, I don't see the need for it. If Unbound can't resolve, chances are the OPNsense machine has crashed (so no internet, too) or root DNSs have gone down (so no internet, too). Swapping the OPNsense for another machine or router would be a viable patch in that case.

Again, many thanks for your attention.
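An added audit script (not from this thread or from the OPNsense project) that checks a small unbound.conf against the intent described in the opening post and in this reply: no forward-zone (true recursion to the root servers), a DNSSEC trust anchor present, and access-control entries covering every LAN subnet, since a subnet missing there gets no DNS at all. The config text and the trust-anchor path are constructed for the example.

```python
"""Audit a simple unbound.conf for a 'no upstream' recursive setup."""
import ipaddress
import re

# Constructed sample (not an OPNsense-generated file); the trust-anchor
# path is assumed. It deliberately contains a forward-zone and is missing
# the second LAN subnet so that the audit has something to report.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    port: 53
    auto-trust-anchor-file: "/var/unbound/root.key"
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
"""

def parse_unbound(text):
    """Return {section: [(key, value), ...]} for an indented unbound.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        header = re.match(r"^(\S[\w-]*):\s*$", line)   # 'server:' / 'forward-zone:'
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        key, _, value = line.strip().partition(":")
        sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections

def audit(text, lan_subnets):
    """Return a list of findings; an empty list means the config matches the intent."""
    conf = parse_unbound(text)
    findings = []
    if any(k == "forward-addr" for k, _ in conf.get("forward-zone", [])):
        findings.append("forward-zone present: Unbound acts as a forwarder, not a recursor")
    server = conf.get("server", [])
    if not any(k in ("auto-trust-anchor-file", "trust-anchor-file") for k, _ in server):
        findings.append("no DNSSEC trust anchor configured")
    allowed = [ipaddress.ip_network(v.split()[0]) for k, v in server
               if k == "access-control" and v.split()[-1].startswith("allow")]
    for subnet in lan_subnets:
        if not any(ipaddress.ip_network(subnet).subnet_of(a) for a in allowed):
            findings.append(f"{subnet} not allowed by access-control: clients there get no DNS")
    return findings
```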
Title: Re: Unbound with no upstream DNS
Post by: coffeecup25 on August 09, 2025, 02:40:14 PM
I just read an article about how internet privacy is changing in Europe. It was surprising. I now see why the privacy that unbound offers is so important. It's not VPN level privacy, but every little bit helps.
Title: Re: Unbound with no upstream DNS
Post by: Netlearn on August 10, 2025, 05:56:56 AM
Not only a privacy question, but control at hands, too.

On the privacy side, I can't see how DoT and DoH could help:

a. You use your ISP's DNS > they capture DNS + associated traffic (http, https, smtp...)
b. You use an external DNS > DNS server capture DNS data and your ISP captures associated traffic.
c. You use an external DoT or DoH DNS > Same as b.

In all the above alternatives, you lose recursion on your DNS, which becomes a forwarder, and your ISP will always know your traffic; the ISP doesn't care about DNS data.

d. You use your own DNS server > You are in control about filtering and no DNS data for free to other entities. ISP, of course, sees your traffic.

DNS data has no value for the ISP, as they have your traffic anyway. At least, don't give that info to one (or more) corps, orgs, or whatever.

That's my point of view about encrypted DNS systems in small or even medium networks. That could be different for a multi-site bigger net. Other thoughts really appreciated, probably there are some benefits I am missing.

Regards.
Title: Re: Unbound with no upstream DNS
Post by: coffeecup25 on August 10, 2025, 05:22:38 PM
Netlearn,

I agree with everything you said. In the US I really don't care much about who serves me my DNS as many public ones prefilter the data for me. But the world is changing and it's more than ad serving to worry about now in various places.

My Adguard Home server on my router started this whole adventure. It requires unbound to use an override port for listening for DNS.

A new network for IOT could not connect (initially) with DNS and needed an entry for an outside server on the DHCP page, which was very hard to find for KEA. (This created an uproar.) I wrote rules that kept LAN and IOT apart. This caused me to learn more about unbound than I ever dreamed. Before this, it was only a word people used about DNS.

Also, I finally figured out how to get DNS to the new subnet without the DHCP override. Firewall rules had nothing to do with it. The AdguardHome.yaml file needed to be edited to add a 2nd bind network. I also added a line for the new network to talk to the new Unbound DNS port.

I'm undecided on unbound for me right now. I tried it exclusively and some initial loads take a long time, although they are fast after they cache. I will play with it over time.