OPNsense Forum

English Forums => 25.7 Series => Topic started by: psharkauburn on September 08, 2025, 11:30:00 PM

Title: Can't get Unbound working as a recursive DNS server
Post by: psharkauburn on September 08, 2025, 11:30:00 PM
Running 25.7.2 on a recently factory reset installation, and not getting Unbound to work as a recursive DNS server.

Some background: I had downloaded opnsense 25.1 to try out several months ago, installed it on a small box but never went through configuring and setting it up. This weekend I got around to it, and did the update up to 25.7.2. The box is behind my home router, so it's pulling a 192.168 address on the WAN side and handing out 10.X.X.X on the LAN side. Under System -> Settings -> General I left the DNS servers list blank, but CHECKED the allow DNS Server list to be overridden by WAN DHCP. Because of the double router setup, I UNCHECKED the 'Block Private Networks' on the WAN setting so it'd be good with 192.168 traffic. So it was pulling my home router (192.168.1.1) as DNS, which allowed the update from 25.1 -> 25.7.2 to happen. Default install had Unbound running on port 53, and DNSMASQ set to 0 (DNS disabled) while DHCP services were working fine.

Next round of setup included following the guide in the docs for DHCP -> DNS registration: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration. Had no issue setting up DNSMASQ DNS on port 53053. Went into Unbound settings -> Query Forwarding and set up the forward and reverse domain match for my internal LAN domain to forward to 127.0.0.1:53053 (DNSMASQ). I also had CHECKED 'Use System Nameservers' on the Unbound -> Query Forwarding -> Settings page. From a couple of LAN clients I verified they got the OPNsense router as DNS server after a successful DHCP lease. I was able to successfully test DNS resolution against DHCP clients (FQDN), both forward and reverse, and it was working fine.

So at this point I know my LAN clients are hitting OPNsense Unbound on 53 for DNS services, and it's forwarding to DNSMASQ for internal domain resolution against DHCP leases fine. I had a feeling it wasn't running as a recursive DNS server and confirmed after doing a dnscheck.tools that it was resolving from my home router (192.168) DNS settings (set to a public clean browsing service). This made sense with me checking that option on the Unbound Query Forwarding page to 'Use System Nameservers'. After unchecking that box and an Unbound restart, I lost DNS resolution to anything external on my LAN test clients. Going into the router -> System -> Settings -> General and unchecking 'allow DNS to be overridden by WAN DHCP' and a system reboot, and I lost DNS resolution on the OPNsense router. I explicitly tried setting its DNS server list to 127.0.0.1 but it had no effect.

On LAN clients, any nslookup against the default DNS server (OPNsense router) was failing. Explicitly pointing an nslookup to use a public server like 8.8.8.8 worked fine. Same on the OPNsense router: doing a 'drill www.google.com' would fail (showing it was asking against 127.0.0.1) while doing a 'drill www.google.com @8.8.8.8' would be successful. So this wasn't a case of not being able to get DNS traffic to the LAN or WAN side of this OPNsense router.

Thinking maybe it was me mucking up something during setup, I did a 'factory reset' option. The only stuff I did was assign interfaces, unblock private networks on WAN, set IP address/subnet on LAN side. I left DNS Servers BLANK, I never checked allow WAN DHCP override, I left default settings untouched in DNSMASQ and Unbound. No custom query forwarding on the Unbound side or anything. I was under the impression that OPNSense would use the internally running default Unbound instance on port 53 as system DNS if the server list was left empty. Trying a 'drill www.google.com' verified it was asking against 127.0.0.1. No luck, not getting resolution from the OPNSense server itself, or a LAN client. I can manually override LAN client to a public DNS Server like 8.8.8.8 and all is well.

Any ideas? I was curious if root hints were missing or something, knowing it needs a starting point explicitly given for recursion to jump off from. Looking through config files, those seem to be there (I'm not a FreeBSD person by any stretch tho). I know I can get the router working by setting a system DNS server to use (like Google DNS or my ISP) and telling Unbound to forward queries, but I was under the impression that shouldn't be needed; as a recursive DNS server it should be able to do everything it needs on its own.

Any tips or pointers or ideas welcome.
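The post above narrows the fault by hand with three drill runs: the local Unbound instance, a public resolver, and the question of whether recursion can start at all. The script below is an added diagnostic helper, not something from the thread or from OPNsense, that runs the same separation in one pass on the firewall console. It assumes drill(1) as shipped on OPNsense/FreeBSD; 198.41.0.4 is the public address of a.root-servers.net, and the query name is just a test target. The interesting comparison is step 2 against step 3: if a public recursive resolver answers but a root server does not, the box has egress on UDP/53 yet cannot reach the servers recursion depends on, which points at source-address or outgoing-interface selection rather than at a blocked WAN.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the thread or of OPNsense.
# Assumes drill(1) (present on OPNsense/FreeBSD) and runs on the firewall.

NAME=www.google.com
ROOT_A=198.41.0.4   # a.root-servers.net, public address

# Print the rcode found in drill output read from stdin, or NO_RESPONSE
# when drill never got an answer (network error, timeout).
parse_rcode() {
    rc=$(sed -n 's/.*rcode: \([A-Z]*\),.*/\1/p' | head -n 1)
    printf '%s\n' "${rc:-NO_RESPONSE}"
}

# Print the header flags ("qr rd ra") from drill output read from stdin.
parse_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1 | tr -s ' '
}

# Succeed when the responding server advertises recursion (RA flag).
# Root servers never set RA, so "no" is the expected result for them.
has_ra() {
    parse_flags | grep -qw ra
}

# Run one query and report rcode plus whether the server recurses.
# Usage: check <label> <qname> <type> <server>
check() {
    out=$(drill "$2" "$3" @"$4" 2>&1)
    rc=$(printf '%s\n' "$out" | parse_rcode)
    if printf '%s\n' "$out" | has_ra; then ra=yes; else ra=no; fi
    printf '%-26s rcode=%-12s recursion-available=%s\n' "$1" "$rc" "$ra"
}

run_diagnostics() {
    # 1. Local Unbound: what LAN clients and the box itself actually use.
    check "unbound via 127.0.0.1" "$NAME" A 127.0.0.1
    # 2. Outbound UDP/53 from the box in general (works in the post).
    check "public resolver 8.8.8.8" "$NAME" A 8.8.8.8
    # 3. Direct query to a root server. Recursion starts here; if this
    #    fails while step 2 works, egress itself is fine and the problem
    #    is which local address Unbound sends its iterative queries from.
    check "root server direct" . NS "$ROOT_A"
}

# Network checks run only when invoked as: sh unbound-check.sh run
case "${1:-}" in
    run) run_diagnostics ;;
esac
```

Run it as `sh unbound-check.sh run` on the firewall. A healthy recursive setup prints NOERROR for all three lines, with recursion-available=yes for the first two and =no for the root server; the pattern from the post (NO_RESPONSE or SERVFAIL on line 1, NOERROR on line 2) is what to look at next, and line 3 tells you whether the box can even reach the root from its chosen source address.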
Title: Re: Can't get Unbound working as a recursive DNS server
Post by: psharkauburn on September 09, 2025, 02:00:48 AM
So I found that going to Services -> Unbound -> Settings and toggling 'Advanced' and then setting 'Outgoing Network Interfaces' to explicitly 'WAN' seemed to make a difference. That setting, normally hidden, defaulted to 'ALL'. I have 3 interfaces on my machine, LAN, WAN, and OPT1 which is unconnected onboard WiFi. Toggling outbound to 'WAN', apply, stop, re-starting the service and this seems to bring DNS resolution to life.

Any ideas why? And related note, the help wording indicates this only works when the interface is statically configured... but my WAN interface is set by DHCP.
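For readers who want to see what the GUI setting in the follow-up corresponds to in Unbound itself, here is an added, hand-written unbound.conf fragment. It is not OPNsense's generated configuration and not from the thread; the addresses, the root-hints path and the zone name lan.example are constructed placeholders. Unbound's outgoing-interface directive takes an IP address rather than an interface name, so the address must be known when the file is rendered; that is one reason an interface that gets its address by DHCP is awkward for this option. The fragment also carries the two settings that a forwarding to dnsmasq on loopback and a private reverse zone need, since Unbound refuses to query 127.0.0.0/8 and blocks 10.in-addr.arpa by default.

```conf
# Added example fragment, not OPNsense's rendered config.
# Addresses, paths and lan.example are constructed placeholders.
server:
    interface: 0.0.0.0                 # listen on every local address
    interface: ::0
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow   # LAN clients (constructed range)

    # Pure recursion: start from the root, no forwarders for the internet.
    # Unbound has compiled-in hints; a file just keeps them current.
    root-hints: "/usr/local/etc/unbound/root.hints"   # assumed path

    # Weak form (the thread's "ALL"): omit outgoing-interface entirely and
    # Unbound picks whichever local address the kernel routes from.
    # Fixed form: pin iterative queries to the WAN address. This wants a
    # literal address, which is why a DHCP-assigned WAN has to be
    # re-rendered here whenever the lease changes.
    outgoing-interface: 192.168.1.50   # constructed WAN address

    # Forwarding the internal zone to dnsmasq on 127.0.0.1:53053 needs
    # this; Unbound refuses to query loopback by default.
    do-not-query-localhost: no

    # The internal zone is unsigned and answers with private addresses.
    domain-insecure: "lan.example"
    private-domain: "lan.example"
    # Release the built-in block on the RFC 1918 reverse zone.
    local-zone: "10.in-addr.arpa." nodefault
    domain-insecure: "10.in-addr.arpa."

forward-zone:
    name: "lan.example"
    forward-addr: 127.0.0.1@53053
forward-zone:
    name: "10.in-addr.arpa."
    forward-addr: 127.0.0.1@53053
```

After editing a file like this by hand, `unbound-checkconf` validates it before a restart; on OPNsense the GUI renders its own file, so this fragment is only a reading aid for what the "Outgoing Network Interfaces" and Query Forwarding pages are doing underneath.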