After initially attempting to configure Unbound to forward to Dnsmasq and encountering the same issues described by others (https://www.reddit.com/r/opnsense/comments/1mkc8ci/unbound_forwarding_to_dnsmasq_for_local_dns/), I switched to using Dnsmasq on port 53 forwarding to Unbound (recursive) on port 53053, configuring the Domain rule as outlined in the OPNsense documentation.
Everything appeared to work correctly until I noticed that my TV was reporting errors reaching certain addresses (for example, fr.app.lgwebostv.com).
When I tested DNS name resolution, I discovered there was a problem.
$ drill @127.0.0.1 -p 53 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 38756
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; fr.app.lgwebostv.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
lgwebostv.com. 422 IN SOA ns-951.awsdns-54.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Jan 4 16:04:01 2026
;; MSG SIZE rcvd: 135
It appears to be a name resolution issue. I received the same response when querying Unbound directly on port 53053.
Restarting Unbound multiple times does not change the behavior, but, interestingly, restarting Dnsmasq (sometimes not once but twice -?!-) seems to restore proper name resolution for Unbound (and consequently to Dnsmasq).
$ drill @127.0.0.1 -p 53053 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 63796
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; fr.app.lgwebostv.com. IN A
;; ANSWER SECTION:
fr.app.lgwebostv.com. 60 IN A 52.16.45.77
fr.app.lgwebostv.com. 60 IN A 54.76.24.108
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 4 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Jan 4 16:11:58 2026
;; MSG SIZE rcvd: 70
After about 15 minutes, the situation reverts to its original state and name resolution starts failing again. When the failure occurs, if I change certain dnsmasq options (for example, by enabling "Do not forward to system defined DNS servers"), DNS lookups resume working by using the DNS servers configured under System → Settings → General (if no DNS servers are configured in this section, the failure continues). This might suggest that dnsmasq is not successfully forwarding this address to Unbound. I have only managed to detect this problem with the mentioned address and two others, also related to the LG TV.
This rather chaotic sequence of trial-and-error tests has been quite confusing, so any suggestions that could help clarify what is happening would be greatly appreciated.
I am running DNSmasqd + Unbound too, but not on OPNsense, and the address works just fine here, so in theory that should not be a DNSmasqd issue...
When the domain both works and does not work:
Do you query both DNSmasqd and Unbound directly on the OPNsense Router?
You can then compare the results and hopefully see where things go wrong.
Thanks for your answer!
Quote from: nero355 on January 07, 2026, 12:21:01 AM
When the domain both works and does not work:
Do you query both DNSmasqd and Unbound directly on the OPNsense Router?
I hope I got your question right: the tests I've pasted before were made on the CLI of the router (sorry for not making that clearer), and also (but not shown or mentioned before) I've tested from the CLI of different computers on the lan (vlan) side, and the situation was the same as on the router. That is what made me think that the problem is on the router side, but as I said, I'm pretty clueless with this issue.
Thanks again!
Quote:
I hope I got your question right: the tests I've pasted before were made on the CLI of the router (sorry for not making that clearer)
I see the following in your post now after your edit:
Quote:
$ drill @127.0.0.1 -p 53 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN
Was that at the same moment when you also tested:
Quote:
$ drill @127.0.0.1 -p 53053 fr.app.lgwebostv.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR
??
- What are the results when both of them show NOERROR?
- Does Unbound ever show NXDOMAIN or at least something else instead of NOERROR?
First figure that out and then move on to:
Quote:
and also (but not shown or mentioned before) I've tested from the CLI of different computers on the lan (vlan) side, and the situation was the same as on the router.
Which should then of course always show the right query results because you have solved the issue on the Router :)
Quote:
That is what made me think that the problem is on the router side, but as I said, I'm pretty clueless with this issue.
It could also be some kind of issue with your ISP or the domain itself of course, but doing what you can to troubleshoot it is of course not a bad idea!
Have you tried using the DNS Servers of your ISP as Forward DNS Servers for DNSmasqd?
Or perhaps servers like 1.1.1.1 and 9.9.9.9 and so on?
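A small checker for the side-by-side comparison suggested in both replies above (query Dnsmasq on port 53 and Unbound on port 53053 for the same name at the same moment, then compare rcodes and answers). This is an added example written for this thread, not code from the original posts or from OPNsense, Dnsmasq or Unbound; it assumes the layout described in the first post (Dnsmasq on 127.0.0.1:53 forwarding to Unbound on 127.0.0.1:53053) and that ldns `drill` is on the PATH, as it is on the router where the captures above were taken. The two embedded sample outputs are copied from the drill captures posted in the thread so the parser can be exercised without a live resolver.

```python
"""Query the Dnsmasq front end and the Unbound back end for the same name and
report where the chain disagrees.  Added example for this thread, not OPNsense
or Dnsmasq/Unbound project code.  Assumes Dnsmasq on 127.0.0.1:53 forwarding
to Unbound on 127.0.0.1:53053, and ldns 'drill' on PATH."""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass, field

FRONT_PORT = 53      # Dnsmasq, what the clients (and the TV) talk to
BACK_PORT = 53053    # Unbound recursive resolver behind it


@dataclass
class DrillResult:
    rcode: str
    # (owner, ttl, rrtype, rdata) tuples from the ANSWER section only
    answers: list = field(default_factory=list)

    def rdata(self) -> set:
        return {a[3] for a in self.answers}


def parse_drill(output: str) -> DrillResult:
    """Pull the rcode and the ANSWER records out of drill's text output."""
    rcode = None
    section = None
    answers = []
    for raw in output.splitlines():
        line = raw.strip()
        m = re.search(r"\brcode:\s*([A-Z]+)", line)
        if m:
            rcode = m.group(1)
            continue
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]   # QUESTION, ANSWER, ...
            continue
        # Resource records are the only lines in a section not starting with ';'
        if section == "ANSWER" and line and not line.startswith(";"):
            parts = line.split()
            if len(parts) >= 5:
                answers.append((parts[0], int(parts[1]), parts[3], " ".join(parts[4:])))
    if rcode is None:
        raise ValueError("no rcode in drill output (timeout or wrong port?)")
    return DrillResult(rcode, answers)


def diagnose(front: DrillResult, back: DrillResult) -> str:
    """Classify a Dnsmasq/Unbound pair the way the replies above suggest."""
    if front.rcode != back.rcode:
        if back.rcode == "NOERROR":
            return (f"forwarding problem: Unbound answers NOERROR but Dnsmasq "
                    f"returns {front.rcode}; the query is not reaching Unbound "
                    f"(or is being answered from somewhere else)")
        return f"upstream problem: Unbound itself returns {back.rcode}"
    if front.rcode == "NOERROR" and front.rdata() != back.rdata():
        return ("answers differ between Dnsmasq and Unbound: "
                f"{sorted(front.rdata())} vs {sorted(back.rdata())}")
    return f"consistent: both return {front.rcode}"


def run_drill(name: str, port: int, server: str = "127.0.0.1") -> DrillResult:
    """Run drill the same way as in the thread: drill @server -p port name."""
    cmd = ["drill", f"@{server}", "-p", str(port), name]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    return parse_drill(out)


# Sample outputs copied from the thread's captures, trimmed to the sections.
SAMPLE_FRONT_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 38756
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; fr.app.lgwebostv.com. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
lgwebostv.com. 422 IN SOA ns-951.awsdns-54.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; ADDITIONAL SECTION:
"""
SAMPLE_BACK_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 63796
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; fr.app.lgwebostv.com. IN A
;; ANSWER SECTION:
fr.app.lgwebostv.com. 60 IN A 52.16.45.77
fr.app.lgwebostv.com. 60 IN A 54.76.24.108
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
"""

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "fr.app.lgwebostv.com"
    if shutil.which("drill"):
        front, back = run_drill(name, FRONT_PORT), run_drill(name, BACK_PORT)
    else:  # no drill available: replay the thread's captures instead
        front, back = parse_drill(SAMPLE_FRONT_NXDOMAIN), parse_drill(SAMPLE_BACK_NOERROR)
    print(f"{name}: dnsmasq={front.rcode} unbound={back.rcode} -> {diagnose(front, back)}")
```

Run it on the router's shell while the TV is failing and again right after the Dnsmasq restart; since the thread says the failure returns after roughly 15 minutes, a loop such as `while :; do python3 check.py fr.app.lgwebostv.com; sleep 60; done` records the exact moment the two resolvers start disagreeing, which is the data point the replies above ask for.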