Hi all,
After a recent OPNsense upgrade my DNS stack with Unbound and dnscrypt-proxy broke, and I would like to understand the correct way to run this combination on current releases.
Setup (before it broke)
OPNsense as main router/firewall
Unbound listening on LAN/VLANs on port 53
dnscrypt-proxy (plugin) listening on 127.0.0.1:5353
Unbound forwarding to dnscrypt via custom file:
/var/unbound/etc/dnscrypt.conf:
```
server:
  # required: by default Unbound refuses to send queries to 127.0.0.1/::1
  do-not-query-localhost: no
forward-zone:
  name: "."
  # dnscrypt-proxy plugin listener; Unbound uses addr@port syntax, not addr:port
  forward-addr: 127.0.0.1@5353
```
AdGuard running on a Raspberry Pi in LAN (some VLANs used it directly, others only via Unbound)
Clients only use the firewall (Unbound) as DNS; dnscrypt and AdGuard are "behind" Unbound, so client-side configuration never changes.
What happened after upgrade
After an OPNsense/plugin upgrade from 25.7.10 to 25.7.11_1 (with the dnscrypt-proxy plugin installed), the following started to happen:
dnscrypt-proxy often fails to start or exits with:
"No servers configured" or issues with server_names in dnscrypt-proxy.toml
The TOML file appears to be regenerated/modified by the plugin/GUI after upgrades or reboots, even if I only manage it from the shell.
Unbound either:
Does not start, or
Starts but all queries return SERVFAIL for any domain, even though direct tests to public resolvers (1.1.1.1 / 9.9.9.9) work fine from the firewall.
unbound-checkconf /var/unbound/unbound.conf previously reported errors related to Python module / DNSBL and custom fragments, but now the config has been cleaned up and Unbound passes the check. Still, when chained to dnscrypt, resolution randomly breaks.
As a temporary workaround, I had to:
Disable dnscrypt in the chain.
Configure Unbound to forward directly to 1.1.1.1 and 9.9.9.9 (or use "System Nameservers"), so clients could resolve again.
Current behaviour / tests
From OPNsense shell:
service unbound status → service running (when not chained to dnscrypt).
drill @1.1.1.1 google.com and drill @9.9.9.9 google.com → NOERROR with valid IPs.
With Unbound directly forwarding to those public DNS, drill @127.0.0.1 google.com and drill @<LAN_GW_IP> google.com return valid answers.
When I reintroduce the forwarding to dnscrypt via /var/unbound/etc/dnscrypt.conf (127.0.0.1@5353):
If dnscrypt-proxy is running and the TOML is clean, the chain works again:
drill @127.0.0.1 -p 5353 google.com → NOERROR
drill @<LAN_GW_IP> google.com → NOERROR (clients → Unbound → dnscrypt → upstream)
But after some upgrades or reboots, dnscrypt-proxy's config is changed/regenerated and Unbound starts failing again (SERVFAIL), unless I manually fix the TOML and/or custom Unbound fragments. This behaviour seems similar to what is described here: "Unbound + Dnscrypt-proxy issue after upgrade to 25.7.11_1".
What I am looking for
Supported way to chain Unbound + dnscrypt-proxy on current OPNsense versions
Is the approach "clients → Unbound (53) → dnscrypt-proxy (127.0.0.1:5353)" via custom file in /var/unbound/etc/ still considered valid, or is there now a recommended alternative?
How to prevent plugin/GUI from regenerating dnscrypt-proxy.toml
If I want to manage dnscrypt-proxy only from the console (no GUI), what is the correct way to:
Disable automatic regeneration of dnscrypt-proxy.toml on upgrades/reboots?
Keep my own TOML persistent across firmware/plugin updates?
Best practice for Unbound custom fragments with dnscrypt
Given the changes in ACL handling and the known bug reported for 25.7.11 (duplicate server: clause etc.), what is currently the cleanest way to:
Add the forward-zone to 127.0.0.1@5353
Avoid clashes with Unbound's generated config and ACL changes in newer releases?
Logging / diagnostics
Is there a recommended way to make configctl unbound check errors show up clearly in the regular logs (e.g. /var/log/resolver.log), as suggested in the 25.7.11 thread, to make debugging these situations easier?
If needed, I can provide:
Current /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml
unbound-checkconf /var/unbound/unbound.conf output
tail -n 50 /var/log/resolver.log and /var/log/dnscrypt-proxy/dnscrypt-proxy.log
Thanks in advance for any hints or examples of a stable Unbound + dnscrypt-proxy setup on the latest OPNsense versions.
Regards
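An added diagnostic for the chain described in the post above (example code written for this page, not part of the original post and not OPNsense, Unbound or dnscrypt-proxy plugin code). It parses the Unbound custom fragment and dnscrypt-proxy.toml with a minimal line-based reader that only understands the keys the chain depends on, so it runs offline without `tomllib` or a network, and reports the three mismatches that produce the SERVFAIL / "No servers configured" symptoms: a `forward-addr` that does not match `listen_addresses` (what a regenerated TOML with the default `127.0.0.1:53` looks like from Unbound's side), a loopback forward without `do-not-query-localhost: no`, and a TOML with no `[sources]` or `[static]` table at all. The rules, the sample configs and the `example.invalid` URL are constructed for the example; `fingerprint()` is there so the TOML can be hashed before and after a reboot to prove whether the plugin rewrote it.

```python
"""Consistency check for a clients -> Unbound -> dnscrypt-proxy chain.

Added example, not code from the post, OPNsense or the dnscrypt-proxy plugin.
Rules applied (assumptions, see comments): every forward-addr must appear in
listen_addresses; forwarding to loopback needs do-not-query-localhost: no;
dnscrypt-proxy needs a [sources] or [static] table to have any servers.
"""
import hashlib
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
_QUOTED = re.compile(r"""['"]([^'"]*)['"]""")


def _strip_comment(raw):
    # '#' is a comment only at line start or after whitespace, so an Unbound
    # "addr@port#authname" survives (assumption: no '#' inside quoted strings).
    return re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()


def parse_unbound_fragment(text):
    """Return forward targets, do-not-query-localhost value and server: count."""
    targets, dnql, server_clauses = [], None, 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line == "server:":
            server_clauses += 1  # reported only; the post mentions duplicate clauses
        elif line.startswith("forward-addr:"):
            addr = line.split(":", 1)[1].strip().strip('"').split("#", 1)[0]
            host, _, port = addr.partition("@")
            targets.append((host, int(port) if port else 53))  # Unbound default port
        elif line.startswith("do-not-query-localhost:"):
            dnql = line.split(":", 1)[1].strip().lower()
    return {"targets": targets, "do_not_query_localhost": dnql,
            "server_clauses": server_clauses}


def parse_dnscrypt_toml(text):
    """Return (top-level string arrays, set of root table names)."""
    arrays, tables, table, pending, buf = {}, set(), "", None, ""
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        if pending is not None:  # continuation of a multi-line array
            buf += " " + line
            if "]" in line:
                arrays[pending] = _QUOTED.findall(buf)
                pending = None
            continue
        m = re.match(r"^\[+\s*([^\]]+?)\s*\]+$", line)
        if m:  # [sources.public-resolvers] -> root table "sources"
            table = m.group(1).split(".")[0].strip("'\"")
            tables.add(table)
            continue
        m = re.match(r"^(\w+)\s*=\s*\[(.*)$", line)
        if m and table == "":  # only top-level keys matter for the chain
            key, rest = m.groups()
            if "]" in rest:
                arrays[key] = _QUOTED.findall(rest)
            else:
                pending, buf = key, rest
    return arrays, tables


def check_chain(unbound_text, toml_text):
    """Return findings as strings; an empty list means the chain looks consistent."""
    findings = []
    ub = parse_unbound_fragment(unbound_text)
    arrays, tables = parse_dnscrypt_toml(toml_text)
    listen = set(arrays.get("listen_addresses", []))
    if not ub["targets"]:
        findings.append("unbound: fragment has no forward-addr")
    for host, port in ub["targets"]:
        if f"{host}:{port}" not in listen and f"[{host}]:{port}" not in listen:
            findings.append(f"unbound forwards to {host}@{port} but dnscrypt-proxy "
                            f"listens on {sorted(listen) or 'nothing'}")
        if host in LOOPBACK and ub["do_not_query_localhost"] != "no":
            findings.append("unbound: forwarding to loopback needs "
                            "'do-not-query-localhost: no' (the default is yes)")
    if not tables & {"sources", "static"}:
        findings.append("dnscrypt-proxy: no [sources] or [static] table, so "
                        "server_names has nothing to select from")
    return findings


def fingerprint(text):
    """SHA-256 of a config file; compare before/after a reboot to spot regeneration."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed samples for this example, not copied from a real system.
UNBOUND_FRAGMENT = """server:
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353
"""
TOML_GOOD = """listen_addresses = ['127.0.0.1:5353']
server_names = ['cloudflare', 'quad9-dnscrypt-ip4-filter-pri']
[sources]
  [sources.public-resolvers]
  urls = ['https://example.invalid/public-resolvers.md']
  cache_file = 'public-resolvers.md'
"""
# How a regenerated default TOML looks to the chain: wrong port, no server list.
TOML_REGENERATED = """listen_addresses = ['127.0.0.1:53']
server_names = []
"""

if __name__ == "__main__":
    for label, toml in (("good", TOML_GOOD), ("regenerated", TOML_REGENERATED)):
        print(label, fingerprint(toml)[:12], check_chain(UNBOUND_FRAGMENT, toml) or "OK")
```

On a live box the two strings would be read from /var/unbound/etc/dnscrypt.conf and /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml; running it from a cron or rc script right after boot, and keeping the previous `fingerprint()` in a file, gives a cheap answer to "did the plugin rewrite my TOML" before any `drill` test is needed.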