Hi all,
after upgrading to OPNsense 26.1 my Unbound + dnscrypt-proxy setup stopped working.
Before the upgrade:
- Unbound on OPNsense was configured to forward all queries to dnscrypt-proxy on localhost via a forward-zone in a custom file under /usr/local/etc/unbound.opnsense.d/.
- dnscrypt-proxy v2 was running on localhost, listening on a custom port, with a list of resolvers configured in dnscrypt-proxy.toml.
- Queries sent to Unbound were answered correctly (NOERROR), and dnscrypt-proxy validated DNSSEC as expected.
After upgrading to 26.1:
- dnscrypt-proxy no longer starts:
  - service dnscrypt-proxy status → "not running".
  - Log shows: [FATAL] No servers configured.
- In the active dnscrypt-proxy.toml I noticed that the server_names line had been changed to something like:

```text
server_names = ['dnscrypt.eu-nl dnscrypt.eu-dk mullvad-doh mullvad-dot quad9-doh-ip4-only']
```

  i.e. multiple resolver names concatenated into a single string, which makes dnscrypt-proxy fail to load any server and emit the "No servers configured" error.
- Unbound is running, but returns SERVFAIL for external domains, since it forwards to dnscrypt-proxy on localhost, which is not actually running.
Temporary manual fixes that work only until reboot:
- Manually fixing dnscrypt-proxy.toml:
  - Rewriting server_names as a proper list,
  - Making sure listen_addresses points to localhost on the chosen port, etc.
  - After that, dnscrypt-proxy starts and answers queries on its local port.
- Restoring the Unbound → dnscrypt forward:
  - Keeping a forward-zone pointing to dnscrypt-proxy in a custom file under /usr/local/etc/unbound.opnsense.d/,
  - Restarting Unbound so that queries go through dnscrypt-proxy again.
This works until the next reboot. After reboot:
- dnscrypt-proxy is again "not running",
- Unbound still forwards to it, so external queries result in SERVFAIL.
Questions
1. Is it expected that upgrading to OPNsense 26.1 modifies or resets dnscrypt-proxy.toml in a way that breaks server_names and causes [FATAL] No servers configured?
2. What is the recommended / supported way in 26.1 to:
   - keep a local dnscrypt-proxy v2 instance on OPNsense,
   - have Unbound forward all queries to it via forward-zone,
   - and ensure that:
     - dnscrypt-proxy.toml is not overwritten or broken on upgrades,
     - custom Unbound configuration under /usr/local/etc/unbound.opnsense.d/ is reliably loaded on boot and not ignored after upgrades?
If there is an updated best-practice example (or official doc) for a persistent Unbound + dnscrypt-proxy setup on 26.1, I'd really appreciate a pointer.
Thanks!
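As an added example (not part of the original post, and not OPNsense or dnscrypt-proxy project code): a small post-upgrade check that parses a dnscrypt-proxy.toml, detects the "several resolver names collapsed into one string" form of server_names described above, and rewrites it as a proper TOML array. The two embedded config texts are constructed samples; the listen address 127.0.0.1:5353 is an assumed placeholder for the poster's custom port. It assumes Python 3.11+ (stdlib tomllib) or the tomli backport.

```python
import re
import sys

try:
    import tomllib  # standard library from Python 3.11
except ImportError:  # pragma: no cover
    import tomli as tomllib  # backport for older interpreters

# Constructed sample: the broken form seen after the upgrade, where
# five resolver names ended up inside a single one-element list.
BROKEN_TOML = """
listen_addresses = ['127.0.0.1:5353']
server_names = ['dnscrypt.eu-nl dnscrypt.eu-dk mullvad-doh mullvad-dot quad9-doh-ip4-only']
"""

# Constructed sample: the same resolvers written as a proper TOML array.
FIXED_TOML = """
listen_addresses = ['127.0.0.1:5353']
server_names = ['dnscrypt.eu-nl', 'dnscrypt.eu-dk', 'mullvad-doh', 'mullvad-dot', 'quad9-doh-ip4-only']
"""

SERVER_NAMES_RE = re.compile(r"^server_names\s*=.*$", re.MULTILINE)


def load_server_names(text):
    """Parse the TOML text and return server_names as a list (empty if absent)."""
    cfg = tomllib.loads(text)
    names = cfg.get("server_names")
    return list(names) if names else []


def is_collapsed(names):
    """True when the list holds exactly one element that contains whitespace,
    i.e. several resolver names were concatenated into one string."""
    return len(names) == 1 and " " in names[0].strip()


def repair_server_names(names):
    """Split a collapsed entry back into individual resolver names."""
    return names[0].split() if is_collapsed(names) else list(names)


def diagnose(text):
    """Classify the config the way dnscrypt-proxy would experience it."""
    names = load_server_names(text)
    if not names:
        return "no-servers"      # would log [FATAL] No servers configured
    if is_collapsed(names):
        return "collapsed"       # one bogus name, so effectively no servers
    return "ok"


def rewrite_toml(text):
    """Return the config text with server_names rewritten as a proper array.
    Only the server_names line is touched; everything else is preserved."""
    names = load_server_names(text)
    if not is_collapsed(names):
        return text
    quoted = ", ".join(f"'{n}'" for n in repair_server_names(names))
    return SERVER_NAMES_RE.sub(f"server_names = [{quoted}]", text, count=1)


if __name__ == "__main__":
    # Usage: python check_dnscrypt_toml.py /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml
    # (path is an assumption; adjust to where the active file lives on your box)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else BROKEN_TOML
    status = diagnose(text)
    print(f"server_names status: {status}")
    if status == "collapsed":
        print("repaired server_names line:")
        print(SERVER_NAMES_RE.search(rewrite_toml(text)).group(0))
```

Run it against the active file right after an upgrade (and again after a reboot) to confirm whether the array form survived; it prints the repaired line rather than writing the file, so you can decide where the persistent copy of the setting should live.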