Hello everyone, I have OPNsense at home running on a mini PC with an N100 and 16GB RAM. I set up Unbound DNS and put a domain in the allowlist, and I did a cache refresh and everything, but it doesn't work.
But if I make an exception for it, it works. How can I fix this?
https://jumpshare.com/s/5M6HGv9aVYS48Vw0vbFb
This is a frequent Unbound DNS issue on OPNsense where allowlists don't take effect immediately due to caching, CNAME redirects, or incomplete propagation after adding domains.
Check Reporting First
Go to Reporting > Unbound DNS > Overview or Details to spot the blocked domain (and any CNAME chain). Click it to whitelist directly—this auto-adds to Services > Unbound DNS > Blocklists > Allowlist Domains.
Use CLI on OPNsense: dig example.com @127.0.0.1 to trace resolutions and whitelist all linked domains.
Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.
Flush client DNS too (e.g., ipconfig /flushdns on Windows). Test again—exceptions working confirms blocklist config is fine, just needs refresh.
Official Documentation
Full Unbound setup: [docs.opnsense.org/manual/unbound.html]
Reporting guide: [docs.opnsense.org/manual/reporting_unbound_dns.html]
Quote from: haim9080 on April 05, 2026, 10:32:02 PM: How can I fix this?
Unbound is nice for the whole 'Query Root DNS Servers' thing, but for blocking domains I would rather use Pi-Hole than anything else to be honest :)
Maybe one day there will be some kind of OPNsense alternative for pfBlockerNG but for now Pi-Hole + Unbound on a Raspberry Pi/Intel NUC/Proxmox CT or VM has my preference : https://docs.pi-hole.net/guides/dns/unbound/
/EDIT: Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM: AdGuard Home is available as a community plug-in and works very well. I prefer it over Pihole.
I know, but aside from disliking AdGuard since Day #1 the reason to not use it on OPNsense is because I like to keep my Router/Firewall as clean and simple as possible and something like that does not belong there IMHO :)
Quote from: nero355 on April 06, 2026, 03:24:42 PM: Maybe one day there will be some kind of OPNsense alternative
AdGuard Home is available as a community plug-in and works very well. I prefer it over Pihole.
Quote from: (MARLOO) on April 06, 2026, 03:45:17 AM: Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.
It should be sufficient to just clear the specific entry:
unbound-control -c /var/unbound/unbound.conf flush_zone example.com
But I'd also recommend running a dedicated solution for this. I run AdGuard Home in a DietPi LXC container and it uses my OPNsense Unbound as upstream DNS.
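Putting the two replies above together (MARLOO's advice to trace the CNAME chain with dig and allowlist every linked name, and the unbound-control flush_zone command for clearing a single cached entry), here is an added helper script. It is not from this thread and not part of OPNsense or Unbound. It parses the answer section of dig, lists every owner name and CNAME target so each one can be added under Services > Unbound DNS > Blocklists > Allowlist Domains, and prints the matching flush_zone commands for review instead of executing them. The dig output is a constructed sample embedded so the script runs offline; on the firewall you would pipe `dig +noall +answer <name> @127.0.0.1` into `cname_chain`. One caveat: if the local resolver already blocks a name in the middle of the chain, its answer stops at that name, so the full chain is best collected from an unfiltered resolver first. The script does not do that for you.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/Unbound.
# Lists every name in a CNAME chain from dig's answer section so each can be
# allowlisted, then emits the unbound-control flush_zone commands for them.
#
# Real usage on the firewall (not run here):
#   dig +noall +answer www.example.com @127.0.0.1 | cname_chain
#
# Constructed sample answer (three hops) so the script runs offline.
SAMPLE_DIG_ANSWER='www.example.com.        300     IN      CNAME   cdn.example-cdn.net.
cdn.example-cdn.net.    60      IN      CNAME   edge.tracker-host.org.
edge.tracker-host.org.  60      IN      A       203.0.113.10'

# cname_chain: read dig answer lines on stdin, print one name per line.
# Owner names and CNAME targets are both emitted, de-duplicated, with the
# trailing dot removed so they paste straight into the allowlist.
cname_chain() {
    awk '
        $0 !~ /^;/ && ($4 == "CNAME" || $4 == "A" || $4 == "AAAA") {
            owner = $1; sub(/\.$/, "", owner)
            if (!(owner in seen)) { seen[owner] = 1; print owner }
            if ($4 == "CNAME") {
                target = $5; sub(/\.$/, "", target)
                if (!(target in seen)) { seen[target] = 1; print target }
            }
        }'
}

# flush_commands: one unbound-control flush_zone per name read on stdin.
# Printed rather than executed so the list can be reviewed first; the
# config path is the one OPNsense uses, as given earlier in the thread.
flush_commands() {
    while IFS= read -r name; do
        printf 'unbound-control -c /var/unbound/unbound.conf flush_zone %s\n' "$name"
    done
}

# chain_from_sample: the chain extracted from the embedded sample.
chain_from_sample() {
    printf '%s\n' "$SAMPLE_DIG_ANSWER" | cname_chain
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "Names to allowlist:"
    chain_from_sample
    echo
    echo "Cache flush commands to run after the allowlist is applied:"
    chain_from_sample | flush_commands
fi
```

Run the flush commands only after the allowlist change has been applied, otherwise the next query just re-caches the blocked answer.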
Quote from: (MARLOO) on April 06, 2026, 03:45:17 AM: This is a frequent Unbound DNS issue on OPNsense where allowlists don't take effect immediately due to caching, CNAME redirects, or incomplete propagation after adding domains. [...]
OK, so I did all those things.
When I restart the service via the CLI, I get this error:
root@HaimHome:~ # service unbound restart
Stopping unbound.
Waiting for PIDS: 88081.
Obtaining a trust anchor...
Starting unbound.
[1775556382] unbound[92360:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available
[1775556382] unbound[92360:0] warning: so-sndbuf 4194304 was not granted. Got 57344. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value).
[1775556382] unbound[92360:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available
[1775556382] unbound[92360:0] warning: so-sndbuf 4194304 was not granted. Got 57344. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value).
root@AmsalemHome:~ #
And I set the outgoing and incoming TCP/UDP buffers to 57344.
Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM: Quote from: nero355 on April 06, 2026, 03:24:42 PM: Maybe one day there will be some kind of OPNsense alternative
AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.
Where??? I searched in the community plugins and I didn't see anything.
Quote from: nero355 on April 06, 2026, 03:24:42 PM: Unbound is nice for the whole 'Query Root DNS Servers' thing, but for blocking domains I would rather use Pi-Hole than anything else to be honest :) [...]
Listen, this OPNsense is in my rented apartment. I have a S2S VPN between my parents' house and here, and my parents' house has Proxmox on it, which has AdGuard and everything. I could redirect all the traffic to it, but that seems a bit silly to me.
Can I do the blocking in the firewall and get a user-facing block page like this, saying that it's blocked?
Quote from: haim9080 on April 07, 2026, 12:23:17 PM: Where??? I searched in the community plugins and I didn't see anything.
https://www.routerperformance.net/opnsense-repo/
If you pick the "just AdGuard" repository, there won't be any ill side effects caused by package conflicts. AGH is a single golang binary, all very clean and manageable.
Quote from: Patrick M. Hausen on April 07, 2026, 12:47:12 PM: https://www.routerperformance.net/opnsense-repo/ [...]
What does it do?
Does it install a full AdGuard Home solution?
Yes, of course. Integrated with OPNsense.
Quote from: Patrick M. Hausen on April 07, 2026, 03:27:01 PM: Yes, of course. Integrated with OPNsense.
So how can I download and install that? Can you give me the steps?
The instructions to do this are literally on the linked page.
Quote from: meyergru on April 08, 2026, 09:14:18 PM: The instructions to do this are literally on the linked page.
Thank you. I installed it, but during the AdGuard Home installation it told me that port 53 is not available, after I turned off Unbound DNS. So what do I do now?
You need Unbound or any DNS resolver, so AGH should run on an alternative port. I do not use it, but here is a guide:
https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/
Maybe you should use something different than 5353, because that collides with mDNS.
Quote from: meyergru on April 08, 2026, 09:57:14 PM: You need Unbound or any DNS resolver, so AGH should run on an alternative port. [...]
I managed to install AdGuard. In the end, I disabled Unbound DNS. Now I also have OpenVPN, which runs as a full tunnel. I connect from my phone to the VPN, but the traffic doesn't go out. I see it in the AdGuard logs as passing through, but on the phone there is no browsing at all.
What could be the solution to this?
AdGuard Home needs a forwarder or upstream DNS server as it might be called. It cannot do recursive resolution by itself. That's why I
- let AGH listen on port 53 on all interfaces
- let Unbound listen on port 53530
- set 127.0.0.1:53530 as an upstream for AGH
If you don't want a local Unbound in that equation, you need to point your AGH at your ISP's or some other recursive DNS server.
With that being solved it's a matter of
- have AGH listen on *all* interfaces: 0.0.0.0 - firewall rules will take care of nobody abusing it
- point your OpenVPN clients at "OPNsense address in the OpenVPN network, port 53" for DNS
HTH,
Patrick
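As an added check that is not from this thread and not part of OPNsense, AdGuard Home or Unbound: a small script that reads the output of FreeBSD's `sockstat -4 -l` and reports which daemon owns each DNS port, matching the layout Patrick describes (AGH on port 53, Unbound on 53530) and meyergru's warning that 5353 collides with mDNS. The two sockstat listings are constructed samples so the script runs offline: one shows the "port 53 not available" state from earlier in the thread, where Unbound still owns 53 and AGH cannot bind it; the other shows the intended split. On the firewall you would run `sockstat -4 -l | check_dns_layout`. The command names (unbound, AdGuardHome), the port 53530 and the GUI path are taken from the thread; the column order assumed is the one sockstat prints on FreeBSD.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense/AdGuard Home/Unbound.
# Reads `sockstat -4 -l` output and reports which daemon holds each DNS
# port, so a bind failure is diagnosed rather than guessed at.
# Assumed FreeBSD column order:
#   USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS"

# Constructed sample: broken state. Unbound still owns 53, AGH only has
# its web UI on 3000, so AGH reports that port 53 is not available.
SOCKSTAT_BROKEN='USER     COMMAND     PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
unbound  unbound     92360 5  udp4   *:53             *:*
unbound  unbound     92360 6  tcp4   *:53             *:*
root     AdGuardHome 1234  8  tcp4   127.0.0.1:3000   *:*'

# Constructed sample: the intended layout described in the thread.
SOCKSTAT_FIXED='USER     COMMAND     PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
unbound  unbound     92360 5  udp4   127.0.0.1:53530  *:*
unbound  unbound     92360 6  tcp4   127.0.0.1:53530  *:*
root     AdGuardHome 1234  7  udp4   *:53             *:*
root     AdGuardHome 1234  8  tcp4   *:53             *:*
root     AdGuardHome 1234  9  tcp4   127.0.0.1:3000   *:*'

# port_owners PORT: distinct COMMAND names bound to PORT (stdin = sockstat).
# The port is the last colon-separated field of LOCAL ADDRESS, which also
# copes with IPv6 literals. The header line (NR == 1) is skipped.
port_owners() {
    awk -v port="$1" '
        NR > 1 {
            n = split($6, a, ":")
            if (a[n] == port && !($2 in seen)) { seen[$2] = 1; print $2 }
        }'
}

# check_dns_layout: expects AdGuardHome alone on 53 and unbound on 53530,
# and warns about anything on 5353 (mDNS). Prints one finding per line and
# returns 0 when the layout matches, 1 otherwise.
check_dns_layout() {
    input=$(cat)
    p53=$(printf '%s\n' "$input" | port_owners 53 | tr '\n' ' ')
    p53530=$(printf '%s\n' "$input" | port_owners 53530 | tr '\n' ' ')
    p5353=$(printf '%s\n' "$input" | port_owners 5353 | tr '\n' ' ')
    status=0
    case "$p53" in
        'AdGuardHome ') ;;
        '') echo "port 53: nothing listening, clients get no DNS"; status=1 ;;
        *)  echo "port 53: held by ${p53% }, AGH cannot bind it (the 'port 53 not available' error)"; status=1 ;;
    esac
    case "$p53530" in
        'unbound ') ;;
        *) echo "port 53530: expected unbound, found '${p53530% }' (Services > Unbound DNS > General > Listen Port)"; status=1 ;;
    esac
    if [ -n "$p5353" ]; then
        echo "port 5353: ${p5353% } collides with mDNS, pick another port"
        status=1
    fi
    return "$status"
}

# Stand-alone demo against both constructed samples: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "broken:"; printf '%s\n' "$SOCKSTAT_BROKEN" | check_dns_layout || true
    echo "fixed:";  printf '%s\n' "$SOCKSTAT_FIXED"  | check_dns_layout && echo "layout OK"
fi
```

The check says nothing about reachability from the OpenVPN network; that part is still firewall rules plus the DNS server pushed to the clients, as described above.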
Quote from: Patrick M. Hausen on April 09, 2026, 12:08:01 AM: AdGuard Home needs a forwarder or upstream DNS server as it might be called. It cannot do recursive resolution by itself. [...]
Dear Patrick, I solved that by reinstalling AGH and having it listen only on the LAN interface, and everything is working great.
Thank you a lot.
I really appreciate that.
Haim