Hi,
I recently installed OPNsense (26.1.6) and have connected to the Internet just fine. However, DNS is confusing me in several ways.
First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.
My ISP offers DNS with a sinkhole - essentially a pi-hole I can configure in their portal. The DNS setting is offered through DHCP and you can configure it yourself.
I've added the DNS into System/Settings/General, and at the moment I have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled - but ticked or not it doesn't make a difference.
From a Windows client, my ISP DNS does not appear to be in use (ad block testing shows a very low success rate, and the optional DNS logs are empty).
On the same Windows client, if I set my IP statically and then set DNS to my ISP, the DNS logs fill quickly and ad block testing is 94% successful.
So it looks like OPNsense is using some other DNS server and I've no idea where that might be configured?
I do have a WireGuard tunnel enabled to my other home and wondered if DNS was somehow going there, so I disabled WireGuard and retested with the same results.
As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
2nd confusion:
As I mentioned above, I have a WireGuard tunnel set up to another OPNsense 900km away. They each have their own domain; i.e., mg.home.arpa and dy.home.arpa. I can't seem to resolve clients in the other domain. I've cheated for the time being by adding my Emby box as a static. On my new box I set a 'Query Forwarding' domain to the OPNsense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works OK.
Copilot led me a merry dance on the tunnel DNS yesterday until I gave up. I even migrated to KEA DNS for a bit and moved back when it didn't solve anything.
So I'm hoping someone can explain how this should work and help me figure out where it is going wrong. I figure what I want is a resolver in each site, and a pair of forwarders in each site - one to the opposite resolver for my internal domains, and one to my ISP or whatever for Internet stuff. But I'm at a loss how to make it happen.
Quote from: disorganise on April 12, 2026, 02:45:09 PM
However, DNS is confusing me in several ways.
First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.
As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
Quote:
I even migrated to KEA DNS for a bit and moved back when it didn't solve anything.
All a matter of reading: https://docs.opnsense.org/manual/dhcp.html
HINT: There is no such thing as KEA DNS, and in OPNsense everything is basically built around Unbound DNS-wise!!
Quote:
I have a WireGuard tunnel set up to another OPNsense 900km away. They each have their own domain; i.e., mg.home.arpa and dy.home.arpa.
I can't seem to resolve clients in the other domain. I've cheated for the time being by adding my Emby box as a static. On my new box I set a 'Query Forwarding' domain to the OPNsense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works OK.
My guess is you told Dnsmasq about it instead of Unbound, but again: read the documentation and go through everything step-by-step ;)
Quote from: disorganise on April 12, 2026, 02:45:09 PM
First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.
As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
Is Unbound enabled in Services => Unbound DNS => General => Enable Unbound?
If so then Services => Unbound DNS => Query Forwarding should tell you what upstream DNS servers it's using, and whether these are the system DNS servers from System => Settings => General or not.
If Unbound isn't enabled then you're probably using Dnsmasq. Is Services => Dnsmasq DNS and DHCP => General => "Do not forward to system defined DNS servers" selected? If it is, it should be using the servers from System => Settings => General, or if not the servers from Services => Dnsmasq DNS and DHCP => Domains.
Do the log files for Unbound or Dnsmasq show any errors?
On the Windows host, when getting its IP configuration automatically from DHCP, what does "ipconfig /all" in a command prompt show? Has it picked up its DNS configuration from your OPNsense? Also it might be worth using "nslookup" to check DNS from the command line, as browsers can sometimes try using their own DNS over HTTPS configuration.
Quote:
2nd confusion:
Probably better to stick to one problem at a time for now :) Well worth trying to work out how your DNS is currently configured before getting the sites to query each other. Your plan for a forward from one site to the other sounds right though.
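The "ipconfig /all" and "nslookup" check above, carried out as a PowerShell script on the Windows client; this is an added example, not something posted in the thread. It lists the DNS servers DHCP actually handed to the adapters, then resolves the same names once through that DHCP-assigned resolver and once directly at the ISP sinkhole, so a differing answer shows the OPNsense resolver is not reaching the sinkhole. The sinkhole address and the test names are placeholders to replace with your own.

```powershell
# Added example: compare the client's DHCP-assigned DNS path with the ISP sinkhole.
# Placeholders below are assumptions, not values from the thread.
$IspSinkhole = '203.0.113.53'                 # your ISP sinkhole resolver (placeholder)
$TestNames   = @('known-blocked.example.net',  # replace with a name your sinkhole list blocks
                 'www.example.com')            # a name that should resolve normally

# 1. Which DNS servers did DHCP actually hand to the active adapters?
$Assigned = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
$Assigned | Format-Table InterfaceAlias, ServerAddresses -AutoSize
$DhcpDns = ($Assigned | Select-Object -First 1).ServerAddresses[0]

function Get-AnswerSet {
    param([string]$Name, [string]$Server)
    # Ask one specific server (DNS only: no hosts file, LLMNR or NetBIOS) and
    # return its A records as a sorted, comma-joined string, or a marker if none.
    $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction SilentlyContinue
    if (-not $r) { return 'NXDOMAIN/none' }
    return ($r | Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress } | Sort-Object) -join ','
}

# 2. Same question down both paths. A sinkhole typically answers 0.0.0.0, NXDOMAIN
#    or no A record for a blocked name; if the DHCP path answers with a real
#    address while the ISP path does not, the OPNsense resolver is not using the sinkhole.
foreach ($n in $TestNames) {
    $viaDhcp = Get-AnswerSet -Name $n -Server $DhcpDns
    $viaIsp  = Get-AnswerSet -Name $n -Server $IspSinkhole
    [pscustomobject]@{
        Name        = $n
        ViaDhcpDns  = "$DhcpDns -> $viaDhcp"
        ViaIspDns   = "$IspSinkhole -> $viaIsp"
        SameAnswer  = ($viaDhcp -eq $viaIsp)
    }
}
```

Run it once with the normal DHCP configuration and once after setting the ISP server statically; if only the static run shows the sinkhole answers, the OPNsense resolver's upstream is the thing to fix.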