"
Thank you for this, but I wanted to add as well. If I wanted to setup each VLAN that I have to have it's own set of DNS servers, how would I go about doing that? In NextDNS, you have different "Profiles" you can create which gives you seperate IPs / DoT addresses, etc, and how would I go about setting per VLAN which DNS addresses to go to?
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#1
General Discussion / Re: Opnsense and NextDNS with DNSMasq and Unbound
September 22, 2025, 05:38:36 PM #2
General Discussion / Re: Opnsense and NextDNS with DNSMasq and Unbound
August 01, 2025, 03:04:04 PM
If there are any details missing, I can provide anything that's needed
#3
General Discussion / Re: Opnsense and NextDNS with DNSMasq and Unbound
July 31, 2025, 01:50:57 PM
Ultimately, what I want to be able to happen is when a client on any VLAN, as long as they're allowed to access a server, they should be able to:
DNS Query to Router -> If Local server (with domain I use internally), give them server IP
-> If External server, go to NextDNS address set by DHCP option 6 addresses
DNS Query to Router -> If Local server (with domain I use internally), give them server IP
-> If External server, go to NextDNS address set by DHCP option 6 addresses
#4
General Discussion / Opnsense and NextDNS with DNSMasq and Unbound
July 29, 2025, 09:24:51 PM
So, currently, I have Unbound set at what I believe are defaults listening on port 53, no overrides and query forwarding to DNSmasq on 127.0.0.1:53053
I have all my static hosts set on the "Hosts" tab in Dnsmasq, with each host checked as "Local".
So, in the DHCP options, I can have option 6 set as just the router address for each VLAN, and be able to do local resolution to hosts in my networks, or I can add NextDNS Addresses as well, and not be able to resolve anything local, but I would have all the features of NextDNS working correctly.
What am I missing to be able to resolve local hosts, but forward every other address lookup to NextDNS per VLAN?
I have all my static hosts set on the "Hosts" tab in Dnsmasq, with each host checked as "Local".
So, in the DHCP options, I can have option 6 set as just the router address for each VLAN, and be able to do local resolution to hosts in my networks, or I can add NextDNS Addresses as well, and not be able to resolve anything local, but I would have all the features of NextDNS working correctly.
What am I missing to be able to resolve local hosts, but forward every other address lookup to NextDNS per VLAN?
#5
General Discussion / Re: OpnSense per VLAN NextDNS setup
April 04, 2025, 08:16:26 PMQuote from: patient0 on February 25, 2025, 07:35:11 PMQuote from: GregTheHun on February 25, 2025, 05:23:59 PMI mean, I suppose this could be a discussion thread on any service that has profiles and seperate dns addresses once they're setup. NextDNS just happens to be the one I'm using.I do use both NextDNS and ControlD, ControlD at home and NextDNS on the root Server. And while evaluating both services I did install and use ControlD's DNS forward proxy (https://github.com/Control-D-Inc/ctrld) at home. Very flexible and worth to checkout.
You can define multiple listeners, networks, rule for the listeners and upstream services (and more that I probably forgot about). Never tried with multiple NextDNS profile but I don't see a reason why it wouldn't work. There's no GUI element to it in OPNsense, the config happens in a TOML file
In my config below some devices have their own ControlD or NextDNS profile (MAC based) and queries for local DNS get forwarded to the *sense (network.0 & upstream.0):Code Select[service]
log_level = "info"
log_path = ""
cache_enable = true
cache_size = 10240
cache_ttl_override = 60
cache_serve_stale = true
[listener]
[listener.0]
ip = '0.0.0.0'
port = 53
allow_wan_clients = true
restricted = true
[listener.0.policy]
name = 'Policy @ Home'
networks = [
{'network.0' = ['upstream.0']}
]
rules = [
{ '*.my.home.arpa' = ['upstream.5']}
]
macs = [
{"xx:xx:xx:xx:xx:xx" = ["upstream.2"]}, # Macbook Air M2 Wifi
{"yy:yy:yy:yy:yy:yy" = ["upstream.1"]} # Apple TV 4K Livingroom
]
[network]
[network.0]
name = 'Local LANs'
cidrs = ['192.168.169.0/24', '10.11.0.0/16', '2aaa:bbbb:.../48']
[upstream]
[upstream.0]
name = 'ControlD - Firewall @ Home'
type = 'doh'
bootstrap_ip = '2606:...'
endpoint = 'https://dns.controld.com/<a profile>'
timeout = 5000
[upstream.1]
name = 'ControlD - Apple TV Living Room'
type = 'doh'
bootstrap_ip = '2606:...'
endpoint = 'https://dns.controld.com/<another profile>'
timeout = 5000
[upstream.2]
name = 'NextDNS - blockads Profile'
type = 'doh'
boostrap_ip = '2a07:...'
endpoint = 'https://dns.nextdns.io/<profile>'
timeout = 5000
[upstream.3]
name = 'Quad9'
type = 'doh'
bootstrap_ip = '2620:fe::fe'
endpoint = 'https://dns.quad9.net/dns-query'
timeout = 5000
[upstream.4]
name = 'DNS0.eu'
type = 'doh'
bootstrap_ip = '2a0f:fc80::'
endpoint = 'https://dns0.eu'
timeout = 5000
[upstream.5]
name = 'Local Unbound'
type = 'legacy'
endpoint = '127.0.0.1:10053'
timeout = 5000
I would also be curious about this method, would you have to disable Unbound in order for this to work?
#6
General Discussion / Re: OpnSense per VLAN NextDNS setup
April 01, 2025, 05:45:48 PM
Thanks everyone for the responses, but do you guys know anyway to do the same thing in OpnSense alone?
#7
General Discussion / Re: OpnSense per VLAN NextDNS setup
February 25, 2025, 05:23:59 PM
I mean, I suppose this could be a discussion thread on any service that has profiles and seperate dns addresses once they're setup. NextDNS just happens to be the one I'm using.
#8
General Discussion / Re: OpnSense per VLAN NextDNS setup
February 06, 2025, 06:00:46 PM
Mainly, what I'd like to do is have VLAN have it's own set of DNS servers it goes to, should the local Unbound server not be able to resolve it. I have some local servers that have proper URLs that I'd like to be able to access, and I have their overrides in Unbound, but if that doesn't go to anything local, then go to NextDNS and get the URL. Depending on the VLAN traffic originates from.
Hope this all makes sense, and thanks again
Hope this all makes sense, and thanks again
#9
General Discussion / OpnSense per VLAN NextDNS setup
February 05, 2025, 04:10:10 PM
Hi all,
I was curious, for those of you using NextDNS or something similar out there. I have a couple different profiles setup in NextDNS and was wondering how I can apply each of those profiles to different VLANs on my networks?
Any help would be much appreciated.
I was curious, for those of you using NextDNS or something similar out there. I have a couple different profiles setup in NextDNS and was wondering how I can apply each of those profiles to different VLANs on my networks?
Any help would be much appreciated.
#10
Tutorials and FAQs / Re: ACME sftp automation
May 12, 2023, 10:03:13 PM
If there are any errors, do you know where you can find the logs for the automations?
#11
22.7 Legacy Series / Re: One VLAN not working
October 13, 2022, 08:51:01 PM
So, I thought the error might've been fixed, but apparently even though I'm able to ping my proxmox server's IP. It's still not grabbing from the IP range in 13.0.0.0/16.
Is there any other things I could be missing, and what can I present to help you see what's up?
Is there any other things I could be missing, and what can I present to help you see what's up?
#12
22.7 Legacy Series / Re: One VLAN not working
October 07, 2022, 07:15:26 PM
Actually, I figured it out, VLAN 13 wasn't connected to Port 8 (the port connected to the router).
Once I did that, then addresses could be pulled.
The image below shows the VLAN not added to my port 8, which is causing the problems.
Once I did that, then addresses could be pulled.
The image below shows the VLAN not added to my port 8, which is causing the problems.
#13
22.7 Legacy Series / One VLAN not working
September 27, 2022, 09:21:05 PM
So, I've got some VLANs on my router
11 = IoT
12 = Kids network
13 = Servers
They are all setup in the same way (in the VLANs section of Interfaces), and all of them have the LAN as a parent. Outside of firewall rules, they all work except for the server one, They all have a default allow out rule at the end. The layout is the picture below.
However, anything connecting to the Servers VLAN refuses to connect, what could be wrong?
11 = IoT
12 = Kids network
13 = Servers
They are all setup in the same way (in the VLANs section of Interfaces), and all of them have the LAN as a parent. Outside of firewall rules, they all work except for the server one, They all have a default allow out rule at the end. The layout is the picture below.
However, anything connecting to the Servers VLAN refuses to connect, what could be wrong?
#14
General Discussion / Re: Git plugin not authenticating
July 04, 2021, 12:59:48 AM
Alrighty, both of those suggestions made it work.
So, for anyone else:
So, for anyone else:
- Setup SSH Keys properly (With your ssh-agent too)
- Make sure it works on Github
- Create a new repo (don't add or commit anything)
- The URL should be ssh://github.com/[username]/[repo].git
- The branch should be whichever one is the one setup (most likely master)
- Paste your SSH key
- Set username to 'git'
- Success! :-D
#15
General Discussion / Re: Git plugin not authenticating
July 03, 2021, 03:20:43 PM
Yes, I do have the ssh key added, and it does work for other repos.
Just not the new one I setup for the configs, but at least I remember creating new ones for each of my projects and not coming across this yet.
I'll have to check and see if something's different on the others.
Just not the new one I setup for the configs, but at least I remember creating new ones for each of my projects and not coming across this yet.
I'll have to check and see if something's different on the others.
