Messages

This obviously is a different approach from mine.
My explicit question was how to realize Split Horizon DNS.

Unfortunately, this whole discussion did not get me any step into that direction... ...yet...

Maybe, somebody could share some thoughts about that?

Looking forward to reading from you all!

So - how DO you do it?
If you only use unbound (unlinked from dnsmasq), you will need overrides to resolve your hostnames internally.
For overrides, you need (static) IP addresses.
How do you produce those?

Consequence from using overrides means: Double host management. Is that really the easiest and most practical way?

Well.
"Don't" doesn't help me answer my question.
Maybe, somebody could explain how this CAN be implemented (as concrete as possible)

Thank you kindly.

It's about Split Horizon DNS.

Query "host.domain.tld" from outside and get a different result if you query "host.domain.tld" from inside. Same domain name. Same hostname.

Furthermore:
If "host.domain.tld" is non-existent on the LAN but exists in the outside world:
Resolve it nevertheless - however, forward the query into the internet.

This works nicely (and is well implemented into unbound) if you use ISC.
I do not get it working if I have to use dnsmasq behind unbound (as is proposed for 26.1 onwards).


And once more my request:
How can I implement this using dnsmasq behind unbound?
What is the tweak?

Of course, it was unbound - and still is.

Nevertheless,
the whole host implementation was done with the help of ISC.
Now, it shall be realized via dnsmasq.

Unbound however appears not to play well with dnsmasq, yet.

Yet again my question:

How would you implement a Split Horizon DNS setup?

Kind regards,

Dear all,

what was pretty easy with ISC, "somehow" doesn't want to fly using dnsmasq.

Using the option "forward first" in unbound appears not to work correctly.
At least, on my side, that option didn't bring any success.

Has anyone been able to implement Split Horizon DNS aka Split Brain DNS so far?
Would you mind sharing your thoughts and ideas with me?

Kind regards,

Just to clarify things:

Unbound listens on port 53.
Queries to my local lan will be forwarded to dnsmasq, port 53053

However, this nslookup wasn't to my lan.
This nslookup went onto the internet!

Therefore, I'm even more puzzled!

Dear all,

currently, I'm a bit lost:

Today, I have re-installed my firewall.
Now, if I do a nslookup:

Code Select Expand

root@OPNsense:~ # nslookup www.domain.tld
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find www.domain.tld: NXDOMAIN

However, if I dig:

Code Select Expand

root@OPNsense:~ # dig www.domain.tld

; <<>> DiG 9.20.16 <<>> www.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.domain.tld. IN A

;; ANSWER SECTION:
www.domain.tld. 7194 IN CNAME hss-oracle-1.lan.domain.tld.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Feb 08 16:18:06 CET 2026
;; MSG SIZE  rcvd: 72

What will I need to change so that the CNAME will be resolved?

Any help is appreciated!

Kind regards,

Wow. Thank you kindly.
That isn't self-explainatory.

Kind regards!

Dear all,

Title says it all.

Go to: Interfaces -> Devices -> VLAN
--> "Add"

The bridge is not available to be selected as Parent.

What the heck?!?

What can I do?

Kind regards,

Nobody able to help?

Dear all,

I have two local networks connected to each other via two different wireguard connections.

What I would like to know:
How can I establish a route metric/route cost, so that one of the two connections only works as a kind of a fallback?
Without a metric, the possibility to crate a routing loop is quite high.

Could somebody please give me a hand?

Kind regards,

Dear all,

On my wireguard gateway, I am monitoring the remote IP address.
This is no problem at all @IPv4,
however,
the IPv6 Gateway Monitoring Service stays down after every reboot and needs to be re-started manually.

Is that a bug or a feature?

If it's a bug - where will I report it?

Kind regards,

Virtual IP-Mode ist "IP Alias"? Auf den Servern sind die ULAs ebenfalls als /64 angelegt?

Ja und ja.

Gateway-Adressen sind üblicherweise link-local, keine GUAs oder ULAs.

Darin sehe ich wenig Sinn. Route sollte Route sein.

Answering my own question:

mimugmail posted a short but effective answer (https://forum.opnsense.org/index.php?topic=34815.msg168643#msg168643) , saying:

In GUI set the filter rule, at the bottom tick advanced, scroll down, "keep state" to none

Indeed, this solved my troubles.

Chapeau! Thank you, mimugmail!