I know this is a fairly old thread, but I recently had the need to have a specific client excluded from Unbound's BL and struggled to find any solution that would work, until I realized that, if I'm bypassing Unbound entirely, I could just set that client to use a specific external DNS server in the static IP lease section of OPNsense. I wasn't too concerned, since this was a fairly isolated device. My question is: what would the benefits be of not going this route, but instead having the firewall itself make that determination through some other form of filtering or a custom Unbound config?