Messages - userOne

#2
I had something similar and tinkered a bit, but eventually gave up, as I wanted fail-over and did not want to depend on some WAN redirect magic, due to Wireguard not working the same as OpenVPN.

My home setup is as follows (don't ask why; it's fun with VMs, dockers and stuff, and you may remove complexity for your use case).

Redirect rule on lan1-lan10 to catch DNS: `IPv4 TCP/UDP    *    *    127.0.0.1    53 (DNS)    *    *`
Adguard running on :53
Opnsense unbound running on :53530

3 dns servers in Adguard (192.168.0.2, 192.168.0.3, [/local/127.0.0.1:53530])

dns1: 192.168.0.2 failover on 4 wg-tunnels
dns2: 192.168.0.3 failover on 4 (different) wg-tunnels

So queries are: Adguard -> dns1 and dns2 for external lookups, with the fail-over as mentioned, and Adguard -> opnsense unbound for local lookups.

If you want to decrease complexity you may use WAN redirect rules, but when one of the tunnels goes down you may see longer times for DNS queries.
Example for your WAN rule: `IPv4 TCP/UDP    VPN1 address    *    9.9.9.9    853    VPN1-gw    *`

Maybe someone has an easier fix, but what worked best for me and my use cases was a separate VM with a DNS server.
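The upstream layout described in the post above, written out as the `dns` section of an AdGuard Home `AdGuardHome.yaml`. This is an added example, not the poster's own configuration: it assumes AdGuard Home listens on port 53 on the firewall, that OPNsense Unbound is on `127.0.0.1:53530`, that `192.168.0.2` and `192.168.0.3` are the two resolver VMs holding the WireGuard tunnels, and that the AdGuard Home version in use supports the `upstream_mode` key (older releases expressed the same thing with the `all_servers` boolean).

```yaml
# Added example (not the poster's config): AdGuard Home "dns" section
# mirroring the setup above. Hosts/ports are assumptions taken from the post.
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  upstream_dns:
    # External lookups go to the two resolver VMs. Each VM does its own
    # tunnel fail-over, so AdGuard Home only needs to reach one of them.
    - 192.168.0.2
    - 192.168.0.3
    # Domain-specific upstream: names under .local are answered only by
    # the firewall's Unbound on its non-standard port, never over a tunnel.
    # The brackets must be quoted, otherwise YAML parses them as a list.
    - '[/local/]127.0.0.1:53530'
  # Query both resolver VMs at once and take the first reply, so a VM whose
  # tunnels are all down does not stall every client query until it times out.
  upstream_mode: parallel
  bootstrap_dns:
    - 192.168.0.2
```

The `[/local/]` entry is exclusive for that domain regardless of `upstream_mode`, so local names never leak to the external resolvers; the check worth running after a change is a lookup of a `.local` name and of an external name from a LAN client, confirming in the AdGuard Home query log which upstream answered each.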
#3
I guess this is via OpenVPN and not Wireguard?
From my understanding and testing it's 'all' outgoing interfaces, not a fail-over in Unbound as you think.

What I did (for Wireguard but somewhat applicable to you) was to:
1. Set up a DNS server on another machine.
2. Add a gateway group.
3. Add a firewall rule for the DNS server to use that gateway group instead of <insert default gw>.

Then you would have failover via the gateway group.