Hi,
I recently installed OPNSense (26.1.6) and have connected to the Internet just fine. However, DNS is confusing me in several ways.
First confusion: I don't know what DNS servers it is using, but it doesn't appear to be anything I set.
My ISP offers DNS with sinkhole - essentially a pi-hole I can configure in their portal. The DNS setting is offered through DHCP and you can configure it yourself.
I've added the DNS into System/Settings/General, and at the moment I have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled - but ticked or not it doesn't make a difference.
From a Windows client, my ISP DNS does not appear to be in use (ad block testing shows a very low success rate, and the optional DNS logs are empty).
On the same Windows client, if I set my IP statically and then set DNS to my ISP, the DNS logs fill quickly and ad block testing is 94% successful.
So it looks like OPNSense is using some other DNS server and I've no idea where that might be configured?
I do have a WireGuard tunnel enabled to my other home and wondered if DNS was somehow going there, so I disabled WireGuard and retested with the same results.
As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
2nd confusion:
As I mentioned above, I have a WireGuard tunnel set up to another OPNSense 900 km away. They each have their own domain, i.e. mg.home.arpa and dy.home.arpa. I can't seem to resolve clients in the other domain. I've cheated for the time being by adding my Emby box as a static. On my new box I set a 'Query Forwarding' domain to the OPNSense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works ok.
Copilot led me a merry dance on the tunnel DNS yesterday until I gave up. I even migrated to KEA DNS for a bit and moved back when it didn't solve anything.
So I'm hoping someone can explain how this should work and help me figure out where it is going wrong. I figure what I want is a resolver in each site, and a pair of forwarders in each site - one to the opposite resolver for my internal domains, and one to my ISP or whatever for Internet stuff. But I'm at a loss how to make it happen.
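As an added illustration (not part of the original post), here is the per-site layout described above written as raw Unbound directives, which is what the Query Forwarding and system-nameserver settings in the OPNsense GUI generate behind the scenes. The tunnel address 10.200.0.2 and the ISP resolver 203.0.113.53 are placeholders, and the config assumes Unbound is the resolver clients are handed by DHCP and that DNSSEC validation is left enabled.

```conf
server:
  # Unbound serves home.arpa itself as a default static zone (RFC 8375).
  # Release it, otherwise queries for dy.home.arpa get NXDOMAIN locally
  # and the forward-zone below is never consulted.
  local-zone: "home.arpa." nodefault

  # The remote site answers with RFC 1918 addresses; without this line
  # Unbound's rebind protection strips them from the reply.
  private-domain: "dy.home.arpa."

  # home.arpa does not exist in the signed public tree, so a validating
  # resolver would mark the remote site's answers bogus. Mark the
  # sub-domain insecure so validation is skipped only for it.
  domain-insecure: "dy.home.arpa."

# Site-to-site: the other OPNsense's resolver is authoritative for its
# own clients, reached over the WireGuard tunnel address (placeholder).
forward-zone:
  name: "dy.home.arpa."
  forward-addr: 10.200.0.2

# Everything else: forward to the ISP sinkhole resolver (placeholder)
# instead of recursing from the root servers, so its block lists and
# query logs actually see the LAN's lookups.
forward-zone:
  name: "."
  forward-addr: 203.0.113.53
```

The mirror-image config on the second site forwards mg.home.arpa to the first site's tunnel address; a quick check from a LAN client is `dig @<your OPNsense LAN IP> <client>.dy.home.arpa`, which should now return the remote address rather than NXDOMAIN or SERVFAIL.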