switching from dnsmasq to unbound, fail

[jwest]

On an opnsense box at one location, I was using dnsmasq successfully for quite some time but decided to switch to unbound. To do the switch, I literally just took the host/domain overrides from dnsmasq and put them in unbound, disabled dnsmasq - enabled unbound - and it has been working for weeks no issues.

On an opnsense box at another location, I set it up with dnsmasq and it was definitely working for clients. Then 10 minutes later I decided "nah, I meant to use unbound". I had no host/domain overrides on that one, so just disabled dnsmasq and enabled unbound. Within a few seconds, no lan client was able to perform dns queries to that opnsense box.

I have compared all the settings between the two, and can't find anything obviously different that would make sense as impacting this. I know I have not provided great details on my setup, but I was wondering if anyone could suggest things I should check. I'd assume its not a firewall rule, as requests to dnsmasq get through.... and if I turn off unbound and turn dnsmasq back on - all clients can immediately get resolutions. Bizarre!

Any thoughts?

[newsense]

No much to work with here...


No DNS upstream ?

Either In System-General and then tick the checkbox in Unbound to use system servers

OR

Set up your own servers in DNS over TLS. 1.1.1.2 and/or 9.9.9.11 would be good to have there


Lastly, make sure Unbound is listening on all interfaces.

[jwest]

yeah, here's the odd thing. Yes, turning on query forwarding on the router in question immediately fixed the issue. I didn't notice I hadn't checked it because....

However, I was copying the configuration on this router from another router I have running at a different house with mostly the same setup. It was using unbound and did NOT have the query forwarding checked. But it definitely is/was working. I'm curious how the original router was working without query forwarding set.

All the rest of the config between the two routers is pretty much the same. I will stare at this a bit and see if I can't figure out how the original router is working without that set. If not, I'll come back and ask for guidance.

Thanks folks!

[newsense]

For privacy reasons it's better to configure your own servers using DoT/DoH/DoQ depending on the software capabilities available

Cloudflare and Quad9 are nothing to shy away from, but you can always do some more research and testing

https://dnsprivacy.org/public_resolvers/

[jwest]

Agreed. The current setup is the system points to 1.1.1.1/1.0.0.1 and unbound resolver set to use system servers.
I wanted to get the hardware up and running quickly and move on to a few downstream projects. But planning to return to it soon and finish 'flushing things out' - DNS over TLS is the first item on my list. Also captive portal at both locations, ids...