Unbound + dnscrypt-proxy broken after upgrade 25.7.11_1

Started by opnessense, January 17, 2026, 10:59:24 PM

Last Edit: January 17, 2026, 11:02:48 PM by opnessense
Hi all,
after a recent OPNsense upgrade my DNS stack with Unbound and dnscrypt-proxy broke, and I would like to understand what is the correct way to run this combination on current releases.

Setup (before it broke)

OPNsense as main router/firewall

Unbound listening on LAN/VLANs on port 53

dnscrypt-proxy (plugin) listening on 127.0.0.1:5353

Unbound forwarding to dnscrypt via custom file:
/var/unbound/etc/dnscrypt.conf:

server:
  # Unbound refuses to send queries to loopback addresses unless this is "no"
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353   # dnscrypt-proxy listener
AdGuard running on a Raspberry Pi in LAN (some VLANs used it directly, others only via Unbound)

Clients only use the firewall (Unbound) as DNS; dnscrypt and AdGuard are "behind" Unbound, so client-side configuration never changes.


What happened after upgrade

After an OPNsense/plugin upgrade from 25.7.10 to 25.7.11_1 (with the dnscrypt-proxy plugin installed), the following started to happen:


dnscrypt-proxy often fails to start or exits with:

"No servers configured" or issues with server_names in dnscrypt-proxy.toml

The TOML file appears to be regenerated/modified by the plugin/GUI after upgrades or reboots, even if I only manage it from the shell.

Unbound either:

Does not start, or

Starts but all queries return SERVFAIL for any domain, even though direct tests to public resolvers (1.1.1.1 / 9.9.9.9) work fine from the firewall.

unbound-checkconf /var/unbound/unbound.conf previously reported errors related to Python module / DNSBL and custom fragments, but now the config has been cleaned up and Unbound passes the check. Still, when chained to dnscrypt, resolution randomly breaks.


As a temporary workaround, I had to:

Disable dnscrypt in the chain.

Configure Unbound to forward directly to 1.1.1.1 and 9.9.9.9 (or use "System Nameservers"), so clients could resolve again.


Current behaviour / tests

From OPNsense shell:

service unbound status → service running (when not chained to dnscrypt).

drill @1.1.1.1 google.com and drill @9.9.9.9 google.com → NOERROR with valid IPs.

With Unbound directly forwarding to those public DNS, drill @127.0.0.1 google.com and drill @<LAN_GW_IP> google.com return valid answers.


When I reintroduce the forwarding to dnscrypt via /var/unbound/etc/dnscrypt.conf (127.0.0.1@5353):

If dnscrypt-proxy is running and the TOML is clean, the chain works again:

drill @127.0.0.1 -p 5353 google.com → NOERROR

drill @<LAN_GW_IP> google.com → NOERROR (clients → Unbound → dnscrypt → upstream)


But after some upgrades or reboots, dnscrypt-proxy's config is changed/regenerated and Unbound starts failing again (SERVFAIL), unless I manually fix the TOML and/or custom Unbound fragments. This behaviour seems similar to what is described here: "Unbound + Dnscrypt-proxy issue after upgrade to 25.7.11_1".


What I am looking for

Supported way to chain Unbound + dnscrypt-proxy on current OPNsense versions

Is the approach "clients → Unbound (53) → dnscrypt-proxy (127.0.0.1:5353)" via custom file in /var/unbound/etc/ still considered valid, or is there now a recommended alternative?


How to prevent plugin/GUI from regenerating dnscrypt-proxy.toml

If I want to manage dnscrypt-proxy only from the console (no GUI), what is the correct way to:

Disable automatic regeneration of dnscrypt-proxy.toml on upgrades/reboots?

Keep my own TOML persistent across firmware/plugin updates?


Best practice for Unbound custom fragments with dnscrypt

Given the changes in ACL handling and the known bug reported for 25.7.11 (duplicate server: clause etc.), what is currently the cleanest way to:

Add the forward-zone to 127.0.0.1@5353

Avoid clashes with Unbound's generated config and ACL changes in newer releases?


Logging / diagnostics

Is there a recommended way to make configctl unbound check errors show up clearly in the regular logs (e.g. /var/log/resolver.log), as suggested in the 25.7.11 thread, to make debugging these situations easier?


If needed, I can provide:

Current /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml

unbound-checkconf /var/unbound/unbound.conf output

tail -n 50 /var/log/resolver.log and /var/log/dnscrypt-proxy/dnscrypt-proxy.log

Thanks in advance for any hints or examples of a stable Unbound + dnscrypt-proxy setup on the latest OPNsense versions.

Regards
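The chain described in the post (clients → Unbound on 53 → dnscrypt-proxy on 127.0.0.1:5353) breaks in a few predictable ways when the plugin rewrites dnscrypt-proxy.toml: the listener moves to another port, the pinned server_names list is emptied, or the Unbound fragment loses the do-not-query-localhost setting that it needs to talk to 127.0.0.1 at all. The script below is an added example and not code from the post or from the OPNsense project. It reads the custom Unbound fragment and the TOML and reports those mismatches before any service is restarted, so the SERVFAIL and "No servers configured" cases can be caught from a cron job or a pre-reload hook. The file paths are the ones named in the post; the sample files it writes are constructed here for demonstration, and treating an empty server_names as a failure is a policy choice for a config that intends to pin servers (dnscrypt-proxy itself accepts an empty list and then uses every server from its sources).

```shell
#!/bin/sh
# Added example, not from the forum post or the OPNsense project: a pre-flight
# consistency check for the "Unbound (53) -> dnscrypt-proxy (127.0.0.1:5353)" chain.
# Real files: /var/unbound/etc/dnscrypt.conf and
# /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml. The samples below are constructed.

# First forward-addr of an Unbound fragment, printed as host:port.
unbound_forward_target() {
    awk '/^[[:space:]]*forward-addr:/ { sub(/@/, ":", $2); print $2; exit }' "$1"
}

# 0 if the fragment allows forwarding to loopback. Unbound's default is
# do-not-query-localhost: yes, which makes it skip 127.0.0.1 as an upstream.
unbound_allows_localhost() {
    grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no' "$1"
}

# Strip TOML list syntax: brackets (octal \133 \135), quotes, spaces, tabs.
toml_list_items() {
    sed 's/^[^=]*=//' | tr -d "\133\135'\" \t" | tr ',' '\n' | grep -v '^$'
}

# Every entry of listen_addresses = [...] in dnscrypt-proxy.toml, one per line.
dnscrypt_listen_addrs() {
    grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" | toml_list_items
}

# Number of entries in server_names = [...]; 0 when the list is empty or absent.
dnscrypt_server_count() {
    grep -E '^[[:space:]]*server_names[[:space:]]*=' "$1" | toml_list_items | grep -c .
}

# Exit codes: 0 ok, 1 no forward-addr, 2 loopback target but Unbound forbids it,
# 3 forward target is not a dnscrypt-proxy listen address, 4 no pinned servers.
check_chain() {
    fragment=$1
    toml=$2
    target=$(unbound_forward_target "$fragment")
    if [ -z "$target" ]; then
        echo "FAIL: no forward-addr in $fragment"
        return 1
    fi
    case $target in
        127.*|::1:*)
            if ! unbound_allows_localhost "$fragment"; then
                echo "FAIL: $target is loopback but do-not-query-localhost: no is missing in $fragment"
                return 2
            fi ;;
    esac
    if ! dnscrypt_listen_addrs "$toml" | grep -Fqx "$target"; then
        echo "FAIL: Unbound forwards to $target but dnscrypt-proxy listens on:" \
             "$(dnscrypt_listen_addrs "$toml" | tr '\n' ' ')"
        return 3
    fi
    if [ "$(dnscrypt_server_count "$toml")" -eq 0 ]; then
        echo "FAIL: server_names in $toml is empty or missing"
        return 4
    fi
    echo "OK: Unbound -> $target -> dnscrypt-proxy ($(dnscrypt_server_count "$toml") pinned server(s))"
    return 0
}

SAMPLES=$(mktemp -d)
# Constructed sample: the fragment from the post.
cat > "$SAMPLES/dnscrypt.conf" <<'EOF'
server:
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353
EOF
# Constructed sample: the same fragment with the localhost setting dropped.
cat > "$SAMPLES/noloop.conf" <<'EOF'
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353
EOF
# Constructed sample: a TOML that matches the fragment.
cat > "$SAMPLES/good.toml" <<'EOF'
listen_addresses = ['127.0.0.1:5353']
server_names = ['cloudflare', 'quad9-dnscrypt-ip4-filter-pri']
EOF
# Constructed sample: the shape a regenerated TOML can take, listener back on
# port 53 and the pinned server list gone.
cat > "$SAMPLES/regenerated.toml" <<'EOF'
listen_addresses = ['127.0.0.1:53', '[::1]:53']
server_names = []
EOF

check_chain "$SAMPLES/dnscrypt.conf" "$SAMPLES/good.toml"
check_chain "$SAMPLES/dnscrypt.conf" "$SAMPLES/regenerated.toml" || true
check_chain "$SAMPLES/noloop.conf" "$SAMPLES/good.toml" || true
```

Run it on the real paths after every firmware or plugin update and before `configctl unbound reconfigure`; a non-zero exit tells you which of the two files the upgrade touched, which is cheaper than waiting for clients to report SERVFAIL.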