Help with DNS configuration - OPNsense + pi-hole (unbound)

Started by New_User, December 06, 2024, 10:46:51 PM

Admin - please feel free to move this thread to General Discussion (which may be a more appropriate place for it)
***

Hi all,

I need some help with my DNS configuration.

It seems that while I was busy configuring a new VLAN + VPN connection, I accidentally broke something... Given the many changes I've made during the process, I think it would be a good idea to review my main settings before we dig any deeper :)

My setup is as follows:

1) OPNsense (24.7.10_2) acts as DHCP server
2) Pi-hole@Raspberry-pi runs as a DNS server (unbound)
3) I have several VLANs (one of them uses an external DNS server, the rest use pi-hole)

My settings are:

1) My pi-hole set as the first DNS server on the list under System → Settings → General (Networking) with no gateway. As a backup I have a few external DNS servers (quad9) on the list.

* I forced it not to jump between DNS servers on the list, by adding a conf file in usr/local/etc/dnsmasq.conf.d with the following text:

# add-mac: include the requesting client's MAC address in the upstream query (EDNS0 option)
add-mac
# add-subnet=32: include the client's full IPv4 address as an EDNS Client Subnet option
add-subnet=32
# strict-order: query the upstream servers in the order listed instead of the fastest one
strict-order

* Btw, IMHO, it should be the default option, unless a user explicitly selects (opt-in) that he wants it to ignore the order of the list. But it is another topic.

2) Unbound is disabled on OPNsense

3) DNSmasq is enabled on OPNsense (port 53)

* p.s. I enabled it on all the interfaces, LANs, VLANs and WANs, but frankly, I'm not sure that this is the right thing to do given my setup.

4) I set a specific DNS server under Services → ISC DHCPv4 (DNS servers) only for one VLAN. Clients on other VLANs should use the system's default DNS server – pi-hole (and if it's down, then one of the backup options: quad9 etc.)

5) Relevant firewall rules:
     i) All the clients are allowed to send DNS requests to pi-hole.
     ii) I have FW rules for all the interfaces that are supposed to intercept all DNS requests (port 53 only) going outside my local network and forward them to 127.0.0.1 (save for the VLAN with an external DNS and save for the pi-hole itself).

* * * * *
1) Before we dig any deeper, is there any flaw in the above configuration?

2) Is there anything special I need to pay attention to, like a must-have setting/FW rule?

Many thanks in advance!
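As an added example (not code from the thread or from OPNsense), here is a small Python model of firewall rules i) and ii) from the post above, so the two exemptions and the port-53-only scope can be checked offline before touching the live rule set. The pi-hole address, the local network range and the VLAN names are constructed placeholders, not the poster's values.

```python
# Added example: offline model of the DNS firewall rules described in the post.
# All addresses and interface names below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PIHOLE = ip_address("10.10.1.53")             # constructed pi-hole address
LOCAL_NETS = [ip_network("10.10.0.0/16")]     # constructed "local network"
EXTERNAL_DNS_VLAN = "vlan30"                  # the VLAN that keeps an external resolver
REDIRECT_TARGET = ("127.0.0.1", 53)           # OPNsense dnsmasq, as in the post


@dataclass(frozen=True)
class Packet:
    iface: str     # interface the packet arrives on
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # destination port
    proto: str = "udp"


def is_local(addr: str) -> bool:
    """True if the address falls inside one of the configured local networks."""
    return any(ip_address(addr) in net for net in LOCAL_NETS)


def decide(pkt: Packet) -> str:
    """Return 'allow', 'redirect' or 'pass-through' for a packet under rules i) and ii)."""
    # rule i): every client may query pi-hole directly
    if ip_address(pkt.dst) == PIHOLE and pkt.dport == 53:
        return "allow"
    # rule ii): port-53 traffic leaving the local network is redirected to 127.0.0.1,
    # except on the external-DNS VLAN and except for pi-hole's own upstream queries
    outbound = not is_local(pkt.dst)
    exempt = pkt.iface == EXTERNAL_DNS_VLAN or ip_address(pkt.src) == PIHOLE
    if outbound and pkt.dport == 53 and not exempt:
        return "redirect"
    # anything else is not matched by rule ii) at all; note that this includes
    # encrypted DNS (DoT on 853, DoH on 443), which a port-53-only rule never sees
    return "pass-through"


def uncovered(packets: list[Packet]) -> list[Packet]:
    """List outbound DNS-looking packets (ports 53, 853) that the rules do not redirect."""
    return [p for p in packets
            if not is_local(p.dst) and p.dport in (53, 853) and decide(p) != "redirect"]
```

Running `uncovered()` over a few sample packets makes the pi-hole exemption and the DoT gap visible without having to reproduce them on the real network.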

Unbound not good enough to run on OPNsense but good enough for pi-hole, while dnsmasq not enough on the pi-hole so it needs to be added to OPNsense?

Set pi-hole as DNS server on your VLANs and forward pi-hole to OPNsense unbound.

Since you're asking, the flaw is pi-hole, whether current stable or "future and upcoming for more than a year" stable. AGH would be a much better option to look into whether on the FW or on a different machine/container.

Why pi-hole + OPNsense?

Opnsense + Plugin (Adguard) will do the same job on one server.
VMW / PMX / PFS / OPS