Unbound DNS not being utilized

Started by opnsense1, October 04, 2025, 04:03:22 PM

October 05, 2025, 11:37:23 PM #15 Last Edit: October 06, 2025, 12:15:49 AM by opnsense1
Quote from: marunjar on October 05, 2025, 09:50:01 AM
Unbound is a DNS resolver and doesn't need any upstream DNS.
See https://docs.opnsense.org/manual/unbound.html; you can even find something about query forwarding and DNS over TLS there.

System > Settings > General is a little different, see https://docs.opnsense.org/manual/settingsmenu.html#general

If you chose mullvad instead of unbound this is totally fine, but as you found out it will bypass unbound depending on your settings.
To use Unbound you don't need any DNS server in general settings, just uncheck `Allow DNS server list to be overridden by DHCP/PPP on WAN` and uncheck `Do not use the local DNS service as a nameserver for this system`, that's it basically.
Or, if you prefer, check `Do not use the local DNS service as a nameserver for this system` and add 127.0.0.1 to the servers explicitly.

Query forwarding or DoT should then be configured under services > unbound itself IMO.
Hello, both of those settings have already been disabled, as shown in my long list of settings (#'s 4 and 5). DISABLED means unchecked. So I guess my upstream provider isn't even being used, which I might reconsider since I like the multiple layers of blocking.

And that must not be related to my issue then.

@marunjar actually 127.0.0.1 is not a valid option for my DNS servers. It errors: You can not assign a gateway to DNS server "127.0.0.1" which is on a directly connected network. So that solution would not work even if that was the issue unfortunately.

I tried removing any DNS servers from Settings: General, since the IP address you said to use was invalid, and I now have DNS leaks where my IP address is revealed through DNS, because it is resolving queries on its own, I assume.

So to use Unbound as my local DNS resolver and Mullvad DNS as my upstream provider (to not have DNS leaks), you are saying that I should configure DNS over TLS in Unbound settings rather than Settings: General? I can give that a shot but I just want to make sure I am understanding you correctly.

@marunjar there is a known bug where you cannot have a Wireguard VPN setup and use Unbound DNS without DNS leaks: https://github.com/opnsense/core/issues/7679

Thankfully I found that to save myself further headaches.
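
Editor's added example (not from the thread or from OPNsense): the setup marunjar describes, written as a plain unbound.conf fragment so the two halves of the advice are visible side by side. Nothing in System > Settings > General appears here at all; that page only decides which resolver the firewall itself uses, and with both boxes unchecked that resolver is the local Unbound. The upstream provider belongs in Unbound's own forward zone, and the Mullvad address and TLS name below are assumptions, to be checked against Mullvad's current documentation before use. On OPNsense the GUI generates this file, so hand edits are overwritten; the Unbound documentation page quoted above describes the corresponding query forwarding and DNS over TLS settings.

```conf
# Added example: Unbound as the local recursive resolver that forwards every
# query it cannot answer from cache over TLS (port 853) to Mullvad, so the
# firewall's own WAN address never reaches authoritative servers directly.
server:
    # CA bundle used to validate the upstream certificate. Path is the
    # FreeBSD default and is an assumption for other systems.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    # "." forwards everything; with no forward-first, Unbound never falls
    # back to recursing on its own when the forwarder is unreachable,
    # which is what produces the "resolving queries on its own" leak.
    name: "."
    forward-tls-upstream: yes
    # Address and authentication name are assumptions; verify with Mullvad.
    # The name after '#' is what Unbound checks in the server certificate.
    forward-addr: 194.242.2.2@853#dns.mullvad.net
```

Two checks confirm the intended path end to end. `cat /etc/resolv.conf` on the firewall should list `127.0.0.1` (or `::1`), showing that the general settings leave the box itself on Unbound, and `unbound-control list_forwards` should print the `.` zone with the TLS forwarder above and nothing else. If the forward zone is missing, Unbound is recursing directly from the WAN, which is exactly the leak described in the thread; a `dig @127.0.0.1 example.com` from a LAN client then still succeeds, so a successful lookup alone proves nothing about where the query went.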