Dear colleagues,

OPNsense is a great and exciting product, millions of thanks for this great work! Being a nonprofit, we appreciate the availability of the free product with this kind of functionality, comparable to industry leaders.

However, we have a simple (maybe basic) question. What we need is to get our firewall to become a primary DNS server for some 2-3 domains for our projects. Yes, we have the bind910 package installed. But what is the correct approach to achieve the goal?

Now we have DNS Forwarder in operation. Is it really dnsmasq, as I guess?

What exactly is used as DNS Resolver: is it BIND itself, or something else?

What is the correct way to achieve the following setup:

1) a completely independent DNS server (BIND) working as a service on the WAN interface and serving as primary for our zones,

2) external (via WAN) queries for x.mydomain.org are resolved into visible official A records,

3) internal (via LAN) queries for x.mydomain.com are resolved into RFC 1918 A records with IPs from a "grey", corporate range like 10.whatever

If anyone from the team gives some suggestions about "what is OPNsense policy for this", I'd write a brief HOWTO on this for the community.

Thanks in advance!
WBR, Andrii

Hi Andrii,

DNS Forwarder is dnsmasq, DNS Resolver is unbound. Bind is installed too, but is only used in the GUI for RFC 2136 Dynamic DNS.

You can configure Bind manually like you would in a normal FreeBSD installation. https://forums.freebsd.org/threads/guide-bind-9-10-install-on-freebsd-10.45716/

You should see if unbound can do what you want (which it probably can) and go from there. It's likely that we can provide docs for unbound/dnsmasq, but not for bind.
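Illustrating the split-horizon setup Andrii asks for (items 1 to 3) on a manually configured BIND of the kind Franco points to, here is an added example that is not part of the thread and not OPNsense's own configuration. It uses two BIND views: LAN clients match the "internal" view and receive RFC 1918 answers, everyone else falls through to the "external" view and receives the public addresses. Every name, address and path is a constructed placeholder: example.org, 203.0.113.0/24 (a documentation range) as the public side, 10.10.0.0/16 as the LAN, and the /usr/local/etc/namedb layout of the FreeBSD port, which should be checked against the installed package.

```conf
// ---- file: /usr/local/etc/namedb/named.conf (constructed example) ----

acl "lan"         { 10.10.0.0/16; 127.0.0.0/8; };
acl "secondaries" { 203.0.113.53; };   // hypothetical secondary allowed to AXFR

options {
    directory "/usr/local/etc/namedb/working";
    pid-file  "/var/run/named/pid";
    // WAN, LAN and loopback addresses; nothing else on this box may hold port 53 here
    listen-on { 203.0.113.1; 10.10.0.1; 127.0.0.1; };
    recursion no;                  // authoritative only: never an open resolver on WAN
    allow-query { any; };
    allow-transfer { none; };      // default deny; the external zone opens it below
    version "not disclosed";
};

// Views are matched in order; the first match-clients hit wins, so the LAN
// view must come before the catch-all external view.
view "internal" {
    match-clients { lan; };
    zone "example.org" {
        type master;
        file "/usr/local/etc/namedb/primary/example.org.internal";
    };
};

view "external" {
    match-clients { any; };
    zone "example.org" {
        type master;
        file "/usr/local/etc/namedb/primary/example.org.external";
        allow-transfer { secondaries; };   // only the listed secondary may copy the zone
    };
};

// ---- file: /usr/local/etc/namedb/primary/example.org.external ----
$TTL 3600
@     IN SOA ns1.example.org. hostmaster.example.org. (
          2024010101 ; serial (constructed)
          3600       ; refresh
          900        ; retry
          1209600    ; expire
          300 )      ; negative cache TTL
      IN NS  ns1.example.org.
ns1   IN A   203.0.113.1     ; public address of the firewall's WAN side
www   IN A   203.0.113.10    ; public address of a project host

// ---- file: /usr/local/etc/namedb/primary/example.org.internal ----
$TTL 3600
@     IN SOA ns1.example.org. hostmaster.example.org. (
          2024010101 ; keep serials in step with the external copy
          3600 900 1209600 300 )
      IN NS  ns1.example.org.
ns1   IN A   10.10.0.1       ; LAN address of the firewall
www   IN A   10.10.0.10      ; RFC 1918 address of the same project host
```

Enable the daemon with `named_enable="YES"` in /etc/rc.conf and start it with `service named start`, as on plain FreeBSD. Before starting, `named-checkconf -z` parses named.conf and loads every zone in every view, which catches a typo in either zone file; afterwards, `dig @10.10.0.1 www.example.org` from the LAN should return 10.10.0.10 while the same query against 203.0.113.1 from outside returns 203.0.113.10. The `listen-on` addresses must not overlap with those the GUI's DNS Forwarder (dnsmasq) or DNS Resolver (unbound) binds to, since only one process can own port 53 on a given address; and because `recursion no` is set, LAN clients still need the forwarder or resolver for names outside the hosted zones.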


Dear Franco,

thank you for the hint. Just one more question: in case I (maybe, who knows?) someday enable DynDNS in the GUI, will it clobber my DNS configuration, or not?

I took a brief look at the unbound docs; it seems to me that I'll be more comfortable with good old named (which I've been familiar with since 1993) and rc.conf :) That's just my personal bias, of course.


Hi Andrii,

Good question. It looks like each RFC 2136 entry has its own config so it should not clobber your own unless you start to add your own entries manually. named.conf and named are unaffected. :)

Although unbound was the replacement for bind in FreeBSD, this was largely due to many security advisories being registered for bind, so it was decided to replace it. In OPNsense we have bind in the ports tree, so you get the latest security updates anyway, and it's unlikely to be removed. It may also be a plugin some day.

You should be OK with your choice of named and rc.conf. If not, let me know. :)
