Unbound behavior in General

Started by mfpck, August 08, 2021, 05:39:05 PM

Hello,

Imho, I am trying to understand the default behavior of Unbound on a default installation of Opnsense, to decide which setup is recommended for my needs.

Unfortunately I was not able to find an equivalent documentation entry for Opnsense. pfSense doc snippet:
Quote:
By default, the DNS Resolver queries the root DNS servers directly and does not use DNS servers configured under System > General Setup or those obtained automatically from a dynamic WAN. This behavior may be changed, however, using the DNS Query Forwarding option. By contacting the roots directly by default, it eliminates many issues typically encountered by users with incorrect local DNS configurations, and the DNS results are more trustworthy and verifiable with Domain Name System Security Extensions (DNSSEC).

Is it the same on Opnsense?
Which would mean, from a DHCP client's perspective, that the client gets the Opnsense IP as its DNS server and Opnsense queries the root DNS servers directly?

If so, it means that the entries under System: Settings: General are ignored and will never be used unless I activate the DNS Query Forwarding option (Enable Forwarding Mode = true), e.g. if I want to use Quad9 there?

Further, I am pretty curious about the DNS behavior if I start using Unbound DNS: DNS over TLS. Does this overrule all other DNS-related settings, and if so, in which way?

Thanks and Best !

Yeah, behaviour is the same -- Unbound is a resolver by nature, whether running on pfsense or opnsense (or any other OS). It won't "forward" unless you tell it to.

Quote from: mfpck on August 08, 2021, 05:39:05 PM
Further, I am pretty curious about the DNS behavior if I start using Unbound DNS: DNS over TLS. Does this overrule all other DNS-related settings, and if so, in which way?
Yes - In my (limited but existing) experience, DNS over TLS mode turns unbound into a forwarder (via DNS-over-TLS) and causes it to ignore the other settings.
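As an added illustration of the two modes discussed in this thread (this is not configuration from the forum posts, and it is not the unbound.conf that the OPNsense GUI generates for you), the relevant Unbound directives for "resolver" and "forwarder over DNS-over-TLS" are shown side by side. The Quad9 addresses and TLS authentication name are Quad9's published ones; the LAN range and the file paths are assumptions that differ per system.

```conf
# Added example, not taken from the thread or from OPNsense's generated config.

# Mode 1: Unbound's default resolver behaviour. Because no forward-zone is
# present, Unbound walks the DNS hierarchy itself starting at the root servers
# and never consults the "System: Settings: General" DNS server entries.
server:
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow                 # LAN range: assumption
    auto-trust-anchor-file: "/var/unbound/root.key"     # DNSSEC root trust anchor; path is an assumption
    # Needed for Mode 2: without a CA bundle the "#name" on each forward-addr
    # is not verified, so a hijacked upstream could present any certificate.
    tls-cert-bundle: "/etc/ssl/cert.pem"                 # path is an assumption (FreeBSD default)

# Mode 2: what "Enable Forwarding Mode" / DNS over TLS amounts to. Unbound stops
# recursing to the roots and sends every query for "." to these upstreams over
# TLS on port 853. Remove this block to return to Mode 1.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

To confirm which mode a running instance is actually in, `unbound-control forward` prints the active upstream list, or `off` when Unbound is recursing to the roots itself. Note that forwarding does not switch off DNSSEC: with the trust anchor configured, Unbound still validates the signatures in answers it receives from the forwarder, so a forwarder that strips or forges records yields SERVFAIL rather than a silently accepted answer.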