Using OPNsense as a HA proxy for port 53 UDP traffic to internal DNS resolvers

Started by gctwnl, May 04, 2025, 11:52:53 PM

I want to use my OPNsense router as a proxy for two internal DNS resolvers. Preferably, I want a HA-setup where on the OPNsense a proxy runs that tests if my two internal DNS-es are alive and routes the UDP port 53 to an alive one. That way, I can let the DHCP of the OPNsense router hand out the OPNsense router's IP address as DNS to the DHCP clients.

Reason: I run two internal DNS resolvers. Currently, the DHCP on OPNsense hands out both to clients. It turns out I have many clients that will stick to the one they select first (especially iOS/macOS devices, but it may be the same for others). Recently, I have had availability issues on both where one failed because a switch in front of it had trouble, and the other failed because it had an ethernet hardware issue. Not at the same time, but that doesn't matter, because when a client had settled on one, it would stubbornly keep trying that one, not switching to the other one. I think that is a problem with macOS/iOS, but as this is what I have to deal with (good luck in getting Apple to fix anything), I want my setup to be robust under the scenario that one of my internal DNS resolvers is unavailable.

I accept that makes the OPNsense into a SPOF, but if the router is down, not much will work anyway.

What is the best way to do this on an OPNsense business edition?

https://9to5mac.com/2025/05/03/understanding-how-apple-devices-decide-which-wi-fi-network-to-auto-join/

For haproxy, I imagine you can. I would create the two real servers, a pool with them, and bind on OPN on a new loopback vip.
I'd then play with binding to a front end too if necessary.
Then OPN would have to be dishing that vip out via DHCP.
haproxy plugin has already the ability to check the health in the backend pools settings.