Unbound DNS not being utilized

Started by opnsense1, October 04, 2025, 04:03:22 PM

October 04, 2025, 04:03:22 PM Last Edit: October 04, 2025, 04:21:03 PM by opnsense1
Hello, it appears that my Unbound DNS is only being used by the router and not being used by my devices. Looking at `Reporting > Unbound DNS`, the top passed domains are:
1. 3.opnsense.pool.ntp.org. - 5248 (12.13%)
2. 1.opnsense.pool.ntp.org. - 5234 (12.10%)
3. 0.opnsense.pool.ntp.org. - 5225 (12.08%)
4. 3.opnsense.pool.ntp.org.localdomain. - 5221 (12.07%)
5. 2.opnsense.pool.ntp.org. - 5219 (12.06%)
6. 1.opnsense.pool.ntp.org.localdomain. - 5186 (11.99%)
7. 0.opnsense.pool.ntp.org.localdomain. - 5185 (11.98%)
8. 2.opnsense.pool.ntp.org.localdomain. - 5169 (11.95%)
9. forum.opnsense.org. - 465 (1.07%)
10. forum.opnsense.org.localdomain. - 457 (1.06%)

In System > Settings > General I have my upstream DNS server configured. Unbound is enabled. I do have a wireguard VPN setup in Opnsense - is there a special configuration I have to do to get that to use Unbound? All of my troubleshooting has changed nothing. Also my devices are getting the correct DNS server advertised to them - they show my opnsense IP address as the DNS server in network settings and `nslookup` returns `Server: 127.0.0.53  Address: 127.0.0.53#53` so the devices appear to be correctly configured, it is just Opnsense that is not utilizing Unbound correctly.

Edit: Forgot to mention, I made sure that `Allow DNS server list to be overridden by DHCP/PPP on WAN` and `Do not use the local DNS service as a nameserver for this system` are *not* enabled.

Do you see a query if you start one from the command line, with nslookup or dig?

Browsers are often using DoH these days and are not using the DHCP-provided DNS server, so you would have to disable DoH in the browser. E.g. https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Deciso DEC740

October 04, 2025, 04:58:27 PM #2 Last Edit: October 04, 2025, 05:08:46 PM by opnsense1
Quote from: patient0 on October 04, 2025, 04:27:47 PM
Do you see a query if you start one from the command line, with nslookup or dig?

Browsers are often using DoH these days and are not using the DHCP-provided DNS server, so you would have to disable DoH in the browser. E.g. https://support.mozilla.org/en-US/kb/firefox-dns-over-https
Thank you for the reply, I have DNS over HTTPS disabled in Firefox. Looking at the "Top 10 client activity over the last hour" graph and clicking on the few dots that show up, I think the only requests that are showing up here are ones that I performed under Interfaces: Diagnostics: DNS Lookup in the Opnsense web UI. Trying a few more nslookups, they do not appear to be going into this graph despite the response signaling what I thought meant it was correctly configured based on the server address returned:
```
nslookup proton.me
Server:        127.0.0.53
Address:    127.0.0.53#53

Non-authoritative answer:
Name:    proton.me
Address: 185.70.42.45
```

So this would point to my devices not getting the correct DNS server? How do I correct that - on both my laptop and phone they are displaying the correct IP address for the DNS server under network settings and I also tried statically configuring them to use the DNS servers just in case, with no change.

Edit: I also recently tried going into VPN: WireGuard: Interfaces and enabling advanced settings so I could set the DNS server manually there to be my OPNsense IP, with no change. (Made sure to disable WireGuard, apply changes, re-enable WireGuard, apply changes after, as I know this was recommended when I was setting the VPN up.) I have also tried going into my external router's settings and changing the DNS setting from "ISP Default" (which I assumed in this case would read from OPNsense correctly, and preferred to leave it at this to prevent weird issues later if I forget that this was manually configured) to the local address as well. No change. And the fact that the devices are displaying the correct local IP address for their DNS server in network settings makes me less confident that this setting would have mattered anyway because, as far as I can tell, they are correctly being configured unless it is being intercepted by something.

Are you connecting the client to OPNsense using WireGuard, or does OPNsense use WG to connect to the internet? What operating system are you using?
Deciso DEC740

WireGuard is set up through OPNsense to route all internet traffic through my VPN service. Operating systems are Android and Linux.

Quote from: opnsense1 on October 04, 2025, 05:44:38 PM
Operating systems are Android and Linux.

Can you check on Linux which DNS server it really uses? 127.0.0.1 is just the local caching DNS (you would have to ask the internet for how to check, depending on your distro).
Deciso DEC740

I'm not sure what you mean; like I said, it lists the IP address of my OPNsense device as the DNS server in network settings, so is that what you mean? "IPv4 Primary Nameserver" in network settings is the IP address of my OPNsense device.

Or is this what you mean?
```
resolvectl status
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.86.1
       DNS Servers: 192.168.86.1
     Default Route: yes
```
Again though, that is the IP address of my Opnsense device. I do notice it has a DNSOverTLS flag, could that be an issue even though the traffic is seemingly still going to the correct IP? I have no idea where I would disable that for the OS but could look around if you think it is an issue.
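The question of which resolver the Linux client really uses is the crux of the exchange above: `nslookup` only ever reports the systemd-resolved stub at 127.0.0.53, so the real server and the DNS-over-TLS flag have to be read out of `resolvectl status`. The script below is an added example, not from the thread or from OPNsense: it parses that output per link and reports whether each link sends plain port-53 queries to the expected OPNsense address, which is the only kind of query Unbound's reporting will ever show. It assumes POSIX sh with awk, and the 192.168.86.1 address and the sample output are taken from the post above, with a second `wg0` link invented to show a failing case.

```shell
# Added example, not from the thread: find the resolver a systemd-resolved Linux
# client really uses (nslookup only shows the 127.0.0.53 stub). Assumes POSIX sh
# + awk; EXPECTED_DNS is the OPNsense LAN address from the thread (override via env).
EXPECTED_DNS="${EXPECTED_DNS:-192.168.86.1}"

# Constructed sample modelled on the output posted above; the wg0 link
# (10.10.10.1, DNS-over-TLS on) is invented to show a failing case.
SAMPLE='Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (wlp0s20f3)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.86.1
       DNS Servers: 192.168.86.1
     Default Route: yes

Link 3 (wg0)
    Current Scopes: DNS
         Protocols: -DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.10.10.1
       DNS Servers: 10.10.10.1
     Default Route: no'

# stdin: `resolvectl status` text. Output: one "link current_server dot" row per
# link; dot=on when that link's Protocols line carries +DNSOverTLS.
parse_resolvectl() {
    awk '
        function flush() { if (link != "") printf "%s %s %s\n", link, (cur == "" ? "none" : cur), dot }
        /^Link [0-9]+ \(/ { flush(); link = $3; gsub(/[()]/, "", link); cur = ""; dot = "off"; next }
        /^Global/         { flush(); link = ""; next }
        link != "" && /Current DNS Server:/          { cur = $NF }
        link != "" && /Protocols:/ && /\+DNSOverTLS/ { dot = "on" }
        END { flush() }
    '
}

# Exit 0 when every link that has a resolver sends plain port-53 queries to
# EXPECTED_DNS (the only queries Reporting > Unbound DNS will show); else exit 1.
check_resolvers() {
    parse_resolvectl | awk -v want="$EXPECTED_DNS" '
        BEGIN { bad = 0 }
        $2 == "none" { next }
        $2 != want { printf "%s: queries go to %s, not %s\n", $1, $2, want; bad = 1 }
        $3 == "on"  { printf "%s: DNS-over-TLS is on; the resolver must serve TLS on 853 for this link\n", $1; bad = 1 }
        END { exit bad }
    '
}
# Usage on the client: sh check-dns.sh --live
if [ "${1:-}" = "--live" ]; then
    resolvectl status | check_resolvers
fi
```

A link that reports the firewall address but with DNS-over-TLS on would still explain an empty Unbound graph, since Unbound only listens on port 53 unless configured otherwise.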

So I tried to break things to see what setting actually matters by putting a local IP address in that is not in use.
1. Setting the DNS server manually on my VPN on a device that is excluded from the whole network VPN. Websites still resolve.
2. Enabling DNS over HTTPS in Firefox and setting the IP manually there. Websites still resolve.
3. In system Network Settings for my ethernet connection - here, websites finally stop resolving. The only issue is that the value here was again, the IP address of my Opnsense device so when I return it to that IP address, websites resolve again but are still bypassing Unbound DNS. (Nothing is being added to the graph when I search for things)

It definitely seems to me by this that it is an issue in Opnsense rather than a device config issue. But I've combed over the settings and cannot figure out what it would be 🤔

Here are all of the settings I can find that I imagine would have potential to cause issues - I am not a networking expert so I don't know what all of them do but I understand the basics of DNS so here is the format:

#. [LOCATION SETTING IS FOUND] - [SETTING NAME] - [SETTING VALUE]
#a. [SETTING HELP DESCRIPTION, IF APPLICABLE]
#b. [ADDITIONAL COMMENTS RELATED TO SETTING]

1. System: Settings: Administration - Disable DNS Rebinding Checks - ENABLED
1a. When this is unchecked, your system is protected against DNS Rebinding attacks. This blocks private IP responses from your configured DNS servers. Check this box to disable this protection if it interferes with web GUI access or name resolution in your environment.
1b. I believe this is disabled by default. I read that this should be enabled to allow for local addresses to be resolved in DNS. May or may not be true for my case - the whole thing that got me into this mess and made me realize Unbound is being bypassed is that I need to create a local DNS record and it wasn't working. I initially thought it was because I wasn't configuring it correctly but if Unbound is being skipped, all of the settings in it are moot so plugging the bypass is step 1.

2. System: Settings: General - DNS servers - DNS Server: 100.64.0.7 Use gateway: OPT1 (My VPN gateway)
2a. Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS services and for PPTP VPN clients. In addition, optionally select the gateway for each DNS server. When using multiple WAN connections there should be at least one unique DNS server per gateway.
2b. I believe this is the upstream DNS server that Unbound uses so it is the Mullvad DNS server IP address of my choice.

3. System: Settings: General - DNS search domain - BLANK
3a. Enter additional domains to add to the local list of search domains. Use "." to disable passing any other automatic search domain for resolving.

4. System: Settings: General - Allow DNS server list to be overridden by DHCP/PPP on WAN - DISABLED
4a. If this option is set, DNS servers assigned by a DHCP/PPP server on WAN will be used for their own purposes (including the DNS services). However, they will not be assigned to DHCP clients. Since this option concerns all interfaces retrieving dynamic dns entries, you can exclude items from the list below.
4b. I read this should be disabled, again for Unbound DNS to work.

5. System: Settings: General - Do not use the local DNS service as a nameserver for this system - DISABLED
5a. By default localhost (127.0.0.1) will be used as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers.
5b. I read this should be disabled, again for Unbound DNS to work.

6. Interfaces: [WAN] - Block private networks - ENABLED
6a. When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 as well as loopback, link-local and Carrier-grade NAT addresses. This option should only be set for WAN interfaces that use the public IP address space.

7. Interfaces: [WAN] - Block bogon networks - ENABLED
7a. When set, this option blocks traffic from IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA. Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive.

8. Interfaces: [WAN] - IPv4 Configuration Type - DHCP

9. Interfaces: [WAN] - IPv6 Configuration Type - DHCPv6
9b. Should this be disabled if my Wireguard VPN doesn't support IPv6?

10. Interfaces: [WAN_VPN_Default] - Block private networks - DISABLED
10a. When set, this option blocks traffic from IP addresses that are reserved for private networks as per RFC 1918 as well as loopback, link-local and Carrier-grade NAT addresses. This option should only be set for WAN interfaces that use the public IP address space.

11. Interfaces: [WAN_VPN_Default] - Block bogon networks - DISABLED
11a. When set, this option blocks traffic from IP addresses that are reserved (but not RFC 1918) or not yet assigned by IANA. Bogons are prefixes that should never appear in the Internet routing table, and obviously should not appear as the source address in any packets you receive.

12. Interfaces: [WAN_VPN_Default] - IPv4 Configuration Type - None

13. Interfaces: [WAN_VPN_Default] - IPv6 Configuration Type - None

14. VPN: WireGuard: Instances: VPN-Default - DNS servers - [Opnsense IP address]
14a. Set specific DNS servers for this instance. Use with care.

15. VPN: WireGuard: Peers: Default-Peer - Allowed IPs - 0.0.0.0/0
15a. List of networks allowed to pass through the tunnel adapter. Use CIDR notation like 10.0.0.0/24.

16. Services: ISC DHCPv4: [LAN] - DNS servers - BLANK
16a. Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers.
16b. Based on the description, assumed supposed to be left blank so as not to manually set DNS in too many places and automatically use Unbound DNS.

AHAAAA THIS WAS IT! Setting it to the Opnsense IP address made traffic start coming through Unbound >.<

October 05, 2025, 07:47:14 AM #10 Last Edit: October 05, 2025, 08:11:00 AM by opnsense1
Alright, I jumped the gun... it fixed it for my one device that is excluded from the whole router VPN and has its own VPN client that I manually configured to use the local IP address. Every other device is still bypassing Unbound DNS it seems. Back to square one because they are configured manually to use Opnsense's IP for DNS even though DHCP should and seemingly does correctly advertise it, just in case.

Went through the same process of controlled breaking on my laptop by setting a useless IP address in different locations one by one and reversing between each step:
1. Not applicable - device is using whole router VPN rather than own client.
2. Enabling DNS over HTTPS in Firefox and setting the IP manually there. Websites still resolve.
3. In system Network Settings for my WiFi connection - here, websites stop resolving. The only issue is that the value here was again, the IP address of my Opnsense device so when I return it to that IP address, websites resolve again but are still bypassing Unbound DNS. (Nothing is being added to the graph when I search for things)

Seems like there is still a config issue in Opnsense... Even though as per setting 14, I am manually setting the local IP address for Wireguard. Also the `nslookup` and `resolvectl status` commands return identical results on the working device and a non working device.

Even if I do try to enable the same VPN client on one of these devices, resulting in a double VPN situation I imagine but for testing purposes, and set it to use my private IP address for DNS, they do not go through Unbound.

My intuition here would tell me that maybe the IPv4 Configuration Type set to None in Interfaces: [WAN_VPN_Default] would be the issue here since changing a DHCP setting fixed it for the one device going through regular WAN, however I am given the error that I `Cannot assign an IP configuration type to a tunnel interface.` when I try setting it to DHCP :/

Quote from: opnsense1 on October 04, 2025, 04:03:22 PM
In System > Settings > General I have my upstream DNS server configured

This may be the cause of your problem.
Why do you set any DNS servers if you want Unbound to be used?

Having set `Do not use the local DNS service as a nameserver for this system` is fine, but as long as you want Unbound (aka the local DNS service) to be used you have to add 127.0.0.1 explicitly as your DNS server then.

If you wanna force all DNS requests to your firewall, even if a client wants to use something else, you may think about using NAT:
https://forum.opnsense.org/index.php?topic=9245.0

Referring back to https://docs.opnsense.org/manual/how-tos/wireguard-client.html

They say, "Peers can be generated using the new peer generator feature under VPN ‣ WireGuard ‣ Peer generator. If using the peer generator and require Unbound DNS to serve names, fill the DNS server with the tunnel address (eg 10.10.10.1 )."

I attempted this because there is no DNS section for a peer and it seems that the generator simply puts the DNS address you specify into the "Allowed IPs" field of a peer. My VPN already has me specify 0.0.0.0/0 which I believe includes every possible IP address from CIDR notation so this has no effect in my situation.

October 05, 2025, 08:49:24 AM #13 Last Edit: October 05, 2025, 09:25:03 AM by opnsense1
Quote from: marunjar on October 05, 2025, 08:46:04 AM
Quote from: opnsense1 on October 04, 2025, 04:03:22 PM
In System > Settings > General I have my upstream DNS server configured

This may be the cause of your problem.
Why do you set any DNS servers if you want Unbound to be used?

Having set `Do not use the local DNS service as a nameserver for this system` is fine, but as long as you want Unbound (aka the local DNS service) to be used you have to add 127.0.0.1 explicitly as your DNS server then.

If you wanna force all DNS requests to your firewall, even if a client wants to use something else, you may think about using NAT:
https://forum.opnsense.org/index.php?topic=9245.0
As far as I understand it, Unbound needs an upstream DNS server to get records from. Then it caches the results it gets and future lookups that it already has cached are served from Unbound instead of querying the upstream provider.

Edit: I see that you can choose to not do this. I believe I chose this to benefit from multiple layers of Ad/Tracker blocking. The upstream provider I chose has their own list of Ad and tracker records to block and I'm not concerned with Mullvad seeing the first time I request something. I use them as one of my VPN providers anyways so I inherently have to trust them. I have ad and tracker block lists setup with uBlock as well in my browser so I haven't actually seen a request come through yet that was blocked but I like having multiple layers in case one fails or isn't complete as another.

The one thing I would be concerned with that I hadn't thought of is whether these upstream requests need to be configured to use DNS over TLS or not. My assumption for my use case was no, because every device should be routed through a VPN in my setup. I have the whole-router WireGuard VPN set up for all of my devices except one. The exception is my PC, which I use for gaming, so I like to swap VPN servers more frequently to reduce ping or change servers; it instead has a VPN client on it configured with a kill switch and "lockdown mode" where the VPN has to be connected to be able to reach the internet. I assumed this would protect my DNS lookups. Please let me know if this assumption is incorrect.

I can see that Unbound is working for the one device that it does work on because the "Source" for the records is listed as "Recursion" and "Cache" so the fact that it works in this case but not for my VPN makes me think that it is a different cause.

I will try the linked guide tomorrow though to see if it helps - thank you for the lead!

Unbound is a DNS resolver and doesn't need any upstream DNS.
See https://docs.opnsense.org/manual/unbound.html; you can even find something about query forwarding and DNS over TLS there.

System > Settings > General is a little different, see https://docs.opnsense.org/manual/settingsmenu.html#general

If you chose Mullvad instead of Unbound this is totally fine, but as you found out it will bypass Unbound depending on your settings.
To use Unbound you don't need any DNS server in general settings; just uncheck `Allow DNS server list to be overridden by DHCP/PPP on WAN` and uncheck `Do not use the local DNS service as a nameserver for this system`, that's it basically.
Or, if you prefer, check `Do not use the local DNS service as a nameserver for this system` and add 127.0.0.1 to the servers explicitly.

Query forwarding or DoT should then be configured under services > unbound itself IMO.