OPNsense with external DNS

Started by AndyTheRobot, Today at 04:40:52 PM

Hi, context:
  • OPNsense with DNSMasq for DHCP.
  • DNS provided by a different DNS server elsewhere on the lan (i.e. no DNS provided by OPNsense).

Seems like you need to setup DHCPOption 6 to specify the external DNS server (or, I'm missing something).
That's fine, but some unofficial information on the internet (e.g. this) suggests otherwise, while other unofficial information (e.g. this) suggests this may be a recent change.

The official docs imply this is not necessary, specifically here describing the General>Settings>DNS Servers list:

Quote: DNS Servers
A list of DNS servers, optionally with a gateway. These DNS servers are also used for the DHCP service, DNS services and for PPTP VPN clients. When using multiple WAN connections there should be at least one unique DNS server per gateway.

I don't exactly remember the setup wizard experience, but I'm pretty sure when you use it for this configuration you end up in a broken state (i.e., it asks you to specify a DNS server, it disables Unbound, it sets up DNSMasq for DHCP but not DNS, but doesn't set the DHCPOptions or otherwise configure DNSMasq to use the DNS). I don't know if that's intentional or what, either... if it is, it seems like something should prompt you to go and do the follow-up steps.

I'm new to OPNsense and the community, so I'm not sure what to do about this. I don't know if it's working as expected and the docs should be updated? Or if it's accidentally broken and OPNsense magic should be getting the DNS server list into DNSMasq for use?

If it's the docs, should I file a bug in the core github repo? Submit a PR for a docs change?

Thanks and Hi!

You can actually achieve that effect in one of (at least) three ways:

1. You use DHCP to advertise the DNS server IP to the clients. How you do that depends on the DHCP service you use (ISC, Kea or DNSmasq). This does not change which DNS server OPNsense itself uses - also, you would have to set that DNS server in statically configured clients.

2. You configure an OPNsense DNS server, advertise this via DHCP, but forward the requests to your internal DNS. Again, you could use Unbound, DNSmasq or other DNS servers for this. You can look up each in the official docs.

3. You advertise OPNsense as the DNS server, but divert DNS requests on port 53 via port forwarding to your internal DNS server. There is a thread in the tutorial section on how to do this, but read it to the end. Also see https://forum.opnsense.org/index.php?topic=42985.0, point 29.

As you see, there are many ways that lead to Rome. We are talking about a professional tool, not a consumer router here, so choose your poison.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
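Option 1 in the reply above boils down to DHCP option 6 (Domain Name Server, RFC 2132 section 3.8), which is what the original poster set by hand. The following is an added example, not code from this thread or from the OPNsense or Dnsmasq projects: it builds the equivalent dnsmasq.conf line, encodes the option as it appears on the wire in a DHCP OFFER/ACK, and parses the options area back so a defender can verify from a capture which resolver clients are actually being handed. The DHCP server address 192.0.2.53 and the sample options bytes are constructed for illustration; the dnsmasq syntax `dhcp-option=option:dns-server,...` is real, but how OPNsense's Dnsmasq GUI maps onto it is not assumed here.

```python
"""DHCP option 6 (Domain Name Server): dnsmasq config line, wire encoding, and a parser.

Added example; assumes RFC 2132 TLV layout for the DHCP options area
(after the 4-byte magic cookie) and dnsmasq's dhcp-option syntax.
"""
import ipaddress

OPTION_PAD = 0            # single-byte filler, no length field
OPTION_SUBNET_MASK = 1
OPTION_DNS_SERVER = 6     # RFC 2132 section 3.8, list of IPv4 addresses
OPTION_MSG_TYPE = 53
OPTION_END = 255          # terminates the options area


def dnsmasq_dns_option(servers):
    """dnsmasq.conf line that advertises `servers` to DHCP clients as option 6.

    Equivalent short form: dhcp-option=6,<addr>[,<addr>...]
    """
    addrs = [str(ipaddress.IPv4Address(s)) for s in servers]  # validates each address
    if not addrs:
        raise ValueError("at least one DNS server is required")
    return "dhcp-option=option:dns-server," + ",".join(addrs)


def encode_option6(servers):
    """Wire encoding: code byte, length byte, then 4 bytes per IPv4 address."""
    payload = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    if not payload:
        raise ValueError("option 6 must carry at least one address")
    if len(payload) > 255:
        raise ValueError("option 6 payload exceeds one-byte length field")
    return bytes([OPTION_DNS_SERVER, len(payload)]) + payload


def parse_options(blob):
    """Parse a DHCP options area into {code: value_bytes}, stopping at END.

    Rejects truncated headers and lengths that run past the buffer so a
    malformed option cannot be silently misread as a resolver address.
    """
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header for code %d" % code)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length %d runs past end of buffer" % (code, length))
        opts[code] = value
        i += 2 + length
    return opts


def dns_servers_from_options(blob):
    """Return the resolver list a client would take from option 6, or [] if absent."""
    raw = parse_options(blob).get(OPTION_DNS_SERVER)
    if raw is None:
        return []
    if len(raw) == 0 or len(raw) % 4 != 0:
        raise ValueError("option 6 must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


# Constructed sample: options area of a DHCPOFFER (type 2) carrying a /24 mask
# and a single internal resolver, as dnsmasq would emit with the line above.
SAMPLE_OFFER_OPTIONS = (
    bytes([OPTION_MSG_TYPE, 1, 2])
    + bytes([OPTION_SUBNET_MASK, 4, 255, 255, 255, 0])
    + encode_option6(["192.0.2.53"])
    + bytes([OPTION_END])
)


def demo():
    """Config line and the resolver list recovered from the constructed OFFER."""
    return dnsmasq_dns_option(["192.0.2.53"]), dns_servers_from_options(SAMPLE_OFFER_OPTIONS)


if __name__ == "__main__":
    line, resolvers = demo()
    print(line)
    print("clients would use:", resolvers)
```

If a capture of a DHCP ACK parses to an empty list here, the server is not advertising a resolver at all, which is exactly the "DHCP but not DNS" state the original post describes; clients then fall back to whatever they were last given or to nothing.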