Unbound + dnscrypt-proxy broken after upgrade (“No servers configured”, SERVFAIL)

Started by opnessense, Today at 02:16:14 AM

Hi all,

after upgrading to OPNsense 26.1 my Unbound + dnscrypt-proxy setup stopped working.

Before the upgrade:

- Unbound on OPNsense was configured to forward all queries to dnscrypt-proxy on localhost via a forward-zone in a custom file under /usr/local/etc/unbound.opnsense.d/.
- dnscrypt-proxy v2 was running on localhost, listening on a custom port, with a list of resolvers configured in dnscrypt-proxy.toml.
- Queries sent to Unbound were answered correctly (NOERROR), and dnscrypt-proxy validated DNSSEC as expected.

After upgrading to 26.1:

- dnscrypt-proxy no longer starts: service dnscrypt-proxy status → "not running". Log shows: [FATAL] No servers configured.
- In the active dnscrypt-proxy.toml I noticed that the server_names line had been changed to something like:

```text
server_names = ['dnscrypt.eu-nl dnscrypt.eu-dk mullvad-doh mullvad-dot quad9-doh-ip4-only']
```

i.e. multiple resolver names concatenated into a single string, which makes dnscrypt-proxy fail to load any server and emit the "No servers configured" error.

- Unbound is running, but returns SERVFAIL for external domains, since it forwards to dnscrypt-proxy on localhost, which is not actually running.

Temporary manual fixes that work only until reboot:

1. Manually fixing dnscrypt-proxy.toml:
   - Rewriting server_names as a proper list,
   - Making sure listen_addresses points to localhost on the chosen port, etc.
   After that, dnscrypt-proxy starts and answers queries on its local port.
2. Restoring the Unbound → dnscrypt forward:
   - Keeping a forward-zone pointing to dnscrypt-proxy in a custom file under /usr/local/etc/unbound.opnsense.d/,
   - Restarting Unbound so that queries go through dnscrypt-proxy again.

This works until the next reboot. After reboot:

- dnscrypt-proxy is again "not running",
- Unbound still forwards to it, so external queries result in SERVFAIL.

Questions

1. Is it expected that upgrading to OPNsense 26.1 modifies or resets dnscrypt-proxy.toml in a way that breaks server_names and causes [FATAL] No servers configured?
2. What is the recommended / supported way in 26.1 to:
   - keep a local dnscrypt-proxy v2 instance on OPNsense,
   - have Unbound forward all queries to it via forward-zone,
   - and ensure that:
     - dnscrypt-proxy.toml is not overwritten or broken on upgrades,
     - custom Unbound configuration under /usr/local/etc/unbound.opnsense.d/ is reliably loaded on boot and not ignored after upgrades?

If there is an updated best-practice example (or official doc) for a persistent Unbound + dnscrypt-proxy setup on 26.1, I'd really appreciate a pointer.

Thanks!
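The failure described in the post is easy to miss by eye: the server_names value is still syntactically valid TOML (a one-element list), so dnscrypt-proxy parses the file and then finds no resolver matching the fused name. The following is an added example, not code from the post, OPNsense or dnscrypt-proxy, that a practitioner could run after an upgrade or from a boot-time check to catch this state before Unbound starts returning SERVFAIL. It inspects only the server_names line with a regular expression (not a full TOML parser), flags elements that contain whitespace, and renders a repaired list. The sample TOML is constructed; the broken server_names line is the one quoted in the post, and the listen_addresses port 5353 is a placeholder for the "custom port" the post does not name.

```python
"""Sanity-check server_names in a dnscrypt-proxy.toml (added example).

Detects the post's failure mode: several resolver names collapsed into a
single quoted string, which is valid TOML but matches no resolver, so
dnscrypt-proxy logs "[FATAL] No servers configured" and exits.
"""
import re

# Constructed sample. The server_names line is the broken one from the post;
# the port in listen_addresses is a placeholder (the post does not state it).
BROKEN_TOML = """\
listen_addresses = ['127.0.0.1:5353']
server_names = ['dnscrypt.eu-nl dnscrypt.eu-dk mullvad-doh mullvad-dot quad9-doh-ip4-only']
"""

# Matches the whole server_names line; [ \t]* (not \s*) so the sub() below
# never swallows surrounding newlines.
_SERVER_NAMES_RE = re.compile(r"^[ \t]*server_names[ \t]*=[ \t]*\[(.*)\][ \t]*$", re.M)
# Single- or double-quoted TOML string elements inside the brackets.
_QUOTED_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def parse_server_names(toml_text):
    """Return the list of quoted elements in server_names, or None if absent."""
    m = _SERVER_NAMES_RE.search(toml_text)
    if not m:
        return None
    return [single or double for single, double in _QUOTED_RE.findall(m.group(1))]


def find_collapsed_names(names):
    """An element containing whitespace is several names fused into one."""
    return [n for n in names if re.search(r"\s", n)]


def repair_server_names(names):
    """Split fused elements on whitespace; keep order, drop duplicates."""
    out = []
    for n in names:
        for part in n.split():
            if part not in out:
                out.append(part)
    return out


def render_server_names(names):
    """Render a server_names line in the list form dnscrypt-proxy expects."""
    return "server_names = [" + ", ".join(f"'{n}'" for n in names) + "]"


def rewrite_server_names(toml_text):
    """Return toml_text with a repaired server_names line (unchanged if absent)."""
    names = parse_server_names(toml_text)
    if names is None:
        return toml_text
    fixed = repair_server_names(names)
    return _SERVER_NAMES_RE.sub(lambda _m: render_server_names(fixed), toml_text)


def check_report(toml_text):
    """Human-readable verdict, suitable for a cron or rc script's log."""
    names = parse_server_names(toml_text)
    if names is None:
        return "server_names: missing (dnscrypt-proxy would use its defaults)"
    bad = find_collapsed_names(names)
    if bad:
        return f"server_names: {len(bad)} fused element(s) found: {bad!r}"
    return f"server_names: ok, {len(names)} resolver(s)"


if __name__ == "__main__":
    print(check_report(BROKEN_TOML))
    print(rewrite_server_names(BROKEN_TOML))
```

Run against a real file with `rewrite_server_names(open(path).read())` and compare the result to the original before writing it back. A check like this does not answer the post's question of why the file is rewritten on upgrade; it only makes the resulting state visible, which is the useful part for a resolver that otherwise fails silently into SERVFAIL.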