HELP NEEDED: unbound doesn't resolve CNAME

Started by Kornelius777, February 08, 2026, 04:27:24 PM

Dear all,

Currently, I'm a bit lost:

Today, I have re-installed my firewall.
Now, if I do an nslookup:

root@OPNsense:~ # nslookup www.domain.tld
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find www.domain.tld: NXDOMAIN

However, if I dig:

root@OPNsense:~ # dig www.domain.tld

; <<>> DiG 9.20.16 <<>> www.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.domain.tld. IN A

;; ANSWER SECTION:
www.domain.tld. 7194 IN CNAME hss-oracle-1.lan.domain.tld.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Feb 08 16:18:06 CET 2026
;; MSG SIZE  rcvd: 72

What will I need to change so that the CNAME will be resolved?

Any help is appreciated!

Kind regards,

February 08, 2026, 09:23:21 PM #1 Last Edit: February 08, 2026, 09:25:09 PM by sstaible
Same here. I just upgraded to 26.1 and migrated DHCP from ISC to dnsmasq. While migrating my static host entries I added some alias and CNAME records. However, they don't resolve. They also don't show up in /usr/local/etc/dnsmasq.conf.
Not sure if this worked in 25.10 as I've not used dnsmasq before for DHCP.

DNSmasq has always given me issues. I only run unbound and it resolves everything on my network. For duplicates (like multiple names for a server), I just put an entry in Unbound/overrides.

Quote from: Kornelius777 on February 08, 2026, 04:27:24 PM
Today, I have re-installed my firewall.

What will I need to change so that the CNAME will be resolved?
Read the documentation carefully: https://docs.opnsense.org/manual/dnsmasq.html

HINT: Your Unbound probably does not know about DNSmasqd at this point!

Quote from: sstaible on February 08, 2026, 09:23:21 PM
While migrating my static host entries I added some alias and cname records. However they don't resolve.
Please also check the above :)

Quote from: LisaMT on February 08, 2026, 09:42:17 PM
DNSmasq has always given me issues. I only run unbound and it resolves everything on my network. For duplicates (like multiple names for a server), I just put an entry in Unbound/overrides.
NOFI but IMHO nothing but User Error probably :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
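
Added note with example code (not from the thread or from OPNsense): in the dig output quoted above, an NXDOMAIN together with a CNAME in the ANSWER section means the resolver followed the alias and it is the CNAME target, not the queried name, that it could not find. The script below parses such a reply, follows the chain and reports which locally forwarded zone the failing target belongs to; the sample reply is constructed from the thread, and the forward zone lan.domain.tld is an assumption.

```python
import re

# Constructed sample, modelled on the dig output quoted in the thread.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62041
;; QUESTION SECTION:
;www.domain.tld. IN A

;; ANSWER SECTION:
www.domain.tld. 7194 IN CNAME hss-oracle-1.lan.domain.tld.
"""
FORWARD_ZONES = ["lan.domain.tld"]  # assumption: the LAN zone forwarded to dnsmasq

def parse_dig(text):
    """Return (status, question, answers); answers are (owner, rtype, rdata)."""
    status, question, answers, in_answer = None, None, [], False
    for line in text.splitlines():
        m = re.search(r"status: (\w+)", line)
        if m:
            status = m.group(1)
        if line.startswith(";;"):             # section header or comment
            in_answer = line.startswith(";; ANSWER SECTION")
            continue
        if line.startswith(";"):              # question line: ";name. IN A"
            question = line[1:].split()[0]
            continue
        if in_answer and line.strip():        # owner ttl class type rdata
            parts = line.split()
            answers.append((parts[0], parts[3], parts[4]))
    return status, question, answers

def in_zone(name, zone):
    """True if name equals zone or lies below it (trailing dots ignored)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def diagnose(text, forward_zones):
    """Follow the CNAME chain: an NXDOMAIN applies to the last name in it."""
    status, question, answers = parse_dig(text)
    cnames = {o.lower(): t for o, rtype, t in answers if rtype == "CNAME"}
    name, seen = question or "", set()
    while name.lower() in cnames and name.lower() not in seen:  # loop-safe
        seen.add(name.lower())
        name = cnames[name.lower()]
    if status != "NXDOMAIN" or name == question:
        return None                           # not the CNAME-target case
    zone = next((z for z in forward_zones if in_zone(name, z)), None)
    return {"query": question, "unresolved": name, "forward_zone": zone}
```

If the reported forward zone is one Unbound is meant to hand to dnsmasq, the place to look is that forwarding (the "Unbound does not know about DNSmasqd" hint above), not the public name that was queried.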

Just to clarify things:

Unbound listens on port 53.
Queries to my local LAN will be forwarded to dnsmasq, port 53053.

However, this nslookup wasn't to my LAN.
This nslookup went onto the internet!

Therefore, I'm even more puzzled!


Quote from: sstaible on February 08, 2026, 09:23:21 PM
Same here. I just upgraded to 26.1 and migrated DHCP from ISC to dnsmasq. While migrating my static host entries I added some alias and cname records. However they don't resolve. They also don't show up in /usr/local/etc/dnsmasq.conf
Not sure if this worked in 25.10 as I've not used dnsmasq before for DHCP.

I was able to resolve my issues and learned a great deal about DHCP, mDNS and DNS on Windows:

If Windows does not know your domain suffix (e.g. 'mydomain.home') because you don't use DHCP but use a statically configured IP address and you are not adding the domain suffix in your network adapter DNS settings, then Windows tries to resolve DNS lookups that don't have a domain component over mDNS, e.g. 'ping webserver1' (it will add the .local suffix). This will only resolve names of machines that are seen by mDNS. It will not resolve any CNAMEs configured in DNS, e.g. 'ping www' will complain that the name cannot be resolved. However, if you run 'nslookup www', this will resolve, because nslookup is querying DNS. If you resolve names with a domain suffix (e.g. 'ping www.mydomain.home') then DNS will be used instead of mDNS and it will resolve.

If you use DHCP or add your domain suffix to the Windows DNS settings then all lookups are resolved over DNS.