Unbound DNS

Started by haim9080, April 05, 2026, 10:32:02 PM

Hello everyone, I have OPNsense at home running on a mini PC with an N100 and 16GB RAM. I set up Unbound DNS and put a domain in the allowlist, and I do a cache refresh and everything, but it doesn't work.
But if I make an exception for it, it works. How can I fix this?


https://jumpshare.com/s/5M6HGv9aVYS48Vw0vbFb

This is a frequent Unbound DNS issue on OPNsense where allowlists don't take effect immediately due to caching, CNAME redirects, or incomplete propagation after adding domains.

Check Reporting First
Go to Reporting > Unbound DNS > Overview or Details to spot the blocked domain (and any CNAME chain). Click it to whitelist directly—this auto-adds to Services > Unbound DNS > Blocklists > Allowlist Domains.

Use CLI on OPNsense: dig example.com @127.0.0.1 to trace resolutions and whitelist all linked domains.

Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.

Flush client DNS too (e.g., ipconfig /flushdns on Windows). Test again; exceptions working confirms the blocklist config is fine and it just needs a refresh.

Official Documentation
Full Unbound setup: [docs.opnsense.org/manual/unbound.html]

Reporting guide: [docs.opnsense.org/manual/reporting_unbound_dns.html]
Hardware: N5105 Intel Celeron
OPNsense | Home Lab | Linux & Home Automation
"Secure the network, automate the rest."

Today at 03:24:42 PM #2 Last Edit: Today at 06:37:53 PM by nero355
Quote from: haim9080 on April 05, 2026, 10:32:02 PM
How can I fix this?
Unbound is nice for the whole 'Query Root DNS Servers' thing, but for blocking domains I would rather use Pi-Hole than anything else to be honest :)

Maybe one day there will be some kind of OPNsense alternative for pfBlockerNG, but for now Pi-Hole + Unbound on a Raspberry Pi/Intel NUC/Proxmox CT or VM has my preference: https://docs.pi-hole.net/guides/dns/unbound/

/EDIT :
Quote from: Patrick M. Hausen on Today at 04:16:17 PM
AdGuard Home is available as a community plug-in and works very well. I prefer it over Pihole.
I know, but aside from disliking AdGuard since Day #1 the reason to not use it on OPNsense is because I like to keep my Router/Firewall as clean and simple as possible and something like that does not belong there IMHO :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on Today at 03:24:42 PM
Maybe one day there will be some kind of OPNsense alternative

AdGuard Home is available as a community plug-in and works very well. I prefer it over Pihole.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: (MARLOO) on Today at 03:45:17 AM
Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.

It should be sufficient to just clear the specific entry:
unbound-control -c /var/unbound/unbound.conf flush_zone example.com
But I'd also recommend running a dedicated solution for this. I run AdGuard Home in a DietPi LXC container and it uses my OPNsense Unbound as upstream DNS.
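The advice above (trace the CNAME chain with dig, allowlist every linked name, then flush the specific entries with unbound-control) can be scripted. This is an added example, not code from the thread or from OPNsense; it assumes the /var/unbound/unbound.conf path quoted above and parses dig's answer section, using a constructed sample so it runs offline.

```shell
#!/bin/sh
# Walk a dig answer section and list every name in the CNAME chain, so each one
# can be added to Services > Unbound DNS > Blocklists > Allowlist Domains and
# flushed from the cache. Assumes the OPNsense Unbound config path from the thread.

UNBOUND_CONF="/var/unbound/unbound.conf"

# cname_chain: reads dig output on stdin, prints each owner name and each
# CNAME target in answer order, trailing dots removed, duplicates dropped.
cname_chain() {
    awk '
        # Answer records look like: name. TTL IN TYPE rdata
        $1 !~ /^;/ && NF >= 5 && $3 == "IN" {
            if ($4 == "CNAME") { emit($1); emit($5) }
            else if ($4 == "A" || $4 == "AAAA") { emit($1) }
        }
        function emit(n) { sub(/\.$/, "", n); if (!seen[n]++) print n }
    '
}

# flush_commands: prints (does not run) the unbound-control flush for each
# name in the chain, so the operator can review before touching the cache.
flush_commands() {
    cname_chain | while IFS= read -r name; do
        printf 'unbound-control -c %s flush_zone %s\n' "$UNBOUND_CONF" "$name"
    done
}

# Constructed sample dig output (not from a real lookup), for offline testing.
SAMPLE_DIG=';; ANSWER SECTION:
cdn.example.com.        300     IN      CNAME   edge.example-cdn.net.
edge.example-cdn.net.   60      IN      CNAME   lb.example-cdn.net.
lb.example-cdn.net.     60      IN      A       203.0.113.10'

# Against the live resolver you would pipe:  dig cdn.example.com @127.0.0.1 | flush_commands
printf '%s\n' "$SAMPLE_DIG" | flush_commands
```

Every name the script prints is one you need in the allowlist, not just the domain you typed; the printed commands can then be run once the allowlist is saved.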