Unbound DNS

Started by haim9080, April 05, 2026, 10:32:02 PM

Hello everyone, I have OPNsense at home running on a mini PC with an N100 and 16GB RAM. Now I set up Unbound DNS and put a domain in the allowlist, and I did a cache refresh and everything, but it doesn't work.
But if I make an exception for it, it works. How can I fix this?


https://jumpshare.com/s/5M6HGv9aVYS48Vw0vbFb

This is a frequent Unbound DNS issue on OPNsense where allowlists don't take effect immediately due to caching, CNAME redirects, or incomplete propagation after adding domains.

Check Reporting First
Go to Reporting > Unbound DNS > Overview or Details to spot the blocked domain (and any CNAME chain). Click it to whitelist directly—this auto-adds to Services > Unbound DNS > Blocklists > Allowlist Domains.

Use CLI on OPNsense: dig example.com @127.0.0.1 to trace resolutions and whitelist all linked domains.

Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.

Flush client DNS too (e.g., ipconfig /flushdns on Windows). Test again—exceptions working confirms blocklist config is fine, just needs refresh.

Official Documentation
Full Unbound setup: [docs.opnsense.org/manual/unbound.html]

Reporting guide: [docs.opnsense.org/manual/reporting_unbound_dns.html]
Hardware: N5105 Intel Celeron
OPNsense | Home Lab | Linux & Home Automation
"Secure the network, automate the rest."

April 06, 2026, 03:24:42 PM #2 Last Edit: April 06, 2026, 06:37:53 PM by nero355
Quote from: haim9080 on April 05, 2026, 10:32:02 PM
How can I fix this?
Unbound is nice for the whole 'Query Root DNS Servers' thing, but for blocking domains I would rather use Pi-Hole than anything else to be honest :)

Maybe one day there will be some kind of OPNsense alternative for pfBlockerNG but for now Pi-Hole + Unbound on a Raspberry Pi/Intel NUC/Proxmox CT or VM has my preference : https://docs.pi-hole.net/guides/dns/unbound/

/EDIT :
Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM
AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.
I know, but aside from disliking AdGuard since Day #1 the reason to not use it on OPNsense is because I like to keep my Router/Firewall as clean and simple as possible and something like that does not belong there IMHO :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on April 06, 2026, 03:24:42 PM
Maybe one day there will be some kind of OPNsense alternative

AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: (MARLOO) on April 06, 2026, 03:45:17 AM
Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.

It should be sufficient to just clear the specific entry:
unbound-control -c /var/unbound/unbound.conf flush_zone example.com
But I'd also recommend running a dedicated solution for this. I run AdGuard Home in a DietPi LXC container and it uses my OPNsense Unbound as upstream DNS.
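The two posts above describe the same diagnostic by hand: resolve the domain against the local Unbound, find every name in its CNAME chain (each of which may need its own allowlist entry), then flush the specific zone rather than restarting the whole service. The script below is an added example written for this thread, not code from OPNsense or from any poster. It parses the answer section of `dig +noall +answer <name> @127.0.0.1` and emits one `unbound-control -c /var/unbound/unbound.conf flush_zone` line per name in the chain. The two dig answer sections embedded in it are constructed samples so it runs offline; the names and addresses in them are invented, and the check for a sinkhole answer assumes the blocklist replies with 0.0.0.0 / ::, which is an assumption about the default and not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): walk the CNAME chain of a domain as the local
# Unbound resolves it and emit a flush_zone command for every name in that chain.
# The constructed samples below stand in for real `dig +noall +answer <name> @127.0.0.1`
# output; names and addresses are invented.

# Constructed sample: www.example.com is a two-hop CNAME chain ending in an A record.
SAMPLE_DIG_OUTPUT='www.example.com. 300 IN CNAME edge.example-cdn.net.
edge.example-cdn.net. 60 IN CNAME cdn-host.example-edge.org.
cdn-host.example-edge.org. 60 IN A 203.0.113.10'

# Constructed sample: a name answered with the blocklist sinkhole address.
# ASSUMPTION: the OPNsense blocklist answers blocked names with 0.0.0.0 / ::.
SAMPLE_BLOCKED_OUTPUT='ads.example.net. 3600 IN A 0.0.0.0'

# cname_chain ANSWER_SECTION
# Prints every owner name and CNAME target from a dig answer section, lowercased,
# without the trailing dot, in chain order and deduplicated, one per line.
# Every one of these is a name the allowlist may need to contain.
cname_chain() {
  printf '%s\n' "$1" | awk '
    toupper($4) == "CNAME" || toupper($4) == "A" || toupper($4) == "AAAA" {
      n = tolower($1); sub(/\.$/, "", n); print n
      if (toupper($4) == "CNAME") { t = tolower($5); sub(/\.$/, "", t); print t }
    }' | awk '!seen[$0]++'
}

# blocked_by_sinkhole ANSWER_SECTION
# Exit 0 if any A/AAAA answer is the assumed sinkhole address, 1 otherwise.
blocked_by_sinkhole() {
  printf '%s\n' "$1" | awk '
    toupper($4) == "A"    && $5 == "0.0.0.0" { found = 1 }
    toupper($4) == "AAAA" && $5 == "::"      { found = 1 }
    END { exit found ? 0 : 1 }'
}

# flush_commands ANSWER_SECTION
# One unbound-control flush_zone line per name in the chain, using the config
# path given in the thread for OPNsense.
flush_commands() {
  cname_chain "$1" | while IFS= read -r name; do
    printf 'unbound-control -c /var/unbound/unbound.conf flush_zone %s\n' "$name"
  done
}

# check_domain NAME
# Live variant for the OPNsense shell: resolve via the local Unbound, report
# whether the chain is still sinkholed, and print the flush commands to run.
check_domain() {
  command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
  answer="$(dig +noall +answer "$1" @127.0.0.1)"
  echo "Names in the resolution chain (all must be allowlisted):"
  cname_chain "$answer" | sed 's/^/  /'
  if blocked_by_sinkhole "$answer"; then
    echo "Still answered with the sinkhole address; flush after allowlisting:"
  else
    echo "Resolves normally; any stale cached entries can be cleared with:"
  fi
  flush_commands "$answer" | sed 's/^/  /'
}

# Run live when a domain is passed on the command line, e.g. `sh check.sh www.example.com`.
if [ -n "${1:-}" ]; then
  check_domain "$1"
fi
```

On the firewall itself, run it with the blocked domain as the argument: the printed list is the set of names that have to be on the allowlist (an allowlist entry for the first name does nothing if the blocked entry is a CNAME target further down the chain), and the flush lines clear only those names from the cache, so a full Unbound restart, with the socket-buffer warnings that come with it, is not needed.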

Quote from: (MARLOO) on April 06, 2026, 03:45:17 AM
This is a frequent Unbound DNS issue on OPNsense where allowlists don't take effect immediately due to caching, CNAME redirects, or incomplete propagation after adding domains.

Check Reporting First
Go to Reporting > Unbound DNS > Overview or Details to spot the blocked domain (and any CNAME chain). Click it to whitelist directly—this auto-adds to Services > Unbound DNS > Blocklists > Allowlist Domains.

Use CLI on OPNsense: dig example.com @127.0.0.1 to trace resolutions and whitelist all linked domains.

Clear Cache Properly
In Services > Unbound DNS > General > Advanced, enable Flush DNS cache on restart. Apply changes, then Reload Unbound (full reload, not just cache refresh). Also restart the service via CLI: service unbound restart.

Flush client DNS too (e.g., ipconfig /flushdns on Windows). Test again—exceptions working confirms blocklist config is fine, just needs refresh.

Official Documentation
Full Unbound setup: [docs.opnsense.org/manual/unbound.html]

Reporting guide: [docs.opnsense.org/manual/reporting_unbound_dns.html]
OK, so I did all those things.
When I restart the service via CLI I get this error:

Quote
root@HaimHome:~ # service unbound restart
Stopping unbound.
Waiting for PIDS: 88081.
Obtaining a trust anchor...
Starting unbound.
[1775556382] unbound[92360:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available
[1775556382] unbound[92360:0] warning: so-sndbuf 4194304 was not granted. Got 57344. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value).
[1775556382] unbound[92360:0] warning: setsockopt(..., SO_SNDBUF, ...) was not granted: No buffer space available
[1775556382] unbound[92360:0] warning: so-sndbuf 4194304 was not granted. Got 57344. To fix: start with root permissions(linux) or sysctl bigger net.core.wmem_max(linux) or kern.ipc.maxsockbuf(bsd) values. or set so-sndbuf: 0 (use system value).
root@AmsalemHome:~ #
And I set the outgoing and incoming TCP/UDP buffer to 57344.


Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM
Quote from: nero355 on April 06, 2026, 03:24:42 PMMaybe one day there will be some kind of OPNsense alternative

AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.

Where??!?!?!!? I searched in the community plugins and I didn't see anything..

Quote from: nero355 on April 06, 2026, 03:24:42 PM
Quote from: haim9080 on April 05, 2026, 10:32:02 PM
How can I fix this?
Unbound is nice for the whole 'Query Root DNS Servers' thing, but for blocking domains I would rather use Pi-Hole than anything else to be honest :)

Maybe one day there will be some kind of OPNsense alternative for pfBlockerNG but for now Pi-Hole + Unbound on a Raspberry Pi/Intel NUC/Proxmox CT or VM has my preference : https://docs.pi-hole.net/guides/dns/unbound/

/EDIT :
Quote from: Patrick M. Hausen on April 06, 2026, 04:16:17 PM
AdGuard Home is available as a community plug in and works very well. I prefer it over Pihole.
I know, but aside from disliking AdGuard since Day #1 the reason to not use it on OPNsense is because I like to keep my Router/Firewall as clean and simple as possible and something like that does not belong there IMHO :)
Listen, this OPNsense is in my rented apartment. I have an S2S between my parents' house and here, and my parents' house has Proxmox on it, which has AdGuard and everything. I can redirect all the traffic to its name, but that's a bit stupid to me..
Can I do blocks in the FW and get a user block page like this that says it's blocked??

April 07, 2026, 12:47:12 PM #8 Last Edit: April 07, 2026, 12:54:05 PM by Patrick M. Hausen
Quote from: haim9080 on April 07, 2026, 12:23:17 PM
Where??!?!?!!? I searched in the community plugins and I didn't see anything..

https://www.routerperformance.net/opnsense-repo/

If you pick the "just AdGuard" repository, there won't be any ill side effects caused by package conflicts. AGH is a single golang binary, all very clean and manageable.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 07, 2026, 12:47:12 PM
Quote from: haim9080 on April 07, 2026, 12:23:17 PM
Where??!?!?!!? I searched in the community plugins and I didn't see anything..

https://www.routerperformance.net/opnsense-repo/

If you pick the "just AdGuard" repository, there won't be any ill side effects caused by package conflicts. AGH is a single golang binary, all very clean and manageable.

What does it do???
Does it install a full AdGuard Home solution???

Yes, of course. Integrated with OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on April 07, 2026, 03:27:01 PM
Yes, of course. Integrated with OPNsense.
So how can I download that?? Install that? Can you give me the steps???

The instructions to do this are literally on the linked page.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

Quote from: meyergru on Today at 09:14:18 PM
The instructions to do this are literally on the linked page.

Thank you. I installed it, but during the AdGuard Home installation it told me port 53 is not available after I turned off Unbound DNS.. so what do I do now???

You need Unbound or any DNS resolver, so AGH should run on an alternative port. I do not use it, but here is a guide:

https://samuelsson.dev/install-adguard-home-on-an-opnsense-router/

Maybe you should use something different than 5353, because that collides with mDNS.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+