DNS Confusion

Started by disorganise, April 12, 2026, 02:45:09 PM

Hi,
I recently installed OPNSense (26.1.6) and have connected to the Internet just fine.  However, DNS is confusing me in several ways.

First confusion:  I don't know what DNS servers it is using, but it doesn't appear to be anything I set.
My ISP offers DNS with sinkhole - essentially a pi-hole I can configure in their portal.  The DNS setting is offered through DHCP and you can configure it yourself.
I've added the DNS into the System/Settings/General, and at the moment I have 'Allow DNS server list to be overridden by DHCP/PPP on WAN' enabled - but ticked or not it doesn't make a difference.
From a Windows client, my ISP DNS does not appear to be being used. (ad block testing shows very low success rate, and optional DNS logs are empty)

On the same Windows client, if I set my IP statically and then set DNS to my ISP, the DNS logs fill quickly and ad block testing is 94% successful.

So it looks like OPNSense is using some other DNS server and I've no idea where that might be configured?

I do have a wireguard tunnel enabled to my other home and wondered if DNS was somehow going there, so I disabled wireguard and retested with same results.

As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.

2nd confusion:
As I mentioned above, I have a wireguard set up to another OPNSense 900km away.  They each have their own domain; i.e., mg.home.arpa and dy.home.arpa.  I can't seem to resolve clients in the other domain.  I've cheated for the time being by adding my Emby box as a static.  On my new box I set a 'Query Forwarding' domain to the OPNSense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works ok.

Copilot led me a merry dance on the tunnel DNS yesterday until I gave up.  I even migrated to KEA DNS for a bit and moved back when it didn't solve anything.

So I'm hoping someone can explain how this should work and help me figure out where it is going wrong.  I figure what I want is a resolver in each site, and a pair of forwarders in each site - one to the opposite resolver for my internal domains, and one to my ISP or whatever for Internet stuff.  But I'm at a loss how to make it happen.

Quote from: disorganise on April 12, 2026, 02:45:09 PM
However, DNS is confusing me in several ways.

First confusion:  I don't know what DNS servers it is using, but it doesn't appear to be anything I set.

As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.
Quote:
I even migrated to KEA DNS for a bit and moved back when it didn't solve anything.

All a matter of reading: https://docs.opnsense.org/manual/dhcp.html

HINT: There is no such thing as KEA DNS and in OPNsense everything is basically built around Unbound DNS-wise!!

Quote:
I have a wireguard set up to another OPNSense 900km away.  They each have their own domain; i.e., mg.home.arpa and dy.home.arpa.

I can't seem to resolve clients in the other domain.  I've cheated for the time being by adding my Emby box as a static.  On my new box I set a 'Query Forwarding' domain to the OPNSense private IP address in the 2nd location, but resolution doesn't work.
nslookup <client name> <2nd location OPNsense IP> does resolve successfully, so DNS traffic through the tunnel works ok.

My guess is you told Dnsmasq about it instead of Unbound but again: Read the documentation and go through everything step-by-step ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: disorganise on April 12, 2026, 02:45:09 PM
First confusion:  I don't know what DNS servers it is using, but it doesn't appear to be anything I set.

As far as I understand, I'm using Dnsmasq and Unbound, though I don't really understand the relationship between the two.

Is Unbound enabled in Services => Unbound DNS => General => Enable Unbound?
If so then Services => Unbound DNS => Query Forwarding should tell you what upstream DNS servers it's using, and whether these are the system DNS servers from System => Settings => General or not.

If Unbound isn't enabled then you're probably using Dnsmasq. Is Services => Dnsmasq DNS and DHCP => General => "Do not forward to system defined DNS servers" selected? If it is, it should be using the servers from System => Settings => General, or if not the servers from Services => Dnsmasq DNS and DHCP => Domains.

Do the log files for Unbound or Dnsmasq show any errors?

On the windows host, when getting its IP Configuration automatically from DHCP, what does "ipconfig /all" in a command prompt show? Has it picked up its DNS configuration from your OPNsense? Also it might be worth using "nslookup" to check DNS from the command line as browsers can sometimes try using their own DNS over HTTPS configuration.

Quote:
2nd confusion:

Probably better to stick to one problem at a time for now :) Well worth trying to work out how your DNS is currently configured before getting the sites to query each other. Your plan for a forward from one site to the other sounds right though.

Quote from: Booth on Today at 12:59:32 AM
Is Unbound enabled in Services => Unbound DNS => General => Enable Unbound?
Yes

Quote from: Booth on Today at 12:59:32 AM
If so then Services => Unbound DNS => Query Forwarding should tell you what upstream DNS servers it's using, and whether these are the system DNS servers from System => Settings => General or not
ok - so the local domain is pointing to 127.0.0.1:53053 - that was auto-created.  I added my other local domain but that's for confusion 2 so let that go for now.

Quote from: Booth on Today at 12:59:32 AM
Is Services => Dnsmasq DNS and DHCP => General => "Do not forward to system defined DNS servers" selected?
Not selected - also no domain configured.

Quote from: Booth on Today at 12:59:32 AM
Do the log files for Unbound or Dnsmasq show any errors?

Not for Dnsmasq.  At Informational level, Dnsmasq shows the nameservers that are configured either in DHCP on WAN or in the System -> Settings -> General - DNS Servers section

2026-04-13T13:36:23 Informational dnsmasq using only locally-known addresses for mg.home.arpa
2026-04-13T13:36:23 Informational dnsmasq using nameserver 2401:dc20:cafe::53#53
2026-04-13T13:36:23 Informational dnsmasq using nameserver 2402:3120:cafe::53#53
2026-04-13T13:36:23 Informational dnsmasq using nameserver 138.252.23.138#53
2026-04-13T13:36:23 Informational dnsmasq using nameserver 138.252.23.23#53
2026-04-13T13:36:23 Informational dnsmasq using nameserver 127.0.0.1#53
2026-04-13T13:36:23 Informational dnsmasq reading /etc/resolv.conf
2026-04-13T13:35:38 Notice dnsmasq daemonize dnsmasq dhcpd watcher.

Unbound does have an error
2026-04-13T11:06:20 Error unbound [52383:1] error: recvfrom 112 failed: Protocol not available
Brave's AI search suggested it's from 'Register DHCP static mappings' being enabled, so I unticked it, restarted Unbound and the error hasn't come back.

Quote from: Booth on Today at 12:59:32 AM
what does "ipconfig /all" in a command prompt show? Has it picked up its DNS configuration from your OPNsense?
It just has the OPNSense as DNS - just the single entry (when via DHCP)

Quote from: Booth on Today at 12:59:32 AM
"nslookup"

example:

> ad.doubleclick.net
Server:  OPNsense.mg.home.arpa
Address:  192.168.58.1

Non-authoritative answer:
Name:    ad.doubleclick.net
Addresses:  192.178.187.149
          192.178.187.148

>

the logs on the ISP side remain stubbornly silent - so that query above, for example, does not show.  So it appears I'm hitting another DNS server somewhere, but I don't know where it is nor where it is configured.


Is there some hardcoded DNS in OPNSense somewhere that isn't exposed to the GUI?
Am I supposed to add an empty domain to 'query forwarding' and put my desired DNS server in there?  I can, but that doesn't really explain what DNS is currently being used.

Is there some tool that will walk the DNS resolution tree?

Today at 06:25:22 AM #4 Last Edit: Today at 06:34:38 AM by disorganise
Quote from: nero355 on April 12, 2026, 08:01:56 PM
HINT: There is no such thing as KEA DNS
yeah typo.  I meant KEA DHCP and Unbound DNS

Quote from: nero355 on April 12, 2026, 08:01:56 PM
My guess is you told Dnsmasq about it instead of Unbound but again: Read the documentation and go through everything step-by-step ;)

nope, unbound.  just doesn't work.
https://postimg.cc/Vrq44Gj1

If that does not work, I can only imagine two reasons:

1. You have your local unbound be responsible for home.arpa as a whole, such that sub-zones are not delegated any more.

2. Somehow the firewall rules or something block your OpnSense from accessing 192.168.178.3 on port 53. Being able to resolve from a client on your LAN is not the same as doing the same from OpnSense itself, especially when a VPN is involved en route. Try an nslookup from your OpnSense instance and then track down where that goes.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

Quote from: meyergru on Today at 10:05:18 AM
Something blocks your OpnSense from accessing 192.168.178.3 on port 53

If I go Interfaces -> Diagnostics -> DNS Lookup and enter a hostname for dy.home.arpa with the server as the remote opnsense, it resolves successfully in 20 msec.

Quote from: meyergru on Today at 10:05:18 AM
You have your local unbound be responsible for home.arpa as a whole, such that sub-zones are not delegated any more.
This probably makes sense, but that should get set in System -> Settings -> General, shouldn't it?  I was following the instructions there (as far as I can read) to come up with the home.arpa in the first place (wasn't my first choice!).


For testing, I changed the local domain and rebooted.



Still not able to resolve the other end.


Over on the 'what DNS is OPNSense using' question...

If I query for an ad server using OPNSense address I get a return


If I swap to my ISP DNS I get the block


and the logs show the same;


So OPNSense seems to be using some other DNS

I found firewall logs that show seemingly random DNS servers - so at least I'm not imagining this.  So this is either expected behaviour and I need to do xyz to change default behaviour, or it's not expected behaviour and maybe there's a bug or something?
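As an added example (not from this thread or from OPNsense), a small Python script that parses the dnsmasq "using nameserver" lines quoted earlier in the thread and checks a set of outbound port-53 destination IPs seen in the firewall log against them: when Unbound runs as a recursive resolver (no Query Forwarding entry for the empty domain) it talks to root and authoritative servers directly, so many destinations outside the configured list is the expected signature of that mode, whereas a forwarding setup should show only the configured servers. The dnsmasq lines reuse values from the post; the observed destination IPs are constructed placeholders.

```python
import re
from ipaddress import ip_address

# dnsmasq lines in the format quoted in the thread (values taken from the post);
# OBSERVED_DST is a constructed stand-in for the destination IPs of outbound
# port-53 connections as they would appear in the firewall log.
DNSMASQ_LOG = """\
2026-04-13T13:36:23 Informational dnsmasq using only locally-known addresses for mg.home.arpa
2026-04-13T13:36:23 Informational dnsmasq using nameserver 2401:dc20:cafe::53#53
2026-04-13T13:36:23 Informational dnsmasq using nameserver 138.252.23.138#53
2026-04-13T13:36:23 Informational dnsmasq using nameserver 127.0.0.1#53
2026-04-13T13:36:23 Informational dnsmasq reading /etc/resolv.conf
"""
OBSERVED_DST = ["138.252.23.138", "198.51.100.7", "203.0.113.42", "138.252.23.138"]

NAMESERVER_RE = re.compile(r"using nameserver (\S+)#(\d+)")
LOCAL_ONLY_RE = re.compile(r"using only locally-known addresses for (\S+)")


def parse_dnsmasq(log):
    """Return (upstreams, local_domains) from dnsmasq's startup lines."""
    upstreams, local_domains = [], []
    for line in log.splitlines():
        m = NAMESERVER_RE.search(line)
        if m:
            upstreams.append((ip_address(m.group(1)), int(m.group(2))))
        elif (m := LOCAL_ONLY_RE.search(line)):
            local_domains.append(m.group(1))
    return upstreams, local_domains


def classify_destinations(upstreams, observed):
    """Split observed port-53 destinations into configured vs. unexpected.

    127.0.0.1 is dropped from the configured set: that entry is dnsmasq
    handing queries to Unbound on the same host, not an upstream server.
    """
    configured = {ip for ip, _ in upstreams if not ip.is_loopback}
    seen = {ip_address(d) for d in observed}
    unexpected = sorted(seen - configured, key=str)
    return sorted(configured, key=str), unexpected


def report(log=DNSMASQ_LOG, observed=OBSERVED_DST):
    """Print the picture and return how many destinations were unexpected."""
    upstreams, local_domains = parse_dnsmasq(log)
    configured, unexpected = classify_destinations(upstreams, observed)
    print("local-only domains:", local_domains)
    print("configured upstreams:", [str(i) for i in configured])
    print("unexpected port-53 destinations:", [str(i) for i in unexpected])
    return len(unexpected)


if __name__ == "__main__":
    report()
```

A non-zero count of unexpected destinations with Unbound enabled and no forwarding entry is the recursive-resolver mode at work, not a hidden DNS server; to route everything through the ISP resolver, that resolver has to be the forwarding target in Unbound itself.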