Windows clients append the domain suffix to hostnames, even if unqualified names are used (this is a feature called DNS devolution). So there are no "domain-name independent" names. Try nslookup from a client.

macOS clients hate .local domains.

If you don't have a DNS server that resolves the FQDN, or if you have multiple DNS servers and you did not configure the chain properly (forward lookups/DNS zones/root hints), or your domains are public domain names, you will have problems exactly like the ones you described (with the clients; can't say for sure if this happens from OPNsense itself). There's no way around that.

From my experience, it's an unrecommended design to override private domains; I personally never do. The right way to do it (IMO) is to query the DNS servers directly and correctly configure the forward lookups/root hints/DNS zones. The local DNS servers in question will also forward queries if they fail (for any reason) to resolve the query, ending up who knows where. And there's the warning in OPNsense (attached image).
You don't understand me either, I guess. What I'm trying to say is that you should not override local domains at all from OPNsense. So you are doing it wrong on all 25 firewalls. So it doesn't matter if OPNsense has some freak unbound bug regarding local domain overrides, as you should not use local domain overrides at all.