Unbound Upstream DNS Server Setup on a Transparent Bridge

First of all, thank you for all the guidance you have shared with the internet community. It has helped me immensely. I have utilized your videos and guides to successfully configure and deploy both an OPNsense Transparent Bridge and a Pi-Hole DNS server.

I do have a question and/or issue that I need help with. I would like to utilize the Unbound DNS feature on the Bridge and use it as my upstream DNS Server. I attempted modifying the Custom DNS servers setting in Pi-Hole to point to the Bridge and a secondary public DNS server, but that did not seem to work. I could tail the log file in the Pi-Hole and see that the DNS requests to the bridge were not being resolved and the request was then sent to the secondary server.

I was referencing your guide “Install Pi-hole on Proxmox and Use OPNsense Unbound DNS as Upstream DNS,” but this is a slightly different use case. So, I’m a little lost.

I’m wondering if I need to set IPv4 Configuration Type to IP4 on the Bridge interface and assign it an IP Address or create a new interface altogether. Then in the custom DNS Servers setting of pi-hole, use that IP Address that I assigned to it. Currently it is set to the IP Address assigned to the MGMT interface. I’m thinking that is probably not correct.

My question is, what setting do I need to set on my bridge to use Unbound DNS as an Upstream DNS Server?

Thanks for the help.

[EDIT: 1/17/25] What if I assigned a static IP to the Bridge interface, and then use that address as a Custom IP Address for an Upstream DNS server in pi-hole. Would it be that easy?

Sorry I didn’t respond to this sooner. That may very well work but you will need to make sure you have a gateway set up so you can reach out to the Internet from the bridge because Unbound will need to reach out to external DNS servers.

I need to experiment with this because I’ve had several others want to use Unbound DNS on the transparent bridge (rather than use some other DNS server on the network).

Thank you for your tutorials, they are very helpful.

I have a related question with a PiHole/Unbound server on one machine and Unbound also runs in OPNsense on another machine.

What is the best way to use both of the local Unbound servers as Primary and Secondary DNS servers (without using ISP or public DNS servers)?

In your tutorial, you point the bridge’s DNS as the main gateway 192.168.1.1 (which points back at the PiHole/Unbound server). How would you make best use of the existing 2 Unbound servers (minimizing network hops)?

Thanks in advance.

When using a transparent filtering bridge, I am assuming you are using some other router and only using OPNsense as a firewall. I would recommend configuring your primary router to use DNS as you see fit on your network (Pi-hole, etc) and don’t do any DNS configuration on the transparent bridge. That keeps the transparent filtering bridge acting strictly as a firewall and you can control most of your network’s configuration on your primary router.

I used 192.168.1.1 in my example of the transparent filtering bridge so that I could get updates for the transparent bridge and so I was using the DNS server of my primary router (which happens to be OPNsense but it could be any other router you choose).

I have had several users want to make use of Unbound DNS of the OPNsense transparent filtering bridge but that’s something I haven’t tried (but I assume should work if you ensure every device in your network is receiving the proper DNS server IP address and you have the appropriate firewall rules in place to allow access).

Thanks for the response.

I tried more OPNsense monitoring utilities, but they seemed to get confused by the “snake swallowing its tail” with both WAN and LAN on the same bridge so I reset it to factory defaults and configured it as a standard router/firewall with different networks on both ends.

I grabbed some aggressive attack scripts and ran them at the WAN port and nothing got through. OPNsense was busy logging the attacks, but managed the attacks with virtually no CPU usage while downstream clients were streaming 4K video through it from the net. I am using the tmpfs/ramdisk feature for the logs to save the NVMe write lifespan.

I learned that OPNsense’s Unbound could use most of my PiHole’s block lists and was more tightly coupled so I gave it a try. OPNsense also has its own set of Unbound block lists so I am running both my PiHole’s lists and OPNsense’s list on OPNsense and they are all running without effort.

I added a rule to forward all port 53 traffic to the OPNsense Unbound server so they all get filtered, even if they were intended for web hosted DNS servers.

I think I will no longer need my PiHole machine. I did have to manually add a rate cap to OPNsense’s DNS queries/second. Something PiHole has easily configurable, but on a per-client basis. PiHole has a better GUI for DNS URL pattern blocking, but the one in OPNsense is more than suitable.

Also added Suricata IDS/IPS in addition to the DNS block lists. Both are running with little CPU usage.

So far, OPNsense as a Router/Firewall/PiHole-substitute/DHCP-server/DHCP-reservations/Monitoring-tool appears to be checking all of the boxes.

Thanks again for your videos.
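Two checks come up in this thread: the first post tails the Pi-hole log to see whether queries sent to the bridge’s Unbound are answered (a SERVFAIL from the bridge while a public resolver answers fine points at the missing gateway the reply mentions), and the last post redirects all port-53 traffic to the OPNsense Unbound, which can be confirmed by asking a public resolver address for a name the local block list is known to block. The script below is an added example, not code from the thread or from OPNsense or Pi-hole; it builds a raw DNS A query, sends it over UDP, parses the reply (including name compression) and classifies the result. The resolver addresses and the blocked name in the usage block are placeholders to be replaced with your own.

```python
"""Minimal DNS A-record checker (added example, not from the thread).

Use it to confirm that an Unbound instance such as the one on an OPNsense
bridge actually answers (rather than timing out or returning SERVFAIL
because it cannot reach upstream servers), and to confirm a port-53
redirect by asking a public resolver for a locally blocked name.
"""
import random
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txn_id: int) -> bytes:
    """Encode a standard recursive A query for `name` in DNS wire format."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes, txn_id: int) -> dict:
    """Return {'rcode': str, 'addresses': [IPv4 strings]} from an A answer."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(".".join(str(b) for b in rdata))
    return {"rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
            "addresses": addresses}


def query(resolver_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query; returns parse_response() output or rcode 'TIMEOUT'."""
    txn_id = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txn_id), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"rcode": "TIMEOUT", "addresses": []}
    return parse_response(data, txn_id)


def is_blocked(result: dict) -> bool:
    """Blocking resolvers typically answer NXDOMAIN or the null address 0.0.0.0."""
    if result["rcode"] == "NXDOMAIN":
        return True
    return bool(result["addresses"]) and all(a == "0.0.0.0" for a in result["addresses"])


if __name__ == "__main__":
    # Placeholder addresses: the bridge's Unbound and a public resolver.
    for resolver in ("192.0.2.1", "8.8.8.8"):
        print(resolver, "example.com", query(resolver, "example.com"))
    # With a port-53 redirect in place, even the public address returns the
    # block-list answer for a name your list blocks (placeholder name here).
    print("redirect in effect:", is_blocked(query("8.8.8.8", "blocked.example")))
```

Run it from a client on the LAN: a TIMEOUT from the bridge address usually means a missing firewall rule or Unbound not listening on that interface, while SERVFAIL means Unbound answered but could not recurse, which is the outbound-gateway problem described in the reply above.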