
OPNsense 25.7 DNS Issues: Migrating from Unbound to dnsmasq

Complete guide to resolving DNS resolution failures after upgrading to OPNsense 25.7, including step-by-step migration from Unbound to dnsmasq for improved stability and local hostname resolution in home networks.


If you’ve recently upgraded to OPNsense 25.7 and are experiencing intermittent DNS resolution failures, you’re not alone. Many users have reported issues where websites become unreachable, then mysteriously work again after cache flushes or reboots. The culprit? Changes in how DNS services interact in the new version.

In this post, I’ll walk you through the issues introduced in OPNsense 25.7 and show you how to migrate from the problematic Unbound setup to a more stable dnsmasq configuration.


🚨 What Changed in OPNsense 25.7?

OPNsense 25.7 introduced several significant changes that have disrupted previously stable DNS configurations:

🔄 Default DHCP Service Switch

The most significant change is that dnsmasq became the default DHCP service instead of ISC DHCP, whose upstream maintainer had already declared it end-of-life. While this change improves performance and simplifies configuration for most users, it has created compatibility issues with existing Unbound DNS setups, which relied on ISC DHCP lease data for their automatic local hostname registration.

πŸ› Unbound DNS Resolution Issues

Users are reporting widespread DNS resolution failures with symptoms including:

  • Intermittent β€œserver not found” errors in browsers
  • Lag and timeouts when accessing websites
  • Local hostname resolution failures (devices can’t resolve each other by name)
  • Cache flush temporarily fixes issues but problems return

The issues appear to affect both:

  • Fresh installations of OPNsense 25.7
  • Upgraded systems from previous versions

πŸ” Understanding the Root Cause

The problems stem from several interrelated issues:

  1. DHCP Service Migration: The switch from ISC DHCP to dnsmasq broke existing DNS registration workflows
  2. Unbound Instability: The new version of Unbound has compatibility issues with the changed DHCP environment
  3. Configuration Mismatches: Previous configurations that worked fine now conflict with the new service architecture

📊 Impact on Local DNS

One of the most frustrating issues is the complete failure of local hostname resolution. In previous versions, devices like laptop.local or server.internal would resolve automatically. After the upgrade, these lookups fail entirely, requiring manual IP address management. (Whatever you pick as your DHCP domain, avoid .local: it is reserved for mDNS, and many clients answer .local names over multicast without ever asking your DNS server.)


πŸ› οΈ Solution: Migrate to dnsmasq for DNS

The most effective solution is to configure dnsmasq as both the DHCP and DNS service, replacing Unbound entirely. This provides:

  • βœ… Stable DNS resolution without random failures
  • βœ… Automatic local hostname registration for DHCP clients
  • βœ… Simplified configuration with fewer moving parts
  • βœ… Better integration with the new DHCP service

📋 Step-by-Step Migration Guide

🎯 Step 1: Disable Unbound DNS

First, we need to disable the problematic Unbound service. Do this before enabling dnsmasq on port 53: two services cannot listen on the same port on the same address, and the one that loses the race simply fails to start.

  1. Navigate to Services → Unbound DNS → General
  2. Uncheck “Enable” to disable Unbound
  3. Change the Listen Port from 53 to 53053 (it then stays out of dnsmasq’s way if you ever re-enable it; see Reverting below)
  4. Apply the changes

🎯 Step 2: Configure dnsmasq for DNS

Now we’ll set up dnsmasq to handle DNS resolution:

  1. Go to Services → Dnsmasq DNS & DHCP → General
  2. Enable dnsmasq by checking the “Enable” box
  3. Set Listen Port to 53 (the standard DNS port)
  4. Configure the following settings:
    • Interface: LAN (and other internal interfaces) - Interfaces to serve DNS requests. Leave WAN out: a resolver reachable from the Internet is an open resolver and will be abused for amplification
    • Do not forward to system DNS: ✅ Checked - dnsmasq ignores the resolvers listed under System → Settings → General and uses only the upstream servers you add in Step 3
    • DHCP fqdn: ✅ Checked - Registers each DHCP client as hostname.domain rather than as a bare hostname
    • DHCP default domain: internal - Domain appended to clients whose DHCP range does not set its own (the LAN range in Step 4 overrides it with lan.internal)
    • DHCP register firewall rules: ✅ Checked - Automatically creates the firewall rules that let clients reach the DHCP service
  5. Apply the configuration

🎯 Step 3: Configure Upstream DNS Servers

Set up external DNS servers for internet resolution. Because Step 2 told dnsmasq not to use the system DNS list, these entries are the only upstreams it has, so add at least two. Note that dnsmasq talks to them over plain port 53; it has no DNS-over-TLS, so anyone on the WAN path can read and tamper with these queries.

  1. Go to Services → Dnsmasq DNS & DHCP → Domains
  2. Add a new domain entry:

  Field        Value     Description
  Domain       *         Matches all domains
  IP Address   1.1.1.1   Cloudflare DNS (or your preferred DNS)
  Port         53        Standard DNS port

  3. Add additional upstream servers for redundancy, one entry each:
    • 8.8.8.8 (Google DNS)
    • 9.9.9.9 (Quad9 DNS)

🎯 Step 4: Configure DHCP Ranges

Set up DHCP ranges with automatic DNS registration:

  1. Go to Services → Dnsmasq DNS & DHCP → DHCP ranges
  2. Add a range for your LAN:

  Field           Value           Example
  Interface       LAN             Your main network interface
  Start address   192.168.1.100   First IP in DHCP range
  End address     192.168.1.199   Last IP in DHCP range
  Domain          lan.internal    Local domain for this range (clients register as hostname.lan.internal)
  Lease time      86400           24 hours (in seconds)

  3. Apply the configuration

🎯 Step 5: Update System DNS Settings

Configure OPNsense itself to use the new DNS setup:

  1. Go to System → Settings → General
  2. Remove any existing DNS servers
  3. Add your dnsmasq instance: 127.0.0.1
  4. Uncheck “Allow DNS server list to be overridden by DHCP/PPP on WAN”
  5. Apply changes

After this, the firewall’s own lookups (package updates, hostname aliases) also go through dnsmasq. If dnsmasq is stopped, the firewall loses name resolution too; that is expected, and it is the quickest sign that the service is down.
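The five GUI steps above correspond to a short dnsmasq configuration. The script below is an added example written for this post, not the file OPNsense generates (OPNsense renders its own dnsmasq configuration from the GUI, so do not drop this in by hand); it shows which dnsmasq directive each GUI option maps to, and validates the result with dnsmasq --test where the binary exists. The interface name igb1 and firewall address 192.168.1.1 are assumptions; the domains, ranges, hosts and blocked name are the ones used elsewhere in this post.

```shell
#!/bin/sh
# Hand-written equivalent of the Step 1-5 GUI settings. Assumed values:
LAN_IF="igb1"            # assumption: LAN interface name
LAN_IP="192.168.1.1"     # assumption: firewall LAN address handed to clients as DNS

render_dnsmasq_conf() {
  cat <<EOF
# Step 2: DNS on the standard port, LAN only (never WAN)
port=53
interface=${LAN_IF}
bind-interfaces
# "Do not forward to system DNS": ignore /etc/resolv.conf, use only server= lines
no-resolv
# Never forward bare names or private reverse lookups to the Internet
domain-needed
bogus-priv
# Step 3: upstream resolvers (Domains tab, domain "*"); plain port 53, no TLS
server=1.1.1.1
server=8.8.8.8
server=9.9.9.9
# Step 2/4: default domain, overridden for the LAN pool; answer it locally
domain=internal
domain=lan.internal,192.168.1.100,192.168.1.199
local=/lan.internal/
expand-hosts
# "DHCP fqdn": register leases as hostname.domain, not bare hostnames
dhcp-fqdn
# Step 4: LAN pool with 24h leases; clients are told to use this box for DNS
dhcp-range=set:lan,192.168.1.100,192.168.1.199,86400
dhcp-option=tag:lan,option:dns-server,${LAN_IP}
# Advanced section: static host (Hosts tab) and a sinkholed name (Domains tab)
host-record=nas.lan.internal,192.168.1.50
address=/ads.example.com/0.0.0.0
# Log DHCP transactions so registrations can be audited later
log-dhcp
EOF
}

# Syntax-check the rendered file with dnsmasq itself when it is installed
# (e.g. on the firewall); elsewhere just report what was rendered.
check_conf() {
  tmp=$(mktemp) || return 1
  render_dnsmasq_conf > "$tmp"
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test --conf-file="$tmp"; rc=$?
  else
    echo "dnsmasq not installed here, skipping --test ($(grep -c '' "$tmp") lines rendered)"; rc=0
  fi
  rm -f "$tmp"
  return $rc
}

check_conf
```

The one directive worth a second look is local=/lan.internal/: without it, a lookup for a name in your local domain that dnsmasq does not know is forwarded to the Internet, leaking your internal hostnames to whichever upstream you chose.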

🧪 Testing the New Configuration

✅ Test Internet Resolution

From a client device, test external DNS resolution:

nslookup google.com
ping cloudflare.com

✅ Test Local Hostname Resolution

Test automatic hostname registration:

# From one device, try to reach another by hostname
ping laptop.lan.internal
nslookup server.lan.internal
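nslookup and ping tell you that a name resolved, but not which daemon answered or why a lookup failed. The script below is an added example (not from the original post) covering both tests above: it queries the OPNsense LAN address directly with drill (present on OPNsense and FreeBSD) or dig, compares the response code with what this configuration should return, and asks the resolver to identify itself via the version.bind CHAOS TXT record, which dnsmasq answers with its version string. If port 53 returns something else, a different daemon is still answering. The resolver address 192.168.1.1, the lan.internal domain and the nas host from the Hosts section are assumptions.

```shell
#!/bin/sh
# Assumptions: the firewall's LAN address and the local domain used in this post.
RESOLVER="192.168.1.1"
LOCAL_DOMAIN="lan.internal"

# Pull the response code out of drill or dig output on stdin.
# drill prints "rcode: NOERROR", dig prints "status: NOERROR".
rcode_of() {
  awk '/->>HEADER<<-/ {
    for (i = 1; i <= NF; i++)
      if ($i == "rcode:" || $i == "status:") { v = $(i+1); sub(/,$/, "", v); print v; exit }
  }'
}

# First TXT rdata in an answer section (both tools print: name ttl class type rdata).
txt_of() {
  awk '!/^;/ && NF >= 5 && $4 == "TXT" { gsub(/"/, "", $5); print $5; exit }'
}

# One query against the firewall, with whichever tool is installed.
query() {  # query <name> [type] [class]
  if command -v drill >/dev/null 2>&1; then
    drill "$1" @"$RESOLVER" "${2:-A}" "${3:-IN}"
  elif command -v dig >/dev/null 2>&1; then
    dig @"$RESOLVER" "$1" "${2:-A}" "${3:-IN}"
  else
    echo "need drill or dig" >&2; return 2
  fi
}

# Compare the live response code with the one this setup should give.
expect_rcode() {  # expect_rcode <name> <expected-rcode>
  got=$(query "$1" | rcode_of)
  if [ "$got" = "$2" ]; then
    echo "ok   $1 -> $got"
  else
    echo "FAIL $1 -> ${got:-no answer} (wanted $2)"; return 1
  fi
}

run_checks() {
  status=0
  expect_rcode example.com NOERROR                   || status=1  # upstream forwarding works
  expect_rcode "nas.${LOCAL_DOMAIN}" NOERROR         || status=1  # Hosts tab entry is served
  expect_rcode "nosuchhost.${LOCAL_DOMAIN}" NXDOMAIN || status=1  # unknown local name: NXDOMAIN, not SERVFAIL/timeout
  who=$(query version.bind TXT CH | txt_of)
  case "$who" in
    dnsmasq*) echo "ok   port 53 is answered by $who" ;;
    *) echo "WARN port 53 answered by '${who:-unknown}', not dnsmasq (Unbound still bound?)"; status=1 ;;
  esac
  return $status
}

# Run the live checks only when asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "run" ]; then run_checks; fi
```

Run it from a LAN client with `sh check-dns.sh run`. A SERVFAIL on the first check points at the upstream list from Step 3 (or at outbound port 53 being blocked), while a WARN on the last check means something other than dnsmasq still owns port 53 on the LAN address.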

✅ Verify DHCP Registration

  1. Check Services β†’ Dnsmasq DNS & DHCP β†’ Log
  2. Look for DHCP lease entries showing hostname registration
  3. Verify clients receive correct DNS server (should be your OPNsense LAN IP)

🔧 Advanced Configuration Options

🎯 Configure Local Host Overrides

For devices that need static DNS entries:

  1. Go to Services → Dnsmasq DNS & DHCP → Hosts
  2. Add static entries:

  Field          Value          Example
  Host           nas            Hostname
  Domain         lan.internal   Local domain
  IP addresses   192.168.1.50   Static IP

🎯 Set Up Custom DNS Blocking

For ad-blocking or content filtering:

  1. Go to Services → Dnsmasq DNS & DHCP → Domains
  2. Add blocking entries:

  Field        Value             Description
  Domain       ads.example.com   Domain to block (subdomains match as well)
  IP Address   0.0.0.0           Sinkhole address; prefer this over 127.0.0.1 so clients do not try to connect to whatever happens to listen on their own loopback

Blocking applies only to clients that actually use this resolver. A device with a hard-coded DNS server, or a browser using DNS-over-HTTPS, bypasses it entirely, so block outbound port 53 from the LAN to anything but the firewall if you want the list to stick.

🚨 Troubleshooting Common Issues

πŸ” DNS Resolution Still Failing

If you’re still experiencing issues:

  1. Check firewall logs for blocked DNS traffic
  2. Verify DHCP clients are getting correct DNS server
  3. Flush DNS cache on client devices
  4. Restart dnsmasq service from Services menu

πŸ” Local Hostnames Not Resolving

For local name resolution problems:

  1. Verify DHCP fqdn is enabled
  2. Check that clients are sending hostnames in DHCP requests
  3. Ensure domain is configured in DHCP ranges
  4. Review dnsmasq logs for registration messages
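The “Verify DHCP Registration” check earlier and the troubleshooting list above both come down to reading dnsmasq’s DHCP log. As an added example (not from the original post), the script below pulls the DHCPACK lines out of that log, keeps the most recent lease per client, and flags clients that sent no hostname, since those are exactly the ones that never get a DNS name. The log lines are constructed for illustration; the interface name igb1 and the log location /var/log/dnsmasq/ are assumptions, and the parser keys on the DHCPACK(...) token rather than on column positions so it does not care what syslog prefix your system uses.

```shell
#!/bin/sh
# Constructed sample of dnsmasq DHCP log lines (interface igb1 is an assumption).
# The last line is a renewal of the first client at a new address.
SAMPLE_LOG='Jul 20 10:01:02 fw dnsmasq-dhcp[2201]: DHCPDISCOVER(igb1) aa:bb:cc:dd:ee:01
Jul 20 10:01:02 fw dnsmasq-dhcp[2201]: DHCPOFFER(igb1) 192.168.1.101 aa:bb:cc:dd:ee:01
Jul 20 10:01:02 fw dnsmasq-dhcp[2201]: DHCPREQUEST(igb1) 192.168.1.101 aa:bb:cc:dd:ee:01
Jul 20 10:01:02 fw dnsmasq-dhcp[2201]: DHCPACK(igb1) 192.168.1.101 aa:bb:cc:dd:ee:01 laptop
Jul 20 10:02:15 fw dnsmasq-dhcp[2201]: DHCPACK(igb1) 192.168.1.102 aa:bb:cc:dd:ee:02
Jul 20 10:03:40 fw dnsmasq-dhcp[2201]: DHCPACK(igb1) 192.168.1.103 aa:bb:cc:dd:ee:03 printer
Jul 20 10:04:00 fw dnsmasq-dhcp[2201]: DHCPACK(igb1) 192.168.1.104 aa:bb:cc:dd:ee:01 laptop'

# Summarise DHCPACK lines from a dnsmasq log on stdin: one line per client MAC,
# latest lease wins, hostname printed as "-" when the client sent none.
dhcp_registrations() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^DHCPACK\(/) {            # DHCPACK(<iface>) <ip> <mac> [<hostname>]
          ip = $(i+1); mac = $(i+2)
          host = (i+3 <= NF) ? $(i+3) : "-"
          lease[mac] = ip " " mac " " host  # later ACKs overwrite earlier ones
          break
        }
      }
    }
    END { for (m in lease) print lease[m] }
  ' | sort
}

# Leases that can never be resolved by name: the client sent no hostname,
# so "DHCP fqdn" has nothing to register. Fix the client, or add a Hosts entry.
unnamed_leases() {
  dhcp_registrations | awk '$3 == "-"'
}

# Exit 0 if <hostname> currently holds a lease in the log on stdin, 1 otherwise.
lease_for_host() {  # lease_for_host <hostname>
  dhcp_registrations | awk -v h="$1" '$3 == h { found = 1 } END { exit !found }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dhcp_registrations
```

On the firewall itself the same functions run over the real log, for example `cat /var/log/dnsmasq/*.log | unnamed_leases` (path assumed), and `lease_for_host laptop` is the quick way to tell whether a name that fails to resolve was ever registered at all or simply never sent by the client.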

πŸ” AdGuard Home Integration Issues

If you’re using AdGuard Home:

  1. Configure AdGuard to use upstream DNS servers instead of OPNsense
  2. Point DHCP clients directly to AdGuard instead of dnsmasq
  3. Use separate ports to avoid conflicts

📊 Performance Comparison

  Metric          Unbound (25.7)         dnsmasq
  Stability       ❌ Frequent failures   ✅ Reliable
  Local DNS       ❌ Broken              ✅ Automatic
  Configuration   🟡 Complex             ✅ Simple
  Memory Usage    🟡 Higher              ✅ Lower
  Startup Time    🟡 Slower              ✅ Faster

🔄 Reverting if Needed

If you need to revert to Unbound:

  1. Disable dnsmasq DNS (set its Listen Port to 0, but leave the service enabled so DHCP keeps working)
  2. Re-enable Unbound (Services → Unbound DNS → General)
  3. Restore Unbound to port 53
  4. Reconfigure upstream DNS servers in Unbound settings

Unbound will not learn dnsmasq’s DHCP leases on its own. If you want local hostnames back under Unbound, leave dnsmasq DNS on a side port such as the 53053 from Step 1 instead of 0, and add a Query Forwarding entry in Unbound that sends your local domain (lan.internal) to 127.0.0.1 on that port; everything else is still resolved by Unbound.

🧠 Final Thoughts

The DNS issues in OPNsense 25.7 are frustrating, but the migration to dnsmasq provides a more stable and feature-rich solution. The automatic hostname registration and simplified configuration make network management much easier.

Key benefits of the migration:

  • 🎯 Eliminates random DNS failures
  • 🏠 Restores local hostname resolution
  • ⚡ Improves overall network performance
  • 🔧 Simplifies ongoing maintenance

While the upgrade disruption is inconvenient, the end result is a more robust DNS infrastructure that’s better suited for home and small business networks.

The community feedback suggests that this configuration is not only more stable but also aligns better with OPNsense’s direction for future releases. Many users report that after making this switch, their networks are more reliable than they were even before the 25.7 upgrade.

This post is licensed under CC BY 4.0 by the author.