edit: spent all day tryimg to make this work, in the end i got rid of the opnsense services, unbound and dnsmasq, and brought dhcp over to tDNS
I have been trying to set up Technitium DNS server (TDNS hereafter) for its clustering and fail over capabilities, it really does seem to be a one stop shop for DNS capabilities. But I have been hitting a wall so I’m asking if anyone here can see the flaw in my plan.
I have not been using TDNS for DHCP as it lacks ipv6 and router advertisements right now. And I like the idea of DHCP on the firewall router.
I have an opnsense firewall with DNSmasq performing DHCP and DNS forwarding to the Technitium server, which is hosted on proxmox in an lxc. I own my own public domain, example.com for our purposes here.
TDNS is set to “allow recursion only for private networks” this means that if something external tried to resolve using my TDNS they’ll be refused, correct? I ask because that could as be interpreted as not forwarding to external dns when needed.
I set NAT rules to force TDNS port 53 routing. TDNS is set to forward to quad9 and cloud flare externally. DNS blocking lists are set in TDNS.
I don’t really know what I’m doing with zones but I have a primary zone set with example.com. I set some static hosts records in this zone and enabled reverse lookup, expecting servicehost.example.com
query logs app enabled in TDNS.
Edit: 10.2.0.1 turned out to be my vpn’s dns server (When nslookup google.com from a laptop on this LAN, it returns Server: 10.2.0.1 Address: 10.2.0.1#53
nonauthoritative answer: google.com with ip information repeated.
I don’t under stand this return as it’s an ip outside my lan net and dhcp provisioning.)
Unable to reach external net when NAT rules active.
It seems the DHCP is handing out the fire wall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333. Why not just hand out the TDNS address?
Do I have some setting misconfigured in either DNSmasq/opnsense or TDNS?
You must log in or # to comment.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network DNS Domain Name Service/System HA Home Assistant automation software ~ High Availability
[Thread #998 for this comm, first seen 12th Jan 2026, 19:55] [FAQ] [Full list] [Contact] [Source code]
It seems the DHCP is handing out the fire wall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333. Why not just hand out the TDNS address?
You could and that should work but then it’s not called forwarding anymore. It does forwarding because that’s what you configured. Both approaches are valid.
I have an opnsense firewall with DNSmasq performing DHCP and DNS forwarding to the Technitium server
Thanks, that helps to clarify my understanding
When nslookup google.com from a laptop on this LAN, it returns Server: 10.2.0.1 Address: 10.2.0.1#53
nonauthoritative answer: google.com with ip information repeated.
I don’t under stand this return as it’s an ip outside my lan net and dhcp provisioning.
I’m unclear on what you’re confused about regarding the above quote. Here comes an explanation of nslookup.
The command is nslookup <domain> <dns-server> and if dns-server is empty it uses your default. F.e.:***@fedoragaming:~$ nslookup www.google.com 8.8.8.8
The response starts by telling you which <dns-server> it used for the lookup and which address including port was used:
Server: 8.8.8.8
Address: 8.8.8.8#53It then gives you the answer on where to find the <domain>, once for ipv4 and once for ipv6:
Non-authoritative answer:
Name: www.google.com
Address: 142.251.142.228
Name: www.google.com
Address: 2a00:1450:400f:807::2004edit: I think I understand your question a bit better now. To check which dns-server you’re using do a “cat /etc/resolve.conf”
If you run a distro with systemd then use the command “resolvectl status”Thanks for taking the time to comment.
My confusing was that <dns-server> used for the look up wasnt in my net nor upstream dns.
I turned off my vpn and it resolved as expected, so I suppose that 10.2.0.1 is the dns server for my vpn provider.
How many domains do you own when you try to set up so many DNS servers?
The OP is about hosting forwarding or recursive DNS for lookups, not authoritatative DNS hosting (which would be yet at least one separate server).
I count two servers (one clusterable for HA). How is that a lot for a small LAN?
More would also be normal for serving one domain internally and publicly. Each of these can be separate:
- Internal authoriative for internal domain
- Internal resolvers for internal machines
- Internal source-of-truth for serving your zone publicly (may or may not be an actual DNS server)
- Public-facing authoritative for your zone serving the above
- Secondary for the above
- Recursing resolver of external domains for internal use
Some people then add another forwarding resolver like dnsmasq on each server.
Just one domain, I only have dnsmasq forwarding to tdns for recursive resolving, tdns forwards to quad and cloudflare for resolving what isn’t in my local cache. I’m not sure I am understanding your question.