Split DNS done right using OPNsense

I can’t get over how simple and powerful my OPNsense router is. It’s almost as easy to set up as any consumer router as long as you know to leave stuff alone that you don’t understand. I recently set up OPNsense on a Protectli VP420 and I’ve been really happy with it.

Running a home lab with public-facing services, you run into the problem of split DNS. Any name, like my home.stovallhut.online web page, has to be published with a public IP address so it can be reached over the internet. The problem is that a client at home should be contacting the service’s local address on the LAN, not going out and back in through the WAN (some routers let you use NAT reflection/hairpinning to get around that, but it has its own issues: the traffic still hairpins through the firewall and is usually source-NATed, so the server no longer sees the real client address). My OPNsense router makes this easy to manage with its Unbound DNS service and host overrides: Unbound answers the name with the LAN address for internal clients, while the public record stays untouched.
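For concreteness, here is what those settings look like as a stock unbound.conf fragment, covering the host override described above and the DNS-over-TLS forwarding the post goes on to describe. This is an added example, not text from the post and not OPNsense’s generated configuration: on OPNsense you set the override under Services > Unbound DNS > Overrides and the upstream under Services > Unbound DNS > DNS over TLS, and OPNsense writes the equivalent directives itself. The LAN address 192.168.1.10, the choice of Quad9 as upstream and the CA bundle path are assumptions.

```conf
# Added example (not from the post): unbound.conf equivalent of an OPNsense
# host override plus DNS-over-TLS forwarding. Addresses and upstream are
# assumptions for illustration.
server:
  # "transparent" means only names that have local-data are answered here;
  # any other label under stovallhut.online is still resolved publicly, which
  # is exactly the split-horizon behaviour wanted. ("static" would instead
  # make Unbound refuse to look up unknown names in the zone.)
  local-zone: "stovallhut.online." transparent
  local-data: "home.stovallhut.online. IN A 192.168.1.10"
  # Reverse record so the LAN address resolves back to the name.
  local-data-ptr: "192.168.1.10 home.stovallhut.online."
  # CA bundle used to validate the upstream's certificate (assumed path).
  tls-cert-bundle: "/etc/ssl/cert.pem"

# Everything not answered locally is forwarded encrypted. The "#authname"
# suffix makes Unbound verify the upstream's certificate against that name;
# without it the connection is encrypted but not authenticated, so anyone
# on the path could impersonate the resolver.
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
```

A client on the LAN asking for home.stovallhut.online gets 192.168.1.10 straight from Unbound; the same name looked up from outside still resolves to the public address in the registrar’s zone, because the override never leaves the router.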

That all works well, but the icing on the cake came when I figured out (with the help of a Great Guide) how to force queries through my local DNS even when the client software specifically asks for a different DNS server. A NAT port-forward rule on the LAN interface redirects any outbound traffic to port 53 to Unbound on the router. So if a client sends DNS queries to Google’s public DNS at 8.8.8.8, the router will STILL handle the request locally if it can, without ever contacting Google. And when Unbound does need a public server, it won’t be Google, and the query goes out using DNS over TLS, so my lookups are private from third parties like my ISP. One caveat: the redirect only catches plain port-53 DNS. A client that speaks DNS over HTTPS on port 443 or its own DNS over TLS on port 853 bypasses it; outbound 853 from the LAN can be blocked with a firewall rule, but DoH is indistinguishable from ordinary HTTPS by port alone.
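A quick way to confirm both behaviours from a LAN client, as an added example that is not part of the original post. It assumes the hostname above, a router at 192.168.1.1, and that the redirect was built as a Firewall > NAT > Port Forward rule on the LAN interface for TCP/UDP port 53, with the destination inverted so the firewall’s own address is excluded and the target set to the router’s Unbound. The trick in the second check is that 8.8.8.8 cannot know the private address, so getting it back from a query addressed to Google proves the router answered instead.

```shell
#!/bin/sh
# Added example, not part of the original post: check split DNS and the
# port-53 redirect from a LAN client with dig. NAME, ROUTER and the expected
# behaviour of PUBLIC_RESOLVER are assumptions for illustration.
NAME="home.stovallhut.online"
ROUTER="192.168.1.1"
PUBLIC_RESOLVER="8.8.8.8"

# True (exit 0) when a dotted-quad address is RFC 1918 private.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# First A record in "dig +short" output; CNAME lines and junk are dropped.
first_a_record() {
  printf '%s\n' "$1" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# Classify what a resolver answered for NAME:
#   local  - private address, i.e. the Unbound host override answered
#   public - routable address, i.e. the query reached a real upstream
#   none   - no A record (timeout, NXDOMAIN, or port 53 blocked)
classify_answer() {
  addr=$(first_a_record "$1")
  if [ -z "$addr" ]; then
    echo none
  elif is_private_ip "$addr"; then
    echo local
  else
    echo public
  fi
}

# Query one resolver for NAME and print the verdict for its answer.
verdict_for() {
  answer=$(dig +short +time=2 +tries=1 "@$1" "$NAME" A 2>/dev/null || true)
  classify_answer "$answer"
}

main() {
  status=0
  # 1. The router itself must answer with the LAN address (host override).
  v=$(verdict_for "$ROUTER")
  printf '%-16s %s\n' "$ROUTER" "$v"
  [ "$v" = local ] || status=1
  # 2. A query addressed to 8.8.8.8 must ALSO come back with the LAN address.
  #    Google has no private record for this name, so "local" here proves the
  #    router's port-53 redirect intercepted the query; "public" means the
  #    client really reached Google and the redirect is not in effect.
  v=$(verdict_for "$PUBLIC_RESOLVER")
  printf '%-16s %s\n' "$PUBLIC_RESOLVER" "$v"
  [ "$v" = local ] || status=1
  return "$status"
}

# Run the live checks only when asked, so the helpers can also be sourced.
if [ "${1-}" = "--run" ]; then
  main
  exit $?
fi
```

Run it as `sh check-split-dns.sh --run` from a LAN machine that has dig installed; it exits non-zero if either check fails. The helpers do no network I/O on their own, which is what makes them easy to test offline, and the same two queries are worth re-running after any firewall change, since a redirect rule that silently stops matching leaves clients talking to Google again with no visible symptom.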

Amazing device 🙂
