OPNSense DNS Server Setup via ProxMox

 

Private DNS Server & Traffic Monitoring:
OPNsense VM on ProxMox

Setting up a secure and intelligent home network doesn’t have to be complicated. In this guide, we’ll walk you through how to deploy OPNsense on Proxmox as a private DNS server and traffic monitor, giving you enterprise-grade filtering, visibility, and control; right from your living room. Whether you're looking to block ads, monitor bandwidth, or enhance your network’s security posture, this setup offers a powerful and flexible solution without replacing your existing router.

Network Topology Overview

Internet → Main Router → OPNsense (DNS/Monitor) → LAN Devices
                    ↘ → Direct LAN Devices

Your OPNsense VM will provide:

• DNS Services: Advanced filtering, ad-blocking, malware protection.
• Traffic Monitoring: Network analysis, logging, reporting.
• Content Filtering: Block categories, specific domains, etc.

Initial Installation:

Our Full OPNsense Installation Guide

Key points for VM setups specifically:

• Make sure you've allocated at least 2GB RAM to the VM
• You need 2 network interfaces configured in TrueNAS (WAN and LAN)
• Use VirtIO network adapters for best performance
• Set the VM to start on boot if this will be your main firewall

Configuration for DNS Server Role

1. Network Interface Setup

LAN Interface Configuration:

• Go to: Interfaces → LAN
• IPv4 Configuration: Static
• IPv4 Address: 192.168.1.x/24 (within your existing network range)
• Gateway: Your existing router IP (e.g., 192.168.1.1)
• Do NOT set OPNsense as the gateway for other devices

2. DHCP Server (Disable)

• Go to: Services → DHCPv4 → LAN
• Disable: DHCP Server on LAN interface
• Your existing router should handle DHCP

3. DNS Server Configuration (Primary Focus)

Unbound DNS Resolver Settings:

• Go to: Services → Unbound DNS → General
• ✅ Enable: DNS Resolver
• Listen Port: 53
• Network Interfaces: LAN
• ✅ Enable DNSSEC Support: For security
• Do not register system records: ✅ Check this
• Local Zone Type: transparent

Advanced DNS Features:

A. DNS Blocklists (Ad/Malware Blocking)

• Go to: Services → Unbound DNS → Blocklists
• Enable: Various blocklists (ads, malware, tracking)
• Popular Lists:
  • Steven Black's Hosts
  • Malware Domain List
  • EasyList
  • Disconnect.me

B. Custom DNS Overrides

• Go to: Services → Unbound DNS → Overrides
• Host Overrides: Point specific domains to custom IPs
• Domain Overrides: Forward specific domains to other DNS servers

4. Firewall LAN/WAN Rule Configuration (DNS Server Role Only)

LAN DNS Inbound Rule:

• Action: Pass ✅
• Interface: LAN ✅
• Direction: in ✅ (allows OPNsense to receive inbound query requests)
• Protocol: TCP/UDP ✅ (DNS uses both)
• Source: LAN net ✅ (only local OPNsense can make these queries)
• Destination: This Firewall (or OPNS IP) ✅ (can query any DNS server)
• Port: DNS to DNS (port 53) ✅
• Logging: Enabled ✅

WAN DNS Outbound Rule:

• Action: Pass ✅
• Interface: WAN ✅
• Direction: out ✅ (allows OPNsense to make outbound queries)
• TCP/IP Version: IPv4 ✅ (IPv6 needed ONLY IF you need it)
• Protocol: TCP/UDP ✅ (DNS uses both)
• Source: This Firewall (or OPNS IP) ✅ (can query any DNS server)
• Destination: any ✅ (can query any DNS server)
• Port: DNS to DNS (port 53) ✅
• Logging: Enabled ✅

5. Traffic Monitoring Setup

A. Enable Logging

• Go to: System → Logging → General
• Enable: Remote Logging (if desired)
• Log Level: Information or higher

B. Firewall Logging

• Go to: Firewall → Log Files → Settings
• ✅ Enable: Log firewall default blocks
• ✅ Enable: Log packets matched by pass rules
• Log Level: Informational

C. Traffic Analysis Tools

• Go to: Reporting → Traffic
• Enable: Netflow (if supported in your setup)
• Monitor: Bandwidth usage, top talkers, protocols

6. Content Filtering Configuration

A. Sensei Plugin (Advanced Traffic Intelligence)

System → Firmware → Plugins → Install os-sensei

• Real-time traffic analysis
• Application detection
• Threat intelligence
• Bandwidth monitoring

B. Web Proxy (Optional)

• Go to: Services → Web Proxy
• Configure: Transparent proxy for web filtering
• Content filtering: Block categories, file types, etc.

7. Setup Needed Preferences In Settings

• Set your correct local time-zone
• Set theme to "Dark" if prefered
• Select "Prefer to use IPv4 even if IPv6 is available"
  
• Make sure Primary and Secondary DNS servers are setup
• Select "Allow DNS server list to be overridden by DHCP/PPP on WAN"

8. Client Configuration

Configure Devices to Use OPNsense DNS:

Method 1: Router DHCP Settings

• Configure your main router's DHCP to provide OPNsense IP as DNS server
• Primary DNS: OPNsense IP (e.g., 192.168.1.10)
• Secondary DNS: Fallback (e.g., 1.1.1.1 or 8.8.8.8)

Method 2: Manual Device Configuration

• Configure devices individually to use OPNsense as DNS server

Method 3: Pi-hole Style Setup

• Set OPNsense as primary DNS in router
• Optionally redirect all DNS traffic to OPNsense via firewall rules

Essential Monitoring Features

1. DNS Query Monitoring

• Go to: Services → Unbound DNS → Query Log
• Enable: Query logging for analysis
• Monitor: Most queried domains, blocked requests

2. Real-time Traffic Dashboard

• Go to: Interfaces → Diagnostics → Traffic Graph
• Monitor: Real-time bandwidth usage
• Analyze: Traffic patterns, peak usage times

3. Firewall Analytics

• Go to: Firewall → Log Files
• Monitor: Blocked connections, passed traffic
• Analyze: Security threats, unusual patterns

Performance Optimization for DNS Role

1. VM Resource Allocation

• CPU: 2-4 cores sufficient
• RAM: 4-8GB (more if using Sensei/traffic analysis)
• Storage: 50-100GB for logs and analytics data

2. DNS Caching Optimization

• Go to: Services → Unbound DNS → Advanced
• Message Cache Size: 50-100MB
• RRSet Cache Size: 100-200MB
• Outgoing TCP Buffers: 10-50
• Incoming TCP Buffers: 10-50

3. Log Management

• Rotate logs: Configure log rotation to prevent disk space issues
• Remote logging: Send logs to external syslog server if desired
• Retention: Set appropriate log retention periods

Monitoring Dashboard Setup

1. Built-in Widgets

• Go to: Lobby (Dashboard)
• Add Widgets:
  • System Information
  • Interface Statistics
  • Firewall Logs
  • DNS Query Stats (if available)

2. External Monitoring Integration

• Grafana: For advanced visualization
• PRTG/LibreNMS: For SNMP monitoring
• ELK Stack: For log analysis

Security Considerations

1. Access Control

• Secure Web Interface: Change default ports, use HTTPS
• Firewall Rules: Restrict management access
• User Accounts: Create separate admin accounts

2. DNS Security

• DNS over HTTPS (DoH): Configure if needed
• DNS over TLS (DoT): Enable for upstream queries
• DNSSEC Validation: Already enabled ✅

3. Regular Maintenance

• Updates: Keep OPNsense and plugins updated
• Backups: Regular configuration backups
• Monitoring: Set up alerts for service failures

Quick Start Checklist

1. [  ] Set static IP for OPNsense LAN interface
2. [  ] Disable DHCP server on OPNsense
3. [  ] Configure Unbound DNS with blocklists
4. [  ] Setup inbound LAN Firewall Rule
5. [  ] Setup outbound WAN Firewall Rule
6. [  ] Enable comprehensive logging
7. [  ] Configure main router to use OPNsense as DNS
8. [  ] Test DNS resolution and filtering
9. [  ] Set up monitoring dashboards
10. [  ] Configure log rotation and retention
11. [  ] Create configuration backup

Testing Your Setup

1. DNS Functionality Test

# Test from client device
nslookup google.com [OPNsense-IP]
dig @[OPNsense-IP] google.com

# Test ad blocking
nslookup doubleclick.net [OPNsense-IP]  # Should be blocked

2. Traffic Monitoring Test

• Generate various traffic types
• Check real-time monitoring graphs
• Verify logging is working
• Test filtering rules

This setup gives you enterprise-grade DNS filtering and network monitoring while keeping your existing router as the main gateway! You now have a robust DNS filtering and traffic monitoring system that enhances privacy, security, and performance across your network. From blocking unwanted content to analyzing traffic patterns and securing DNS queries, this setup empowers you to take full control of your digital environment. Don’t forget to keep your system updated, back up your configuration regularly, and explore additional plugins like Sensei for even deeper insights. Happy networking!

Created & Maintained by Pacific Northwest Computers

Pacific NW Computers

www.linktr.ee/pnwcomputers

www.pacificnwcomputers.com

📞 Pacific Northwest Computers offers remote and onsite support across: 
Vancouver WA, Battle Ground WA, Camas WA, Washougal WA, Longview WA, Kelso WA, and Portland OR