When you connect to a website or service, you're using the Domain Name System (DNS), which is essentially a giant internet directory. Think of it like opening up the phone book, but instead of companies and phone numbers, it's domain names and IP addresses. These addresses are what devices and software use instead of human-friendly domains like xda-developers.com.

DNS resolution is usually handled by a third party, which could be anyone from your internet service provider (ISP) to Cloudflare or Google. I've upgraded plenty of parts of my local area network (LAN), but one thing I hadn't touched since making some major renovations is DNS. I'd left it pointing to Cloudflare with Google as backup, and everything worked well through OPNsense.

Some network upgrades I've made include faster switches, 10Gb node links, more powerful access points, and VLANs. But while all of these changes made some notable improvements to the overall network, it was custom locally managed DNS that really brought everything together. The best part? No new hardware required, no licenses, and no complicated design. A few settings and I'm good to go.

After bringing DNS into the fold, everything felt slightly snappier, more reliable, and easier to manage. Running OPNsense too? Here's how to do it on your own LAN (and why you'd want to).

Why you'd want to use a local DNS

And what it means for your LAN

When people read about virtual private networks (VPN), reverse proxies, and DNS, they think big enterprise networking and complicated setups, but this couldn't be further from the truth. Depending on the LAN and how it's configured, getting a custom local DNS up and running can be as simple as a single setting change. The firewall/router can run a DNS resolver.

The resolver only goes upstream when a name isn't already in its cache, and it caches every response locally, so devices on the LAN use your own resolver instead of querying external DNS servers directly. On OPNsense, that resolver is Unbound, which is also an invaluable tool for overriding, blocking, and managing DNS. Instead of every device contacting some outside server, they all query the firewall.

Not only does this improve performance, since repeat lookups are answered from the local cache, but it is also more reliable and resilient to outside factors. Cached lookups are answered without delay, so there's lower latency and less reliance on external services when using your own DNS. It's nice to have for ordinary devices, but it's almost a must-have for network-attached storage (NAS) and self-hosted services.

It's more private

Even if you don't run a continuous network-wide VPN connection and attempt to block everything to maintain the highest level of privacy, running your own DNS can help avoid leaking unnecessary information. When every lookup goes to a third-party DNS server, you're effectively allowing your browsing activity to be logged by someone else. Using a local resolver like Unbound helps to prevent this.

Routing all DNS requests through your firewall helps with blocking and redirecting specific domains. Local overrides are incredibly easy to manage, and troubleshooting is a touch easier should things go wrong.

How to configure your own DNS server

Using OPNsense and Unbound

The best part of running OPNsense on a custom firewall box is being able to make changes to just about every aspect of the LAN. All we need to do is enable Unbound within OPNsense and stop it from pointing clients at external DNS servers, so they use the locally managed resolver instead.

  1. Go to Services > Unbound.
  2. Click General.
  3. Check "Enable Unbound".
  4. Select the network interfaces (LAN, VLANs).
  5. Check "Domain Name System Security Extensions (DNSSEC)".
  6. Go to System > Settings > General.
  7. Delete any entries under DNS Servers.

That's all there is to it. OPNsense will now advertise its own IP as the DNS server for the network. To take things to the next level, host overrides can be created within Unbound for local services like Home Assistant and Jellyfin. Unbound can even pull published blocklists to help cut down on advertising and tracking.
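To confirm from a client that the resolver really is answering and that the DNSSEC setting from step 5 took effect, here is an added example (my own code, not from the article, OPNsense, or Unbound). It builds a raw DNS query with the EDNS0 DO bit set and reads the AD flag from the reply; it assumes the firewall's LAN address is 192.168.1.1 and that cloudflare.com is a signed zone and dnssec-failed.org a deliberately broken one.

```python
import socket
import struct

# Added example, not from the article or from OPNsense/Unbound: a stdlib-only
# probe that queries a resolver with DO=1 and reads back the AD (Authenticated
# Data) flag, which a resolver only sets when it validated DNSSEC itself.

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A-record query for `name`: RD=1, one question, one OPT record with DO=1."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO bit, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response: bytes) -> dict:
    """Pull the validation-relevant header fields out of a raw DNS response."""
    _id, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", response[:12])
    return {
        "ad": bool(flags & 0x0020),  # resolver validated the answer chain
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": an,
    }

def classify(signed: dict, broken: dict) -> str:
    """Validating resolvers answer a signed zone with AD=1 and SERVFAIL a broken one."""
    if signed["rcode"] == 0 and signed["ad"] and broken["rcode"] == 2:
        return "validating"
    if signed["rcode"] == 0 and not signed["ad"] and broken["rcode"] == 0:
        return "not validating"
    return "inconclusive"

def query(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to `server`:53 and return the parsed response header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_flags(data)

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed OPNsense LAN IP
    # Assumed public test zones: cloudflare.com is signed; dnssec-failed.org is
    # deliberately mis-signed, so a validating resolver must return SERVFAIL for it.
    result = classify(query(resolver, "cloudflare.com"), query(resolver, "dnssec-failed.org"))
    print(f"{resolver}: {result}")
```

Run it from a LAN client as `python3 dnssec_probe.py 192.168.1.1`; "validating" means Unbound is doing the validation itself rather than just caching whatever an upstream returned.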

You should already be doing this

Networking is full of potential upgrades. Running your own DNS is a worthwhile endeavor. It's one of the best things I've done for my LAN. Instead of handing every domain lookup to an external provider, your network now caches answers locally, so repeat requests load faster. The LAN is smarter, there's no middleman, and I can improve privacy across the board. One thing we do recommend with many aspects of the home lab, especially DNS, is redundancy.

I'll be configuring an SBC soon as a dedicated DNS and filtering gateway with the fallback option of Unbound, should it go down for some reason.