Split Horizon DNS in 2025

I’ve got a simple homelab setup where I’ve used subdomains of a domain I own for my internal services.

These are then served off of either a PowerDNS authoritative server, or direct from Unbound on OPNsense. All DNS queries go direct to Unbound, which then handles resolving the query either internally or externally (as appropriate).

This seems to work fine for desktops and laptops, but for phones I’ve also had to resort to adding a firewall rule to intercept outbound DNS traffic and route it to Unbound for the sake of my Android phone (which seems to always add the Google DNS server on top of any I configure via DHCP, and then query it first - ignoring my own DNS servers). Without that rule, my phone asks Google about the internal domain, gets an NXDOMAIN response and decides the site doesn’t exist.

To which I find myself with two questions:

  • Is there a better way of doing this that still lets me keep those subdomains as internal to my network? Redirecting all outbound port 53 seems heavy handed.
  • What will happen as DNS over HTTPS becomes more common? It can’t be intercepted this way.

The latter seems especially pertinent with IPv6 slowly emerging - as I might be able to manage remembering some IPv4 addresses manually (but DNS is still handy, and also enables the use of reverse proxies), but managing IPv6 addresses by hand is untenable.

There is not really a solution for that outside of blocking the places they connect which will force the devices to try other options.

Yes. Keep it simple. Don’t use an authoritative name server in your local network, and instead of forward-zone or other methods of delegating your local zones, just use local-data in Unbound. In other words, manage the local DNS records/host overrides directly in Unbound. This is likely sufficient in a home network unless you need the PowerDNS API because you have a lot of automation going on that constantly needs to create or change DNS records. :wink:

However, that’s probably not what’s causing the issue as it seems to work on your desktops and laptops, which I assume also get their DNS configuration via DHCP. So, my first guess would be that the issue is probably related to the ‘Private DNS’ setting on your phone. Have you tried setting it to ‘Automatic’ or turning it off entirely?

Of course, it could still be somehow related to your overall DNS infrastructure and/or your DHCP settings, especially since you wrote about “my own DNS servers” (plural). :wink:

  • If the forward zones and/or local DNS records/host overrides have been set in Unbound on OPNsense, ensure that OPNsense is the only DNS server being handed out via DHCP.

  • Do not hand out any public DNS resolvers alongside the local one, because you cannot control which one the client devices will use. There is no guarantee that they will always pick the first one on the list.

  • If you want to ensure redundancy, you could hand out multiple local DNS resolvers. However, you would then also need to set up the forward zones and/or local DNS records, as well as possible public upstream servers, on each of those.

I also wanted to mention that I’m using pfSense and haven’t switched to the KEA DHCP server yet. As far as I know, it still has, or at least it had until recently, certain issues with handing out DHCP reservations reliably, which may also affect DNS allocations. I’m not sure if switching back to ISC is still an option in OPNsense. If it is though, it might be worth a shot to rule out KEA as a possible cause.

If you’ve tried all of these things and it still doesn’t work, maybe describe your configuration in more detail, or post config files and/or screenshots of your Unbound, PowerDNS and DHCP settings.
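The “local-data in Unbound” layout the reply above recommends, written out as an added example (not from this thread or from OPNsense’s own generated config; the zone home.example.com, the LAN prefixes, the host addresses and the upstream resolver address are all placeholders):

```conf
# Constructed unbound.conf fragment for a split-horizon home zone.
# Zone name, prefixes, host addresses and upstream are assumptions.
server:
    # Listen only on the LAN side so this box is the single resolver
    # that DHCP hands out (see the DHCP points in the reply above).
    interface: 192.168.1.1
    interface: fd00:1::1
    access-control: 192.168.1.0/24 allow
    access-control: fd00:1::/64 allow

    # "static": names under this zone are answered from local-data only;
    # anything not listed gets NXDOMAIN locally and is never sent
    # upstream, so internal hostnames do not leak to public resolvers.
    local-zone: "home.example.com." static

    # Forward records: keep A and AAAA together so IPv6-only clients
    # resolve the same names (the reason hand-managed IPv6 is untenable).
    local-data: "proxy.home.example.com. IN A    192.168.1.10"
    local-data: "proxy.home.example.com. IN AAAA fd00:1::10"
    local-data: "nas.home.example.com.   IN A    192.168.1.20"
    local-data: "nas.home.example.com.   IN AAAA fd00:1::20"

    # Reverse records so PTR lookups of LAN addresses resolve too.
    local-data-ptr: "192.168.1.10 proxy.home.example.com"
    local-data-ptr: "fd00:1::10   proxy.home.example.com"
    local-data-ptr: "192.168.1.20 nas.home.example.com"
    local-data-ptr: "fd00:1::20   nas.home.example.com"

    # OPNsense enables DNS-rebinding protection (private-address), which
    # would otherwise strip private addresses from answers; whitelist the
    # internal zone so its RFC1918/ULA answers are returned intact.
    private-domain: "home.example.com."

    # Encrypt the resolver's own upstream traffic (DNS over TLS), so the
    # only cleartext DNS on the network is LAN-to-resolver.
    tls-cert-bundle: /etc/ssl/cert.pem

# Everything that is not home.example.com goes to the public resolver.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Placeholder upstream; replace with your chosen DoT resolver and
    # the hostname to authenticate its certificate against.
    forward-addr: 203.0.113.53@853#dot.resolver.example
```

A quick check from a LAN client is `dig @192.168.1.1 nas.home.example.com AAAA` versus `dig @192.168.1.1 nothere.home.example.com`: the first returns the local record, the second NXDOMAIN from Unbound itself rather than from the upstream.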

That really depends on whether you’re still able to control it, i.e., disable it or configure your own DoH server. I’d expect that to remain possible on most devices and apps like browsers.

However, for devices or apps that have hardcoded DoH settings, it could become hard, or even impossible, to control. You could try blocking known public DoH servers but:

  • It becomes a tedious cat-and-mouse game, and

  • Some devices might stop working properly if they require internet access and their DNS gets blocked.

Although… that second point could also be considered a feature. :wink:

I rewrote my post above because I hadn’t read your post properly the first time! :wink:

My current reply also takes the authoritative nameserver into account.