Published: in Videos
How the New Unbound Extended Blocklists Work in OPNsense 25.7.8 (Full Guide)
OPNsense 25.7.8 introduces one of the biggest upgrades in recent Community Edition history: Extended DNS Blocklists for Unbound, previously exclusive to the Business Edition.
This update gives you per-network DNS filtering, letting you apply different blocklists to your LAN, IoT, Guest, or VLANs—all from Unbound.
In this article and walkthrough video, I'll explain how the new blocklist system works, how to set it up, and what early issues users have reported since release.
What Changed in OPNsense 25.7.8?
Before this release, Unbound could only use one blocklist configuration globally. You could whitelist, block domains, add wildcard blocking, and use a few advanced options—but all clients shared the same policy.
Prior to 25.7.8 (25.7.7_4):
- One global blocklist
- Basic whitelist, blocklist, and wildcard entries
- Advanced options:
  - Destination address
  - Return NXDOMAIN
Good, but limited—especially if you run multiple networks.
What’s New in 25.7.8? Multi-Blocklist Policies
The Unbound Blocklist page now lets you create multiple blocklist entries, each assigned to specific source networks (subnets).
New capabilities include:
✔ Multiple blocklist profiles
✔ Apply blocklists per interface, per VLAN, or per subnet
✔ Cache TTL for fine-grained control
✔ Built-in Blocklist Tester tool
✔ Same whitelist, blocklist, and wildcard options as before
This opens the door to things like:
- Stricter filtering for Guest networks
- Blocking telemetry on IoT networks
- Allow-listing sensitive internal services on LAN
- Keeping corporate and home network DNS policies separate
How to Create a Blocklist in 25.7.8
1. Go to Services → Unbound DNS → Blocklist
2. Click Add
3. Enable the blocklist
4. Choose a DNSBL type
5. Add URLs for blocklists (if using a list-based DNSBL)
6. Add optional allow-lists or domain blocks
7. Under Source Net, enter the network(s) the policy applies to, for example 10.1.50.0/24 (Guest network) or 192.168.1.0/24 (LAN)
8. Adjust advanced settings if needed:
   - Cache TTL
   - Destination address
   - Return NXDOMAIN
9. Add a description
10. Save
Keep in mind that a policy only applies to queries that actually reach Unbound from a source address inside its Source Net. Clients that use a hardcoded public resolver or DNS-over-HTTPS bypass it unless your firewall rules redirect or block that traffic.
New Blocklist Tester Tool
OPNsense now includes a built-in testing tool that tells you, for a given domain:
- whether it is blocked or allowed
- which rule caused that result
- which policy the rule belongs to
Exactly what admins have wanted for years.
Example test: ads.google.com
The Tester will show whether the domain is blocked and which rule triggered it.
Should You Upgrade to 25.7.8? Early Issues Reported
It’s a new release, so naturally the OPNsense forums have a few early reports. Here are the noteworthy ones:
1. DNS Caching Issues (Blocklist Cache Leak)
Some users reported that a domain blocked on one network could be cached and then answered as allowed on other networks, so the per-network policy did not hold once the answer was in the shared cache.
A fix was quickly proposed that avoids caching entries affected by a blocklist policy.
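To make the three pieces above concrete (the per-Source-Net policy you configure in the blocklist form, the blocked/allowed/rule/policy verdict the Blocklist Tester reports, and the cache leak reported after release), here is an added Python model of that behaviour. It is example code written for this article, not code from OPNsense or Unbound, and it does not claim to mirror Unbound's internals: the policies, domains, subnets, the upstream answer, and the "cache consulted before the policy check" ordering are all constructed assumptions for the demo. The fix it models is the one the report describes, skipping the cache for any name a blocklist policy acts on.

```python
"""Per-network DNS blocklist policies and the cache-leak failure mode.

Added example, not OPNsense or Unbound code. Everything below (policies,
domains, subnets, upstream answer) is constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Policy:
    name: str
    source_nets: list                               # e.g. ["10.1.50.0/24"]
    blocked: set = field(default_factory=set)       # exact names
    wildcards: set = field(default_factory=set)     # name and every subdomain
    allowed: set = field(default_factory=set)       # exact names, win over blocks
    dest_addr: Optional[str] = None                 # None -> answer NXDOMAIN
    cache_ttl: int = 60

    def __post_init__(self):
        self.source_nets = [ipaddress.ip_network(n) for n in self.source_nets]


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def _suffixes(name: str) -> list:
    # "x.ads.example.com" -> ["x.ads.example.com", "ads.example.com", "example.com", "com"]
    parts = _norm(name).split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def select_policy(policies, client_ip):
    """Most specific (longest prefix) Source Net wins; None if no policy matches."""
    ip = ipaddress.ip_address(client_ip)
    best, best_len = None, -1
    for p in policies:
        for net in p.source_nets:
            if ip in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best


def evaluate(policy, qname):
    """Return (verdict, rule, answer): the kind of result the Tester reports."""
    name = _norm(qname)
    if policy is None:
        return "allowed", "no policy for source", None
    if name in policy.allowed:
        return "allowed", f"{policy.name}: allowlist {name}", None
    if name in policy.blocked:
        rule = f"{policy.name}: blocklist {name}"
    else:
        hit = next((s for s in _suffixes(name) if s in policy.wildcards), None)
        if hit is None:
            return "allowed", f"{policy.name}: no match", None
        rule = f"{policy.name}: wildcard *.{hit}"
    return "blocked", rule, policy.dest_addr or "NXDOMAIN"


class Resolver:
    """Toy resolver whose shared answer cache is consulted BEFORE the policy check.

    skip_cache_for_policy_hits=False reproduces the reported leak: an answer
    resolved for one network is served from cache to a network that should
    have blocked it. True models the proposed fix: never cache a name that
    any blocklist policy acts on.
    """

    def __init__(self, policies, skip_cache_for_policy_hits: bool):
        self.policies = list(policies)
        self.skip = skip_cache_for_policy_hits
        self.cache = {}

    @staticmethod
    def _upstream(name):
        return "203.0.113.10"          # constructed upstream answer (TEST-NET-3)

    def resolve(self, client_ip, qname):
        name = _norm(qname)
        if name in self.cache:
            return "cache hit", self.cache[name]
        verdict, rule, answer = evaluate(select_policy(self.policies, client_ip), name)
        if verdict == "allowed":
            answer = self._upstream(name)
        affected = any(evaluate(p, name)[0] == "blocked" for p in self.policies)
        if not (self.skip and affected):
            self.cache[name] = answer
        return rule, answer


def demo_policies():
    return [
        Policy("LAN", ["192.168.1.0/24"], allowed={"ads.google.com"},
               wildcards={"doubleclick.net"}, dest_addr="0.0.0.0"),
        Policy("Guest", ["10.1.50.0/24"], blocked={"ads.google.com"},
               wildcards={"doubleclick.net"}),
        Policy("IoT", ["10.1.60.0/24"], wildcards={"telemetry.example.net"}),
    ]


def demo_cache_leak():
    """Return (Guest answer with the leaky cache, Guest answer with the fix)."""
    leaky = Resolver(demo_policies(), skip_cache_for_policy_hits=False)
    leaky.resolve("192.168.1.10", "ads.google.com")      # LAN allowlists it: real answer cached
    leak = leaky.resolve("10.1.50.20", "ads.google.com")  # Guest should have got NXDOMAIN
    fixed = Resolver(demo_policies(), skip_cache_for_policy_hits=True)
    fixed.resolve("192.168.1.10", "ads.google.com")
    ok = fixed.resolve("10.1.50.20", "ads.google.com")
    return leak, ok


if __name__ == "__main__":
    pols = demo_policies()
    for ip, q in [("10.1.50.20", "ads.google.com"), ("10.1.50.20", "stats.doubleclick.net"),
                  ("192.168.1.10", "ads.google.com"), ("10.1.60.5", "a.telemetry.example.net")]:
        print(ip, q, evaluate(select_policy(pols, ip), q))
    print(demo_cache_leak())
```

The point of the `Resolver` half is that per-network policy and a shared answer cache are in tension: any cache keyed on the name alone will hand one network's answer to another unless policy-affected names are kept out of it (or the key includes the policy). When you run the real Tester after upgrading, test the same domain from two networks with different policies, not just one, so a leak of this kind would show up.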
2. Dashboard Display/Plugin Issues
Reports of missing dashboard items after upgrade.
3. WireGuard Tunnel Reachability
Some users with dynamic IP + Starlink setups saw issues pinging WireGuard tunnel peers.
4. FreeRADIUS Authentication Issue
A Wi-Fi auth problem was identified and patched shortly after.
5. Update Loop (“COT request update”)
A few users reported the firmware update reappearing repeatedly, though this issue could not be universally reproduced.
My Recommendation: Upgrade?
Yes, if none of the issues listed affect you directly.
The upgrade brings major improvements, especially for anyone using:
- Guest networks
- IoT networks
- VLAN segmentation
- DNS filtering
- Parental controls
- Small business environments
A fix for the caching issue is already being worked on, and the other bugs seem limited to specific setups.
As always: before upgrading, make a snapshot.
I helped write the snapshots feature and always recommend using it.
Resources
- OPNsense Documentation: https://docs.opnsense.org/
- Extended DNS Blocklists Overview: https://docs.opnsense.org/vendor/deciso/extended_dnsbl.html