
OPNsense 25.7.9 Released – Unbound Blocklist Fixes, Tailscale Plugin 1.3 & More

By Sam Sheridan - 11th December, 2025

OPNsense released version 25.7.9 on December 4th, 2025, just a week after the 25.7.8 update. While the previous release introduced the brand-new Unbound Blocklist feature, it also surfaced a few issues, especially around DNS caching and blocklist behavior. Version 25.7.9 focuses on tightening up those areas while also delivering fixes to the Tailscale plugin and several smaller but important system improvements.

Below is a clear breakdown of what’s new, what’s fixed, and why this update matters.

Why 25.7.9 Was Released So Quickly

The 25.7.8 update brought major enhancements to Unbound blocklists, but users quickly noticed caching inconsistencies when using multiple blocklists with different network restrictions. A bug prevented DNS caching from being properly disabled, leading to unexpected DNS behavior.

OPNsense 25.7.9 resolves this issue and improves how the new blocklist migration process handles notifications and formatting.

If you’re using Unbound blocklists, this update is strongly recommended.

Key Fix: Unbound Blocklist Caching Issue

The headline fix in this release:

  • Corrects a bug where DNS caching continued even when multiple blocklists required different handling

  • Polishes notification logic during migration from old to new blocklist formats

  • Includes port updates for Unbound, upgrading it to 1.24.2, which resolves CVE-2025-11411, a domain hijacking vulnerability involving promiscuous NS records

This ensures more reliable DNS filtering and improved security across installations.

Tailscale Plugin 1.3 – No More Reusing Expired Pre-Auth Keys

Another important enhancement is the update I made to the Tailscale plugin, now at version 1.3.

The modified RC script now:

  • Prevents reuse of an authentication key if the device is already authenticated

  • Reduces issues where Tailscale would fail to authenticate after a pre-auth key expired

  • Offers more reliable reconnection behavior

If you rely on Tailscale for remote access or mesh networking, this update is especially helpful.
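The decision described above (only offer the pre-auth key when the node is not yet authenticated) can be sketched as follows. This is an added example, not the plugin's RC script: the key file path is a placeholder, the status JSON is a constructed sample, and the mapping from state to action is an assumption about how such a check could be written using the `BackendState` field of `tailscale status --json`.

```shell
#!/bin/sh
# Added example: decide whether `tailscale up` should be given a pre-auth key.
# Not the OPNsense plugin's RC script; KEYFILE is a hypothetical placeholder.

KEYFILE="/path/to/authkey"   # placeholder, not a real plugin path

# Constructed sample of `tailscale status --json` output (trimmed).
sample_status() {
    cat <<'EOF'
{
  "Version": "0.0.0-constructed",
  "BackendState": "Running",
  "Self": { "HostName": "fw-example", "Online": true }
}
EOF
}

# Read status JSON on stdin and print the BackendState value.
backend_state() {
    sed -n 's/.*"BackendState"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p' | head -n 1
}

# Print the arguments for `tailscale` given the current backend state ($1)
# and the key file path ($2). The key is offered only when there is no login.
up_args() {
    case "$1" in
        NeedsLogin|NoState)
            # Not authenticated: enrol with the key, read from a file so it
            # does not appear in the process list.
            echo "up --auth-key=file:$2" ;;
        Running|Starting|Stopped|NeedsMachineAuth)
            # Node identity already exists: reconnect without the key, so an
            # expired key cannot break startup.
            echo "up" ;;
        *)
            # Daemon unreachable or unknown state: send nothing.
            return 1 ;;
    esac
}

state=$(sample_status | backend_state)
echo "state=$state -> tailscale $(up_args "$state" "$KEYFILE")"
```

On a live system the input to `backend_state` would be the output of `tailscale status --json` rather than the sample function.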

Firewall & Networking Improvements

OPNsense 25.7.9 includes several refinements across the firewall and networking stack:

Firewall

  • Quick-Allow blocklist actions now behave correctly

  • Filter logs are run immediately after rule application

  • Promiscuous mode is removed for cleaner operation

  • IPv6 improvements allow specific ICMP types (e.g., timex / param-prob)

GeoIP Aliases

To prevent confusion between country codes and two-letter TLDs, nesting of GeoIP aliases has been disabled.

Shell & Backend Improvements

The OPNsense team continues its long-term effort to harden shell command execution:

  • More replacements of raw exec calls with safer alternatives

  • Enhanced command translation for IPSec

  • Improved handling of model caching in IPSec connections

  • Various refinements across DHCP (ISC & Kea) and DNSMasq

These changes improve security, stability, and system maintainability.

User Interface Enhancements

Small but welcome UI improvements include:

  • Notification status now refreshes correctly after applying defaults

  • Removal of obsolete jQuery reboot grid files

  • Restructured DOM layout for the live log page

Plugin Updates

Several plugins received meaningful updates:

ACME Client

Now supports:

  • Hetzner DNS

  • Selectel.ru

  • Mijn.host

  • Azure DNS

  • ZoneEdit

NDP Proxy Go

  • Adds experimental PPPoE point-to-point upstream support

TURN Server Plugin

  • Adds a dedicated log page

  • Switches to local syslog logging

  • Removes outdated log files

Zabbix Agent

  • Adds star agent pollers

  • Supports max concurrent checks

  • Adds listen backlog option

OpenVPN

  • Upgraded to 2.6.14

  • TLS-Crypt v2 can now be applied to initial session packets

  • Drops Ubuntu 20.04 support

  • Improves crypto backend compatibility

  • Fixes DCO source IP handling in multi-home setups

Upgrading to OPNsense 25.7.9

As always, it’s recommended to do the following (and this is why I created the snapshots feature):

  1. Create a system snapshot before upgrading

  2. Navigate to: System → Firmware → Updates

  3. Apply the available 25.7.9 update

In testing, this upgrade did not require a reboot, though this may vary depending on your configuration.


Final Thoughts

OPNsense 25.7.9 is a focused stability and security update—especially important for users adopting the new Unbound blocklist system or relying on Tailscale. While not a feature-heavy release, it brings essential fixes and polish as we close out 2025.

If you prefer video walkthroughs, be sure to watch the full breakdown above.
