OPNSense Setup Secured Unbound DNS with DNS over TLS (DoT)

OPNSense Setup Secure Unbound DNS configured with DNS over TLS (DoT)

Updated: 3/31/21

 

First we are going to remove any DNS servers from the routers configuration, and make sure the router gets looped back to itself for DNS quires.

1.  Login to your OPNSense admin panel, go to “System”, click “Settings”, then “General”

2. Under “DNS Servers” delete any entries and make sure all fields are blank. This is to ensure the DNS loops back to the router. Also make sure the “Do not use the local DNS service as a nameserver for this system” check box is NOT checked, click “Save”.

Now we will configure Unbound DNS and set TLS certificate bundle and specify public DNS servers.

3. Click “Services”, then “Unbound DNS”, then “General”

4. Follow the configuration instructions below:

A. Make sure the “Enabled” check box is checked.

B. Change the Network interfaces to “LAN” (your local network, that you want to use the DNS).

C. Next to “DNSSEC” Check the “Enable DNSSEC Support” box.

D. With “DHCP Registration” the “register DHCP leases” check box should NOT be checked.

E. “DHCP domain override” should be empty.

F. “DHCP Static Mappings” should NOT be checked.

G. next to “IPv6 Link-Local” the “Register IPv6 Link-Local address” check box should NOT be checked.

H. “TXT Comment Support”, “Create corresponding TXT records” check box should NOT be checked.

I. “DNS Query Forwarding”, “Enable Forwarding Mode” check box should NOT be checked.

J. Set “Local Zone Type” to “transparent”

 

K. Under “Custom Options” enter the following:

server:
tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
name: "."
forward-tls-upstream: yes

 

L. Next add your preferred DNS server entries, place the entries below the “Forward-tls-upstream…” line:

CloudFlare DNS

# CloudFlare DNS
forward-addr: [email protected]#cloudflare-dns.com
forward-addr: [email protected]#cloudflare-dns.com

 

Quad9 DNS

# Quad9 DNS
forward-addr: [email protected]#dns9.quad9.net
forward-addr: [email protected]#dns9.quad9.net

 

Google DNS

# Google DNS
forward-addr: [email protected]#dns.google
forward-addr: [email protected]#dns.google

 

Adguard DNS

# AdGurad DNS
forward-addr: [email protected]#dns.adguard.com
forward-addr: [email protected]#dns.adguard.com

 

Adguard Family Protection DNS

# Family Protection DNS
forward-addr: [email protected]#dns-family.adguard.com
forward-addr: [email protected]#dns-family.adguard.com

 

Clean Browsing DNS

# CleanBrowsing DNS
forward-addr: [email protected]#family-filter-dns.cleanbrowsing.org
forward-addr: [email protected]#family-filter-dns.cleanbrowsing.org

 

You can remove the # comment if necessary, in the custom options box you should have the top entries and preferred DNS server entries example below:

server:
tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: [email protected]#cloudflare-dns.com
forward-addr: [email protected]#cloudflare-dns.com

M. Set “Outgoing Network Interfaces” to “WAN” (Outside network to modem)

 

N. Make sure the check box by “WAPD Records” is NOT checked.

4. Click “Save”, (apply settings if asked) then click the refresh button at the top right corner

Next we will set the DHCP to assign the router as the DNS server to the clients of the network.

5. In the main menu, click “Services”, then DHCPv4, then, “LAN” (Inside local network interface)

 

6. Under “DNS Servers”, both fields should be blank. The system default DNS is it self, as we configured it.

 

7. Click “Save”, then click the refresh button at the top right corner

Thats it, you might need to disconnect and reconnect some devices so they can get new DHCP settings.

 

 

 

References and Acknowledgements:

Special Thanks to: opnfwb , Daniel Aleksandersen

https://forum.opnsense.org/index.php?topic=22340.0

https://www.ctrl.blog/entry/unbound-tls-forwarding.html

https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c9

https://kb.adguard.com/en/general/dns-providers

About the author: Amro Sahli

You must be logged in to post a comment.