OPNsense Setup: Secure Unbound DNS with DNS over TLS (DoT)
First we are going to remove any DNS servers from the router's configuration and make sure the router loops back to itself for DNS queries.
1. Log in to your OPNsense admin panel, go to “System”, click “Settings”, then “General”.
2. Under “DNS Servers”, delete any entries so that all fields are blank; this ensures DNS lookups loop back to the router. Also make sure the “Do not use the local DNS service as a nameserver for this system” check box is NOT checked, then click “Save”.
Now we will configure Unbound DNS, set the TLS certificate bundle and specify the public DNS servers to forward to.
3. Click “Services”, then “Unbound DNS”, then “General”.
4. Follow the configuration instructions below:
A. Make sure the “Enabled” check box is checked.
B. Change “Network Interfaces” to “LAN” (the local network that should use this resolver).
C. Next to “DNSSEC”, check the “Enable DNSSEC Support” box.
D. Under “DHCP Registration”, the “Register DHCP leases” check box should NOT be checked.
E. “DHCP domain override” should be empty.
F. “DHCP Static Mappings” should NOT be checked.
G. Next to “IPv6 Link-Local”, the “Register IPv6 Link-Local address” check box should NOT be checked.
H. Under “TXT Comment Support”, the “Create corresponding TXT records” check box should NOT be checked.
I. Under “DNS Query Forwarding”, the “Enable Forwarding Mode” check box should NOT be checked (forwarding is configured by hand in the custom options below, so that TLS is used).
J. Set “Local Zone Type” to “transparent”.
K. Under “Custom Options” enter the following:
    server:
      tls-cert-bundle: "/etc/ssl/cert.pem"
    forward-zone:
      name: "."
      forward-tls-upstream: yes
L. Next add your preferred DNS server entries, placed below the “forward-tls-upstream: yes” line. Each entry is IP@853#hostname: port 853 is the DoT port and the hostname after # is the name Unbound verifies the server certificate against.
    # Cloudflare DNS
      forward-addr: 1.1.1.1@853#cloudflare-dns.com
      forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Quad9 DNS
      forward-addr: 9.9.9.9@853#dns9.quad9.net
      forward-addr: 149.112.112.112@853#dns9.quad9.net
    # Google DNS
      forward-addr: 8.8.8.8@853#dns.google
      forward-addr: 8.8.4.4@853#dns.google
    # AdGuard DNS
      forward-addr: 94.140.14.14@853#dns.adguard.com
      forward-addr: 94.140.15.15@853#dns.adguard.com
    # AdGuard Family Protection DNS
      forward-addr: 94.140.14.15@853#dns-family.adguard.com
      forward-addr: 94.140.15.16@853#dns-family.adguard.com
    # CleanBrowsing Family Filter DNS
      forward-addr: 185.228.168.168@853#family-filter-dns.cleanbrowsing.org
      forward-addr: 185.228.169.168@853#family-filter-dns.cleanbrowsing.org
The lines starting with # are comments and can be removed. The “Custom Options” box should end up containing the header lines followed by your preferred DNS server entries, for example:
    server:
      tls-cert-bundle: "/etc/ssl/cert.pem"
    forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-addr: 1.1.1.1@853#cloudflare-dns.com
      forward-addr: 1.0.0.1@853#cloudflare-dns.com
M. Set “Outgoing Network Interfaces” to “WAN” (the outside interface facing the modem).
N. Make sure the “WPAD Records” check box is NOT checked.
5. Click “Save” (apply settings if asked), then click the refresh button in the top right corner.
Next we will set DHCP to hand out the router as the DNS server to the clients on the network.
6. In the main menu, click “Services”, then “DHCPv4”, then “LAN” (the inside, local network interface).
7. Under “DNS Servers”, both fields should be blank. The default is then the system's own DNS, i.e. the Unbound resolver we just configured.
8. Click “Save”, then click the refresh button in the top right corner.
That's it. You might need to disconnect and reconnect some devices so they pick up the new DHCP settings.
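An added check for the “Custom Options” block from step 4 (example code written for this page, not part of the original tutorial or of OPNsense): it parses the block and flags any upstream that is not pinned to port 853 with an auth name, the mistake that either breaks forwarding or silently drops certificate verification. The sample block is constructed for the example and includes one deliberately bad line.

```python
import re

# Constructed sample: the tutorial's Custom Options block plus one deliberately weak line.
SAMPLE_CUSTOM_OPTIONS = """\
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9
"""

# Unbound upstream syntax is address@port#authname; #authname is what the certificate is checked against.
FORWARD_ADDR_RE = re.compile(r"^([^@#\s]+)@853#([^\s#]+)$")

def parse_unbound(text: str) -> list[tuple[str, dict[str, list[str]]]]:
    """Split Unbound-style text into (section, {key: [values]}); repeated keys keep every value."""
    sections: list[tuple[str, dict[str, list[str]]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or full-line comment
            continue
        if line.endswith(":"):  # "server:" / "forward-zone:" header
            sections.append((line[:-1], {}))
            continue
        if not sections:
            raise ValueError(f"option outside any section: {line}")
        key, _, value = line.partition(":")
        sections[-1][1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections

def check_dot_config(text: str) -> list[str]:
    """Return problems found; empty means every upstream is reached on port 853 with a verifiable name."""
    problems: list[str] = []
    sections = parse_unbound(text)
    server = next((opts for name, opts in sections if name == "server"), {})
    if not server.get("tls-cert-bundle", [""])[0]:
        problems.append("server: tls-cert-bundle missing, upstream certificates cannot be verified")
    zones = [o for n, o in sections if n == "forward-zone" and o.get("name", [""])[0] == "."]
    if not zones:
        problems.append('no forward-zone named "." (nothing would be forwarded over TLS)')
    for zone in zones:
        if zone.get("forward-tls-upstream", ["no"])[0].lower() != "yes":
            problems.append('forward-zone ".": forward-tls-upstream is not yes (plaintext port 53 would be used)')
        for addr in zone.get("forward-addr", []):
            if not FORWARD_ADDR_RE.match(addr):
                problems.append(f"forward-addr {addr!r}: needs the form IP@853#hostname")
    return problems
```

Paste the contents of your own “Custom Options” box into the sample string to check it before saving.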