How to Configure DNS over TLS (DoT) Using Unbound DNS in OPNsense
Previously, I wrote about how to configure DNS over HTTPS using DNSCrypt-Proxy. Since Unbound DNS in OPNsense does not support DNS over HTTPS (DoH) directly, it was necessary to use the DNSCrypt-Proxy plugin. The plugin also supports DNS over TLS (DoT). However, I discovered while browsing Reddit that Unbound gained native support for DoT at some point in time, which is very nice. Because of built-in support for DoT, the configuration of DNS over TLS becomes pretty trivial.
For the uninitiated, DNS over TLS is another way to encrypt DNS requests. Some of the differences between DoT and DoH are that DoT uses UDP and port 853 while DoH uses TCP and port 443. DNS requests sent via DoH will blend in with other HTTPS traffic while DNS over DoT will be more noticeable on port 853. Both methods should provide similar levels of security. However, the DoH option may provide some increase in privacy. For those who want to monitor their networks, DoT may be a better option since that traffic is separate from all of the other HTTPS web traffic.
Add the DoT Servers to Unbound
To configure DNS over TLS, go to the “Services > Unbound DNS > DNS over TLS” page. You will see the empty page the first time you visit it. Click on the “+” button to add a new DNS over TLS server. I am going to use CloudFlare’s DNS servers as an example, but it should work with any DoT server.
You will notice on the “DNS over TLS” page an option for “Use System Nameservers”. That option can be left unchecked to ensure the DNS servers configured on DNS over TLS are used. Note that you do not need to enter any DNS servers on the “System > Settings > General” page if you are using DNS over TLS.
You may leave the “Domain” box empty unless you want queries for a specific domain to use a different DNS server. There may be scenarios where this would be helpful, but if you leave it blank, all DNS queries will use the specified DNS server. Enter the 1.1.1.1 for the “Server IP” and 853 for the “Sever Port”. The “Verify CN” option is not required by highly recommended to validate the Common Name on the DoT server’s certificate. It helps to improve security by ensuring you are connecting to the desired server and not some “man in the middle” server. For the 1.1.1.1 server, the CN is cloudflare-dns.com. I found the proper values for the “Verify CN” option on an OPNsense forum post.
After clicking “Save”, you will notice the server appear in the list. You need to click the “Apply” button for the changes to take effect.
Before applying the changes, you should add the secondary 1.0.0.1 DNS address as well as add the IPv6 DNS server addresses (2606:4700:4700::1111 and 2606:4700:4700::1001) if you are using IPv6 on your network. You can see below what a minimally complete least should look like since you should specify a secondary server for both IPv4 and IPv6 DNS servers.
Cloudflare alternatively offers DNS servers which block malware content and malware content plus adult content. To use those servers you simply use different IP addresses. You also need to use a different CN value as well. Use the table below instead of the values in this example if you wish to use the filtered DNS provided by Cloudflare. The port is 853 for all DoT servers so I am not including that value in the table.
| DNS Filter | Server IP | Common Name |
|---|---|---|
| Malware | 1.1.1.2 | security.cloudflare-dns.com |
| Malware | 1.0.0.2 | security.cloudflare-dns.com |
| Malware | 2606:4700:4700::1112 | security.cloudflare-dns.com |
| Malware | 2606:4700:4700::1002 | security.cloudflare-dns.com |
| Malware + Adult | 1.1.1.3 | security.cloudflare-dns.com |
| Malware + Adult | 1.0.0.3 | security.cloudflare-dns.com |
| Malware + Adult | 2606:4700:4700::1113 | security.cloudflare-dns.com |
| Malware + Adult | 2606:4700:4700::1003 | security.cloudflare-dns.com |
Testing the DoT Configuration
Cloudflare has a webpage on their 1.1.1.1 website in which you can test if DoT or DoH is currently in use if you are using Cloudflare. I noticed that I had to refresh the page after the first check in order for it to show “Yes” for using “1.1.1.1” and show “Yes” for “DoT”. Sometimes it requires me to refresh the page multiple times. I am not sure why I had to do that but once I did that, subsequent refreshes would consistently show “Yes” for “DoT”. Perhaps the test prematurely returns “No” before it is fully complete.
Also, that test page may additionally check if the browser has its own DoT or DoH configuration enabled. For example, my output in both Chrome and Brave browsers only show DoT being used:
But Firefox shows that DoH is also being used (I cannot recall if Firefox has DoH enabled by default):
A better way to check if DNS queries are being sent over port 853 would be to go to “Unbound DNS > Advanced” and change the log level to 2 or higher. Be sure that “Log Queries” checkbox is checked as well. Then click “Save”. Be sure to “Apply Changes” at the top of the page in order for the changes to take effect.
You should see some replies from the CloudFlare DNS servers on port 853:
Conclusion
That is all you need to do! Native support for DoT makes the process pretty simple. If you want to go further, you can redirect all DNS port 53 requests leaving your network to your Unbound DNS service so that it will be using DoT as well. Also if you want to only use DoT, you could use a public DNS block list to attempt to reduce the amount of DNS over HTTPS traffic as much as possible (in case you have rogue apps/devices which encrypt all DNS traffic over HTTPS to bypass your DNS filters or to provide their own built-in security features).
