How to Configure DNS over TLS (DoT) Using Unbound DNS in OPNsense

Increase the security and privacy of DNS requests? Yes please...


Introduction

Previously, I wrote about how to configure DNS over HTTPS using DNSCrypt-Proxy. Since Unbound DNS in OPNsense does not support DNS over HTTPS (DoH) directly, it was necessary to use the DNSCrypt-Proxy plugin. The plugin also supports DNS over TLS (DoT). However, I discovered while browsing Reddit that Unbound gained native support for DoT at some point in time, which is very nice. Because of built-in support for DoT, the configuration of DNS over TLS becomes pretty trivial.

For the uninitiated, DNS over TLS is another way to encrypt DNS requests. Some of the differences between DoT and DoH are that DoT uses UDP and port 853 while DoH uses TCP and port 443. DNS requests sent via DoH will blend in with other HTTPS traffic while DNS over DoT will be more noticeable on port 853. Both methods should provide similar levels of security. However, the DoH option may provide some increase in privacy. For those who want to monitor their networks, DoT may be a better option since that traffic is separate from all of the other HTTPS web traffic.

Add the DoT Servers to Unbound

I am going to use Cloudflare’s DNS servers as an example, but it should work with any DoT server. To add DoT servers, go to “Unbound DNS > Miscellaneous”. In the “DNS over TLS Servers” box, enter the addresses and port numbers for Cloudflare’s IPv4 and IPv6 DNS servers as shown in the screenshot:

Unbound Miscellaneous

Click the “Apply” button after adding the DNS servers.
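Before relying on an entry you typed into the “DNS over TLS Servers” box, it is worth confirming that the resolver really answers on port 853 and presents a certificate that matches the name you expect. The script below is an added example and is not code from the original post or from the OPNsense or Unbound projects. It builds a DNS query in wire format, sends it over TLS on TCP port 853 with the two-byte length prefix that RFC 7858 borrows from DNS-over-TCP, and parses the answer; the default certificate context verifies the chain and hostname, so a resolver with a wrong or untrusted certificate fails the check. Cloudflare’s public resolver 1.1.1.1 with the TLS name cloudflare-dns.com is used as the sample upstream; the function and variable names are this example’s own.

```python
"""Probe a DNS-over-TLS resolver directly (added example, not from the original post).

Builds a minimal DNS query, frames it with the 16-bit length prefix DoT requires,
sends it over TLS to port 853 and parses the reply. The parsing functions are
pure so they can be exercised offline on a constructed response.
"""
import socket
import ssl
import struct

DOT_PORT = 853
TYPE_A = 1
CLASS_IN = 1
DEFAULT_TXID = 0x1234


def build_query(name: str, qtype: int = TYPE_A, txid: int = DEFAULT_TXID) -> bytes:
    """Encode a single-question DNS query (RD bit set) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length, as DoT/DNS-over-TCP requires."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes, expected_txid: int = DEFAULT_TXID) -> list:
    """Return (rtype, ttl, rdata) tuples from a DNS response; A records are dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                       # RCODE other than NOERROR
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                      # skip the question section
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((rtype, ttl, socket.inet_ntoa(rdata)))
        else:
            answers.append((rtype, ttl, rdata.hex()))
    return answers


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    data = b""
    while len(data) < n:
        part = sock.recv(n - len(data))
        if not part:
            raise ConnectionError("connection closed mid-message")
        data += part
    return data


def dot_query(server_ip: str, tls_name: str, name: str, timeout: float = 5.0) -> list:
    """Send one A query over TLS to server_ip:853, verifying the cert against tls_name."""
    ctx = ssl.create_default_context()       # verifies chain and hostname by default
    query = build_query(name)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length))


if __name__ == "__main__":
    # Cloudflare's public DoT endpoint; any other DoT resolver works the same way.
    for rtype, ttl, value in dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"):
        print(rtype, ttl, value)
```

Run it from a host that can reach the resolver; a TLS handshake failure or certificate error at this stage means the entry would silently fail inside Unbound as well. The same probe can be pointed at the firewall’s own Unbound if you later enable DoT listening there.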

Testing the DoT Configuration

Cloudflare has a webpage on their 1.1.1.1 website in which you can test if DoT or DoH is currently in use if you are using Cloudflare. I noticed that I had to refresh the page after the first check in order for it to show “Yes” for using “1.1.1.1” and show “Yes” for “DoT”. I am not sure why I had to do that, but once I did, subsequent refreshes would consistently show “Yes” for “DoT”. Also, that page may additionally test if the browser has its own DoT or DoH configuration enabled. For example, my output in both the Chrome and Brave browsers only shows DoT being used:

Chrome and Brave DoT Test

But Firefox shows that DoH is also being used (I cannot recall if Firefox has DoH enabled by default):

Chrome and Brave DoT Test

A better way to check whether DNS queries are being sent over port 853 is to go to “Unbound DNS > Advanced” and change the log level to 2 or higher. Then click “Save”. Be sure to “Apply Changes” at the top of the page in order for the changes to take effect.

Unbound Log Level

You should see some replies from the Cloudflare DNS servers on port 853:

Unbound Log Level
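Reading the log by eye works for a quick look, but a small script makes the check repeatable: every upstream answer Unbound logs at verbosity 2 carries the forwarder’s address and port, so any reply on a port other than 853 is a query that left in the clear. The script below is an added example, not code from the original post or from Unbound or OPNsense. Unbound’s “reply from <zone> address#port” message text is real; the syslog prefix in the constructed sample lines (timestamp, hostname, pid) and the log file path are assumptions for this example.

```python
"""Audit Unbound's verbosity-2 log for upstream replies that did not arrive on
port 853 (added example, not from the original post).

Unbound logs each upstream answer as "reply from <zone> address#port". A reply
on any port other than 853 means that query went to a forwarder unencrypted.
"""
import re
import sys
from collections import Counter

DOT_PORT = 853
REPLY_RE = re.compile(r"reply from <(?P<zone>[^>]*)> (?P<addr>[^\s#]+)#(?P<port>\d+)")

# Constructed sample lines; the prefix imitates what OPNsense's syslog shows for Unbound.
# The last line is a deliberately injected plaintext forwarder to show what a leak looks like.
SAMPLE_LOG = """\
2024-01-10T12:00:01 opnsense unbound[71234]: [71234:0] info: resolving example.com. A IN
2024-01-10T12:00:01 opnsense unbound[71234]: [71234:0] info: response for example.com. A IN
2024-01-10T12:00:01 opnsense unbound[71234]: [71234:0] info: reply from <.> 1.1.1.1#853
2024-01-10T12:00:02 opnsense unbound[71234]: [71234:0] info: reply from <.> 2606:4700:4700::1111#853
2024-01-10T12:00:02 opnsense unbound[71234]: [71234:0] info: reply from <.> 1.0.0.1#853
2024-01-10T12:00:03 opnsense unbound[71234]: [71234:0] info: reply from <.> 192.0.2.53#53
"""


def audit_replies(log_text: str, allowed_port: int = DOT_PORT) -> dict:
    """Count replies per upstream endpoint and list endpoints not using the DoT port."""
    per_upstream = Counter()
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            per_upstream[(m["addr"], int(m["port"]))] += 1
    plaintext = sorted(
        f"{addr}#{port}"
        for (addr, port) in per_upstream
        if port != allowed_port
    )
    return {"per_upstream": dict(per_upstream), "plaintext_upstreams": plaintext}


def main(argv: list) -> int:
    # Pass a log file path (assumed location on OPNsense: /var/log/resolver/latest.log);
    # with no argument the constructed sample is audited instead.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    result = audit_replies(text)
    for (addr, port), count in sorted(result["per_upstream"].items()):
        print(f"{addr}#{port}: {count} replies")
    if result["plaintext_upstreams"]:
        print("WARNING: replies on non-DoT ports from:", ", ".join(result["plaintext_upstreams"]))
        return 1
    print("OK: all upstream replies arrived on port", DOT_PORT)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a correctly configured firewall every counted endpoint should be one of the DoT servers you entered, all on port 853; an unexpected address is worth tracing back to a forwarder left over in “Unbound DNS > General” or to a client that bypasses the firewall resolver entirely.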

Conclusion

That is all you need to do! Native support for DoT makes the process pretty simple. If you want to go further, you can redirect all DNS port 53 requests leaving your network to your Unbound DNS service so that they will be using DoT as well. Also, if you want to only use DoT, you could use a public DNS block list to attempt to reduce the amount of DNS over HTTPS traffic as much as possible (in case you have rogue apps/devices which encrypt all DNS traffic over HTTPS to bypass your DNS filters or to provide their own built-in security features).