How to Secure DNS with DNS-over-TLS in OPNsense Using Unbound

Introduction

DNS-over-TLS (DoT, RFC 7858) wraps DNS queries in a TLS session on TCP port 853, so nobody between the resolver and its upstream can read or alter them. It does not hide queries from the upstream operator itself, so the upstream you pick is still a trust decision. OPNsense, a popular open-source firewall, supports DoT forwarding out of the box through its integrated Unbound DNS resolver. This guide walks you through pointing Unbound at an upstream over DoT, making the firewall the only resolver your clients use, and checking that it worked.


What is Unbound DNS?

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs, and it is the default DNS engine in OPNsense. In its default configuration it does not rely on a third-party resolver such as Google or Cloudflare: it resolves names itself, starting at the root servers and following delegations down. Once DoT forwarding is configured as described below, Unbound instead sends every query to the upstream you chose, but over an encrypted and authenticated channel.

Core Capabilities of Unbound:

  • Full support for DNSSEC to validate DNS integrity
  • Local DNS overrides for internal hosts
  • Native DNS-over-TLS (DoT) for upstream forwarding (Unbound can also serve DNS-over-HTTPS to its own clients, but it does not forward upstream over DoH, and the OPNsense GUI exposes DoT only)
  • Per-client access controls
  • Fast, efficient DNS caching

Why Use Unbound in OPNsense?

1. Enhanced Security

  • DoT encrypts and authenticates the path to the upstream resolver, so an on-path attacker (your ISP, a hostile Wi-Fi network, a compromised router) can neither read nor rewrite the queries.
  • With DNSSEC enabled (Services → Unbound DNS → General), Unbound validates signed responses itself, whether it resolved them recursively or received them from a DoT forwarder, so even the forwarder cannot feed it forged records for signed zones.
  • In recursive mode there is no upstream provider to trust at all; in DoT forwarding mode that trust is concentrated in one provider you pick and whose certificate you verify.
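To make concrete what "encrypted and authenticated" means here, the following is a minimal DoT client that does what Unbound does on the wire: open a TCP connection to port 853, wrap it in TLS with the certificate checked against the system CA bundle and the expected hostname (the Verify CN value later in this guide), then exchange DNS messages, each prefixed with a 16-bit length as TCP DNS requires. This is an added illustration written for this article, not code from OPNsense or Unbound; the upstream address 1.1.1.1 and the name cloudflare-dns.com are assumptions taken from the example used in the setup steps. The message builder and parser run offline; only dot_query needs network access.

```python
"""Minimal DNS-over-TLS client (RFC 7858): what a DoT forwarder does on the wire.
Added example for this article, not OPNsense or Unbound code."""
import secrets
import socket
import ssl
import struct

UPSTREAM_IP = "1.1.1.1"           # assumption: the upstream used as the example in this guide
VERIFY_CN = "cloudflare-dns.com"  # assumption: the name the certificate must be issued for
DOT_PORT = 853                    # fixed by RFC 7858


def build_query(qname: str, qtype: int = 1) -> tuple[int, bytes]:
    """Build a DNS query (RFC 1035) with RD set and an OPT record carrying the
    DO bit, so a validating upstream returns DNSSEC data and the AD flag."""
    txid = secrets.randbelow(0x10000)
    # flags 0x0100 = RD; 1 question, 0 answer, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, TTL field holds DO=0x8000
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return txid, header + question + opt


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2                   # the name occupies 2 bytes here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return rcode, the AD (authenticated data) flag and any A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                         # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0xF, "ad": bool(flags & 0x0020), "addresses": addrs}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf


def dot_query(qname: str, ip: str = UPSTREAM_IP, verify_cn: str = VERIFY_CN,
              port: int = DOT_PORT) -> dict:
    """One query over DoT. The TLS context verifies the chain against the system
    CA bundle and checks the certificate name against verify_cn; this is the
    authentication that the Verify CN field in OPNsense turns on."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid, query = build_query(qname)
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=verify_cn) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    # Live check (needs network): one A query to the upstream over TLS/853.
    print(dot_query("example.com"))
```

If you replace `server_hostname=verify_cn` with the bare IP, or drop the CA check, the session is still encrypted but any host that can intercept TCP/853 can answer with its own certificate; that is exactly the difference between filling in Verify CN and leaving it empty.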

2. High Performance

  • Lightweight and resource-efficient — ideal even for embedded systems.
  • Local caching drastically reduces latency for repeated queries.
  • Optimized for real-time performance, even under high load.

3. Advanced Control

  • Full customization of DNS zones, blacklists, and redirects.
  • Restrict access by IP, interface, or query type.
  • Easily integrates with VLANs, aliases, and firewall policies.

4. Privacy Focused

  • No DNS logs by default — ideal for privacy-conscious setups.
  • Uses no third-party DNS service unless you configure one, as the DoT forwarding setup below deliberately does.

5. Seamless Integration with OPNsense

  • Managed through a simple web UI
  • Ties into DHCP static mappings
  • Works harmoniously with other OPNsense services

Limitations to Consider

1. Cold Start Latency

In recursive mode, the first query for a name can be slower than a large public resolver with a warm cache, especially after a reboot or cache flush, because Unbound must walk the delegation chain from the root for every name it has not seen. With DoT forwarding the upstream's cache does that work, at the cost of the dependency discussed above.

2. Manual Configuration Needed

Features like DoT, DNS blocklists, or custom rules often require deeper configuration. This can be challenging for beginners.

3. No Built-In Ad Blocking

Unbound doesn’t block ads out of the box. Users must manually configure and maintain DNS blocklists.

4. Minimal Logging & GUI

Unlike Pi-hole or AdGuard Home, Unbound lacks a rich dashboard or per-client query log. Power users may need additional tools to monitor DNS traffic.


Step-by-Step: Enabling DNS-over-TLS in OPNsense

Part 1: Configure DoT in Unbound

  1. Go to Services → Unbound DNS → DNS over TLS in the OPNsense web GUI.
  2. Click Add (+) to create a new DoT entry.
  3. Enable the entry by ticking the Enabled checkbox.
  4. Leave the Domain field blank so the entry applies to all queries (every domain, not just one zone).
  5. Specify the upstream resolver's IP address (e.g., 1.1.1.1).
  6. Set the Port to 853, the port assigned to DoT by RFC 7858.
  7. Enter the hostname the upstream's TLS certificate is issued for (e.g., cloudflare-dns.com) under Verify CN. Unbound then checks the certificate against the system CA bundle and this name. Leave it empty and the session is encrypted but the server's identity is not verified, so anything that can intercept TCP/853 can impersonate the upstream.
  8. Save the settings. Optionally add a second entry for the provider's IPv6 address (e.g., 2606:4700:4700::1111) with the same port and Verify CN so IPv6 egress uses DoT as well.
  9. Click Apply to activate the changes. Then check Services → Unbound DNS → Query Forwarding: no plaintext forwarder should be enabled for the same domain and Use System Nameservers should be unchecked, otherwise queries may still leave on port 53 in cleartext.
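The GUI entries above correspond to an Unbound forward-zone. The fragment below is an added illustration in unbound.conf syntax, not the file OPNsense generates (it writes its own include files), and the CA bundle path is an assumption; use whatever bundle your system ships. The two forward-zone stanzas are alternatives for the same name ".", shown side by side to make the difference visible; never keep both in a live configuration.

```conf
# Plaintext forwarding: the same upstream, readable and rewritable by anyone
# on the path. Nothing here authenticates the server.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 2606:4700:4700::1111

# DoT forwarding, the equivalent of the GUI settings in this section:
# TLS on, port 853, certificate verified against the CA bundle and the
# authentication name after '#', which is what the Verify CN field sets.
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"   # assumption: path of the system CA bundle
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
```

To confirm the result from the OPNsense shell, run unbound-checkconf to validate the active configuration, then watch the WAN interface with tcpdump while a LAN client resolves a new name: you should see TCP traffic to port 853 on the upstream address and no outbound port 53 traffic at all.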

Part 2: Update General and DHCP Settings

  1. Go to System → Settings → General.
  2. Remove any DNS servers listed there so the firewall itself resolves through Unbound, and leave "Do not use the local DNS service as a nameserver for this system" unchecked.
  3. Uncheck the option that allows the DNS server list to be overridden by DHCP/PPP on WAN, so your ISP's resolvers are never pushed into the list.
  4. Save changes.
  5. Navigate to Services → DHCPv4 → LAN.
  6. Clear the DNS server fields; clients then receive the firewall's LAN address as their only resolver.
  7. Save and restart DHCP if prompted.
  8. Clients with a hard-coded resolver (8.8.8.8 and the like) bypass all of this. If you want DoT enforced rather than merely offered, add a LAN firewall rule that blocks (or redirects to the firewall) outbound UDP and TCP port 53 to any destination other than the firewall itself.

Conclusion

Unbound with DNS-over-TLS in OPNsense gives you an encrypted, authenticated path to an upstream resolver of your choosing, DNSSEC validation performed on your own firewall, and central control over which resolver your clients use. Setup takes a bit more effort than pointing clients at a public resolver directly, but the result is a DNS path that on-path observers cannot read or tamper with, with the remaining trust placed in one provider you picked and verified rather than in whatever network a client happens to be on.
