Introduction

DNS-over-TLS (DoT) encrypts DNS traffic, preventing third-party monitoring or tampering. OPNsense, a popular open-source firewall, supports DoT out of the box through the integrated Unbound DNS resolver. This guide walks you through setting up encrypted DNS using Unbound for improved security and privacy.

What is Unbound DNS?

Unbound is a modern, high-performance recursive DNS resolver developed by NLnet Labs. Within OPNsense, Unbound acts as the system’s default DNS engine. Instead of relying on third-party resolvers like Google or Cloudflare, Unbound performs full DNS resolution by querying root servers directly.

Core Capabilities of Unbound:

• Full support for DNSSEC to validate DNS integrity
• Local DNS overrides for internal hosts
• Native DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) support
• Per-client access controls
• Fast, efficient DNS caching

Why Use Unbound in OPNsense?

1. Enhanced Security

• Encrypted DNS queries using DoT help prevent eavesdropping and manipulation.
• DNSSEC ensures responses are verified at every step of resolution.
• Recursive resolution eliminates dependency on upstream DNS providers.

2. High Performance

• Lightweight and resource-efficient — ideal even for embedded systems.
• Local caching drastically reduces latency for repeated queries.
• Optimized for real-time performance, even under high load.

3. Advanced Control

• Full customization of DNS zones, blacklists, and redirects.
• Restrict access by IP, interface, or query type.
• Easily integrates with VLANs, aliases, and firewall policies.

4. Privacy Focused

• No DNS logs by default — ideal for privacy-conscious setups.
• Completely avoids third-party DNS services unless explicitly configured.

5. Seamless Integration with OPNsense

• Managed through a simple web UI
• Ties into DHCP static mappings
• Works harmoniously with other OPNsense services

Limitations to Consider

1. Cold Start Latency

Initial queries can be slower than cloud DNS providers, especially after reboots or cache clears, since Unbound must resolve each domain from scratch.

2. Manual Configuration Needed

Features like DoT, DNS blocklists, or custom rules often require deeper configuration. This can be challenging for beginners.

3. No Built-In Ad Blocking

Unbound doesn’t block ads out of the box. Users must manually configure and maintain DNS blocklists.

4. Minimal Logging & GUI

Unlike Pi-hole or AdGuard Home, Unbound lacks a rich dashboard or per-client query log. Power users may need additional tools to monitor DNS traffic.

Step-by-Step: Enabling DNS-over-TLS in OPNsense

Part 1: Configure DoT in Unbound

1. Go to Services → Unbound DNS → DNS over TLS in the OPNsense web GUI.
2. Click Add (+) to create a new DoT entry.
3. Enable the entry by ticking the Enabled checkbox.
4. Leave the Domain field blank to apply forwarding globally.
5. Specify the DNS server’s IP (e.g., 1.1.1.1).
6. Set the Port to 853 — the standard for DoT.
7. Enter the DNS server’s hostname (e.g., cloudflare-dns.com) under Verify CN to validate the TLS certificate.
8. Save the settings. Optionally, add a second (IPv6) DoT server.
9. Click Apply to activate changes.

Part 2: Update General and DHCP Settings

1. Go to System → Settings → General.
2. Remove any predefined DNS servers to ensure Unbound handles all DNS.
3. Uncheck the option to allow DNS overrides from DHCP/PPP.
4. Save changes.
5. Navigate to Services → DHCPv4 → LAN.
6. Clear the DNS server fields to inherit the default Unbound configuration.
7. Save and restart DHCP if prompted.

Conclusion

Unbound DNS with DNS-over-TLS in OPNsense delivers strong privacy and control without reliance on third-party DNS services. While setup requires a bit more effort than using external resolvers, the result is a secure, self-reliant DNS infrastructure — ideal for privacy-focused users and advanced network environments.

Сообщение How to Secure DNS with DNS-over-TLS in OPNsense Using Unbound появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.

Introduction

OPNsense has traditionally relied on the ISC DHCP server for IP address management. However, with ISC DHCP reaching its end-of-life, it’s time to consider transitioning to Kea DHCP—a modern, modular, and high-performance DHCP server developed by the same team at the Internet Systems Consortium (ISC).Wikipedia+2OPNsense Forum+2YouTube+2

Kea DHCP offers a contemporary approach to IP address allocation and centralized management, making it an ideal choice for both production environments and home labs.Wikipedia+3Netgate Forum+3Reddit+3

Advantages of Kea DHCP

• Dynamic Configuration Reloads: Modify lease configurations without restarting the service, ensuring uninterrupted network operations.Wikipedia+3Wikipedia+3Reddit+3
• Modular Architecture: Activate only the components you need, optimizing resource usage.
• Database Integration: Store lease information in MySQL or PostgreSQL databases for scalability and reliability.
• RESTful API: Automate and manage configurations programmatically, enhancing flexibility.
• Extensibility: Implement custom logic through hooks and scripts to meet specific network requirements.
• Active Development: Benefit from ongoing support and updates from the ISC and the broader community.YouTube+4Wikipedia+4Ars Technica+4

Considerations and Limitations

• Resource Consumption: Kea’s advanced features may demand more system resources, particularly when using REST APIs or database backends. This could impact performance on low-powered devices like Raspberry Pi or in lightweight container environments.OPNsense Forum
• High Availability (HA): Unlike ISC DHCP, Kea’s HA capabilities are still evolving. While some HA features exist, they may not match the robustness of ISC’s failover mechanisms.

Setting Up Kea DHCP in OPNsense

OPNsense has integrated Kea DHCP for some time, allowing users to configure it directly through the web interface.

Prerequisites:

1. Disable ISC DHCP: Navigate to Services → ISC DHCPv4 and uncheck the «Enable» option.Reddit
2. Enable Kea Control Agent: Go to Services → Kea DHCP → Control Agent, check «Enable,» and save the settings.Reddit+1Wikipedia+1
3. Configure Kea DHCPv4:
   • Navigate to Services → Kea DHCPv4.
   • Check «Enable» and select the appropriate interface (e.g., LAN).Reddit+1docs.opnsense.org+1
   • In the «Subnets» tab, click «Add» and enter the following:Reddit
     • Subnet: e.g., 192.168.1.0/24
     • Pools: e.g., 192.168.1.100 - 192.168.1.200
     • Router (Gateway): e.g., 192.168.1.1
     • DNS Servers: e.g., 192.168.1.1
   • Save and apply the configuration.

Once configured, Kea DHCP will begin assigning IP addresses within the specified range. Existing leases from ISC DHCP will remain active until they expire or are renewed under Kea.Wikipedia+3YouTube+3YouTube+3

Migration Tips

• Static Lease Migration: OPNsense supports exporting and importing static leases in CSV format, facilitating transitions between DHCP servers.
• DNS Integration: Ensure that static mappings are correctly reflected in your DNS resolver (e.g., Unbound) to maintain hostname resolution.
• Testing: Before deploying in a production environment, test the Kea DHCP configuration in a controlled setting to identify and resolve potential issues.

Conclusion

Transitioning to Kea DHCP in OPNsense offers a modern, flexible, and scalable solution for network administrators. While it introduces new features and capabilities, it’s essential to be aware of its current limitations and plan accordingly. As Kea continues to mature, it stands as a robust replacement for the legacy ISC DHCP server.

References:

• Kea DHCP Official Documentation
• OPNsense Project
• ISC Kea GitHub Repository

Сообщение Transitioning to Kea DHCP in OPNsense: A Modern Alternative to ISC DHCP появились сначала на Boxvirt - Proxmox & OPNsense Infrastructure Guides.