OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: dinguz on June 19, 2021, 02:19:13 pm

Title: [Solved] Unbound DNS over TLS not working
Post by: dinguz on June 19, 2021, 02:19:13 pm
I have tried to enable DoT in unbound by setting one or more servers in the 'DNS over TLS Servers' entry on the 'miscellaneous' page, as described in several tutorials found on the www. Unfortunately, as soon as anything is in that field, unbound fails to start. I have increased the log level to give me clues, but the only thing that is logged is 'daemonize unbound dhcpd watcher.', and nothing after that.
Otherwise my setup is working perfectly, just as soon as anything is entered in the 'DNS over TLS Servers' field, unbound fails to start.

Any ideas as to what I'm doing wrong, or where to start to investigate this further? Are there any prerequisites in the configuration to be able to use DoT, as in do I need to enable/disable certain other settings for it to work?
Title: Re: Unbound DoT not working
Post by: ArminF on June 19, 2021, 03:14:26 pm
Hi
I used this guide, which made it work for me.
Log Level 2 will show #853 connections (DoT)

For DNSBL whitelisting I used http://www.regexlab.com/wild2regex to create the whitelist entries.
So you can enable blocklists and exclude pages you still want.

I did not configure anything on the WAN side related to firewalls.
Locally I forward my port 53 to localhost.
Title: Re: Unbound DNS over TLS not working
Post by: dinguz on July 03, 2021, 05:30:21 pm
If anyone stumbles upon this: it had to do with the sequence in which the configuration files are read.
When enabling DoT, the second-to-last part of the configuration that is loaded is the DoT config file, which is a zone declaration. This leads to anything in the Custom Options field (which makes up the last part of the config file) also being treated as a zone statement. The solution is to provide context in the Custom Options field, like this:

Code:
server:
  do-ip6: no
  aggressive-nsec: yes
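To make the clause-ordering problem concrete, here is an added example (not from the thread or from OPNsense) that models how Unbound attaches options to the most recent clause header: the generated server options, the DoT forward-zone and the Custom Options are concatenated in the order described above, and the custom lines are only accepted once they are preceded by their own `server:` header. The clause handling, the option tables and the fragment order are simplified assumptions for the demo, and the upstream address is a placeholder.

```python
"""Simplified model of Unbound's clause-based config parsing (assumption:
this is NOT Unbound's own parser). Options belong to the most recent clause
header (server:, forward-zone:, ...) until another header appears;
indentation does not matter."""
CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control"}
# Subset of the options each clause accepts, enough for the demo.
ALLOWED = {
    "server": {"do-ip6", "aggressive-nsec", "tls-cert-bundle"},
    "forward-zone": {"name", "forward-tls-upstream", "forward-addr"},
}

def parse_unbound(text):
    """Return [(clause, {option: [values]})]; raise ValueError when an
    option lands in a clause that does not accept it."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in CLAUSES and value == "":
            sections.append((key, {}))      # new clause header
            continue
        if not sections:
            raise ValueError(f"line {lineno}: option outside any clause")
        clause, opts = sections[-1]
        if key not in ALLOWED.get(clause, set()):
            raise ValueError(f"line {lineno}: '{key}' not valid in {clause}:")
        opts.setdefault(key, []).append(value)
    return sections

# Constructed fragments in the assumed write order: generated server
# options, then the DoT forward-zone, then the user's Custom Options last.
GENERATED = "server:\n  tls-cert-bundle: /etc/ssl/cert.pem\n"
DOT_ZONE = ('forward-zone:\n  name: "."\n  forward-tls-upstream: yes\n'
            "  forward-addr: 192.0.2.1@853\n")   # placeholder resolver
CUSTOM_BROKEN = "  do-ip6: no\n  aggressive-nsec: yes\n"   # no header
CUSTOM_FIXED = "server:\n" + CUSTOM_BROKEN                  # with header

def custom_options_ok(custom):
    """True if the combined config parses, False if it would be rejected."""
    try:
        parse_unbound(GENERATED + DOT_ZONE + custom)
        return True
    except ValueError:
        return False
```

Without the header, `do-ip6` is read as a `forward-zone:` option and the whole file is rejected, which matches Unbound refusing to start.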