Hello,
I set up Unbound recently to encrypt my DNS requests to 1.1.1.1 and 9.9.9.10. I then set up a NAT rule to push any port 53 request back to localhost for Unbound to grab and encrypt. This works as expected.
The next part is to set the kids' devices to use BIND so that I can use some of the DNSBLs there as well as force safe-search for Google, Bing, etc. I'm doing this with another NAT rule which works great. What I want is for BIND to forward requests to Unbound so that the non-blacklisted requests are encrypted. I guess I don't understand the "DNS Forwarders" field? Right now BIND is just hitting the Internet itself to look these up even though I have 127.0.0.1 in the "DNS Forwarders" field. I see them via tcpdump.
Is there any way to get this done?
Thanks so much!
For protecting and monitoring kids' activities online, either pi-hole.net or quidsup.net's NoTrack might be better suited for the task. YouTube is your friend here.
With 19.1.3 you can also just use the dnscrypt-proxy plugin. It will encrypt DNS and has DNSBL aboard.
I'm not an expert, but a block rule
Block port 53 any NOT LANaddress
should do the trick and not allow any DNS except via the sense, or?
I'll check out dns-proxy, but I'm not sure that would solve this as I think it might be a firewall/NAT issue. My WAN interface rules look like this now:
(https://forum.opnsense.org/index.php?action=dlattach;topic=11944.0;attach=6489)
But I still see DNS requests going out on the WAN interface.
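For the BIND-to-Unbound forwarding the original post asks about, here is an added named.conf fragment (my example, not from anyone in this thread or from the OPNsense BIND plugin) showing the one setting that decides whether BIND falls back to resolving on its own: BIND's default forward mode is "forward first", which tries the forwarders and then recurses to the Internet itself when they do not answer, so unencrypted lookups can still leave on the WAN. It assumes Unbound answers on 127.0.0.1 port 53 and uses a constructed 192.168.20.0/24 as the kids' subnet; adjust both to match your setup.

```conf
// named.conf fragment: added example, not from the thread or the plugin.
// Assumes Unbound listens on 127.0.0.1 port 53 (adjust the port if yours differs).
options {
    // Forwarding only happens for recursive queries, so recursion must stay on.
    recursion yes;

    // Default behaviour. The forwarders are tried first, but if they time out
    // or fail BIND resolves the name itself against the root servers, which is
    // what plain-text DNS leaving on the WAN looks like in tcpdump.
    // forward first;

    // Never fall back to BIND's own recursion: if Unbound does not answer, the
    // client gets SERVFAIL instead of an unencrypted lookup going out the WAN.
    forward only;
    forwarders { 127.0.0.1 port 53; };

    // Only answer the devices that are meant to use this instance
    // (constructed example subnet, replace with the kids' LAN).
    allow-query { 192.168.20.0/24; localhost; };
};
```

After reloading, a query from a kids' device should show up in Unbound's log (or in a tcpdump on the loopback interface towards 127.0.0.1:53) rather than as port 53 traffic on the WAN.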