OPNsense Forum

Hello OPNsense Community,

I'm reaching out for some guidance on an issue I've encountered while trying to route DNS queries from Unbound over TLS through an OpenVPN connection. My goal is to ensure all DNS requests from my network are encrypted and routed through the VPN for enhanced privacy and security.

Background:
I have Unbound configured to use DNS over TLS with upstream providers like Cloudflare (1.1.1.1) to encrypt DNS queries. This setup works perfectly when Unbound is set to use the WAN interface. However, I want these DNS over TLS requests to be routed over my OpenVPN connection (specifically, a NordVPN connection configured on OPNsense).

Issue:
After changing the outgoing network interface in Unbound to the OpenVPN interface, my DNS requests started getting blocked by the system's default deny rule, as indicated by log entries showing "Default deny / state violation rule" for traffic intended for Cloudflare's DNS over TLS service on port 853.

This issue does not occur when routing DNS over the WAN interface, suggesting a specific challenge with routing encrypted DNS traffic over the VPN.

Attempts to Resolve:

• I've tried creating allow rules on the firewall for the OpenVPN interface to permit traffic on port 853 (TCP/UDP), targeting DNS servers.
  
• I've checked my NAT rules to ensure there's no inadvertent redirection or blocking of DNS traffic.
  
• I've considered the approach used in pfSense (as OPNsense shares a similar heritage) where NAT port forward rules are created to capture and redirect DNS requests to the local resolver (Unbound), which then securely forwards them over TLS. However, I'm uncertain how to adapt this effectively in OPNsense or if there's a more straightforward solution I'm overlooking.

Questions for the Community:

• Has anyone successfully configured Unbound to route DNS over TLS queries through an OpenVPN interface on OPNsense?
• If so, how did you overcome the default deny rule blocking these requests?
  
• Are there specific firewall or NAT configurations that are crucial for this setup to work that I might be missing?

Any insights or alternative approaches to ensure DNS queries are encrypted and routed through the VPN would be greatly appreciated.

Thank you in advance for your assistance and for sharing any experiences or solutions that might help resolve this challenge.

Hi,
even this post is already two month old, I want to reply, since I run in to the exact same problem, not just with opnsense also with pfsense. The only way I got DNS over TLS running over the VPN Tunnel, was by deactivating DNSSEC Support under the unbound options.

Maybe this helps someone..