OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: e97 on June 05, 2024, 07:20:05 PM

Title: Use specified DNS servers instead of ISP DNS from DHCP
Post by: e97 on June 05, 2024, 07:20:05 PM
Hello, I recently upgraded from 23.x to 24.x. Currently on OPNsense 24.1.6-amd64.

Previously I set up my DNS using a few different servers (1.1.1.1, 8.8.8.8, 9.9.9.9, lol) and verified with dig, https://www.dnscheck.tools/ and https://www.dnsleaktest.com/

I followed the instructions here https://forum.opnsense.org/index.php?topic=8505.0

I have Unbound enabled.

Recently I noticed a slowdown in browsing and diagnosed the issue as using the ISP DNS (provided by DHCP) instead of the servers I specified.

For OPNsense 24.x, what's the correct procedure / settings to use the specified DNS servers instead of the ISP DNS provided by DHCP on WAN?
Title: Re: Use specified DNS servers instead of ISP DNS from DHCP
Post by: ThyOnlySandman on June 06, 2024, 12:52:14 AM
This is what I set:

System > Settings > General: DNS servers blank
Disable - Allow DNS server list to be overridden by DHCP/PPP on WAN
Disable - Do not use the local DNS service as a nameserver for this system

Unbound on the LAN interface, listening on port 53
LAN firewall rules: source internal VLANs to destination (this firewall) port 53
Unbound access lists allowing the internal VLANs

Unbound - DNS over TLS

8.8.8.8
853
dns.google.com

1.1.1.1
853
cloudflare-dns.com

Clients' DNS set to the OPNsense DNS. Or, if there are internal DNS servers like domain controllers, clients' DNS set to the DC, and the DC's forwarders set to OPNsense on 53. Internal DNS unencrypted on 53; external queries over TLS on 853 to the ones you specify.
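The DNS-over-TLS forwarder entries above (IP, port 853, hostname) are what Unbound uses to open a TLS session to the upstream resolver and check its certificate against that hostname. The following is an added example written for this thread, not code from the poster, OPNsense or Unbound: a minimal DoT probe in Python that does the same thing by hand (RFC 7858 framing, length-prefixed DNS over TLS, certificate and hostname verification), so you can see from a LAN host what the firewall is doing upstream. It assumes the public resolver hostnames dns.google (for 8.8.8.8) and cloudflare-dns.com (for 1.1.1.1); the query name example.com and the transaction id 0x1234 are arbitrary. Running it as a script needs outbound access to port 853; the packet builder and parser work offline.

```python
"""DNS-over-TLS probe (added example, not OPNsense/Unbound code).

Sends one A query over TLS to a resolver, verifying the server certificate
chain and hostname exactly as a DoT forwarder should, then parses the reply.
"""
import socket
import ssl
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard DNS query for an A record with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expected_txid: int) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response.

    Raises ValueError on a transaction id mismatch or a non-zero RCODE.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name: str, server_ip: str, tls_hostname: str,
              port: int = 853, timeout: float = 5.0) -> list:
    """Resolve `name` over DNS-over-TLS, verifying the server's certificate.

    `tls_hostname` plays the role of the hostname field in the OPNsense
    forwarder entry: it is sent as SNI and checked against the certificate.
    """
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x1234
    query = build_query(name, txid)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            # RFC 7858 reuses the TCP framing: 2-byte length prefix per message
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    print(dot_query("example.com", "1.1.1.1", "cloudflare-dns.com"))
    print(dot_query("example.com", "8.8.8.8", "dns.google"))
```

The hostname matters: if it is missing or does not match a name in the resolver's certificate, `wrap_socket` raises and no query is sent, which is the behaviour you want from the firewall too. Unbound expresses the same forwarder as `forward-addr: 1.1.1.1@853#cloudflare-dns.com` and only authenticates the upstream when that `#hostname` suffix (and a CA bundle) is present; a TLS forwarder without it is encrypted but not authenticated. On the firewall itself, a quick check that the ISP resolvers are gone is `cat /etc/resolv.conf`, which should now list 127.0.0.1 rather than the DHCP-supplied addresses.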
Title: Re: Use specified DNS servers instead of ISP DNS from DHCP
Post by: e97 on June 06, 2024, 05:26:51 PM
Quote from: ThyOnlySandman on June 06, 2024, 12:52:14 AM
This is what I set:

System > Settings > General: DNS servers blank
Disable - Allow DNS server list to be overridden by DHCP/PPP on WAN
Disable - Do not use the local DNS service as a nameserver for this system

Unbound on the LAN interface, listening on port 53
LAN firewall rules: source internal VLANs to destination (this firewall) port 53
Unbound access lists allowing the internal VLANs

Unbound - DNS over TLS

8.8.8.8
853
dns.google.com

1.1.1.1
853
cloudflare-dns.com

Clients' DNS set to the OPNsense DNS. Or, if there are internal DNS servers like domain controllers, clients' DNS set to the DC, and the DC's forwarders set to OPNsense on 53. Internal DNS unencrypted on 53; external queries over TLS on 853 to the ones you specify.

Thank you! That seems to have fixed the issue, and now I've got a bit of a security upgrade with DNS over TLS  ;D