I've got my OPNsense box set up running AdGuard (plugin), Unbound and Kea DHCP. It all works quite well. I have it so AdGuard DNS is set to 127.0.0.1:53535 (Unbound) for upstream, bootstrap and private reverse DNS. Unbound uses Cloudflare (1.1.1.1 and 1.0.0.1) for the DNS over TLS.
Now my VPN provider supplies DNS Server, DNS-over-HTTP or DNS-over-TLS addresses. However, for the DNS Server there isn't any port supplied (presumably it will be 853 like everyone else) nor a server address, just the IP. For the DoH and DoT it supplies just the address, no IP or port. Can these be used in Unbound?
Cheers!
I haven't done DoT in Unbound myself, but the UI in OPNsense specifically asks for the IP address of the server. It also asks for the server's Common Name (CN). You should be able to obtain that from a shell with something like:
root@opnsense:~ # echo Q | openssl s_client -brief 9.9.9.9:853
Can't use SSL_get_servername
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: C = CH, ST = Zurich, L = Zurich, O = Quad9, CN = dns.quad9.net
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
DONE
root@opnsense:~ #
Are these VPN provider DNS servers accessible over the internet, or do you have to go through the VPN to get to them? If the latter, you may have another bootstrapping consideration to make....
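Added example (editor's code, not from either poster): a small POSIX shell helper that turns the CN reported by `openssl s_client -brief` into the value Unbound wants for a DoT upstream, which is `IP@PORT#AUTHNAME` in `forward-addr:` with `forward-tls-upstream: yes` (the OPNsense UI fields for server IP, port and verify CN map onto the same thing). If the provider only gives a hostname, resolve it once to get the IP and keep the hostname as the auth name, since that is what the certificate is checked against. Two caveats worth knowing: Unbound can forward over DoT but has no DoH upstream, so the DNS-over-HTTPS address cannot be used here at all; and `Verification: OK` only means something if the box has a CA bundle for openssl to check against. The parsing is driven by the `-brief` output quoted in the post above, embedded as a constructed sample so it runs offline; `probe_dot` is a hypothetical helper for the live check and needs network access.

```shell
#!/bin/sh
# Added example (not from the original post): derive the Unbound "forward-addr"
# entry for a DoT upstream from the CN that `openssl s_client -brief` reports.
# Unbound expects   forward-addr: IP@PORT#AUTHNAME   and, with
# forward-tls-upstream: yes, verifies the server certificate against AUTHNAME.

# Extract the CN from `openssl s_client -brief` output read on stdin.
cn_from_brief() {
    sed -n 's/^Peer certificate:.*CN *= *\([^,]*\).*/\1/p' | head -n 1 | tr -d ' '
}

# Build the forward-addr value Unbound expects: IP@PORT#AUTHNAME.
# Fails (returns 1) if any part is missing, so a bad probe never yields
# an entry with an empty auth name, which would disable verification.
unbound_forward_addr() {
    ip=$1; port=$2; cn=$3
    [ -n "$ip" ] && [ -n "$port" ] && [ -n "$cn" ] || return 1
    printf '%s@%s#%s\n' "$ip" "$port" "$cn"
}

# Live probe (needs network; hypothetical helper): connect to IP:PORT, check the
# chain and print the -brief summary. -verify_return_error makes a failed
# verification abort the handshake instead of just printing a warning.
probe_dot() {
    ip=$1; port=${2:-853}
    echo Q | openssl s_client -brief -verify_return_error -connect "$ip:$port" 2>&1
}

# Constructed sample: the -brief output quoted in the post above for 9.9.9.9:853.
SAMPLE_BRIEF='CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: C = CH, ST = Zurich, L = Zurich, O = Quad9, CN = dns.quad9.net
Hash used: SHA256
Signature type: ECDSA
Verification: OK
Server Temp Key: X25519, 253 bits
DONE'

# Demo run against the constructed sample (no network needed).
demo() {
    cn=$(printf '%s\n' "$SAMPLE_BRIEF" | cn_from_brief)
    unbound_forward_addr 9.9.9.9 853 "$cn"
}

demo   # prints: 9.9.9.9@853#dns.quad9.net
```

For a live server replace the sample with `probe_dot 9.9.9.9 853 | cn_from_brief`; the resulting line goes under `forward-zone:` for `name: "."` together with `forward-tls-upstream: yes` and a `tls-cert-bundle:` pointing at the system CA file. If the VPN's resolver is only reachable through the tunnel, the probe and Unbound itself will only work once the tunnel is up, which is the bootstrapping point raised above.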