OPNsense Forum

English Forums => General Discussion => Topic started by: rm4foe0r on March 24, 2025, 01:42:03 AM

Title: How to setup DNS over TLS from clients to opnsense unbound DNS resolver?
Post by: rm4foe0r on March 24, 2025, 01:42:03 AM
I got confused by the DNS over TLS feature in the Unbound DNS resolver in OPNsense - I thought it would allow clients to connect to OPNsense Unbound on port 853 and benefit from encryption and authentication. Turns out that DNS over TLS is only offered from Unbound to another recursive DNS server.

Could anyone please advise me how/if this can be set up in OPNsense? I want clients to connect to OPNsense Unbound on port 853 using DNS over TLS (using Unbound as a recursive resolver).
Title: Re: How to setup DNS over TLS from clients to opnsense unbound DNS resolver?
Post by: rm4foe0r on March 24, 2025, 02:09:09 AM
Or should I just set up a WireGuard tunnel instead? It'd probably be better than SSL anyway. A bit confusing to use WireGuard for something that already has three separate RFC proposals (and DNSCrypt), but perhaps it will come in handy for some other purpose later anyway (and running a stub resolver didn't seem that appealing anyway).
Title: Re: How to setup DNS over TLS from clients to opnsense unbound DNS resolver?
Post by: cookiemonster on March 25, 2025, 12:22:56 AM
I guess you could run getdns/stubby and Unbound/dnsmasq as its upstream resolver with the help of firewall rules.
I haven't tried it that way. Instead, I use Unbound for the local clients and Unbound uses stubby as its upstream. The "other way around".
I just don't get why you'd want to encrypt the client side but that's no criticism. We all do things our way ;)
Title: Re: How to setup DNS over TLS from clients to opnsense unbound DNS resolver?
Post by: rm4foe0r on March 25, 2025, 01:42:27 AM
> I guess you could run getdns/stubby and Unbound/dnsmasq as its upstream resolver with the help of firewall rules.
I don't think OPNsense lets you do that? There doesn't seem to be any configuration to insert your own certificate. I know Unbound can do it, but I don't know if any changes that are now made via the web GUI won't get overwritten by OPNsense?

> I just don't get why you'd want to encrypt the client side but that's no criticism. We all do things our way ;)
Thank you, too often questions like that get derailed by someone telling you that your initial assumptions are wrong, but as you mentioned that's beside the point. I want to protect the DNS requests of other nodes if any one of them ever got compromised.
Title: Re: How to setup DNS over TLS from clients to opnsense unbound DNS resolver?
Post by: cookiemonster on March 25, 2025, 03:58:15 PM
> I don't think OPNsense lets you do that? There doesn't seem to be any configuration to insert your own certificate. I know Unbound can do it, but I don't know if any changes that are now made via the web GUI won't get overwritten by OPNsense?
Yes, these settings outside the OPN UI are to be managed separately. However, it seems from the issues logged in their GitHub repo that it is not set up to encrypt client requests, so it seems not to be an option.
Maybe using AdGuardHome, with the option:
"Enable encryption"
If encryption is enabled, AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS.
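For readers who want to try the Unbound-side route anyway (the part the OPNsense UI does not expose), the following is an added example and not configuration from this thread, from OPNsense or from the Unbound project. It shows the standard Unbound `server:` directives that make the resolver itself accept DNS over TLS from LAN clients on port 853. The LAN address, subnet, certificate paths and the drop-in file location are all assumptions; in particular, confirm on your own OPNsense version which directory it includes custom Unbound configuration from, since a file outside that directory is not read and a hand-edit of the generated unbound.conf is overwritten on the next apply.

```conf
# Added example: server-side DNS over TLS for Unbound.
# Assumed to live in a drop-in file that OPNsense includes (verify the
# include path for your version); the generated config keeps the normal
# plain-DNS listeners, so only the TLS listener is added here.
server:
    # Assumed LAN address of the firewall; @853 is the DoT port.
    # tls-port tells Unbound that sockets on this port speak TLS.
    interface: 192.0.2.1@853
    tls-port: 853

    # Certificate and private key presented to clients (assumed paths).
    # The certificate's subject alternative name must cover the name or
    # address clients are configured to use, and clients must trust the
    # issuing CA; otherwise the port answers but authentication fails.
    tls-service-key: "/usr/local/etc/unbound/dot-server.key"
    tls-service-pem: "/usr/local/etc/unbound/dot-server.pem"

    # Assumed LAN subnet; keep this as tight as the generated config's
    # own access-control lines so the TLS listener is not an open resolver.
    access-control: 192.0.2.0/24 allow
```

To check the result from a LAN host, `openssl s_client -connect 192.0.2.1:853 -servername dns.example.internal` (placeholder address and name) shows the certificate chain the resolver presents, and a real query over the encrypted channel can be made with `kdig @192.0.2.1 +tls-ca +tls-hostname=dns.example.internal example.com` from knot-dnsutils; a failure in the second command with a working first one usually means the name in the certificate does not match the hostname the client validates. A firewall rule on the LAN interface must also allow TCP 853 to the firewall address, since the TLS listener does not reuse the rule for port 53.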
Title: Re: How to setup DNS over TLS from clients to opnsense unbound DNS resolver?
Post by: rm4foe0r on March 25, 2025, 05:02:11 PM
No worries, thanks for confirming. I don't mind setting up WireGuard to secure this DNS traffic (and perhaps other traffic as well) and it seems to be a pretty common solution. I imagine the crypto offered by WireGuard would be better than SSL anyway.