Unbound supports listening for normal DNS traffic on port 53, but also supports listening to DNS-over-TLS and DNS-over-HTTPS: docs (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html).
While this isn't supported via GUI, I was able to add a new loopback interface with static IPv4 and IPv6 addresses and have Unbound listen to those interfaces in an unbound config file. I took the setup from this (https://forum.opnsense.org/index.php?topic=43918.msg219007#msg219007) forum comment.
I already have Let's Encrypt certificates for my router so I could just write the paths in the config file.
It looks like this:
server:
    # I tried the below setting as well without any luck
    #interface-automatic-ports: "53 853"
    # These are the IP addresses of the loopback interface
    interface: fd9d:745e:5eb7::53@53
    interface: fd9d:745e:5eb7::53@853
    interface: 10.121.53.53@53
    interface: 10.121.53.53@853
    tls-port: 853
    # I filled this in with the path to the certificate
    # This is loaded before the chroot is entered, so I don't need to worry about permissions
    tls-service-key: "/var/etc/acme-client/keys/<my-numbers>/private.key"
    tls-service-pem: "/var/etc/acme-client/certs/<my-numbers>/fullchain.pem"
However I am unable to connect to port 853 on my OPNsense box.
Running dig +tls @opnsense.example.com google.com
results in Connection to <ip-addr>#853 for google.com failed: connection refused.
This is true for all IP addresses listed.
Nothing appears in my firewall logs nor my Unbound logs, so I assume that there is something else causing the issue.
Any help would be appreciated.
I have not tried this, but if you limit the binding interfaces to RFC1918 and ULA IPs on "loopback interfaces", how do you expect anyone from the internet to access these non-routeable IPs on interfaces that are local to your OpnSense? For me, this sounds like a double "no", and that is not even considering missing firewall rules to allow access from the WAN side.
> how do you expect anyone from the internet to access these non-routeable IPs on interfaces that are local to your OpnSense?
The IP addresses assigned to the loopback interface work for port 53; I can confirm that the router is properly listening on those addresses for internal traffic.
The WAN shouldn't need to access those IP addresses anyway, as the external DNS requests are performed on the router's other (globally routed) interface.
sockstat | grep :53
will show you which processes listen on interfaces for port 53 (DNS).
For requests to make it to processes internally (from the outside), processes have to listen, and traffic needs to be allowed in (PF, FW).
So you are trying to access Unbound from the LAN side.
1. For port 53, there are automatic floating rules to allow traffic. For 853, there are no such rules, so you have to create them.
2. If you really assigned those ULAs and RFC1918 IPs to the loopback interface: you still cannot access a loopback interface from outside the box itself. I would try assigning the IPs to the LAN interface via virtual IPs.
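As an added example (not code from the thread or from OPNsense), the script below checks an unbound.conf listener list offline against the two points made in this reply and the original post's config: which `interface:` lines bind to loopback, RFC1918 or ULA addresses that nothing outside the box can reach, and which use a port other than 53, for which OPNsense creates no automatic rule. The sample config, the 203.0.113.10 address and the two live-check helpers at the end (FreeBSD `sockstat -l`, `openssl s_client`) are assumptions for illustration; the live helpers only make sense on the OPNsense box itself and are not part of the offline check.

```shell
#!/bin/sh
# Added example, not from the forum thread. Offline sanity checks for the
# "interface:" directives of an unbound.conf. All sample data is constructed.

# Print "address port" for every interface: directive read from stdin.
# An address without "@port" listens on the default DNS port 53.
unbound_listeners() {
    sed -n 's/^[[:space:]]*interface:[[:space:]]*//p' | sed 's/[[:space:]]*#.*$//' |
    while IFS= read -r spec; do
        [ -n "$spec" ] || continue
        case "$spec" in
            *@*) printf '%s %s\n' "${spec%@*}" "${spec##*@}" ;;
            *)   printf '%s 53\n' "$spec" ;;
        esac
    done
}

# Exit 0 when ADDR is loopback, RFC1918 or IPv6 ULA (fc00::/7): such an
# address is never reachable from the internet, whatever the firewall allows.
is_private_addr() {
    case "$1" in
        127.*|::1|10.*|192.168.*)               return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
        [fF][cCdD]??:*)                          return 0 ;;
    esac
    return 1
}

# One verdict line per listener: address, port, routability, and whether
# OPNsense's automatic port-53 rules cover it (any other port needs a rule).
check_listeners() {
    unbound_listeners | while read -r addr port; do
        if is_private_addr "$addr"; then scope=non-routable; else scope=routable; fi
        if [ "$port" -eq 53 ]; then rule=auto-rule; else rule=rule-needed; fi
        printf '%s %s %s %s\n' "$addr" "$port" "$scope" "$rule"
    done
}

# Constructed sample: the ULA/RFC1918 listeners from the original post plus a
# hypothetical public address (203.0.113.10 is a documentation-only range).
SAMPLE_CONF='server:
    interface: fd9d:745e:5eb7::53@53
    interface: fd9d:745e:5eb7::53@853
    interface: 10.121.53.53   # no @port: defaults to 53
    interface: 203.0.113.10@853
    tls-port: 853'

# Live checks, only meaningful on the OPNsense box (FreeBSD): confirm unbound
# holds a listening socket on PORT, then try a TLS handshake with SNI on HOST:PORT.
dot_listening() { sockstat -l | grep -q "unbound.*:$1"; }
dot_handshake() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
        grep -q 'Verify return code'
}

printf '%s\n' "$SAMPLE_CONF" | check_listeners
```

Run it as `sh check_listeners.sh` (any name will do): a `non-routable` verdict means the address cannot answer clients beyond the box regardless of rules, and `rule-needed` means port 853 traffic will be dropped until a firewall rule allows it, which matches the "connection refused" symptom only if unbound is also not bound there; on the router, `dot_listening 853` distinguishes the two cases.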