OPNsense Forum

English Forums => 25.7 Series => Topic started by: Vexz on September 07, 2025, 08:01:15 PM

Title: DNS over TLS stopped working
Post by: Vexz on September 07, 2025, 08:01:15 PM
I don't know when it started, I just noticed that my DoT configuration no longer works and my ISP has been getting my unencrypted DNS requests for God knows how long. Great, exactly what I didn't want to happen. Maybe it stopped working since the upgrade to 25.7 (I use 25.7.2 atm), I don't know. What I do know is that it worked just fine before and I didn't touch anything that should have any influence on how my OPNsense sends DNS traffic of any kind to the internet.

Unbound on my OPNsense is my DNS resolver. This is my DoT configuration:
(https://i.imgur.com/sMdrkng.png)

Afaik there's nothing more to it than that, right? In the past this made all outbound DNS requests use DoT. My OPNsense no longer sent unencrypted DNS traffic to the internet. Did something change about that?
Title: Re: DNS over TLS stopped working
Post by: patient0 on September 07, 2025, 08:12:55 PM
I wouldn't know why it worked in the past but you filled in the 'Domain' field very wrong.

The 'Domain' field is for what domain(s) you want to be resolved by the DNS server in the IP field. And in 'Verify CN' you enter the domain of the DoT, e.g. in your case one.one.one.one.

For example, if you want somedomain.net to be resolved by 1.2.3.4 and all others by 1.1.1.1:

Domain: somedomain.net, IP: 1.2.3.4, Verify CN: some-dns-server.com
Domain: <empty>, IP: 1.1.1.1, Verify CN: one.one.one.one
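The mapping patient0 describes is easier to see once the GUI fields are laid out as Unbound forward zones. The following is an added example, not code from the forum thread or from the OPNsense project: it renders a list of Domain / IP / Verify CN entries in Unbound's forward-zone syntax (an empty Domain becomes the catch-all zone ".", the Verify CN becomes the `#name` suffix on `forward-addr`) and answers, for a given query name, which server would be used. How OPNsense itself writes these fields into its Unbound config is an assumption here; the rule that queries outside every forward zone are resolved by Unbound's own recursion over plain port 53 is standard Unbound behaviour and is exactly the failure mode reported in the opening post.

```python
"""Render OPNsense-style DoT entries as Unbound forward zones and show which
upstream, if any, handles a query.  Added example; the exact way OPNsense
renders the GUI fields into unbound.conf is an assumption."""
from dataclasses import dataclass

DOT_PORT = 853  # DNS over TLS


@dataclass(frozen=True)
class DotEntry:
    domain: str     # GUI "Domain": names this server should resolve; empty = everything
    ip: str         # GUI "IP"
    verify_cn: str  # GUI "Verify CN": name expected in the server's TLS certificate


def zone_name(domain: str) -> str:
    """Empty Domain is the catch-all zone '.', otherwise the name with a trailing dot."""
    d = domain.strip().lower().rstrip(".")
    return "." if not d else d + "."


def render_forward_zones(entries) -> str:
    """Group entries by zone and emit Unbound forward-zone stanzas."""
    zones: dict[str, list[DotEntry]] = {}
    for e in entries:
        zones.setdefault(zone_name(e.domain), []).append(e)
    lines = []
    for name, servers in zones.items():
        lines.append("forward-zone:")
        lines.append(f'    name: "{name}"')
        lines.append("    forward-tls-upstream: yes")
        for s in servers:
            # ip@port#name: port 853 for DoT, name checked against the certificate
            lines.append(f"    forward-addr: {s.ip}@{DOT_PORT}#{s.verify_cn}")
    return "\n".join(lines) + "\n"


def forwarder_for(qname: str, entries):
    """Longest-matching forward zone for a query name, or None when no zone
    covers it.  None means Unbound recurses to the authoritative servers
    itself, i.e. plain DNS on port 53, not DoT."""
    q = qname.lower().rstrip(".") + "."
    best = None
    for e in entries:
        z = zone_name(e.domain)
        if z == "." or q == z or q.endswith("." + z):
            if best is None or len(z) > len(zone_name(best.domain)):
                best = e
    return best


def leaks_plaintext(entries) -> bool:
    """True when there is no catch-all '.' zone: every name outside the listed
    domains is resolved without TLS."""
    return all(zone_name(e.domain) != "." for e in entries)


# Constructed sample configurations matching the thread.
MISCONFIGURED = [DotEntry("one.one.one.one", "1.1.1.1", "one.one.one.one")]
CORRECTED = [DotEntry("", "1.1.1.1", "one.one.one.one")]
SPLIT = [
    DotEntry("somedomain.net", "1.2.3.4", "some-dns-server.com"),
    DotEntry("", "1.1.1.1", "one.one.one.one"),
]

if __name__ == "__main__":
    for label, cfg in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED), ("split", SPLIT)):
        print(f"--- {label} (leaks plaintext: {leaks_plaintext(cfg)})")
        print(render_forward_zones(cfg))
        for name in ("one.one.one.one", "www.somedomain.net", "example.com"):
            fwd = forwarder_for(name, cfg)
            print(f"{name:>22} -> {fwd.ip + ' (DoT)' if fwd else 'own recursion (plain 53)'}")
```

With the original Domain field filled in, only `one.one.one.one` itself is forwarded over TLS, which is why the https://one.one.one.one/help/ check looked fine while every other lookup went out in the clear.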
Title: Re: DNS over TLS stopped working
Post by: Vexz on September 07, 2025, 08:40:33 PM
Quote from: patient0 on September 07, 2025, 08:12:55 PM
I wouldn't know why it worked in the past but you filled in the 'Domain' field very wrong.

The 'Domain' field is for what domain(s) you want to be resolved by the DNS server in the IP field. And in 'Verify CN' you enter the domain of the DoT, e.g. in your case one.one.one.one.

For example, if you want somedomain.net to be resolved by 1.2.3.4 and all others by 1.1.1.1:

Domain: somedomain.net, IP: 1.2.3.4, Verify CN: some-dns-server.com
Domain: <empty>, IP: 1.1.1.1, Verify CN: one.one.one.one
Maybe this will clarify your confusion:
(https://i.imgur.com/8RXOPCi.png)

Edit:
You actually led me to what was wrong. Of course it worked when I checked on https://one.one.one.one/help/ if it's working. God dammit, this "Domain" setting fooled me big time. Now that it's empty, it's working fine. Thank you very much!
Title: Re: DNS over TLS stopped working
Post by: patient0 on September 07, 2025, 08:42:28 PM
Click on the (i) next to 'Domain' and read what it says, that will clear it up for you.