OPNsense Forum

English Forums => General Discussion => Topic started by: InvalidHandle on November 21, 2025, 03:54:47 AM

Title: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: InvalidHandle on November 21, 2025, 03:54:47 AM
I have submitted a bug report to Unbound on GitHub. If you are also experiencing this issue and have anything to add that I didn't include, please share a comment or comment directly to Unbound on GitHub.

I've tried reinstalling Unbound, but the issue persists. My setup follows all OPNsense instructions for setting up DNS over TLS. DNS traffic flows over the service and the DNSBL is working, but the upstream DNS traffic is unencrypted. No DNS servers are set anywhere else in OPNsense, and I have a firewall rule blocking outbound DNS on port 53. The firewall shows DNS traffic going out to the port specified in Unbound.
Title: Re: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: patient0 on November 21, 2025, 08:57:23 AM
The link to the issue you opened would help people.
Title: Re: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: InvalidHandle on November 25, 2025, 05:29:21 PM
The GitHub report is here: github.com/NLnetLabs/unbound/issues/1379
Title: Re: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: cookiemonster on November 25, 2025, 06:12:20 PM
They should probably refer back to here. It might be their Unbound, but it is the OPN implementation. Please note I am not saying the implementation is wrong, but we should be able to assist.
You've stated that the DNS queries are going out unencrypted. May I ask how you verified this?
If I enable DoT in OPN's Unbound settings, a packet capture shows that the traffic is encrypted.
I use DoT permanently, but in a different way; however, the verification that it is working is the same.
Title: Re: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: chemlud on November 25, 2025, 10:22:29 PM
Related:

https://github.com/opnsense/core/issues/8386

?
Title: Re: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: cookiemonster on November 25, 2025, 10:55:57 PM
Quote from: chemlud on November 25, 2025, 10:22:29 PM
Related:

https://github.com/opnsense/core/issues/8386

?

Very well spotted. It seems the likely explanation.
Title: Re: OPNsense DNS over TLS forward TCP upstream disabled, no option to enable
Post by: meyergru on November 25, 2025, 11:03:01 PM
I already wondered how this was possible - for me, DoT works as expected, as verified by a tcpdump. So it is only the column in the grid that displays the wrong value, mainly a cosmetic problem.
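The verification cookiemonster and meyergru describe (a packet capture on the WAN side showing whether the resolver's upstream traffic leaves on TCP/853 or in clear on port 53) can be scripted. The block below is an added example, not code from this thread, OPNsense or Unbound; it assumes plain `tcpdump -n` line output, a constructed sample capture with documentation addresses, and that the firewall's own WAN address is the resolver's source address.

```python
import re

# Constructed sample of tcpdump output (not a real capture). It mimics what
#   tcpdump -nni <wan_if> 'port 53 or port 853'
# would print on the firewall: two DoT handshakes/payloads on 853, one
# plaintext UDP query on 53 (the leak this thread is about), and one
# unrelated HTTPS flow. 203.0.113.10 stands in for the firewall's WAN address.
SAMPLE_TCPDUMP = """\
10:15:01.000123 IP 203.0.113.10.41522 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
10:15:01.000456 IP 1.1.1.1.853 > 203.0.113.10.41522: Flags [S.], seq 2, ack 2, win 65535, length 0
10:15:02.100000 IP 203.0.113.10.55000 > 9.9.9.9.53: 12345+ A? example.com. (29)
10:15:03.200000 IP 203.0.113.10.41530 > 9.9.9.9.853: Flags [P.], seq 1:300, ack 1, win 1024, length 299
10:15:04.300000 IP 203.0.113.10.60001 > 198.51.100.7.443: Flags [S], seq 5, win 65535, length 0
"""

# tcpdump prints "host.port > host.port:" for both IPv4 ("IP") and IPv6 ("IP6").
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):"
)


def audit_upstream_dns(capture_text: str, resolver_ip: str) -> dict:
    """Classify flows originating from the resolver by upstream destination port.

    Port 853 is DNS over TLS; port 53 is plaintext DNS (UDP or TCP).
    Anything else, and any line not sent by the resolver, is counted as ignored.
    """
    plaintext, dot, ignored = set(), set(), 0
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("src") != resolver_ip:
            ignored += 1
            continue
        dport = int(m.group("dport"))
        if dport == 53:
            plaintext.add(m.group("dst"))
        elif dport == 853:
            dot.add(m.group("dst"))
        else:
            ignored += 1
    return {
        "plaintext_upstreams": sorted(plaintext),
        "dot_upstreams": sorted(dot),
        "ignored_lines": ignored,
    }


def dot_is_exclusive(report: dict) -> bool:
    """True only if DoT was seen and no upstream query left in clear on port 53."""
    return bool(report["dot_upstreams"]) and not report["plaintext_upstreams"]


if __name__ == "__main__":
    result = audit_upstream_dns(SAMPLE_TCPDUMP, "203.0.113.10")
    print(result)
    print("DoT exclusive:", dot_is_exclusive(result))
```

Feed it a real capture from the WAN interface with the firewall's own address; a non-empty `plaintext_upstreams` list means queries are leaving unencrypted regardless of what the Unbound grid column claims.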