Hi all,
I enabled DNS over TLS via this guide:
https://www.zenarmor.com/docs/network-security-tutorials/how-to-configure-dot-on-opnsense
I'm getting stuck when I create my own FW rules and NAT to stop 53 out.
As I have a few FW rules, should I create the block for 53 at the bottom so it's first, or at the top?
Thanks,
Rob
Firewall rules are processed from top to bottom, so top
Thanks RamSense.
Running this command on my OPNsense:
tcpdump -i vtnet0 port 853
Should I replace vtnet0 with my LAN or WAN interface?
That's very weird. I made a floating rule to block 53 and it worked, as I couldn't access any websites anymore, but when I did a tcpdump on my LAN interface on 53 I could see loads of activity, so something's weird. So it looks like my DoT isn't working.
Thanks,
Rob
Reading this:
In order to provide a secure and verified environment, it is advisable to use a firewall rule to prohibit any outgoing DNS traffic on port 53 when using DNS over TLS. If clients choose to directly query other nameservers on their own, a NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS.
I've done the block rule:
IPv4+6 TCP/UDP * * ! RFC1918 53 (DNS) * * block LAN DNS to internet
But how do I set up the NAT? What do I put in:
destination - any
destination port range - 53
redirect target ip - 127.0.0.1/32 or "this firewall"
redirect target port - 53
Thanks,
Rob
Bumping this please, as I need help.
Also, I heard encrypting your DNS via DoH or DoT still leaks the SNI to your ISP. Is there any way round this to fully encrypt my DNS via OPNsense?
Thanks,
Rob
Quote from: robertkwild on April 21, 2026, 09:51:29 AM
> Also, I heard encrypting your DNS via DoH or DoT still leaks the SNI to your ISP
It doesn't leak the content of your query; that's encrypted. SNI reveals the hostname of the server you connect to. Your ISP will see that you use, for example, Quad9 or Cloudflare.
They see this anyway. Your requests have a destination IP.
With DoT I think it's more important to make sure you use the "Verify CN" option so that it's not easy for someone to spoof the server certificate.
Thanks, can I get some help with how to set up this:
"NAT redirect rule can be used to send these requests to 127.0.0.1:53, which is the local Unbound service. This will ensure that these requests are sent over TLS."
Thanks,
Rob
Lots of threads about this already, but here goes...
You need one rule to block outbound DNS on port 53 from each of your internal networks. So for example on your LAN interface, you would put a rule like:
Interface: LAN
Quick: <checked>
Action: Reject (or Block)
Version: IPv4+IPv6
Protocol: TCP/UDP
Source: any
Source port: any
Dest: !ThisFirewall (inverted destination)
Dest port: 53
Next, you need a Destination NAT rule (again, one per interface) to redirect requests on port 53 to Unbound. There are opinions about whether or not to redirect all requests, but IMO it doesn't make sense to redirect ones that are anyway destined for the firewall (Unbound). So I redirect only the requests to "!ThisFirewall." If you choose to you can redirect on Dest=any. You do you.
For IPv4 it's simple, you use 127.0.0.1 as the redirect target:
Interface: LAN
Version: IPv4
Protocol: TCP/UDP
Source: any
Dest: !ThisFirewall (inverted destination)
Dest port: 53
Redirect target: 127.0.0.1
Redirect port: 53
Now before you save the NAT rule, there will be an option at the bottom for the type of firewall rule. What you choose there will determine whether or not you need to create a third rule. Easiest is to choose "Pass" and then you're done.
For IPv6 it's the same process regarding the NAT rule except you can't use ::1 as the redirect target. It's not routable, so that needs a work-around. https://forum.opnsense.org/index.php?topic=51269.msg262743#msg262743
Easiest is to add a VIP to your existing loopback device, something like fdff::1. Any short, valid ULA will do. Then you can use that ULA as the redirect target.
Better is to create a dedicated loopback device for redirects and assign it a static ULA in interface settings, then use that.
Hope that helps.
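A way to check the result of the rules above from packet captures, as an added example (not code from this thread or from the OPNsense project). Run `tcpdump -n -i <lan_if> port 53` and `tcpdump -n -i <wan_if> port 53 or port 853` on the firewall, then feed the lines to the script. Two points it makes explicit: on the LAN interface you will always see plaintext port 53 traffic between clients and Unbound (that is the normal path that the "!ThisFirewall" rules keep open), and tcpdump on the LAN side captures client packets before pf applies the redirect, so a LAN-side line to 1.1.1.1:53 does not by itself prove a leak. The WAN-side capture is the one that matters: after DoT plus the block/redirect rules, only port 853 to the upstream resolver should appear there. The firewall addresses and all capture lines below are constructed for the example, not taken from a real system.

```python
"""Classify tcpdump -n flows from the LAN and WAN interfaces of an OPNsense box
running Unbound with DNS over TLS. Added example, not code from the thread."""
import ipaddress
import re

# Flow header as tcpdump -n prints it for IPv4 ("IP") and IPv6 ("IP6") packets,
# e.g. "10:00:00.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4120+ A? ..."
FLOW_RE = re.compile(r"^\S+ IP6? (\S+)\.(\d+) > (\S+)\.(\d+):")

# Hypothetical addresses on which Unbound listens (LAN IPv4 and LAN IPv6).
FIREWALL_ADDRS = {"192.168.1.1", "fd00::1"}

# Constructed LAN-side capture: two clients use Unbound, one tries 1.1.1.1.
LAN_LINES = [
    "10:00:00.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 4120+ A? example.com. (29)",
    "10:00:00.000002 IP 192.168.1.1.53 > 192.168.1.10.51234: 4120 1/0/0 A 93.184.216.34 (45)",
    "10:00:00.000003 IP 192.168.1.20.40000 > 1.1.1.1.53: 7+ A? example.org. (29)",
    "10:00:00.000004 IP6 fd00::10.51235 > fd00::1.53: 9+ AAAA? example.com. (29)",
]

# Constructed WAN-side capture: one DoT session to Quad9 and one plaintext leak.
WAN_LINES = [
    "10:00:00.000005 IP 203.0.113.5.44000 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0",
    "10:00:00.000006 IP 203.0.113.5.44001 > 1.1.1.1.53: 8+ A? example.org. (29)",
]


def parse_flow(line):
    """Return (src, sport, dst, dport) for a tcpdump flow line, else None."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return src, int(sport), dst, int(dport)


def audit(lan_lines, wan_lines, firewall_addrs=FIREWALL_ADDRS):
    """Count healthy LAN->Unbound queries, LAN bypass attempts (redirected by
    the NAT rule if it works), plaintext DNS leaving the WAN, and DoT flows."""
    report = {"lan_to_unbound": 0, "lan_bypass_attempts": [],
              "wan_plaintext_dns": [], "wan_dot": []}
    for line in lan_lines:
        flow = parse_flow(line)
        if flow is None or flow[3] != 53:   # only client queries, not replies
            continue
        src, _, dst, _ = flow
        if dst in firewall_addrs:
            report["lan_to_unbound"] += 1
        else:
            report["lan_bypass_attempts"].append((src, dst))
    for line in wan_lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        _, _, dst, dport = flow
        if dport == 53:                      # must be empty once rules work
            report["wan_plaintext_dns"].append(dst)
        elif dport == 853:                   # expected DoT to the upstream
            report["wan_dot"].append(dst)
    return report


def usable_v6_redirect_target(addr):
    """::1 cannot be used as the IPv6 redirect target; a ULA (fc00::/7) added
    as a VIP on lo0 can. 127.0.0.1 is the IPv4 case and is handled separately."""
    ip = ipaddress.ip_address(addr)
    return (ip.version == 6 and not ip.is_loopback
            and ip in ipaddress.ip_network("fc00::/7"))


if __name__ == "__main__":
    result = audit(LAN_LINES, WAN_LINES)
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["wan_plaintext_dns"]:
        print("LEAK: plaintext DNS left via WAN; check the block/redirect rules")
    print("fdff::1 usable as v6 redirect target:", usable_v6_redirect_target("fdff::1"))
```

With the constructed input the report shows two queries to Unbound, one LAN client trying 1.1.1.1 (fine if the redirect rule catches it), one DoT flow to 9.9.9.9, and one plaintext query to 1.1.1.1 on the WAN side, which is exactly the case the block rule exists to prevent.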
Hi,
Thanks for that!
I made these rules:
https://i.postimg.cc/tJRRpBjY/dest-NAT.png
https://i.postimg.cc/XJsSc3Rc/rule.png
For my destNAT I have made the "firewall rule" "pass" as you said, but it still doesn't work. I'm testing it on a VM, and when I make my DNS use my OPNsense, DNS works, but when I change it to 1.1.1.1 it doesn't work; I get no internet.
OK, interesting.
I changed the "dest" on both the destNAT and FW rule to "!RFC1918" and it still didn't work.
As soon as I changed "version" from "IPv4+IPv6" to "IPv4" under destNAT, it worked.
Sorry, what do you mean by this please?
> Easiest is to add a VIP to your existing loopback device, something like fdff::1. Any short, valid ULA will do. Then you can use that ULA as the redirect target.
> Better is to create a dedicated loopback device for redirects and assign it a static ULA in interface settings, then use that.
Quote from: robertkwild on April 21, 2026, 04:01:47 PM
> I made these rules:
> https://i.postimg.cc/tJRRpBjY/dest-NAT.png
> https://i.postimg.cc/XJsSc3Rc/rule.png
Your "Block DNS" rule is blocking all destinations. Change that to Dest=!ThisFirewall, otherwise you will block clients from being able to reach Unbound directly at the firewall interface address.
Remember, in the examples I gave, we are not redirecting all DNS. We are redirecting only the requests which are not addressed to Unbound. So, you need to keep the normal path to Unbound open.
Quote from: robertkwild on April 21, 2026, 04:01:47 PM
> when I make my DNS use my OPNsense, DNS works, but when I change it to 1.1.1.1 it doesn't work
I'm sorry I don't know how to interpret this. Can you rephrase? What do you mean by "make my DNS use my opnsense?" Where are you setting 1.1.1.1?
Quote from: robertkwild on April 21, 2026, 04:46:43 PM
> As soon as I changed "version" from "IPv4+IPv6" to "IPv4" under destNAT, it worked.
The destNAT rule does not work with both protocols. You need separate destNAT rules for IPv4 and IPv6.
That is why I mentioned that for IPv4 you supply the redirect target as 127.0.0.1. For IPv6 (separate NAT rule) you need to supply a ULA address. You cannot combine those into a single NAT rule.
Quote from: robertkwild on April 21, 2026, 04:51:04 PM
> Sorry, what do you mean by this please? [...]
Are you using IPv6 and do you have Unbound listening for requests on IPv6? In that case, do this:
Go to Interfaces->Virtual IPs->Settings. Add one like in the screenshot below.
[attachment: loopback-VIP.png]
Then in your IPv6 destNAT rule, you use "fdff::1" as the redirect target.
OK, I've added the "IP Alias", thanks, but I don't see it when I add the destNAT: when I click the dropdown under "redirect target ip" I don't see it as an option. I can see all my "aliases". Should I make it into an alias?
It will not show in aliases unless you create one. It's just like a static IP address. You can type it directly into the rule, same way you entered 127.0.0.1.
Thanks OPNenthu,
I'm a bit confused then: what's the point of making a VIP for it even though I can enter it directly?
The VIP is needed so that the IP gets assigned to the loopback (lo0) interface. You can see it in Interfaces->Overview.
OK, thanks OPNenthu, makes sense. Thanks for all your help with this; it's all working now. Just want to say a big thank you to you!!!!!
Glad it helped :)