OPNsense Forum

Hi, I'm looking for information, but the topic is very complex and fragmented. I'm not sure if this is the right section; if so, I apologize.

The question is simple to say, but far from done.
On the one hand, I'd like my firewall to monitor all DNS queries to filter out ads and other malicious/unwanted content. On the other, I'd like all outgoing queries from my firewall to be secure and anonymized (as much as possible).

I've found several discussions online, but they're starting to get old, so they don't match the latest versions of OPNsense and the various plugins/services, or things have simply changed.

I'd like to start a discussion, perhaps to be updated over time based on the evolution of OPNsense and the world out there. Possibly divided into sections for those who use third-party plugins like PiHole/ADGuard integrated into the OPNsense installation or on other VMs/CTs/devices within their network, those who only use unbound/firewall rules, and those who want to use a combination of these tools. As you can imagine, it's all incredibly complex and has a lot of variables.

Hi, good ask. From my point of view there is not one way to go. There are multiple roads to follow, just what you like most.
I'm no pro on this topic, but after my extended search/reading/trying; I came to this setup:

Opnsense with Adguard Home plugin + as upstream DNS Opnsense Bind (with DNSSEC) (with NO DNS Forwarders)

This way only the DNS Root servers get queried, and not one DNS server has all your queries, most privacy other than with DoH DoT DNSCrypt.

The privacy question is something we can debate endlessly.  For every argument on why one thing is better, there is likely a valid counterargument.  A lot depends on your specific context.

- Where do you live?
- What is your threat model?
- Who are you trying to hide your DNS queries from?  Who are you OK giving them to?

For example, one argument could be that using Unbound in recursive resolver mode is better for privacy because it spreads your queries and no one server has your full query.

A counterpoint to that is that your ISP can see those and maybe you don't want them selling your data.  In that case, DoT to an upstream resolver like
Quad9 might be better.  (In which case you probably also want a VPN so they don't see the dest. IP in your connections.)

And then someone else will counter-counter with an argument that encryption can be broken and "they" can man-in-the-middle you or decrypt your data anyway.

...


Pick your poison.  At the end of the day someone is going to get your queries.  You choose who you intend to give them to and how, but also accept that unintended audiences can and probably will get them.

OK, that's a start.

I would therefore divide the issue into two parts:

• Filter requests from clients within the network
• Smart TVs
• Android devices
• various "smart" systems
• Clients (win/linux/ios/etc)
• Improve privacy.

I know that smart TVs and Android systems with GAPPS are the most complex to filter.
Their manufacturers have vested interests and make a lot of money profiling users, so they do everything they can to obtain as much data as possible.
For other "smart" devices, it's necessary to analyze them on a case-by-case basis.
Clients are potentially the simplest to manage, although much also depends on the individual applications, which could bypass the system DNS and use other ones.

According to my information, the situation is as follows:

• Classic DNS on port 53

Easy to intercept and filter

• DoH TCP/443

Requires MITM to be analyzed

• DoT TCP/853

Requires MITM to be analyzed

• DoQ TCP/853

Requires MITM to be analyzed

• Android (with GApps): DoT TCP/853
• Apple: DoT TCP/853 + DoH TCP/443
• Browser: (Chrome Secure DNS/Firefox TRR): DoH TCP/443 but filterable with an extension like AdGuard

DoH and DoQ are easily blocked if they use port 853; block that with the firewall and the systems must use something else.

There's little you can do about DoH; either you start doing MITM or it passes.
And this could be a separate section.

For firewall exit, I see the following applicable strategies:

• Full recursive (DNSSEC + QNAME minimization)
• Encrypted forwarder (DoT/DoH/DoQ)
• ODoH / Anonymized DNSCrypt

As you rightly said, it's more of a matter of choosing the lesser of two evils.

IMHO people very quickly overcomplicate things and start doing weird stuff that makes no sence at some point so let's keep things simple :

- You have OPNsense.
- You could use it's Unbound for your "Query Root DNS Server needs".
- Or you could use Pi-Hole + Unbound the way it's explained here : https://docs.pi-hole.net/guides/dns/unbound/

Now let's kill the biggest issue here : Your Clients and their Applications !!

Quote from: Mario_Rossi on April 04, 2026, 02:05:37 PMSmart TVs

Often you get a lof of weird ads shown because of two things :
- You accepted too many EULA's when setting up your TV !!
For example LG WebOS TV's only need the first two and not all 3/4/5 of them selected ;)

- The software installed/used on the device.
The easiest example here is Android TV :

1. Get rid of the Android TV Home Launcher updates !!
This will (hopefully) set you back to the days when the Launcher did not have any ads shown at all and will make sure you have a clean Home Screen with just the stuff you are using and nothing more than that.

If that fails then start thinking about alternatives : https://duckduckgo.com/?q=alternative+android+tv+home+launcher&ia=web
There are both free and paid ones and all of them can be set as the default via ADB Tools after Enabling Developer Mode ;)

2. Make sure to use so called "Modded Clients" as much as possible !!
The easiest example here is not using the official YouTube app and using SmartTube instead : https://github.com/yuliskov/SmartTube

There are also alternative options for LG WebOS TV's after getting yourself a free Developer Account and installing the Developer Mode app which you can find here : https://github.com/webosbrew/dev-manager-desktop

QuoteAndroid & iOS devices

Basically ditch them completely or at least as much as possible !!

- For Android there two options :
1. Unlock Bootloader and flash completely alternative software like UB Ports Ubuntu Touch or Jolla SailFish.
2. Unlock Bootloader and flash Custom ROMs or even Privacy Minded ROMs like /e/ OS or GrapheneOS for example.

But you really want that YouTube app when running some flavor of Android don't you ?!
Luckily there is https://github.com/MorpheApp/ for that these days! ;)

- For iOS there is not much you can do :
Either ditch it or just use as little services as possible...

QuoteClients (win/linux/ios/etc)

Simple :

Avoid Microsoft/Apple/Google as much as possible.
So NO Windows/MacOS/ChomeOS at all !!

And if you really have to then again try using their software a little as possible :
For example : Need a browser ?
Try LibreWolf or Pale Moon instead of Edge/Safari/Chrome.

And if you are using some kind of webbased software that was developed by one of those fake webdevelopers that like supporting "Internet Explorer 6 v2.0" a.k.a. anything based on Chromium, then there is a modded version of that browser available too : https://github.com/uazo/cromite

QuoteDNS over HTTPS - Port 443

All browsers based on Mozilla Firefox have a so called 'Canary Domain' and when combined with Pi-Hole for example the Local DNS Server is respected and used instead of DoH : https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

QuoteThat annoying QUIC Protocol

You can ofcourse block it via OPNsense for anything that isn't a browser, but you can also use Advanced/Hidden Settings in browsers to Disable it :
- Mozilla Firefox based browsers : about:config
- Chromium based browsers : chrome://flags
For Microsoft Edge : edge://flags

There are a lot of DNS related Settings in the last two, so make sure you go through all of them and re-check after each update if they have not been reverted to the default settings !!



And that's pretty much it! :)



I wouldn't bother doing anything more than the above to be honest...

We've already done the simple things... now let's move on to the complex ones XD

Jokes aside, I agree with what you write.
Anyway, sometimes it's nice to experiment.
At work, we use a PaloAlto firewall; the approach is fundamentally different, but not any simpler... quite the opposite.

Updating Opnsense made my unbound and firewall rules a bit tangled up, so I ran into some serious problems.
I quickly dug up the AdGuard Home CT, which I stored in Proxmox, reset unbound, and redid the basic firewall and DHCP rules.

I've been wanting to experiment with certificates, proxies, and IPs for a while.

I read a lot of requests about DNS management, but they're always very limited to specific cases. I wanted to create a broader discussion so that users looking for information can find a starting point.

Your point remains very valid. I went from a non-smart TV to a 2025 Samsung, and boy, are they full of junk.
I basically reject everything, but if you want to use some things, you have to accept them. I was thinking about switching to a Tegra, but it's always the same old story, the same if I decided to use a mini PC... besides the fact that they're still expensive devices, consume a lot of power, and need maintenance.
Being able to leverage Opnsense and everything else around it to improve the situation wouldn't be bad.


P.S. I use Firefox as my primary browser and Vivaldi as my secondary one.
I'm a Microsoft system administrator, so I can't migrate to Linux :-P

you can if you wanted, run AdGuardHome on your OPNsense. Simple add the os-adguardhome-maxit plugin.

Quote from: Mario_Rossi on April 04, 2026, 04:30:19 PMWe've already done the simple things... now let's move on to the complex ones XD

Hehe :)

I forgot to mention Redirecting all DNS Requests to your own DNS Server.
See : https://forum.opnsense.org/index.php?topic=9245.0

QuoteJokes aside, I agree with what you write.

Thnx! :)

QuoteI quickly dug up the AdGuard Home CT, which I stored in Proxmox

Having Proxmox around or just a small Intel NUC-like "Server" to host/test some stuff is nice to have too indeed!

QuoteI read a lot of requests about DNS management, but they're always very limited to specific cases. I wanted to create a broader discussion so that users looking for information can find a starting point.

Messing around with blocking DNS related IP Addresses and Domains is something I would only look into at the moment that I notice that I have no other choice than applying it because of a certain device/OS/application.

QuoteYour point remains very valid. I went from a non-smart TV to a 2025 Samsung, and boy, are they full of junk.
I basically reject everything, but if you want to use some things, you have to accept them.

Yep... :(

QuoteI was thinking about switching to a Tegra

The Nvidia Shield TV users are all hoping for a hardware-wise upgraded model on of these days, but the 2019 Pro model is still a very nice device to have IMHO.

In my case it's the older 2017 model that I am using, but I also use some stuff on the LG WebOS TV directly :)

QuoteP.S. I use Firefox as my primary browser and Vivaldi as my secondary one.

The issue with Firefox is that they are not as Privacy focused as they claim to be/use to be for a while now...

I only use it as a backup browser next to LibreWolf and Pale Moon.

QuoteI'm a Microsoft system administrator, so I can't migrate to Linux :-P

That's not a valid excuse! :P

Quote from: cookiemonster on April 04, 2026, 09:02:06 PMyou can if you wanted, run AdGuardHome on your OPNsense. Simple add the os-adguardhome-maxit plugin.

I don't like messing around with unofficial plugins or those that require "trickling."
I tried that plugin a while ago, but it took up hardware resources and required ssh activity for firewall adjustments I didn't like.
I installed AGH on a Proxmox LCX. One day, with more time, I think I'll move it to the Docker VM.

Meanwhile, I've managed to get everything working in the following chain:

• AGH on the external container responds on port 53/443/853 and turn to unbound on 35353
• Unbound listens on 35353 and turn to DNSCrypt-Proxy on 127.0.0.1:45353
• DNSCrypt-Proxy listens on 45353 and turn to DNSCrypt/DoH/DNSSEC/NoLog/NoFilter/Ephemeral Keys/TLS Disable Session Tickets server

AGH filters (no cache), unbound caches and resolves internal addresses, DNSCrypt-Proxy (no cache) makes external requests

The firewall pass all requests on 53/853 from the various VLANs to the AGH IP only and drop them from other IPs.
With a NAT rule, I intercept all requests made to the various IPs on ports 53/853 and forward them to AGH.

Meanwhile, I also managed to create a wildcard certificate for my lab using the acme plugin (I have a domain/site on OVH) and I'm gradually adding the certificates to the various services. For now, I've automated copying the certificates to the AGH CT.

The next step is to understand how to do and implement https inspection.

Quote from: Mario_Rossi on April 06, 2026, 05:59:55 PMThe next step is to understand how to do and implement https inspection.

Easy: You don't. See this, point 12 (https://forum.opnsense.org/index.php?topic=42985.0).

Quote from: meyergru on April 06, 2026, 07:45:11 PM

Quote from: Mario_Rossi on April 06, 2026, 05:59:55 PMThe next step is to understand how to do and implement https inspection.

Easy: You don't. See this, point 12 (https://forum.opnsense.org/index.php?topic=42985.0).

"You can't" is relative; point 12 itself states that it's difficult (not impossible) and requires resources that can only be justified within a corporate context.

At work, we have Paloalto and perform https inspection, with, of course, bypass rules that we often add.
It's definitely a very different context; we have AD and distribute certificates via policies, as well as a ton of integrations between Paloalto and the Microsoft world (Enter).

A home lab should be a place where you can experiment and gain experience without worrying about shutting down the entire company.

Try to do it with your IoT devices and you will see what I mean. Essentially, they will have no internet access at all, because you cannot inject your own CA into most of them. If you then exempt them from HTTPS inspection, you are all set when somebody uses an IP in the exempt range.

That means: a homelab with IoT devices and stuff means exemptions are neccessary and then anybody can use those IPs. Even if you use VLANs, if you do not also have 802.1x (aka "enterprise features"), anybody can circumvent it. I never said that it can only be justified in an enterprise context - it is only achievable in an enterprise context (with a lot of work), not in your average home network with lacking features and given requirements. And as you say: "At work...".

That is what I meant by "you can't". You can - but it will not keep your kids safe, not even speaking of them using LTE on their mobile phones when they find blocking in your WLAN or using a free VPN. Ad blocks and other stuff can easily be done via DNS blocks, so what can you actually achieve?

I think that this is not worth the effort, but you do you.

Quote from: meyergru on April 07, 2026, 10:53:29 AMYou can - but it will not keep your kids safe, not even speaking of them using LTE on their mobile phones when they find blocking in your WLAN or using a free VPN.

Maybe the kids don't have any SIM card in use or maybe it's a Tablet with just WiFi ?!

VPN stuff can be blocked or simply make sure Dad & Mom are the only ones who can install stuff ?!

QuoteSo what can you actually achieve?

IMHO having a good talk with your kids and not letting the Phone/Tablet/TV/Gaming Console be their "Nanny" is still the best, but the more tools you have got the better! :)

Okay, my intent wasn't to bring up kids and the like.
And the fact that you mention 802.1x reminds me of another thing to implement/test: NAC functionality.

What else would be the intent of HTTPS introspection? As I said, Adblocking (and even kid safety) can be done with DNS and / or IP blocking (that is, iff you also control DNS tightly).

The easiest point to intercept HTTPS traffic is on the endpoint device itself, not by interfering with traffic on any intermediary (to prevent that is essentially a design goal of traffic encryption in the first place).

In my experience, if you want enterprise-level security, you conceptually will have to use a layered approach, because punctual measures will be circumvented sooner or later. If you do not need to protect your users from themselves, you do not need most of that, anyway.

That of course includes 802.1x, DNS redirection (plus blocking of DoT and DoH, which is also hard), and control of HTTPS traffic (preferably on the endpoint), not to forget blocking VPN traffic of any kind.

To do all of that is a major effort which most people - including me - will not take, but it is certainly a nice playing field.

I think this is as good a thread as any to request a peer review of a DNS rule matrix and maybe some others will get something from it, too.

I made some updates to try and take DoQ (DNS-over-QUIC) and DoH3 (DNS-over-HTTP/3) into account, but this might have some holes in it that I'd be grateful to get feedback on.  Blocking these protocols and all their known/common ports (at a minimum) is becoming tedious.

The goals:

• Redirect plain DNS (Do53) to OPNsense on a loopback device
• Block plain DNS escapes and also DoT (tcp/853) outbound
• Block DoQ to standard UDP ports (853, 784) outbound
• Block DoH (tcp/443) and DoH3 (udp/443) to public DNS IP lists ...but try to minimize breakage of HTTP/3 and QUIC for general web traffic!
• Cover a few lesser known but still "standard" or semi-standard ports
• Selectively allow some web clients to Quad9 for all encrypted protocols including their new DoH3/DoQ (https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/).  These are mainly Androids with "private DNS" turned on and have no plain DNS fallback for when at home.

For the resolver IP block lists ("NETS_PUBLIC_DNS") I use these:

• https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv4.txt
• https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/refs/heads/master/doh-ipv6.txt
• https://public-dns.info/nameservers.txt
• https://raw.githubusercontent.com/oneoffdallas/dohservers/master/iplist.txt
• https://raw.githubusercontent.com/oneoffdallas/dohservers/refs/heads/master/ipv6list.txt
• https://raw.githubusercontent.com/jameshas/Public-DoH-Lists/refs/heads/main/lists/doh_ips_plain.txt

*There is an embedded alias within this one for adding negated overrides (!host) in case an important site breaks.

For DNS-based block lists in Unbound I use:

• [hagezi] DoH/VPN/TOR/Proxy Bypass (built-in)
• [hagezi] Dynamic DNS blocking (built-in)
• https://dbl.ipfire.org/lists/doh/domains.txt

*Ditto, Unbound supports allowlist overrides to fix the occasional break.

Rules on local interface group:
dns-rule-matrix.png

DNAT (using auto "Pass" rule):
port-forward.png

Ports alias:
ports-dns-alias.png


Are there cracks here for things to slip through, aside from 1) remote services on non-standard ports, and 2) missed resolver IPs in block lists?

Quote from: OPNenthu on April 07, 2026, 11:28:08 PMbut try to minimize breakage of HTTP/3 and QUIC for general web traffic!

Why ?!

The whole reason QUIC exists is so that it can be used for advertising since it bypasses your DNS based adblocking !!

If you can kill it : JUST DO IT! :)
_{Not like Nike LOL!}

There's no easy way to block any of these as they can run on non-standard ports.  What method do you recommend that doesn't require enterprise level setups?  Can my rules be improved upon other than just bluntly blocking udp/443 and udp/853?

Quote from: OPNenthu on April 08, 2026, 03:50:33 AMWhat method do you recommend that doesn't require enterprise level setups?

- Chromium based browsers : chrome://flags
- Microsoft Edge specific : edge://flags
- Mozilla Firefox based browsers : about:config
With the small exception that the regular Android version does not support this sadly and only the Android Nightly version does !!

Simply do whatever you can as much as possible and hope for the best :)

I think I've achieved a good level of DNS management.

These are my NAT rules:
nat.png
I take everything not destined for AGH on port 53 and 853 and forward it to AGH.
I take everything not arriving from AGH to Unbound and forward it to AGH (so only AGH can query Unbound).
I take everything not arriving from Unbound/OPNsense to DNSCrypt and forward it to AGH (so only Unbound/OPNsense can query DNSCrypt).


While these are my firewall rules:
rule.png
All local networks can reach AGH on ports 53/443/853 UDP/TCP.
The smart TV on the Guest VLAN can only access the Internet through ports 80 and 443 UDP/TCP; everything else is blocked.
Other objects on the Guest VLAN can only access the Internet.

This is the AGH encryption configuration
AGH.jpg

In the AGH logs, I see that it handles:
Type: A, Simple DNS
Type: AAAA, Simple DNS
Type: A, DNS over TLS
Type: HTTPS, Simple DNS

All DNS traffic (and variants) passing through standard ports should be handled.
Now everything else is missing, and for that I can't find anything better than a Layer-7 filter.
Without paying for external software like Zenarmor, the only valid alternative at home is Suricata.

I while ago I was trying to accomplish something similar, here's what I did:

- local Unbound + blocklists
- NAT rule redirecting all DNS queries to locally running unbound
- OPNsense firewall blocking known DoH/T/... hosts traffic, to accomplish that I'm relying on public lists like https://github.com/hagezi/dns-blocklists and https://github.com/dibdot/DoH-IP-blocklists + https://github.com/galmeida/blocklist-dns-resolver. blocklist-dns-resolver allows me to exclude entries from those lists based on their domain or IP. I realized I needed blocklist-dns-resolver because some GitHub CDN hosts and app servers used by iOS and MacOS are in those lists.

Okay, but here we're still talking about DNS filters on more or less standard ports.
Everything that's encrypted DNS and on non-standard ports can't be stopped with these lists on unbound or various DNS servers.
We need a layer 7, possibly without HTTPS inspection, but one that can at least understand from the patterns what's in the packet and can at least read the SNI field.

Quote from: nero355 on April 04, 2026, 03:40:27 PM- Or you could use Pi-Hole + Unbound the way it's explained here : https://docs.pi-hole.net/guides/dns/unbound/

Their main website (https://pi-hole.net/) get blocked on my end by a DoH IP list.  Looks like a CDN domain (*.b-cdn.net) according to uBlock origin and it has a high abuse score to boot:

https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/37.19.207.37

I've used Pi-Hole in the past and wanted to experiment with it again in a Proxmox container, but I don't want to whitelist these IPs.  Not a good look for a privacy-focused DNS project :-/

No issue with their GitHub repo, though.

As I haven't used Pi-Hole in years and haven't followed the project, do you still find them trustworthy now in 2026?  Any concerning developments or money ties?

Quote from: OPNenthu on April 14, 2026, 03:17:22 AM

Quote from: nero355 on April 04, 2026, 03:40:27 PM- Or you could use Pi-Hole + Unbound the way it's explained here : https://docs.pi-hole.net/guides/dns/unbound/

Their main website (https://pi-hole.net/) get blocked on my end by a DoH IP list.  Looks like a CDN domain (*.b-cdn.net) according to uBlock origin and it has a high abuse score to boot:

https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/37.19.207.37

I've used Pi-Hole in the past and wanted to experiment with it again in a Proxmox container, but I don't want to whitelist these IPs.
Not a good look for a privacy-focused DNS project :-/

In all of the years that I have used Pi-Hole and helped people on various forums with all sorts of questions this is the first time that I read something like that : Are you sure it's not a False Positive ?!

QuoteNo issue with their GitHub repo, though.

What does https://discourse.pi-hole.net/ do for you ?

AFAIK it's hosted on the official Discourse CDN so it should not show you any issues and you could post the above results there and see what they say :)

QuoteAs I haven't used Pi-Hole in years and haven't followed the project, do you still find them trustworthy now in 2026?
Any concerning developments or money ties?

It's a small team of about 8 people and some do the development and some do the support on a couple of places : That's it! ;)

Sometimes other people contribute too and the code only gets added after approval by the other developers ofcourse.

There is no Spyware/Adware/Telemetry/Ads/Subscriptions or any kind of company involved !!


FYI :
I can't remember what I have started using using Pi-Hole but it has got to be more than 10 years by now and there wasn't any moment of doubt or reason to reconsider their trust during that period ;)

In fact when Pi-hole v6.x.x got released somewhere around February 2025 I was seriously 'STOKED!' as they say :
- No more LigHTTPd.
- No more PHP.
- CivetWeb does almost everything now and is part of the whole FTLDNS package.
- C++ is now the way forward.
- DNSmasqd is ofcourse still part of FTLDNS.
- The API is also still available.
- Super Sweet New webGUI that's a 1:1 translation of the pihole.toml config file which is in a league of it's own when you see how nicely commented it is via SSH when you edit it via nano or vi :)

Basically while a lot of software and websites are getting seriously bloated they made the whole thing a lot more compact and removed some dependencies.
Not just to avoid issues, but now the whole thing also runs on a wider range of Linux distros as a bonus !!

Quote from: nero355 on April 14, 2026, 04:01:21 PMAre you sure it's not a False Positive ?!

Today it's working, so either the node was removed from a list I am using, or I got routed to a different one this time.  It's very rare for that to happen so that's why I was surprised.

I guess this also illustrates the difficultly with DoH filtering.  Any servers that are found to provide DNS get added to the list, but in some cases those same IPs serve other purposes and/or web content.  So you have a tough choice: unblock or not.

Quote from: nero355 on April 14, 2026, 04:01:21 PMIn fact when Pi-hole v6.x.x got released somewhere around February 2025 I was seriously 'STOKED!' as they say :
- No more LigHTTPd.
- No more PHP.
- CivetWeb does almost everything now and is part of the whole FTLDNS package.
- C++ is now the way forward.
- DNSmasqd is ofcourse still part of FTLDNS.
- The API is also still available.
- Super Sweet New webGUI that's a 1:1 translation of the pihole.toml config file which is in a league of it's own when you see how nicely commented it is via SSH when you edit it via nano or vi :)

Good updates, although what's curiously still missing from the list is native DoT forwarder support in Unbound.  I get this out of the box with OPNsense (no custom add-ons like 'stubby' or 'dnscrypt-proxy' needed).

IIRC, the devs have a philosophy that recursive resolution with Unbound is the best thing since sliced bread and not worth using anything else.  They must be EU based and trust their ISP not to hoover plain DNS over the wire (or they tunnel it) :)

Serious question: what's the killer functionality of Pi-hole that Unbound in OPNsense (as of 26.1) doesn't have?  Besides, I guess, data retention period for reports which is rather limited in OPNsense.

Quote from: OPNenthu on April 17, 2026, 03:45:33 AMWhat's curiously still missing from the list is native DoT forwarder support in Unbound.
I get this out of the box with OPNsense (no custom add-ons like 'stubby' or 'dnscrypt-proxy' needed).

If it's in Unbound for OPNsense then it should be in Unbound for Debian/other Linux distros ?!

QuoteIIRC, the devs have a philosophy that recursive resolution with Unbound is the best thing since sliced bread and not worth using anything else.
They must be EU based and trust their ISP not to hoover plain DNS over the wire (or they tunnel it) :)

I know that two of them are German but one of them is just a Moderator and one is American and I think one is from the U.K. :)

There have been recent reports from users who are experiencing similar things to what you are describing however, but it doesn't happen that often!

But to be honest : I don't see everyone turning to CloudFlare for their DNS Resolving and Anti-DDoS services as the solution for such issues like most people seem to do...

QuoteSerious question: what's the killer functionality of Pi-hole that Unbound in OPNsense (as of 26.1) doesn't have?
Besides, I guess, data retention period for reports which is rather limited in OPNsense.

Aside from the whole webGUI telling you a lot more than just Unbound does, my personal favorite is the fact that you can customize soo much if the default available options turn out to have any shortcomings and since version 6.x.x even that has been made available in the webGUI !! :)

So now there is almost 0,0 reason to dive into your Pi-Hole instance via SSH and edit files manually : The webGUI got you covered!

Thanks @nero355, I appreciate you letting me pick your brain a bit.

Quote from: OPNenthu on April 17, 2026, 05:58:39 PMThanks @nero355, I appreciate you letting me pick your brain a bit.

You are welcome! :)

Let me know if you have other questions, because I know it's often difficult to get the right information about certain things because people are afraid to tell the whole truth or simply don't know the software good enough...