Solution

tls-cert-bundle turned out to be important, no surprise there. Appended tls-cert-bundle: "/usr/local/etc/ssl/cert.pem" to the top of the file.

Also, I had originally added two entries in the GUI under "DNS over TLS". I assumed my config would override them; however, it looks like it was in addition to them. Once those were disabled and the service restarted, I started seeing traffic logs in Cloudflare pretty quickly. Firewall rules are working, too.
Original

I've configured my Opnsense instance per this tutorial: https://homenetworkguy.com/how-to/configure-dns-over-tls-unbound-opnsense/
- 1.1.1.1/help shows I'm using DoT (and not DoH)
- I can see traffic going over 853 to the intended Cloudflare IPs from the correct source IP
- DNS resolution is working*
From all the resources I've found, they all cover public resolvers. In my case, I'm using Cloudflare One, where I am given a specific DoT endpoint and restrict it to my static IP CIDR. I've got a firewall rule to block various categories; however, those are not blocked (using https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/test-dns-filtering/#test-a-security-or-content-category) and I see no traffic in the logs (over the past few days).
Did come across this: https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/dns/dns-over-tls/#2-configure-your-dot-client I added what it suggested (minus the tls-cert-bundle) to /usr/local/etc/unbound.opnsense.d/cf-one.conf and rebooted. Unfortunately, that didn't seem to do anything. (Config seemed to be automatically copied to /var/unbound/etc and the GUI notes there's a custom override, so at least Unbound is aware of it.)