Messages - SuperWhisk

#1
> Are you saying that some devices on your LAN are actually using DoT, i.e. port 853 and not port 53?
I would like them to have the option to use DoT, since unbound supports it, but I can't say if any actually do. Like I said, in my previous setup it was just a checkbox and a cert select dropdown to enable it, so I did.

As for DoH, I don't really care to support it for local clients. Part of the point of that protocol is to hide DNS traffic and skirt around things like the NAT redirect rules and DNSBLs I have set up. I obviously can't just block traffic with a destination of port 443 and neither can anyone else, so the best I can do to prevent things like IoT devices from trying to use DoH is to block the IPs of known DoH servers.
#2
Thank you for your response! If I am understanding your steps correctly, you are describing how to configure Unbound to do upstream DNS queries using DoT and redirect local DNS traffic to Unbound. This is unfortunately not my issue.
I have already set up DoT rules in Unbound for upstream queries, and I have already configured NAT rules to redirect all local DNS traffic to Unbound on OPNsense, and I have also set up IP and DNS block lists for known DoH (DNS over HTTPS, port 443) hosts to mitigate those "escapees" you mentioned.
What I am asking about is a way to configure Unbound to respond to DoT requests from devices on the local network. It looks like this feature is still pending in this open PR here: https://github.com/opnsense/core/pull/6558
The closed PR I linked to above had a link to this one that I missed last night. Based on the discussion in this new PR, I am not hopeful this will be added to the GUI any time soon. There was at least a mention in this new PR's discussion about a way to add custom unbound configuration files, so I may be able to configure DoT that way, as Unbound itself natively supports responding to DoT requests.
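For the custom-configuration route mentioned in the post above, here is an added example of an Unbound `server:` fragment that makes the resolver answer DoT from LAN clients on port 853. It is not code from the post, the PR, or OPNsense; the drop-in file location, the LAN address and the certificate paths are assumptions and need to be adjusted to the actual install.

```conf
# Added example (not from the post or from OPNsense): Unbound DNS-over-TLS listener for LAN clients.
# Assumed drop-in location: /usr/local/etc/unbound.opnsense.d/dot-listener.conf
# Assumed LAN address 192.168.1.1 and certificate/key paths; replace with real values.
server:
    # Listen on the LAN address only; "@853" attaches this listener to the TLS port
    interface: 192.168.1.1@853

    # Interfaces whose port matches tls-port are served as TLS only (853 is the default)
    tls-port: 853

    # Certificate chain and private key presented to clients.
    # The certificate's name must match the hostname clients are configured to use,
    # and the key file must be readable by the user Unbound runs as.
    tls-service-pem: "/usr/local/etc/unbound/dot-cert.pem"
    tls-service-key: "/usr/local/etc/unbound/dot-key.pem"
```

A few practical points: the existing `access-control` entries OPNsense generates still apply to the new listener, so only networks already allowed on port 53 get answers on 853; a firewall rule permitting TCP 853 from LAN to the firewall address is still needed, since the port-53 NAT redirect does nothing for DoT and clients have to be pointed at the gateway's hostname explicitly. After dropping the file in, `unbound-checkconf` validates the merged configuration, and `openssl s_client -connect 192.168.1.1:853` (or `kdig @192.168.1.1 +tls example.com` from knot-dnsutils) confirms the TLS handshake and a query succeed from a LAN host.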
#3
I'm a bit new to OPNsense, having recently come from the other *sense, but it's surprising to me that there is no way to configure unbound to listen on port 853 and respond to DoT requests. This is as simple as an enable checkbox and a certificate select dropdown on said other *sense.
So far all I have found is this closed PR from two years ago: https://github.com/opnsense/core/pull/5468

I'm really liking OPNsense so far. Once I got used to the UI, I actually find many of the settings to be laid out more intuitively, but this would seem to be a glaring omission.
I don't suppose there is any chance that I have just missed something and this is actually supported?