Messages - roman6904

#1
Ha! I can't believe that didn't occur to me. Thank you both very much, the world once again makes sense! The testers for quad9 and cloudflare indeed show I am using their services (after I isolate them to make sure I'm only using one). Thanks again!
#2
I'm new to OPNSense but very excited. I've got Adguard and Unbound working together, and I'm trying to set up DNS over TLS. From what I can see it seems to be working, but when I load the Mullvad connection check page (https://mullvad.net/en/check), it says I'm still leaking DNS servers.

Here's what I think are the important parts from my setup so far:

My LAN interface uses 192.168.9.0/24. I've disabled IPv6 everywhere I can find it.

Adguard:
  • Listening on port 53
  • Upstream, Bootstrap, and Private reverse DNS servers are all set to 192.168.9.1:5353
  • "Use private reverse DNS resolvers" is checked.

Unbound:
  • Listening on port 5353
  • Listening to All network interfaces
  • DNSSec Support is enabled
  • Query Forwarding is empty
  • DNS over TLS has the following entries:

System > Settings > General doesn't have any DNS servers listed. "Allow DNS server list to be overridden" is unchecked, as is "Do not use the local DNS service as a nameserver for this system."

Services > ISC DHCPv4 > LAN doesn't have any DNS servers listed. Gateway, Domain name, and Domain search list are all blank.

I set up a firewall Floating rule on the LAN interface to block all outgoing traffic on port 53. I also set up a NAT Port Forward rule on the LAN interface to redirect any port 53 traffic to 127.0.0.1 (port 53).

If I increase my Unbound log verbosity it looks like things are going well -- I see lines like this if I search for 853:

2025-03-19T23:55:34-05:00    Informational    unbound    [69136:3] info: reply from <.> 9.9.9.9#853

I don't see any similar lines when I look for "53" instead (obviously it finds the above lines, but nothing that looks like it's querying out on port 53).

I do have working internet, so my DNS settings are working, they're just not appropriately doing DNS over TLS. I used both https://mullvad.net/en/check and https://dnsleaktest.com/, both indicated I'm leaking DNS servers. I've run some ad testing sites, and they indicate Adguard is correctly filtering out ads, so I'm also confident that part is working.

Anyone have ideas of what I could have missed or done wrong? Thanks in advance for any advice!
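One way to turn the Unbound log check described in the post into something repeatable, as an added example that is not part of this thread or of OPNsense's own tooling: it tallies every upstream reply by server and port and flags any that came back over plain port 53 instead of 853. The log lines are constructed to match the format quoted above, and the regex is an assumption about that format.

```python
import re
from collections import Counter

# Matches the "reply from <zone> ip#port" lines Unbound emits at higher
# verbosity (same shape as the line quoted in the post). Assumed format;
# adjust if your OPNsense log columns differ.
REPLY_RE = re.compile(
    r"info: reply from <(?P<zone>[^>]*)> (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

# Constructed sample log, modelled on the post's line. The 192.0.2.53 entry
# is a deliberate plaintext (port 53) reply so the check has something to flag.
SAMPLE_LOG = """\
2025-03-19T23:55:34-05:00    Informational    unbound    [69136:3] info: reply from <.> 9.9.9.9#853
2025-03-19T23:55:35-05:00    Informational    unbound    [69136:3] info: reply from <example.com.> 149.112.112.112#853
2025-03-19T23:55:36-05:00    Informational    unbound    [69136:1] info: reply from <.> 1.1.1.1#853
2025-03-19T23:55:37-05:00    Informational    unbound    [69136:2] info: reply from <example.org.> 192.0.2.53#53
2025-03-19T23:55:38-05:00    Informational    unbound    [69136:2] info: resolving example.org. A IN
"""


def summarize_upstreams(log_text):
    """Return {(ip, port): count} for every upstream reply found in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            counts[(m.group("ip"), int(m.group("port")))] += 1
    return counts


def plaintext_upstreams(counts):
    """Servers that answered over plain DNS (port 53) rather than DoT (853)."""
    return sorted(ip for (ip, port) in counts if port == 53)


def dot_upstreams(counts):
    """Servers that answered over DNS over TLS (port 853)."""
    return sorted(ip for (ip, port) in counts if port == 853)


if __name__ == "__main__":
    counts = summarize_upstreams(SAMPLE_LOG)
    for (ip, port), n in sorted(counts.items()):
        print(f"{ip}:{port}  {n} replies")
    print("DoT upstreams:", dot_upstreams(counts))
    print("plaintext upstreams:", plaintext_upstreams(counts) or "none")
```

Run it against the output of the Unbound log search instead of the sample text; if only port 853 entries show up, a leak-test site listing the DoT provider's resolvers (Quad9, Cloudflare) is the expected result, not a leak.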