Messages - excavator fidelity

#1
THANK YOU! That worked!

I have no clue why unbound works like that, but thanks for helping me work through this issue.
#2
This is /var/unbound/unbound.conf:

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: unbound
directory: /var/unbound
pidfile: /var/run/unbound.pid
root-hints: /var/unbound/root.hints
use-syslog: yes
port: 53
include: /var/unbound/advanced.conf
harden-referral-path: no
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
so-reuseport: yes
module-config: "python iterator"
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8




# Interface IP(s) to bind to
interface: 0.0.0.0
interface: ::
interface-automatic: yes



# Private networks for DNS Rebinding prevention (when enabled)


# Private domains (DNS Rebinding)
include: /var/unbound/private_domains.conf

# Static host entries
include: /var/unbound/host_entries.conf

# DHCP leases (if configured)


# Custom includes
include: /var/unbound/etc/*.conf



python:
python-script: dnsbl_module.py

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: /var/unbound/unbound_server.key
    server-cert-file: /var/unbound/unbound_server.pem
    control-key-file: /var/unbound/unbound_control.key
    control-cert-file: /var/unbound/unbound_control.pem

And here's /var/unbound/etc/extra_config.conf:

server:
  # Listen on the second loopback interface
  # DNS-over-TLS
  interface: fd53:5353:0000::1@853
  interface: 192.168.0.1@853

  tls-port: 853

  # Let's Encrypt certificate
  tls-service-key: "/var/etc/acme-client/keys/abcd.1234/private.key"
  tls-service-pem: "/var/etc/acme-client/certs/abcd.1234/fullchain.pem"

The acme files exist, the addresses are listed in ifconfig, and I watched my Firewall logs and can confirm my Pass rule works.
I tried renaming the file to start with `00-` and to start with `zz-`.
No matter what, the output of `sockstat -l | grep unbound` still only shows listeners on `*:53` (and the local control port `:953`).
#3
Maybe I'm just too unfamiliar with OPNsense internals, but I was able to get DoT working by directly editing /usr/local/etc/unbound/unbound.conf and then running `sudo service unbound onestart`. But now I have two separate `unbound` instances running!
#4
Exactly the same certificate profile here.
I checked with `openssl` that the files are correct and have an EC key and x509 cert (which I'm using for the Web UI so it is valid).

I can't get `service unbound restart` to work because the rc.d script assumes I'm in the chroot; I want to try and restart unbound from the shell instead of using the UI to make sure that isn't a source of issues.
#5
Yes, these directories match exactly (including the contents).

Where are the unbound logs located? I've been using the UI since there isn't a /var/log/unbound directory.
I think it could be an issue where the ACME private key is not readable (since it's owned by root:wheel), but I can't see any errors in the UI log. I believe unbound is started as root though so maybe this isn't a problem.
#6
Using sockstat -l I realize that unbound isn't listening on port 853. I assume that means the configuration is not being loaded: is `extra-config.conf` not a valid filename for the `opnsense.unbound.d` directory? It is correctly moved into the chroot.
#7
$ # This is on the OPNsense box
$ openssl s_client -connect 192.168.0.1:853
0810A5FFB6220000:error:8000003D:system library:BIO_connect:Connection refused:/usr/src/crypto/openssl/crypto/bio/bio_sock2.c:125:calling connect()
0810A5FFB6220000:error:10000067:BIO routines:BIO_connect:connect error:/usr/src/crypto/openssl/crypto/bio/bio_sock2.c:127:
connect:errno=61

That config typo is just from copying into the forum, my config correctly uses the `/var/etc/acme-client/certs/.../fullchain.pem` path.
#8
Hmm, thanks for the information but this still isn't working for me.
This may be an Unbound issue and not an OPNsense one, but I can't connect to the server.

$ dig @dns.example.com +tls google.com
;; Connection to 192.168.0.1#853(192.168.0.1) for google.com failed: timed out.
;; no servers could be reached

and on Unbound:

2025-11-02T13:33:36-06:00 Debug unbound [16668:0] debug: outnettcp got tcp error -1
2025-11-02T13:33:36-06:00 Debug unbound [16668:0] debug: outnettcp cb
2025-11-02T13:33:36-06:00 Debug unbound [16668:0] debug: close fd 37
2025-11-02T13:33:36-06:00 Debug unbound [16668:2] debug: outnettcp got tcp error -1
2025-11-02T13:33:36-06:00 Debug unbound [16668:2] debug: outnettcp cb
2025-11-02T13:33:36-06:00 Debug unbound [16668:2] debug: close fd 47
2025-11-02T13:33:36-06:00 Debug unbound [16668:0] debug: outnettcp got tcp error -1
2025-11-02T13:33:36-06:00 Debug unbound [16668:0] debug: outnettcp cb
2025-11-02T13:33:36-06:00 Debug unbound [16668:0] debug: close fd 40
...

# Config
server:
  # I have a static ULA setup in Virtual IPs
  interface: fd00:abcd::1@853
  interface: 192.168.0.1@853
  tls-service-key: "/var/etc/acme-client/keys/.../private.key"
  tls-service-pem: "/var/etc/acme-client/keys/.../fullchain.pem"
#9
To avoid an XY problem, I want to allow clients to connect to unbound via DoT, with a config file that looks like this:

server:
  interface: 192.168.0.1@853
  tls-port: 853
  tls-service-pem: /path/to/public/cert.pem
  tls-service-key: /path/to/private/cert.key
#10
I am trying to use some unexposed Unbound options that require referencing a TLS private key. I want to use my Let's Encrypt certificate which I renew each month via the ACME Client service, but there are two issues with just editing /usr/local/etc/unbound.opnsense.d/custom.conf.

  • The certificate files are not part of the unbound chroot. I don't believe the chroot setup is editable in a way that is safe from OPNsense updates.
  • The ACME Client puts its certificates in randomly-generated directory names, and uses the OPNsense Trust Store as the ultimate source of truth. Because that data is stored in XML I can't reference it from the unbound config.

I had run into this same issue with the Prometheus exporter plugin, and I hope that I'm just missing something.
#11
General Discussion / FreeBSD 15 Roadmap and af-to support
September 10, 2025, 11:12:09 PM
FreeBSD 15 brings upgrades to `pf` that were previously only available on OpenBSD.
One exciting feature is the `af-to` translation rule: see the pf.conf manpage.
This allows the PLAT side of a 464XLAT translation to happen inside the firewall, instead of relying on userspace daemons such as Tayga.

From looking at the roadmap, there isn't any information on when the base OS will be upgraded to FreeBSD 15.
Is this something that has known blockers and could be sped along via GitHub contributions?
Or is there already a timeline set?
#12
> how do you expect anyone from the internet to access these non-routeable IPs on interfaces that are local to your OpnSense?

The IP addresses assigned to the loopback interface work for port 53; I can confirm that the router is properly listening on those addresses for internal traffic.
The WAN shouldn't need to access those IP addresses anyways, as the external DNS requests are performed on the router's other (globally routed) interface.
#13
Unbound supports listening for normal DNS traffic on port 53, but also supports listening to DNS-over-TLS and DNS-over-HTTPS: docs.
While this isn't supported via GUI, I was able to add a new loopback interface with static IPv4 and IPv6 addresses and have Unbound listen to those interfaces in an unbound config file. I took the setup from this forum comment.
I already have Let's Encrypt certificates for my router so I could just write the paths in the config file.
It looks like this:

server:
  # I tried the below setting as well without any luck
  #interface-automatic-ports: "53 853"

  # These are the IP addresses of the loopback interface
  interface: fd9d:745e:5eb7::53@53
  interface: fd9d:745e:5eb7::53@853
  interface: 10.121.53.53@53
  interface: 10.121.53.53@853

  tls-port: 853

  # I filled this in with the path to the certificate
  # This is loaded before the chroot is entered, so I don't need to worry about permissions
  tls-service-key: "/var/etc/acme-client/keys/<my-numbers>/private.key"
  tls-service-pem: "/var/etc/acme-client/certs/<my-numbers>/fullchain.pem"

However I am unable to connect to port 853 on my OPNsense box.
Running `dig +tls @opnsense.example.com google.com` results in `Connection to <ip-addr>#853 for google.com failed: connection refused`. This is true for all IP addresses listed.

Nothing appears in my firewall logs nor my Unbound logs, so I assume that there is something else causing the issue.
Any help would be appreciated.
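The DoT fragment this thread keeps circling back to (#8, #9, #13) can be linted before Unbound is reloaded. The script below is an added example, not OPNsense's or Unbound's own code: it parses the `server:` clause of such a fragment, checks that some `interface:` line is actually bound to the TLS port, and checks that `tls-service-key` and `tls-service-pem` are set and point at existing files whose PEM block type matches the option (which catches the `keys/` versus `certs/` slip in #8). The `root` parameter, the ACME directory name `x` and the PEM bodies are constructed for the demo; it complements rather than replaces `unbound-checkconf`.

```python
# Added example (not OPNsense's or Unbound's code): lint an Unbound DoT fragment
# for the pitfalls in this thread. Config text and PEM files below are constructed.
import re
import tempfile
from pathlib import Path

OPTION = re.compile(r'^\s*([a-z0-9-]+):\s*(.*?)\s*$')
MARKERS = {'tls-service-key': r'-----BEGIN (\w+ )?PRIVATE KEY-----',
           'tls-service-pem': r'-----BEGIN CERTIFICATE-----'}

def parse_server(text):
    """Collect option -> [values] from the server: clause of an unbound.conf fragment."""
    opts, clause = {}, None
    for raw in text.splitlines():
        m = OPTION.match(raw.split('#', 1)[0])        # drop comments, skip blank lines
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip('"')
        if val == '':                                  # bare "name:" opens a clause (server:, python:, ...)
            clause = key
        elif clause == 'server':
            opts.setdefault(key, []).append(val)
    return opts

def check_dot(opts, root=Path('/')):
    """Return the problems that leave Unbound without a usable DoT listener ([] means none found).
    root is the filesystem root the configured paths are resolved against (a temp dir in the demo)."""
    problems = []
    tls_port = opts.get('tls-port', ['853'])[-1]       # Unbound's default tls-port is 853
    if not any(i.endswith('@' + tls_port) for i in opts.get('interface', [])):
        problems.append(f'no interface: line bound to @{tls_port}; only port-53 listeners will appear')
    for opt, marker in MARKERS.items():
        if opt not in opts:
            problems.append(f'{opt} not set; Unbound will not serve TLS at all')
            continue
        path = root / opts[opt][-1].lstrip('/')
        if not path.is_file():
            problems.append(f'{opt}: {opts[opt][-1]} does not exist')
        elif not re.search(marker, path.read_text()):
            problems.append(f'{opt}: {opts[opt][-1]} has no PEM block of the expected type')
    return problems

def demo():
    """Lint the fragment posted in #8 (fullchain.pem under keys/) and a corrected copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)                               # constructed stand-in for the real filesystem
        (root / 'var/etc/acme-client/keys/x').mkdir(parents=True)
        (root / 'var/etc/acme-client/certs/x').mkdir(parents=True)
        (root / 'var/etc/acme-client/keys/x/private.key').write_text(
            '-----BEGIN EC PRIVATE KEY-----\nMHc...\n-----END EC PRIVATE KEY-----\n')
        (root / 'var/etc/acme-client/certs/x/fullchain.pem').write_text(
            '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n')
        posted = ('server:\n  interface: 192.168.0.1@853\n'
                  '  tls-service-key: "/var/etc/acme-client/keys/x/private.key"\n'
                  '  tls-service-pem: "/var/etc/acme-client/keys/x/fullchain.pem"\n')
        fixed = posted.replace('keys/x/fullchain', 'certs/x/fullchain')
        return check_dot(parse_server(posted), root), check_dot(parse_server(fixed), root)
```

Running `demo()` returns one problem for the posted fragment (the pem path does not exist) and an empty list for the corrected one; point `check_dot` at the real fragment with the default root to lint a live box.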