Messages - excavator fidelity

#1
> how do you expect anyone from the internet to access these non-routeable IPs on interfaces that are local to your OpnSense?

The IP addresses assigned to the loopback interface work for port 53; I can confirm that the router is properly listening on those addresses for internal traffic.
The WAN shouldn't need to access those IP addresses anyways, as the external DNS requests are performed on the router's other (globally routed) interface.
#2
Unbound supports listening for normal DNS traffic on port 53, but also supports listening to DNS-over-TLS and DNS-over-HTTPS: docs.
While this isn't supported via GUI, I was able to add a new loopback interface with static IPv4 and IPv6 addresses and have Unbound listen to those interfaces in an unbound config file. I took the setup from this forum comment.
I already have Let's Encrypt certificates for my router so I could just write the paths in the config file.
It looks like this:

server:
  # I tried the below setting as well without any luck
  #interface-automatic-ports: "53 853"

  # These are the IP addresses of the loopback interface
  interface: fd9d:745e:5eb7::53@53
  interface: fd9d:745e:5eb7::53@853
  interface: 10.121.53.53@53
  interface: 10.121.53.53@853

  tls-port: 853

  # I filled this in with the path to the certificate
  # This is loaded before the chroot is entered, so I don't need to worry about permissions
  tls-service-key: "/var/etc/acme-client/keys/<my-numbers>/private.key"
  tls-service-pem: "/var/etc/acme-client/certs/<my-numbers>/fullchain.pem"

However, I am unable to connect to port 853 on my OPNsense box.
Running dig +tls @opnsense.example.com google.com results in: Connection to <ip-addr>#853 for google.com failed: connection refused. This is true for all IP addresses listed.

Nothing appears in my firewall logs nor my Unbound logs, so I assume that there is something else causing the issue.
Any help would be appreciated.
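A small probe that does what dig +tls is doing underneath, added here as an example and not taken from the thread or from OPNsense/Unbound. It assumes the hostname opnsense.example.com and the loopback address 10.121.53.53 from the post, and it reports a refused TCP connection separately from a TLS handshake failure, because "connection refused" means no socket is bound on that address and port at all, before any certificate is involved.

```python
import socket
import ssl
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a DNS wire-format query: header with RD set, one question (A record by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def frame_tcp(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; a TLS stream does not preserve DNS message boundaries."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        buf += chunk
    return buf

def parse_answer_count(resp: bytes, expected_txid: int) -> int:
    """Return ANCOUNT from a response header after checking the transaction ID and QR bit."""
    txid, flags, _qdcount, ancount = struct.unpack(">HHHH", resp[:8])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return ancount

def probe_dot(host: str, ip: str, name: str = "google.com", port: int = 853) -> str:
    """Classify what port 853 does: no listener, packets dropped, TLS failure, or a real answer."""
    ctx = ssl.create_default_context()  # verifies the chain and checks the name in `host`
    query = build_query(name)
    try:
        with socket.create_connection((ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(frame_tcp(query))
                length = struct.unpack(">H", recv_exact(tls, 2))[0]
                resp = recv_exact(tls, length)
                return f"ok: {parse_answer_count(resp, 0x1234)} answer record(s)"
    except ConnectionRefusedError:
        return "refused: nothing is bound on that address/port (TLS and the cert are never reached)"
    except socket.timeout:
        return "timeout: packets are being dropped, usually a firewall rule"
    except ssl.SSLError as exc:
        return f"tls-error: a listener exists but the handshake failed ({exc})"
```

Run it as probe_dot("opnsense.example.com", "10.121.53.53") from the LAN; a "refused" result points at Unbound not binding 853 on that address (or the config not being applied), while "tls-error" means the listener is up and the certificate paths are what to look at next.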