Messages - WhistlingSphyx

#1
There are a few requests for this feature:
- https://github.com/opnsense/core/issues/8424
- https://github.com/opnsense/tools/issues/476

As of 25.7.2, there's no support.

Version 1.23.1
Configure line: --with-libexpat=/usr/local --with-libnghttp2 --with-ssl=/usr/local --enable-dnscrypt --disable-dnstap --with-dynlibmodule --enable-ecdsa --enable-event-api --enable-gost --with-libevent --with-pythonmodule=yes --with-pyunbound=yes ac_cv_path_SWIG=/usr/local/bin/swig LDFLAGS=-L/usr/local/lib --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/share/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd14.3
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 3.0.17 1 Jul 2025
Linked modules: dns64 python dynlib respip validator iterator
DNSCrypt feature available

#2
Yep, same issue spontaneously popped up overnight, with lots of SERVFAIL errors. Setup is Adguard[53] -> Unbound[53530] -> DoT[Quad9/Cloudflare].

Recent OPNsense update v25.7.1 -> v25.7.2 about 4 days ago.

Unbound errors reported:

unbound dns error: ssl handshake cert error: hostname mismatch
unbound error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
dns unbound all the configured stub or forward servers failed, at zone got SERVFAIL

A previous report of similar errors did not help (tls-cert-bundle was already set in dot.conf).

https://forum.opnsense.org/index.php?topic=41553.0 SSL Handshake errors between unbound and DNS overTLS enabled forwarders

Fortunately, I just set up AdGuard as primary DNS over DoH/DoT (rather than forwarding to Unbound), but still can't figure out Unbound's underlying DoT issue. I'd prefer to keep using Unbound because its configuration, documentation, and security are well known compared to AdGuard.
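For readers who meet the two handshake errors quoted in the post above, here is an added illustration (not from the post, and not OPNsense's or Unbound's own shipped configuration) of how Unbound's DoT forwarder authenticates an upstream: the name after `#` in `forward-addr` is what the server certificate is checked against, and `tls-cert-bundle` in the `server:` section is the trust store used to verify the certificate chain. The bundle path and the placeholder name `wrong.example.net` are assumptions for illustration; the Quad9 and Cloudflare addresses and authentication names are those resolvers' published ones.

```conf
# Added example: Unbound DoT forwarding, misconfigured variants beside the
# corrected form. Not from the forum post or from OPNsense; the CA bundle
# path is an assumption (FreeBSD's ca_root_nss package installs it there).

# --- Variant A: authentication name given, but no trust store ------------
# server:
#   # tls-cert-bundle (or tls-system-cert) is missing, so Unbound has no CA
#   # to build the chain with and the handshake fails with
#   # "ssl handshake failed crypto error:...:certificate verify failed"
# forward-zone:
#   name: "."
#   forward-tls-upstream: yes
#   forward-addr: 9.9.9.9@853#dns.quad9.net

# --- Variant B: trust store present, but the name is not in the cert -----
# server:
#   tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
# forward-zone:
#   name: "."
#   forward-tls-upstream: yes
#   # wrong.example.net is a placeholder; the chain verifies, but the name
#   # is absent from the certificate's Subject Alternative Names, so the
#   # handshake fails with "ssl handshake cert error: hostname mismatch"
#   forward-addr: 9.9.9.9@853#wrong.example.net

# --- Corrected: trust store plus an authentication name per upstream -----
server:
  # CA bundle used to verify the upstream certificate chain (assumed path)
  tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # address@port#authentication-name: the name after '#' must appear in the
  # upstream certificate's Subject Alternative Names
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Without an authentication name Unbound still encrypts the connection but does not authenticate the upstream at all, so the two errors above only appear once a name is configured; that is also why a correct `tls-cert-bundle` alone is not sufficient if the name on a `forward-addr` line is wrong. `unbound-checkconf` validates the syntax of the merged configuration but not the name-to-certificate match, so after a change the log lines quoted in the post are the thing to watch.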