DNS over TLS stopped working

Started by Vexz, September 07, 2025, 08:01:15 PM

September 07, 2025, 08:01:15 PM Last Edit: September 07, 2025, 08:02:58 PM by Vexz
I don't know when it started, I just noticed that my DoT configuration no longer works and my ISP has been getting my unencrypted DNS requests for God knows how long. Great, exactly what I didn't want to happen. Maybe it stopped working since the upgrade to 25.7 (I use 25.7.2 atm), I don't know. What I do know is that it worked just fine before and I didn't touch anything that should have any influence on how my OPNsense sends DNS traffic of any kind to the internet.

Unbound on my OPNsense is my DNS resolver. This is my DoT configuration:
Afaik there's nothing more to it than that, right? In the past this made all outbound DNS requests use DoT. My OPNsense no longer sent unencrypted DNS traffic to the internet. Did something change about that?

I wouldn't know why it worked in the past but you filled in the 'Domain' field very wrong.

The 'Domain' field is for what domain(s) you want to be resolved by the DNS server in the IP field. And in 'Verify CN' you enter the domain of the DoT, e.g. in your case one.one.one.one.

For example, if you want somedomain.net to be resolved by 1.2.3.4 and all others by 1.1.1.1:

Domain: somedomain.net, IP: 1.2.3.4, Verify CN: some-dns-server.com
Domain: <empty>, IP: 1.1.1.1, Verify CN: one.one.one.one
Deciso DEC740

September 07, 2025, 08:40:33 PM #2 Last Edit: September 07, 2025, 08:47:07 PM by Vexz
Quote from: patient0 on September 07, 2025, 08:12:55 PM
I wouldn't know why it worked in the past but you filled in the 'Domain' field very wrong.

The 'Domain' field is for what domain(s) you want to be resolved by the DNS server in the IP field. And in 'Verify CN' you enter the domain of the DoT, e.g. in your case one.one.one.one.

For example, if you want somedomain.net to be resolved by 1.2.3.4 and all others by 1.1.1.1:

Domain: somedomain.net, IP: 1.2.3.4, Verify CN: some-dns-server.com
Domain: <empty>, IP: 1.1.1.1, Verify CN: one.one.one.one
Maybe this will clarify your confusion:
Edit:
You actually led me to what was wrong. Of course it worked when I checked on https://one.one.one.one/help/ whether it was working. God dammit, this "Domain" setting fooled me big time. Now that it's empty, it's working fine. Thank you very much!

Click on the (i) next to 'Domain' and read what it says, that will clear it up for you.
Deciso DEC740
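To make patient0's explanation of the 'Domain' field and Vexz's observation about the one.one.one.one/help check concrete, here is an added example that is not OPNsense's or Unbound's own code. It models the DoT table rows (Domain / IP / Verify CN), renders the forward-zone stanzas Unbound would be handed, and reproduces Unbound's rule of sending a query to the forward-zone whose name is the longest matching suffix of the query name; a query that matches no forward-zone is resolved by ordinary, unencrypted recursion. The BROKEN row set is an assumption about the original misconfiguration (the resolver's own hostname typed into Domain, which the screenshot in the thread is not available to confirm); FIXED is the layout patient0 describes.

```python
"""Model of how Unbound chooses a forward-zone for a query.

Added example, not OPNsense's or Unbound's own code. It mimics the GUI rows
from the thread (Domain / IP / Verify CN), renders Unbound forward-zone
stanzas, and applies Unbound's longest-suffix forward-zone selection so the
effect of a wrong 'Domain' value can be seen query by query.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class DotRow:
    """One row of the DoT table: an empty Domain means the root zone (all queries)."""
    domain: str
    ip: str
    verify_cn: str   # TLS server name Unbound authenticates the upstream against
    port: int = 853


def _labels(name: str) -> List[str]:
    return [label for label in name.lower().strip(".").split(".") if label]


def zone_covers(zone: str, qname: str) -> bool:
    """True when qname lies inside zone (label-wise suffix match; "" or "." covers all)."""
    z, q = _labels(zone), _labels(qname)
    return len(z) <= len(q) and q[len(q) - len(z):] == z


def pick_upstream(rows: List[DotRow], qname: str) -> Optional[DotRow]:
    """Return the row with the most specific zone covering qname, or None (plain recursion)."""
    best = None
    for row in rows:
        if zone_covers(row.domain, qname) and (
            best is None or len(_labels(row.domain)) > len(_labels(best.domain))
        ):
            best = row
    return best


def render_forward_zones(rows: List[DotRow]) -> str:
    """Unbound forward-zone stanzas; forward-addr uses the ip@port#authname form."""
    stanzas = []
    for row in rows:
        stanzas.append(
            "forward-zone:\n"
            f'    name: "{row.domain or "."}"\n'
            "    forward-tls-upstream: yes\n"
            f"    forward-addr: {row.ip}@{row.port}#{row.verify_cn}\n"
        )
    return "\n".join(stanzas)


# Constructed rows. BROKEN is an assumed reconstruction of the mistake in the
# thread (resolver hostname placed in Domain); FIXED is patient0's layout.
BROKEN = [DotRow("one.one.one.one", "1.1.1.1", "one.one.one.one")]
FIXED = [
    DotRow("somedomain.net", "1.2.3.4", "some-dns-server.com"),
    DotRow("", "1.1.1.1", "one.one.one.one"),
]

if __name__ == "__main__":
    for label, rows in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"--- {label} ---")
        for qname in ("one.one.one.one", "example.com", "www.somedomain.net"):
            hit = pick_upstream(rows, qname)
            print(f"{qname:22} -> {hit.ip + ' over DoT' if hit else 'plain recursion'}")
        print(render_forward_zones(rows))
```

With BROKEN, only the lookup for one.one.one.one itself is forwarded over TLS, which is exactly the name the https://one.one.one.one/help/ page resolves, so that check passes while every other query leaves the resolver in the clear. With FIXED, the root forward-zone catches everything the more specific zone does not. A real Unbound instance also needs a tls-cert-bundle (or equivalent CA setting) so that Verify CN is actually validated against a trusted certificate; OPNsense supplies that part of the configuration itself.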