OPNsense running well...a little confused about DNS setup.

[nerlins]

I think I set up my DNS incorrectly, due to some reading I've done on the forum. I found a thread from user @comet, which was all over the place:

https://forum.opnsense.org/index.php?topic=8505.0

Currently I have set DNS servers in the Settings/General area, but I think that is incorrect. I want to use the Unbound Resolver, and found this article:

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

It does not mention adding servers in the General settings, but within Misc. settings of Unbound. I also  came across this topic:

https://forum.opnsense.org/index.php?topic=10670.0

I would like all traffic to go through Quad9, but be able to use encrypted DNS, and add blacklists to Unbound.

The first guide makes sense, but it looks like the author is not using the General DNS server settings. Would that be correct?

I don't know enough about DNSCrypt, but the second guide appears to me that DNSCrypt uses its own DNS servers to reach IPs out of my internal network? I don't see where @p1n0ck10 lists specific DNS servers to use, becuase he says to omit the entries in General settings.

I'd appreciate a nudge in the right direction. I am moving from consumer grade routers, and feel stumped here. I can't seem to Google a proper answer.

[nerlins]

I followed the first guide, and skipped entry of DNS servers in the general settings. All seems to be working. I think I see that- if no one cares to answer...- DNSCrypt uses Cloudfare. Looking at the bottom of the page I see his settings snapshots. So then it does appear to use it's own server settings. I'll stick with what I've set up.

[CJ]

I think I set up my DNS incorrectly, due to some reading I've done on the forum. I found a thread from user @comet, which was all over the place:

https://forum.opnsense.org/index.php?topic=8505.0

Currently I have set DNS servers in the Settings/General area, but I think that is incorrect. I want to use the Unbound Resolver, and found this article:

https://www.cjross.net/dns-security-and-adblock-with-opnsense-part-1/

It does not mention adding servers in the General settings, but within Misc. settings of Unbound. I also  came across this topic:

https://forum.opnsense.org/index.php?topic=10670.0

I would like all traffic to go through Quad9, but be able to use encrypted DNS, and add blacklists to Unbound.

The first guide makes sense, but it looks like the author is not using the General DNS server settings. Would that be correct?

I don't know enough about DNSCrypt, but the second guide appears to me that DNSCrypt uses its own DNS servers to reach IPs out of my internal network? I don't see where @p1n0ck10 lists specific DNS servers to use, becuase he says to omit the entries in General settings.

I'd appreciate a nudge in the right direction. I am moving from consumer grade routers, and feel stumped here. I can't seem to Google a proper answer.

I just stumbled across this topic.  The reason there's no server in the General tab is because I'm using DoT to connect to the Quad9 servers.  If I used the General tab it would have gone out unencrypted.

Hope that helps.

[nerlins]

Haven't logged in here in a while. I appreciate you responding. I have almost forgotten about that part of the setup, but I'm pretty sure I followed yours exactly and have had encrypted DNS working well since then.

[CJ]

Glad I could help.

[opnnewbie]

Last night I got confused too by unbound related-settings.

My setup intends to be: employees -> BIND DNS server on company server -> unbound on opnSense router -> CloudFlare

The BIND DNS server should deal (unencrypted traffic to begin with) with unbound on opnSense and nothing more.
The unbound server/service on opnSense should query CloudFlare (encrypted traffic here; ie: DNSsec) answering BIND.

At this point I have the setup working sans DNSsec to CloudFlare which I am researching/laerning-how-to right now.

The point that relates to this post is that I, too, got confused by the settings under System | Settings | General | DNS servers.
I set those to 1.1.1.1 and 1.0.0.1 for CloudFlare (by the way setting their gateways to my WAN gateway).
unbound is configured to listen on LAN and going to the outside through WAN.
unbound is not configured for DNS Query Forwarding; Enable Forwarding Mode is disabled.

It is working but ... did I get the configuration right ?

[cookiemonster]

A small point: DNSsec is not encryption.

[opnnewbie]

A small point: DNSsec is not encryption.

You're right; my fault:

From https://en.wikipedia.org/wiki/Dnssec: The Domain Name System Security Extensions (DNSSEC) is a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

From https://developers.cloudflare.com/1.1.1.1/encryption/: To prevent this and secure your connections, 1.1.1.1 supports DNS over TLS (DoT) and DNS over HTTPS (DoH), two standards developed for encrypting plaintext DNS traffic. This prevents untrustworthy entities from interpreting and manipulating your queries.

Since I do not see any related options in the GUI under unbound I guess I should research something akin the following: https://www.dnsknowledge.com/unbound/configure-unbound-dns-over-tls-on-linux/

[opnnewbie]

Since I do not see any related options in the GUI under unbound ...

It seems I missed it ... my fault again:

https://.../ui/unbound/dot/index

Here I have DNS-over-TLS (aka DoT) support