Configure Unbound to listen for TLS requests on port 853?

Started by SuperWhisk, November 09, 2024, 07:44:47 AM

I'm a bit new to OPNsense, having recently come from the other *sense, but it's surprising to me that there is no way to configure unbound to listen on port 853 and respond to DoT requests. This is as simple as an enable checkbox and a certificate select dropdown on said other *sense.
So far all I have found is this closed PR from two years ago: https://github.com/opnsense/core/pull/5468

I'm really liking OPNsense so far. Once I got used to the UI, I actually find many of the settings to be laid out more intuitively, but this would seem to be a glaring omission.
I don't suppose there is any chance that I have just missed something and this is actually supported?

1. ensure you disable System: Settings: General: "Allow DNS server list to be overridden by DHCP/PPP on WAN"
2. allow 853 on the LAN
3. leave port 53 as is on unbound
4. set up your TLS servers in unbound (DNS over TLS)
5. Firewall: NAT: Port Forward
   Interface | Proto   | Source | Port | Destination | Port     | NAT IP    | NAT Port | Description
   LAN       | TCP/UDP | *      | *    | ! LAN net   | 53 (DNS) | 127.0.0.1 | 53 (DNS) | Redirect DNS requests to internal DNS resolver
6. Firewall: Rules: LAN
   Proto          | Source | Port | Destination | Port     | Gateway | Schedule | Description
   IPv4 TCP/UDP   | *      | *    | 127.0.0.1   | 53 (DNS) | *       | *        | Redirect DNS requests to internal DNS resolver
   IPv4+6 TCP/UDP | *      | *    | LAN address | 53 (DNS) | *       | *        | Internal DNS LAN
7. Firewall: Rules: WAN
   Proto        | Source    | Port | Destination | Port     | Gateway | Schedule | Description
   IPv4 TCP/UDP | ! LAN net | *    | *           | 53 (DNS) | *       | *        | DNS to WAN in
   IPv4 TCP/UDP | *         | *    | *           | 53 (DNS) | *       | *        | DNS to WAN
8. unbound transparent, and disable "Use System Nameservers" on the TLS servers page
9. reboot
10. check DNS using the option on the browser leaks web site

I had a few escapees where the DNS server was hard coded into the device (IoT devices mainly). As a precaution I blocked the 'popular' DNS IP addresses. Use the firewall logging to see what's happening :)

I am not saying this is the best approach, I am sure someone will correct me but it worked for me after a lot of experimentation.

Sorry about the formatting.

Thank you for your response! If I am understanding your steps correctly, you are describing how to configure Unbound to do upstream DNS queries using DoT and redirect local DNS traffic to Unbound. This is unfortunately not my issue.
I have already set up DoT rules in Unbound for upstream queries, and I have already configured NAT rules to redirect all local DNS traffic to Unbound on OPNsense, and I have also set up IP and DNS block lists for known DoH (DNS over HTTPS, port 443) hosts to mitigate those "escapees" you mentioned.
What I am asking about is a way to configure unbound to respond to DoT requests from devices on the local network. It looks like this feature is still pending in this open PR here: https://github.com/opnsense/core/pull/6558
The closed PR I linked to above had a link to this one that I missed last night. Based on the discussion in this new PR, I am not hopeful this will be added to the GUI any time soon. There was at least a mention in this new PR's discussion about a way to add custom unbound configuration files, so I may be able to configure DoT that way, as Unbound itself natively supports responding to DoT requests.

Not exposed in the GUI, you'll have to use AdguardHome for that.

For unbound, edit the configuration file /usr/local/etc/unbound/unbound.conf and restart the service

Code (/usr/local/etc/unbound/unbound.conf):

    server:
        # service clients over TLS (on the TCP sockets) with plain DNS inside
        # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
        # Give the certificate to use and private key.
        # default is "" (disabled).  requires restart to take effect.
        tls-service-key: "path/to/privatekeyfile.key"
        tls-service-pem: "path/to/publiccertfile.pem"
        tls-port: 853
        # only interfaces configured with @853 get the TLS service
        interface: 0.0.0.0@853
        # https-port: 443

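To confirm that the tls-service-key/tls-service-pem/tls-port settings above actually produce a working DoT listener, here is an added example (not from the post, OPNsense or unbound) of a minimal DNS-over-TLS check client. The resolver address 192.168.1.1 and the domain are placeholders, and certificate verification is skipped only when no CA file is given (assumption: a self-signed listener certificate).

```python
# Added example (not OPNsense or unbound project code): check a DNS-over-TLS
# listener (RFC 7858) such as unbound on tcp/853. Host/domain are placeholders.
import socket
import ssl
import struct

def build_query(name, txid=0x1234, qtype=1):
    """Wire-format DNS query: header with RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_answers(msg):
    """Return (RCODE, list of IPv4 strings from A records) for a raw DNS response."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):               # skip the echoed question section
        while msg[pos]:
            pos += msg[pos] + 1
        pos += 1 + 4                       # root label + QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        if msg[pos] & 0xC0 == 0xC0:        # owner name is a compression pointer
            pos += 2
        else:
            while msg[pos]:
                pos += msg[pos] + 1
            pos += 1
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:      # A record; CNAME etc. are skipped
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def dot_query(name, host="192.168.1.1", port=853, cafile=None):
    """One DoT exchange: DNS over TLS over TCP, each message prefixed by a 2-byte length."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:                     # self-signed listener cert: skip verification
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        query = build_query(name)
        tls.sendall(struct.pack("!H", len(query)) + query)
        reader = tls.makefile("rb")        # read(n) blocks until n bytes or EOF
        (length,) = struct.unpack("!H", reader.read(2))
        return parse_answers(reader.read(length))

if __name__ == "__main__":
    print(dot_query("example.com"))        # e.g. (0, ['192.0.2.1']) against a live listener
```

A non-zero RCODE or a TLS handshake failure from a LAN client is the quickest sign that the listener or the certificate paths are not in effect.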
Apologies for misunderstanding your requirement.
Are you saying that some devices on your LAN are actually using DoT, i.e. port 853 and not port 53?
Also, for the solution of modifying unbound.conf, will the changes survive a reboot or upgrade?
As for DoH, I'm not sure how those requests are detected within the HTTPS traffic.

Quote: Are you saying that some devices on your LAN are actually using DoT, i.e. port 853 and not port 53?
I would like them to have the option to use DoT, since unbound supports it, but I can't say if any actually do. Like I said, in my previous setup it was just a checkbox and a cert select dropdown to enable it, so I did.

As for DoH, I don't really care to support it for local clients. Part of the point of that protocol is to hide DNS traffic and skirt around things like the NAT redirect rules and DNSBLs I have set up. I obviously can't just block traffic with a destination of port 443 and neither can anyone else, so the best I can do to prevent things like IoT devices from trying to use DoH is to block the IPs of known DoH servers.

Re DoH
I am testing the free Zenarmor, and I am seeing these blocks:

Nov 12, 2024 17:24
192.168.0.12   54897   17.253.38.115   doh.dns.apple.com   doh.dns.apple.com   443   Blacklisted

Trouble is, blocking baddies is like 'whack-a-mole'