Archive > 21.7 Legacy Series

How to Configure DNS in Opnsense With Unbound and W/Unbound


mush2020:
I'm getting lost in the forum by searching for how DNS should be configured the first time Opnsense is up and running.
If the Unbound plugin is installed, then what should the correct configuration be in Opnsense and Unbound?
I have an ISP router with CGNAT.
Opnsense WAN port (igb1) is set to DHCP.
Opnsense LAN port (igb0) is only used for managing Opnsense (SSH, GUI, etc.).
Opnsense WiFi port (igb2) is connected to a WiFi router/AP. Here Opnsense leases IPv4 addresses to WiFi clients.

With this setup,
1. I don't want any clients (Windows, iOS and Android) to use any other DNS servers; for example, some Android devices and Smart Home devices use Google DNS 8.8.8.8.
2. I want to use a DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxies and VPNs, threat protection, etc.
3. It should enforce safe search.
4. Clients should be identified by hostname with a static entry (it looks like some Android devices keep changing MAC addresses).

I'm not sure what the correct configuration is if I want to use only Opnsense with my ISP router as DNS.
What is the correct configuration if I want to use Opnsense + the Unbound plugin with DNS filtering?

I have read many posts and tutorials; it's all confusing with the DNS configuration.
I'm trying AdGuard, which is not working as given in a few tutorials and forum members' working setups.

Anyone who could point me in the right direction would be appreciated.

cookiemonster:
You're right, there is a lot of information, which is a good thing, but it takes some reading. There will be more than one way of achieving what you want. All of them are correct. Everyone has a slightly different setup/requirement combo.
1. I don't want any clients (Windows, iOS and Android) to use any other DNS servers; for example, some Android devices and Smart Home devices use Google DNS 8.8.8.8.
Search the tutorials section. There you want to use rules to force a redirection for port 53. DoT or DoH are additional cases.

2. I want to use a DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxies and VPNs, threat protection, etc.
You could achieve it by using an upstream free resolver like Cloudflare that provides filtered DNS servers. In this case it can be put in the Unbound settings directly.

3. It should enforce safe search.
Similar to 2, but I'm not entirely sure. Pi-hole/AdGuard might help here.

4. Clients should be identified by hostname with a static entry (it looks like some Android devices keep changing MAC addresses).
This is in Services > Unbound DNS > General, "DHCP Static Mappings"; read the tooltip help.
But the router can't stop a client from changing its MAC. It needs doing at the device. But you can try to force the hand of the device owners by, for instance, only allowing DHCP to whitelisted MACs: Services > DHCPv4 > "deny unknown clients", that sort of thing. There are some threads, I think in General, in the forum.
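One way to check whether clients are actually honouring the port 53 redirect described above, and to spot the DoT/DoH cases that such a redirect does not cover, as an added example that is not part of any post in this thread. It assumes hypothetical firewall addresses (192.168.1.1 for igb0, 192.168.2.1 for igb2), a constructed list of public DoH resolvers, and constructed flow records in a simplified CSV rather than real OPNsense log output.

```python
from __future__ import annotations
import csv
import io

# Hypothetical addresses of the OPNsense interfaces that clients should query
# (igb0 LAN and igb2 WiFi in the thread); Unbound answers on them.
RESOLVER_IPS = {"192.168.1.1", "192.168.2.1"}
# Constructed list of well-known public resolvers that also serve DoH on 443.
PUBLIC_DOH = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample flow records (not real firewall log output).
SAMPLE_FLOWS = """iface,proto,src,dst,dport
igb2,udp,192.168.2.20,192.168.2.1,53
igb2,udp,192.168.2.31,8.8.8.8,53
igb2,tcp,192.168.2.31,1.1.1.1,853
igb2,tcp,192.168.2.45,1.1.1.1,443
igb2,tcp,192.168.2.45,203.0.113.10,443
igb0,udp,192.168.1.10,192.168.1.1,53
"""


def classify(flow: dict[str, str]) -> str:
    """Return a verdict for one outbound client flow.

    'plain-bypass' is DNS on port 53 to a foreign server: the port-53 redirect
    rule catches it, but it reveals a client with a hard-coded resolver.
    'dot' (853) and 'doh-suspect' (443 to a known public resolver) are the
    cases a port-53 redirect does not cover and need their own block rules.
    """
    dst, port = flow["dst"], int(flow["dport"])
    if port == 53:
        return "ok" if dst in RESOLVER_IPS else "plain-bypass"
    if port == 853:
        return "dot"
    if port == 443 and dst in PUBLIC_DOH:
        return "doh-suspect"
    return "other"


def audit(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (src, dst, verdict) for every flow that is not ordinary traffic."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row)
        if verdict not in ("ok", "other"):
            findings.append((row["src"], row["dst"], verdict))
    return findings


if __name__ == "__main__":
    for src, dst, verdict in audit(SAMPLE_FLOWS):
        print(f"{src:15} -> {dst:15} {verdict}")
```

Feeding it real flow data exported from the firewall (after mapping the columns) turns the "plain-bypass" hits into a list of devices whose DNS settings need fixing at the device, as cookiemonster points out.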

mush2020:
@cookiemonster Thanks for your response.
I've gone through some of the tutorials and posts to understand the configuration for DNS + Unbound + AdGuard.

So I have Unbound (5353) with a NAT port forward rule (see attached).
In System > General, no DNS is set (see attached).
DNS over TLS: using CleanBrowsing (see attached).
AdGuard: configuration not complete, as I want to understand how that works and get the right configuration.

One concern is about the NAT port forward filter rule association (see attached): what should the selection be, and why?

I need to understand the DNS request/response flow when ISP router + Opnsense + Unbound + AdGuard + wireless AP are involved.

If my host on LAN and/or WiFi requests google.com, how does the request flow and who responds?
If badsite.com is requested, how does the DNS request/response flow work?
What about the Opnsense WAN interface? Does WAN also use DNS? I'm not sure how many Opnsense interfaces are involved in DNS traffic in/out.

Superduke:
You can pretty much accomplish everything you want with an Unbound redirect to the AdGuard plugin. That's the setup I have (with a Unifi switch/AP downstream) and it works great.

Initially I used Unbound strictly with a selection of blocklists, but I found my use case changed as my kids got older and I wanted better control. AdGuard does that for me, and I've even set up a WireGuard tunnel back home... which they haven't yet figured out... lol.

Either way, check around (I think Reddit has some good tutorials on AdGuard/Unbound setup)...

mush2020:
@Superduke, thanks for your input. I did not get your use case for having WireGuard.
I believe WG is again similar to OpenVPN. Are there any added benefits for DNS and web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where the issue is; as soon as I enable the 2 web safe browsing options, the Internet stops (DNS timed out).

I could not get any indication from the Unbound logs or FW logs yet.

Not sure if anyone using Unbound + AGH has faced such an issue.
