How to Configure DNS in Opnsense With Unbound and W/Unbound

[mush2020]

I'm getting lost in forum by searching for how should be DNS configured for the first time Opnsense is up and running.
If Unbound plugin is installed then what should be the correct configuration in Opnsense and Unbound.
I have ISP router with CGNAT
Opnsense WAN port (igb1) is set to DHCP
Opnsense LAN port (igb0) is only used for managing Opnsense (SSH,GUI,etc)
Opnsense (igb2) Wifi port is connected to Wifi-Router/AP- Here Opnsense leases IPv4 addresses to wifi clients

With this setup,
1.I don't want any clients (Windows, iOS and Android) to use any other DNS servers, like some Android devices and Smart Home devices use Google DNS 8.8.8.8
2. Want to use DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxy and VPN, threat protection,etc...
3. Should enforce safe search
4. Clients should be identified by hostname with static entry (Looks like some Android devices keep changing MAC addresses)

I'm not sure what is the correct configuration if i want to use only Opnsense with my ISP router as DNS
What is the correct configuration if i want to use Opnsense + Unbound Plugin with DNS filtering.

I have read many post and tutorials its all confusing with DNS configuration.
I'm trying AdGuard that is not working as given in few tutorials and forum member's working setups.

Anyone could point to right direction would be appreciated.

[cookiemonster]

You're right, there is a lot of information, which is a good thing, but it takes some reading. There will be more than one way of achieving what you want. All of them are correct. Everyone has a slighthly different setup/requirement combo.
1.I don't want any clients (Windows, iOS and Android) to use any other DNS servers, like some Android devices and Smart Home devices use Google DNS 8.8.8.8
Search on the tutorials section. There you want to use rules to force a redirection for port 53. DoT or DoH are additional cases.

2. Want to use DNS provider that filters out or blocks access to all adult, pornographic and explicit sites, proxy and VPN, threat protection,etc...
You could achieve it by using an upstream free resolver like cloudflare that provides filtered dns servers. In this case it can be put in Unbound settings directly.

3. Should enforce safe search
Similar to 2 but I'm not entirely sure. Pihole/ADGuard might help here.

4. Clients should be identified by hostname with static entry (Looks like some Android devices keep changing MAC addresses)
This is in Services > Unbound DNS > General. "DHCP Static Mappings" read the tooltip help.
But the router can't force a client from changing their mac. Needs doing at the device. But you can try to force the hand of the device owners by for instance allowing dhcp by whitelisting mac. Services > DHCPv4 > "deny unknown clients", that sort of thing. There are some threads I think in General in the forum.

[mush2020]

@cookiemonster Thanks for your response.
I've gone through some of the tutorials and posts to understand the configuration for DNS+Unbound+Adguard

So i have Unbound (5353) with NAT Port Forward Rule(see attached).
In System-General- No DNS set(see attached)
DNS over TLS- Using Cleanbrowsing(see attached)
Adguard- configuration not complete as i want to understand how that works and get right configuration.

One concern is about NAT Port Forward Filter rule association (see attached) what should be the selection and why?

I need to understand DNS request/response flow when ISP Router+ Opnsense+ Unbound + Adguard + Wireless AP involved

If my host either on LAN and/or Wifi requests for google.com How is request flows and who responds?
If badsite.com requested how the DNS request/response flow works?
What about Opnsense WAN Interface? do WAN also uses DNS. Im not sure how many Opnsense interfaces involve in DNS traffic in/out?

[Superduke]

You can pretty much accomplish everything you want with an Unbound redirect to AdGuard plugin.  That's the setup I have (with a Unifi switch/AP downstream) and it works great.

Initially I used Unbound strictly with a selection of blocklists, but I found my use case changed as my kids got older and I wanted better control.  Adguard does that for me and I've even setup a Wireguard tunnel back to home....which they haven't yet figured out...lol.

Either way, check around (I think Reddit has some good tutorials on Adguard/Unbound setup)....

[mush2020]

@Superduke, Thanks for your input. I did not get your use case for having Wireguard.
I believe WG is again similar to OpenVPN. Is there any added benefits for DNS and Web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where is the issue, as soon as I enable 2 web safe browsing options, Internet stops(DNS Timed Out).

I could not get any indication from Unbound logs or FW logs yet.

Not sure if anyone using Unbound+AGH has faced such issue.

[RamSense]

I use AGH also and really love it (before I used pihole).
My setting of NAT IP is not 127.0.0.1 but I use the OpnsenseIP, in my case 192.168.1.1

In AGH DNS setting As upstream DNS servers:
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query

parallel requests

bootstrap dns servers
192.168.1.1:5353

private reverse dns servers
192.168.1.1:5353

[mush2020]

@RamSense, thanks.
I tried changing NAT from 127.0.0.1 to WiFi interface IP. But what should be selected for Filter Rule Association under NAT rule, by default if there is no description it shows Rule. If description added then it shows the description. Should it be default or Pass or None?

I tested AGH again after adding WiFi interface IP and enable
browsing security web services
parental control web services
No more Internet (connected host shows DNS request timed out)

For now i cannot use these AGH 2 protection options.

Additionally i checked if WiFi host DNS is modified to DNS provider like 1.1.1.1
Then host can use this DNS instead of getting blocked and DNS requests are successful.

I then changed to 127.0.0.1 in WiFi interface NAT rule as before then host with DNS provider IP address cannot have internet. NAT rule working as needed.

Can anyone help here to trace and fix the issue.

[Superduke]

Any reason why you have those port forward rules in place?  You shouldn't need them afaik. 

I have DNS static mapping also set via the Unbound GUI as well as DHCP lease registration.  Apart from that, an the listening port change from 53 to whatever (5353 in your case) there isn't anything else to change in OPNSense I believe.

In the AGH interface, you need to put in your OPNSense IP:Listening Port in both of upstream and bootstrap.

That should pretty well be it. 

[Superduke]

@Superduke, Thanks for your input. I did not get your use case for having Wireguard.
I believe WG is again similar to OpenVPN. Is there any added benefits for DNS and Web filtering by using WG?

I can't get AGH working properly for parental control and threat protection.

I'm not sure where is the issue, as soon as I enable 2 web safe browsing options, Internet stops(DNS Timed Out).

I could not get any indication from Unbound logs or FW logs yet.

Not sure if anyone using Unbound+AGH has faced such issue.

WG itself isn't filtering anything of course.  It's just a secure tunnel back to my OPNSense/AGH box....which then performs the blocking/filtering.  So basically I have my kids' devices route all of their traffic back through WG to home so the safe search and safe browsing settings are applied to them....just like if they were at home on the WIFI.

[mush2020]

As per some of the tutorials for redirecting DNS, i had these NAT port forward rules.
If i disable on specific interface NAT rule then with any manual DNS IPs request are passing through, else with the rule i could see in Firewall RDR log which host is using which DNS IP, any how manual DNS IPs requests are timed out.

Rest for AGH i have done most of the configuration as you mentioned and from tutorials.

AGH still does not work with protection features enabled.

Is there any specific DNS configuration i might be missing in Opnsense or Unbound or AGH?

[Superduke]

If you want to use Cloudflare or other providers for DNS, you can set that up in Unbound using DoT with no port forwarding at all.....not sure why the tutorials say to do so....

[mush2020]

In Unbound DNS over TLS i tested by removing 853 port and left blank.
It rather accepts the blank field but after applying internet is not available.
So I'm to my working settings(see attached)

If all DNS providers DoT works only on TCP/853. If so then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org

As seen in Cleanbrowsing(see attached) for IP over port is specified, additionally domain could be used too.

Any of my setting could be DNS issue for AGH protection settings?

[Superduke]

In Unbound DNS over TLS i tested by removing 853 port and left blank.
It rather accepts the blank field but after applying internet is not available.
So I'm to my working settings(see attached)

If all DNS providers DoT works only on TCP/853. If so then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org

As seen in Cleanbrowsing(see attached) for IP over port is specified, additionally domain could be used too.

Any of my setting could be DNS issue for AGH protection settings?

Do you wish to use AGH in this setup?  If yes, then 853 and your DNS service need to be setup in AGH not Unbound.   If you are using Unbound then yes of course you need to set that up.

[Superduke]

In Unbound DNS over TLS i tested by removing 853 port and left blank.
It rather accepts the blank field but after applying internet is not available.
So I'm to my working settings(see attached)

If all DNS providers DoT works only on TCP/853. If so then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org

As seen in Cleanbrowsing(see attached) for IP over port is specified, additionally domain could be used too.

Any of my setting could be DNS issue for AGH protection settings?

Honestly, everything you want is in AGH.....no need for Cleanbrowsing DNS really....and you can even set up a per client override....and use whatever blocklists you want...although pretty well all of the best stock ones are built-in.

[Superduke]

In Unbound DNS over TLS i tested by removing 853 port and left blank.
It rather accepts the blank field but after applying internet is not available.
So I'm to my working settings(see attached)

If all DNS providers DoT works only on TCP/853. If so then we would need this port in Unbound.
Unbound does accept DoT domains like family-filter-dns.cleanbrowsing.org

As seen in Cleanbrowsing(see attached) for IP over port is specified, additionally domain could be used too.

Any of my setting could be DNS issue for AGH protection settings?

Just a thought....but do you have the DNS namesservers setup under General settings?  And then have the DNS Query Forwarding checked in Unbound?