Unknowingly Split-Brain DNS

Started by fakebizprez, June 05, 2025, 01:54:32 AM

I have not been able to verify my Unbound DNS over TLS is configured correctly. I've followed every tutorial to the letter, and every test I've run, port 853 is nowhere to be found.

Current Configuration:
  • General DNS settings: All fields left blank
  • DNS over TLS: Configured with Cloudflare's DNS over TLS servers

Background Context:
My local domain happens to be a legitimate domain that I own and have registered through Cloudflare. This configuration has been in place since my initial OPNsense installation, and I haven't implemented any advanced configurations like DNS overrides.

Question:
If I were to create DNS overrides for each VM in my network, would this ensure that local VM resolution uses DNS over TLS when accessed from my workstation?
I'm trying to understand if my current setup is preventing proper DNS over TLS functionality, and whether implementing local DNS overrides would resolve the issue.
Any guidance on troubleshooting DNS over TLS verification or recommendations for proper local domain handling would be greatly appreciated.
Founder & President of linehaul.ai - a logistics and technology services provider.

June 05, 2025, 02:51:39 AM #1 Last Edit: June 05, 2025, 04:24:59 AM by OPNenthu
To forward to Quad9 via DoT in Unbound just add an entry for each upstream IP you want to forward to in the "DNS over TLS" tab.  Keep the value "dns.quad9.net" constant for the "Verify CN" field.  You can confirm it's working with this link: https://on.quad9.net/

Unless you take additional active measures to restrict DNS on your network, clients are free to ignore your Unbound instance.  There's nothing preventing web browsers and IoT devices, for example, from using whatever DoT or DoH provider they want.

You can easily redirect plain DNS requests to your Unbound instance via port forwarding, and you can simply block DoT/DoQ requests that don't originate from Unbound by filtering TCP & UDP on ports 853 and 8853.  There are some edge cases to consider as well since DNS providers may use alternate custom ports like 9953 (Quad9).

You cannot easily cope with DoH though, at least not with a simple firewall setup.  The closest solution I've found for that so far is to use IP lists for public DNS providers and block any HTTPS requests to those IPs, but this is a blunt tool.  It tends to break CDNs because many DNS lists also include CDN IPs, or they use shared IP blocks with DNS services.  I've broken GitHub and Cloudflare sites this way, so I am still looking for a better solution short of proxying HTTPS traffic and engaging in man-in-the-middle antics.

Yes, you can individually configure network clients (via OS settings) or applications to force your DNS service.  I think this gets a little messy though, and you can never rest assured that nothing on the device will go around your settings.

"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE i226-v
Site 2 | J4125 | 8GB | 256GB | 4x 1GbE i210
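The reply above covers two things a defender wants to be able to check: that Unbound itself is the only thing talking DoT upstream, and that clients are not slipping past it on port 53, 853, 8853 or 9953. The script below is an added example, not code from the OPNsense or Unbound projects: it renders the Unbound forward-zone stanza that forwards everything over TLS (using Unbound's own `ip@port#authname` form of `forward-addr`), then audits a handful of constructed firewall-log lines for DNS flows that bypass the resolver. The resolver address, the log line format and the DoH provider IP set are assumptions made up for the example; the Quad9 addresses and the alternate port 9953 come from the reply.

```python
"""Added example: render an Unbound DoT forward-zone and audit firewall logs for
DNS traffic that bypasses the resolver. Addresses and log format are constructed."""
import re

# Constructed: LAN address of the OPNsense/Unbound box and the Quad9 DoT upstreams
# named in the reply (verify-CN value "dns.quad9.net").
RESOLVER_IP = "192.168.1.1"
DOT_UPSTREAMS = [("9.9.9.9", "dns.quad9.net"), ("149.112.112.112", "dns.quad9.net")]

# DoT (853), DoQ (8853) and Quad9's alternate port (9953) mentioned in the reply.
ENCRYPTED_DNS_PORTS = {853, 8853, 9953}

# Constructed stand-in for the "public DNS provider IP list" the reply describes.
# Matching HTTPS to these IPs is the blunt DoH heuristic, so it is only flagged
# as "possible", never treated as proof.
DOH_PROVIDER_IPS = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}

# Constructed firewall log lines: "<proto> <src>:<sport> > <dst>:<dport>".
LOG_LINES = """\
udp 192.168.1.50:51515 > 192.168.1.1:53
udp 192.168.1.51:44001 > 8.8.8.8:53
tcp 192.168.1.1:39001 > 9.9.9.9:853
tcp 192.168.1.52:40210 > 1.1.1.1:853
udp 192.168.1.53:40211 > 9.9.9.9:9953
tcp 192.168.1.54:40212 > 1.1.1.1:443
tcp 192.168.1.55:40213 > 93.184.216.34:443
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def unbound_dot_forward_zone(upstreams, zone="."):
    """Render an Unbound forward-zone that sends queries for `zone` to the given
    (ip, auth_name) pairs over TLS. forward-addr's ip@853#name form tells Unbound
    which port to use and which certificate name to verify."""
    lines = ["forward-zone:", f'    name: "{zone}"', "    forward-tls-upstream: yes"]
    for ip, name in upstreams:
        lines.append(f"    forward-addr: {ip}@853#{name}")
    return "\n".join(lines) + "\n"


def classify_flow(src, dst, dport):
    """Decide what one flow means for the resolver-only DNS policy."""
    if dport == 53:
        # Plain DNS is fine only when it goes to our resolver; anything else is
        # what the port-forward redirect in the reply is meant to catch.
        return "ok-plain-to-resolver" if dst == RESOLVER_IP else "bypass-plain-dns"
    if dport in ENCRYPTED_DNS_PORTS:
        # Encrypted DNS is expected from Unbound itself and from nothing else.
        return "ok-resolver-dot" if src == RESOLVER_IP else "bypass-encrypted-dns"
    if dport == 443 and dst in DOH_PROVIDER_IPS:
        return "possible-doh"  # IP-list heuristic only; confirm before blocking
    return "unrelated"


def audit(log_text):
    """Return (src, dst, dport, verdict) for every DNS-related flow in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the constructed format
        dport = int(m["dport"])
        verdict = classify_flow(m["src"], m["dst"], dport)
        if verdict != "unrelated":
            findings.append((m["src"], m["dst"], dport, verdict))
    return findings


def summarize(findings):
    """Count verdicts so the result can be read at a glance."""
    counts = {}
    for *_, verdict in findings:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def resolver_is_sole_dot_client(findings):
    """True when port 853/8853/9953 traffic exists and all of it comes from Unbound,
    i.e. the symptom in the opening post (no 853 at all) is absent and no client
    is going around the resolver."""
    verdicts = {v for *_, v in findings}
    return "ok-resolver-dot" in verdicts and "bypass-encrypted-dns" not in verdicts


if __name__ == "__main__":
    print(unbound_dot_forward_zone(DOT_UPSTREAMS))
    for finding in audit(LOG_LINES):
        print(finding)
    print(summarize(audit(LOG_LINES)))
```

Run it as-is to see the rendered forward-zone and the per-flow verdicts; in practice you would feed it lines from the firewall log with the log-line regex adjusted to the real format. If the audit never produces an `ok-resolver-dot` verdict, Unbound is not forwarding over TLS at all, which is the situation the opening post describes, and the forward-zone output shows what a working configuration has to contain.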

Thank you.

I'm familiar with the firewall rules to force DoT. My concern right now is that I'm running a half-ass configured split-brain DNS and that is why I can't get any activity on port 853.
Founder & President of linehaul.ai - a logistics and technology services provider.

Sorry, I don't know why I thought you were asking about setting up Quad9. I misread that you are already using Cloudflare.

Quote from: fakebizprez on June 05, 2025, 04:38:59 AM
split-brain DNS

Ah, you are asking about split-horizon DNS.  Not in my current skillset so I'll back out here.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE i226-v
Site 2 | J4125 | 8GB | 256GB | 4x 1GbE i210

Ah, yes, you know it's fun when it has two prefixes before -DNS.
Founder & President of linehaul.ai - a logistics and technology services provider.