Unbound: Help with mystery needed

[kartman]

I've been learning about DNS leaks and have recently moved to DNS over TLS. I think I've correctly cleared out the legacy DNS settings in OPNsense but, when comparing 2 devices on my network, I'm getting confusing results.

The machines are Win11 and Ubuntu and both are pointed at the OPNsense box for DNS lookups. Using Mullvad connection test, the Win machine is showing no leaks but the Ubuntu machine is showing a leak. My confusion is that both machines should be forced through the same DNS over TLS via Unbound.

What is the best way to do a "traceroute" on DNS processing? I've been looking at Unbound logs but, frankly, I have no idea why the 2 machines are reporting different outcomes on the same test.

[meyergru]

What do you mean by "pointed at the OPNsense"? The problem with modern browsers is that they do not use the system DNS, but DoH, thus circumventing your Unbound instance.

You cannot even divert DoH by NAT, but only block. Essentially, to prevent DNS leaks completely (well, not really), you need to block DoT, block DoH to known DoH IPs only (because otherwise, you block any https traffic) and use a NAT rule to divert port 53 to your local Unbound (with some caveats).

[Boxer]

Firefox by default uses DoH (Cloudflare) but can be turned off to use system DNS. May be worth flushing the browser and system dns caches and testing again.

[kartman]

Firefox by default uses DoH (Cloudflare) but can be turned off to use system DNS. May be worth flushing the browser and system dns caches and testing again.

This is interesting... I don't typically use Firefox but, in this test, one machine was Chrome and the other was Firefox... These last couple of replies have taught me something! Much appreciated and more digging to do now.