
Setup: OPNsense and DNS over TLS

Introduction

OPNsense is an open-source firewall, used in both consumer and commercial environments.

OPNsense uses Unbound as its resolver. Unbound has built-in DNS over TLS support, and OPNsense exposes the relevant settings in the GUI, so no manual edits to unbound.conf are needed.

Before making changes to a production environment, we recommend taking a backup of the existing configuration.

Step 1

  • Navigate to Services -> DNS over TLS on the left-side menu
  • Click the + button
Add 4 entries:

Server IP: 9.9.9.9
Server Port: 853
Verify CN: dns.quad9.net

Server IP: 149.112.112.112
Server Port: 853
Verify CN: dns.quad9.net

Server IP: 2620:fe::fe
Server Port: 853
Verify CN: dns.quad9.net

Server IP: 2620:fe::9
Server Port: 853
Verify CN: dns.quad9.net

If your network does not have working IPv6 connectivity (which you can test here), do not add the two IPv6 addresses: Unbound will still try to reach those upstreams, and a portion of your queries will fail or time out.
The list should now show the four Quad9 entries (or only the two IPv4 entries if you skipped IPv6).

Click Apply to save the changes.

Step 2

  • Navigate to System -> Settings -> General on the left-hand menu.
  • Disable Allow DNS server list to be overridden by DHCP/PPP on WAN
  • Click Save
  • Click Apply at the top of the page

Disabling that option matters: if it is left enabled, DNS servers learned from your ISP via DHCP or PPP are added to the system's resolver list and can be used for lookups in plaintext, bypassing the DNS over TLS forwarders you configured in Step 1.

To confirm that OPNsense is now sending your queries via DNS over TLS, run a packet capture from the command line on the firewall, such as:

# tcpdump -i em0 'port 853'

You may have to adjust the interface name from em0 to that of your device's WAN interface. Seeing traffic on port 853 shows that DNS over TLS is in use; to be sure nothing is bypassing it, also check that no plaintext DNS leaves the WAN on port 53.
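The check described above, as an added example that is not part of this guide or of OPNsense: a small POSIX sh script that classifies tcpdump output on the WAN interface into DNS over TLS (port 853) and plaintext DNS (port 53). The interface name em0, the capture length, and the sample capture lines are assumptions for illustration; the sample is constructed, not a real capture.

```shell
#!/bin/sh
# dot_check.sh: classify DNS traffic captured on the WAN into DNS over TLS
# (port 853) and plaintext DNS (port 53). Added example for this guide; not
# OPNsense or Quad9 tooling. Assumes tcpdump -n output and WAN interface em0
# (override with WAN_IF=igb0 ./dot_check.sh live).

WAN_IF=${WAN_IF:-em0}

# Capture a bounded number of packets on the two DNS ports only.
capture_wan_dns() {
    tcpdump -n -i "$WAN_IF" -c "${1:-200}" 'port 53 or port 853' 2>/dev/null
}

# Read tcpdump -n lines on stdin and print "dot=N plain=M", where N is the
# number of packets sent to port 853 and M the number sent to port 53.
# Replies (source port 853/53, destination a high port) are not counted.
summarize_dns() {
    awk '
        $4 == ">" {
            dst = $5; sub(/:$/, "", dst)   # "9.9.9.9.853:" -> "9.9.9.9.853"
            n = split(dst, parts, ".")     # last dot-separated token is the port,
            port = parts[n]                # for both IPv4 and IPv6 addresses
            if (port == "853") dot++
            else if (port == "53") plain++
        }
        END { printf "dot=%d plain=%d\n", dot, plain }
    '
}

# Exit status 0 if any plaintext DNS query was seen, 1 otherwise.
has_plaintext_leak() {
    summarize_dns | awk -F'[= ]' '{ if ($4 > 0) exit 0; exit 1 }'
}

# Constructed sample of tcpdump -n output (not a real capture): three DoT
# packets to Quad9 and two plaintext queries that bypassed Unbound.
SAMPLE='13:01:02.100000 IP 203.0.113.10.51833 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0
13:01:02.120000 IP 9.9.9.9.853 > 203.0.113.10.51833: Flags [S.], seq 2, ack 2, win 65535, length 0
13:01:02.130000 IP 203.0.113.10.51833 > 9.9.9.9.853: Flags [P.], seq 1:300, ack 1, win 1024, length 299
13:01:03.000000 IP6 2001:db8::10.40291 > 2620:fe::fe.853: Flags [S], seq 9, win 65535, length 0
13:01:05.500000 IP 203.0.113.10.60001 > 198.51.100.1.53: 4711+ A? example.com. (29)
13:01:05.510000 IP 203.0.113.10.60002 > 8.8.8.8.53: 4712+ AAAA? example.org. (29)'

if [ "${1:-}" = "live" ]; then
    # Run on the firewall: ./dot_check.sh live
    capture_wan_dns 200 | summarize_dns
else
    # Offline demonstration on the constructed sample: prints "dot=3 plain=2"
    printf '%s\n' "$SAMPLE" | summarize_dns
fi
```

On a correctly configured firewall the live run should report plain=0. A non-zero plain count after Step 2 usually means a LAN device is querying a hard-coded resolver directly rather than going through Unbound; the capture lines identify the offending source address.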

You can also run a test from a macOS, Linux, or Windows system on the network.