Enable encrypted DNS on OPNsense

List of DNS providers that support DNS over TLS (DoT)#

• https://quad9.net: 9.9.9.9,149.112.112.112
• https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls: 1.1.1.1,1.0.0.1
• https://www.cira.ca/en/canadian-shield/configure/dns-tls: 149.112.121.10,149.112.122.10

Enable encrypted DNS#

• Services => Unbound DNS => General => Enable DNSSEC support
• Services => Unbound DNS => DNS over TLS => Use system nameservers

Configure upstream DNS servers to forward to#

• System => Settings => General => DNS servers

Add these DNS servers:

9.9.9.9, WAN_GW 149.112.112.112, WAN_GW

Test#

Flush local DNS caches#

sudo resolvectl flush-caches

Basic tcpdump test#

tcpdump -u -vvv -i re0 port 53 or port 853 or port 443

Port mirroring test#

• See the OpenWrt port mirroring guide.