List of DNS providers that support DNS over TLS (DoT)

  • https://quad9.net: 9.9.9.9,149.112.112.112
  • https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls: 1.1.1.1,1.0.0.1
  • https://www.cira.ca/en/canadian-shield/configure/dns-tls: 149.112.121.10,149.112.122.10

Enable encrypted DNS

  • Services => Unbound DNS => General => Enable DNSSEC support
  • Services => Unbound DNS => DNS over TLS => Use system nameservers

Configure upstream DNS servers to forward to

  • System => Settings => General => DNS servers

Add these DNS servers:

9.9.9.9, WAN_GW
149.112.112.112, WAN_GW

Test

Flush local DNS caches

sudo resolvectl flush-caches

Basic tcpdump test

tcpdump -u -vvv -i re0 port 53 or port 853 or port 443

Port mirroring test