Configuring DNS-over-TLS with OPNSense

Privacy is becoming more and more important in the ever-developing world of the Internet. On top of the ongoing security problems (much of the core plumbing of the Internet dates back decades and was designed without encryption or authentication), there is now targeted advertising: companies that exist solely to gather as much information about an individual as possible and serve them the adverts they think will stick.

One of the mechanisms that leaks this information is the equally ancient DNS system, used to translate a name like “google.com” into its IP address “”. Traditionally DNS runs unencrypted over UDP: the request and the reply travel in plain text, so anyone on the path can read them, and can also intercept a request and substitute their own answer (a “man-in-the-middle” attack).

The underlying problem is that traditional DNS gives you no way of knowing whether the answer that comes back actually came from the resolver you asked. And because everything is in the clear, anyone in a position to see the traffic, your ISP included, can log every name you look up (and maybe sell that data to advertisers).

So we need to do two things:

  • Authenticate the resolver, so we know the answers come from the server we chose
  • Encrypt the connection, so nobody on the path can read or tamper with it

This is where DNS-over-TLS comes in. Instead of firing off UDP datagrams, the client opens a TCP connection to the resolver on port 853, runs a TLS handshake over it, and then sends ordinary DNS messages inside the encrypted session (RFC 7858). Because the session is encrypted and the server proves its identity with a certificate, nobody on the path can read the queries or slip in forged answers. There is also DNS-over-HTTPS, which wraps the same DNS messages in HTTPS requests on port 443 so that they look like any other web traffic.

TLS encrypts the connection so that an observer on the path cannot read the queries (they can still see that you are talking to a resolver, and how much). During the handshake the resolver presents a certificate; if the client checks it against a trusted CA and the name it expects, it knows it is talking to the real resolver and not an impostor. Note that this authenticates the resolver and protects the path; it does not prove the answers themselves are correct, which is what DNSSEC is for. Mozilla is currently trialling built-in DNS-over-HTTPS in Firefox, but that only covers one browser on one machine; your phone, smart TV and everything else on the network still send plain DNS. The most complete approach is to have the router do the encryption for every device behind it.

Fortunately, both pfSense and OPNsense run Unbound as their resolver, and Unbound can forward over TLS to Cloudflare’s new 1.1.1.1 service. There are alternatives such as Quad9 that can be used as well, either as backups in case Cloudflare goes down or as your primary. Either way it is recommended to use a secondary DNS service as a backup, and then a tertiary service such as can be used as a final backup to ensure you never go offline.

I am running OPNsense, though the setup for pfSense is very similar. The bulk of the configuration is done in the “Custom options” box on the Services > Unbound DNS > General page:

The screenshot above shows my configuration. Each “forward-addr” line is one upstream resolver; add several so that Unbound can fail over when one or more of them is offline. Make sure “DNS Query Forwarding” is left disabled: with it enabled, OPNsense generates its own forward-zone pointing at the plain-DNS servers from System > General, which would bypass the TLS forwarders you just defined.
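As a worked example (added here, not the configuration from the screenshot above), this is the shape of the Custom options text that forwards everything over TLS and also verifies the resolver’s certificate. The CA bundle path is an assumption (on OPNsense/FreeBSD it is /etc/ssl/cert.pem when the ca_root_nss package is installed), and the options assume an Unbound new enough to understand forward-tls-upstream, tls-cert-bundle and the #name suffix on forward-addr; older builds spell the first one forward-ssl-upstream and cannot check the name at all:

```conf
# Added example for Services > Unbound DNS > General > "Custom options".
# Not the original author's screenshot; the bundle path is an assumption.
server:
    # CA bundle used to validate the resolver certificates below.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    # "." means every query is forwarded; no local recursion to the roots.
    name: "."
    # Speak TLS on the upstream connections (port given after the @).
    forward-tls-upstream: yes
    # Primary and secondary from one provider, tertiary from another.
    # The name after # must appear in the certificate the server presents.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Without tls-cert-bundle and the #name suffix Unbound still encrypts, but it accepts whatever certificate it is shown, so a man-in-the-middle with a certificate of their own could still answer. With them, a certificate that does not chain to a trusted CA or does not carry the expected name is rejected and Unbound moves on to the other forwarders.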

Once that is set, make sure Unbound is restarted using the restart icon at the top of the screen. You can check that it works with the “Packet Capture” tool under Interfaces > Diagnostics: capture on the WAN interface and filter on port 853:

You will see your public IP connecting to the DNS service over TCP on port 853. Just as importantly, a second capture on the WAN interface for port 53 should now stay empty; if plain DNS is still leaving the router, some client or service is bypassing Unbound. (Your LAN clients still talk plain DNS to the router itself, and that is fine, because it never leaves your network.)
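If you would rather script the check than eyeball the capture, the following is an added example (not part of the original walkthrough) that reads the text form of a tcpdump capture and counts packets with an endpoint on port 853 against packets with an endpoint on port 53. The sample lines are constructed for the example, with 203.0.113.10 standing in for the router’s public address; in practice you would feed it `tcpdump -n` output from the WAN interface or the downloaded capture file:

```shell
#!/bin/sh
# Constructed tcpdump-style lines (the text form of what OPNsense's Packet
# Capture shows). 203.0.113.10 stands in for the router's WAN address; these
# samples are made up for this example, not taken from a real capture.
SAMPLE_CLEAN='
12:00:01.000001 IP 203.0.113.10.51234 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
12:00:01.010002 IP 1.1.1.1.853 > 203.0.113.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.020003 IP 203.0.113.10.51234 > 1.1.1.1.853: Flags [P.], seq 1:200, ack 1, length 199
'
SAMPLE_LEAK="$SAMPLE_CLEAN
12:00:02.000004 IP 203.0.113.10.40000 > 198.51.100.53.53: 1234+ A? example.com. (29)
12:00:02.100005 IP 203.0.113.10.50000 > 192.0.2.80.443: Flags [S], seq 1, win 65535, length 0
"

# dns_port_summary: read tcpdump text on stdin and print one line
# "dot=<n> plain=<m>", counting packets with an endpoint on port 853 (DoT)
# and packets with an endpoint on port 53 (plaintext DNS). Pass "-v" to
# also print every plaintext-DNS line as it is found.
dns_port_summary() {
  awk -v verbose="${1:-}" '
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
      src = $3; dst = $5; sub(/:$/, "", dst)
      # tcpdump prints addr.port; the port is the text after the last dot
      n = split(src, p, "."); sport = p[n]
      n = split(dst, p, "."); dport = p[n]
      if (sport == "853" || dport == "853") dot++
      else if (sport == "53" || dport == "53") {
        plain++
        if (verbose != "") print "plaintext DNS: " $0
      }
    }
    END { printf "dot=%d plain=%d\n", dot, plain }
  '
}

# dns_leak_check: wraps dns_port_summary; returns 0 when no plaintext DNS was
# seen and 1 otherwise, so it can sit in an if or a monitoring job.
dns_leak_check() {
  out=$(dns_port_summary -v)
  printf '%s\n' "$out"
  case "$out" in
    *plain=0) return 0 ;;
    *)        return 1 ;;
  esac
}

# Run against both constructed samples when executed directly.
for sample in "$SAMPLE_CLEAN" "$SAMPLE_LEAK"; do
  if printf '%s\n' "$sample" | dns_leak_check; then
    echo "OK: all upstream DNS left over port 853"
  else
    echo "WARN: plaintext DNS still leaving the WAN"
  fi
done
```

The check only looks at port numbers, so it will also flag a reply arriving from port 53 on some other host; that is deliberate, since after this change nothing on the WAN side should be speaking plain DNS in either direction.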

And that’s it! Your DNS requests will now be encrypted. Safe browsing!