Secure Browsing for All: Setting Up DNS Over TLS with Unbound on OPNsense (and Why Cloudflare’s DNS Blacklists Matter)
DNS is the phone book of the internet, but traditional DNS requests aren’t encrypted, leaving them open to eavesdropping or manipulation. That’s where DNS over TLS (DoT) comes in, encrypting DNS queries for enhanced privacy and security.
If you use OPNsense, a powerful open-source firewall, you can enable DNS over TLS with its built-in Unbound DNS resolver. Even better: by leveraging Cloudflare’s DNS blacklists, you can block malware and filter content to keep your family or organization safe.
This guide walks you step by step through configuring DNS over TLS on OPNsense using Unbound, and explores how Cloudflare’s free DNS filtering adds another crucial security layer.
DNS over TLS on OPNsense - Why Use DNS Over TLS (DoT)?
- Privacy: Your ISP or network snoops can’t see which sites you’re visiting.
- Security: Prevents DNS spoofing and man-in-the-middle attacks.
- Peace of Mind: When paired with threat blocking lists, you reduce risks from malware, phishing, and inappropriate content.
DNS over TLS on OPNsense - Prerequisites
- OPNsense firewall (latest version recommended)
- Unbound DNS enabled (default on OPNsense)
- Admin access to the OPNsense web interface
Step-by-Step: Configuring DNS Over TLS on OPNsense
Enable Unbound DNS (if not already active)
- Go to Services → Unbound DNS → General
- Ensure “Enable Unbound” is checked
Configure DNS Over TLS Servers
- Still in the Unbound DNS settings, find the DNS over TLS section
- Enter Cloudflare’s DNS servers:
  - 1.1.1.1 and 1.0.0.1 (for standard privacy)
  - For family filtering: 1.1.1.3 and 1.0.0.3 (Cloudflare’s malware and adult content blocking)
- Set the appropriate port (usually 853 for DoT)
Adjust Advanced Settings
- Go to the Advanced tab
- Add or ensure these options are set:
  - Enable DNSSEC Support (for authenticating responses)
  - TLS Upstream (ensures upstream queries are encrypted)
- Save and apply changes
Update Firewall Rules
- Ensure outbound traffic on port 853 (TCP) is allowed for Unbound to communicate with external DNS servers
Test Your Configuration
- Use tools like Cloudflare’s Browsing Experience Security Check, or the dig and drill commands, to confirm that DNS queries are encrypted
About Cloudflare DNS Blacklists
Cloudflare offers free DNS filtering to block malware and protect families or businesses from unwanted content:
- 1.1.1.2 / 1.0.0.2: Blocks malware and known threats
- 1.1.1.3 / 1.0.0.3: Blocks both malware and adult content
By using these servers with DNS over TLS, OPNsense users can combine privacy, security, and content filtering in one step; there is no need for extra plugins or paid subscriptions.
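As an added example that is not part of the original guide, the following Python client performs the test from the previous step directly against the servers listed above: it sends a query over TLS on port 853 with certificate and hostname verification and returns the A records, so you can compare what 1.1.1.1 and 1.1.1.2 answer for the same name. It assumes cloudflare-dns.com as the TLS hostname of Cloudflare’s resolvers; that hostname and any query name you pass in are assumptions, not values from this page.

```python
import socket, ssl, struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a DNS question (A record by default) in wire format with RD=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(msg, pos):
    """Return the offset just past a domain name (plain labels, root, or pointer)."""
    while msg[pos] != 0 and msg[pos] & 0xC0 == 0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # 2-byte compression pointer or 1-byte root

def parse_a_records(msg):
    """Return the IPv4 strings from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):  # skip each question: name, then qtype + qclass
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:  # TLS records may split the DNS message across reads
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query_dot(name, server="1.1.1.2", port=853, server_hostname="cloudflare-dns.com"):
    """Resolve name over TLS on port 853 (RFC 7858 framing: 2-byte length prefix).
    create_default_context() verifies the chain and hostname (assumed value above),
    so a resolver that is not the expected TLS endpoint raises instead of answering."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)
            rlen = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_a_records(_recv_exact(tls, rlen))
```

Call query_dot("example.com") against 1.1.1.1 and again with the default 1.1.1.2 to see that both answer over TLS; a resolver that only speaks plaintext on 853, or presents a certificate for another name, fails the handshake rather than returning records.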
DNS over TLS on OPNsense - Best Practices & Final Tips
- Keep OPNsense and Unbound updated for security patches
- Periodically test that DNS queries remain encrypted
- Adjust Cloudflare filtering as needed (malware only vs. malware + adult content)
- Consider DNSSEC for added integrity
Call to Action
Have you secured your home or business network with DNS over TLS?
What DNS filtering tools do you use?
Share your tips or questions in the comments, and subscribe for more practical security guides!