≡ Menu
Home > Unbound > How to set up and configure DNS Over TLS (DoT) with OPNsense FreeBSD-based firewall

OPNsense set up and configure DNS Over TLS (DoT)

OPNsense is an open-source, FreeBSD-based firewall and routing security software. It also acts as a DNS resolver for all of your desktops and mobile devices. Let us see how to configure the OPNsense DNS resolver to encrypt all DNS queries to protect from eavesdropping to increase our privacy and security.

All DNS queries routed using plaintext. We either use UDP and TCP protocol 53 in plaintext, and your ISP or an attacker/hacker can monitor transmissions even if you use HTTPS, the DNS queries and answers of the site leaked. Hence we need to encrypt our DNS queries to protect ourselves. DNS over TLS (DoT) is nothing but a security protocol for encrypting DNS traffic using the Transport Layer Security (TLS) protocol. The main objective is to increase your security and privacy. Some benefits of DNS over TLS:

  • Avoid manipulation DNS.
  • Get rid of man-in-the-middle attacks.
  • No more eavesdropping.

OPNsense set up and configure DNS Over TLS (DoT)

OPNsense is a free and open-source firewall and routing engine. It is a fork of pfSense firewall, and pfSense was forked from m0n0wall software. All of these are based upon industry strength FreeBSD operating systems. Let us see how to configure OPNsense with DNS Over TLS (DoT) to increase your privacy and security.

Configuring OPNsense with DNS Over TLS (DoT)

I assume currently you have OPNsense up and running. First, open the firewall web UI. My firewall is running at Hence, open the web browser of your choice and feed URL:
Enter your username (root) and password.

How to configure DNS-over-TLS on OPNsense

OPNsense login

Click on the Services > Unbound DNS and Miscellaneous option:
OPNsense Unbond Dns over TLS

Unbond service configuration

How to configure DNS-over-TLS on OPNsense

OPNSense GUI have DoT feature integrated into the interface. You will see a web GUI option as follows:

Unbound DNS Miscellaneous options

Miscellaneous DoT GUI option

Next type nameservers to use for DoT. The syntax is pretty straightforward:
For example: ## IBM DNS Dot ## Cloudflare DNS DoT ## Google DNS DoT ## Your organization DNS DoT

How to configure Dns over TLS on Opnsense firewall

Enabling DNS over TLS with Cloudflare and Google as upstream service providers

Now all you have to do is restart the Unbound service. Click on the Services > Unbound DNS > General option > make sure you choose the “Enable DNSSEC Support” and finally click the reload/restart icon:
Restart Unbound DNS service on Opensense firewall

Restaring Unbound DNS service

How can I verify DNS encryption?

Use the ssh to log into your firewall ssh port from your Windows or macOS/Linux system:
ssh -l root
Get shell and type:
# cat /var/unbound/etc/dot.conf
DoT config added by the GUI:

  tls-cert-bundle: /etc/ssl/cert.pem
  name: "."
  forward-tls-upstream: yes

Let us do DNS tcpdump on the OPNsense firewall itself:
# tcpdump -i igb1 dst or or and dst port 853
The igb1 is my wan interface and we are interested in 853 port for DoT enabled DNS servers.


Now we have enabled and secure our DNS communication:

  • DNS over TLS to encrypt all DNS traffic from your LAN to upstream service provider.
  • DNSSEC to prevent DNS cache poisoning and other types of tampering attacks.

Head over to the Opnsense documentation to dig deep into other firewall features and enjoy your worry-free secure DNS and Internet browsing.

{ 7 comments… add one }
  • akil October 30, 2020, 11:00 pm

    Very clear precise explanation

  • jay November 6, 2020, 4:24 am

    I would suggest blocking TCP and UDP port 53 as well as 853 except for our firewall IP address to avoid accidental plain text DNS queries.

  • Dude March 5, 2021, 11:29 am

    Clear and useful tutorial.

  • Tina August 6, 2021, 7:06 am

    Very useful to avoid ISP snooping.

  • Wendy September 12, 2021, 2:22 am

    They changed UI. Would you mind updating this page?

  • tony September 15, 2021, 3:05 pm

    What Wendy said, UI has been updated. Are you able to update the guide ?

  • Paul September 21, 2021, 7:02 am

    The new UI options are “Host”, “Port”, and “Verify CN”. Host and port are obvious. Verify CN you can look up for each DNS provider. Without Verify CN, MITM attacks are still possible. Verify CN is used to confirm the validity of the TLS certificate that’s presented by the remote DNS server.

    Cloudflare (, and CloudFlare with Malware blocking (, use a CN of cloudflare-dns.com

    IBM’s Quad9.net (, etc) and Quad9 with malware blocking (, etc) uses a CN of ns.quad9.net

Leave a Comment