Bug #11051
Unbound: custom TLS listen port ignored (closed)
Description
Using latest stable pfSense: 2.4.5-RELEASE-p1 (amd64)
Attempting to configure two-tier DNS cache, using either BIND or DNS Forwarder (dnsmasq) for first-level cache and for local DHCP names (due to #5413), and using DNS Resolver (unbound) at the second level to take advantage of DNSBL. I set BIND/dnsmasq to port 53 and 853 for TLS (BIND only), and intend to run DNS Forwarder (Unbound) on loopback address ports 5053 and 5853, respectively. Although I can set both of these in the Unbound GUI (services_unbound.php), the second setting, for TLS port, is not applied to the config file, so when the Unbound service restarts it listens on 5053 for unencrypted and 853 for encrypted. I've tried a few different port numbers for both, and the unencrypted port configuration is always applied while the encrypted port is never applied (always stays 853).
I think this is a problem with the GUI/pfSense, because when I ssh in and review the unbound config file at /var/unbound/unbound.conf, I can see the port: setting get updated while the tls-port: setting remains 853. I even manually set tls-port: 5853 in unbound.conf and it was changed back to 853 the next time I saved changes in the GUI.
Updated by Brad Edmondson about 4 years ago
More context: running on bare metal Celeron 3160 with 8 GB RAM. Landing page reports:
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE
Updated by Viktor Gurov about 4 years ago
Updated by Jim Pingle about 4 years ago
- Status changed from New to Pull Request Review
- Target version set to 2.5.0
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Danilo Zrenjanin about 4 years ago
- Status changed from Feedback to Resolved
Tested on:
2.5.0-DEVELOPMENT (amd64)
built on Fri Nov 13 19:02:04 EST 2020
FreeBSD 12.2-STABLE
The GUI applies the changes successfully to the unbound.conf file.
# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 8853
Ticket resolved.
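The report boils down to a mismatch between what the GUI was told and what ended up in /var/unbound/unbound.conf: the port: line changed, the tls-port: line stayed at 853. A quick way to catch that class of regression, before or after a fix like the one verified above, is to parse the generated file and compare the listen ports with the intended ones. The script below is an added example written for this page, not code from pfSense or from the ticket; the two configuration snippets are constructed to mirror the broken and the fixed output described in the thread, and the path in the usage stanza is the one the reporter inspected.

```python
"""Added example (not from the pfSense bug report or the pfSense code base):
parse the server: clause of an unbound.conf and check that the listen ports
the GUI was supposed to write actually made it into the file."""
import re
import sys

# Constructed samples: the first reproduces the mismatch the reporter describes
# (port: applied, tls-port: still at the 853 default); the second reflects the
# corrected output, where both ports follow the GUI settings.
BROKEN_CONF = """\
server:
  interface: 127.0.0.1
  port: 5053
  # TLS Configuration
  tls-cert-bundle: "/etc/ssl/cert.pem"
  tls-port: 853
"""

FIXED_CONF = """\
server:
  interface: 127.0.0.1
  port: 5053
  # TLS Configuration
  tls-cert-bundle: "/etc/ssl/cert.pem"
  tls-port: 5853
"""

# Unbound option lines look like "name: value"; values may be quoted.
OPTION_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")


def parse_unbound_server(text):
    """Return {option: [values]} for the server: clause only.

    Unbound allows repeated options (several interface: lines, for example),
    so every option maps to a list. Comments and blank lines are skipped and
    the scan stops at the next top-level clause (forward-zone:, remote-control:).
    """
    options = {}
    in_server = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        # An unindented "name:" line opens a new clause.
        if not raw[:1].isspace() and line.endswith(":"):
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        m = OPTION_RE.match(line)
        if m:
            options.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return options


def check_listen_ports(text, want_port, want_tls_port):
    """Compare the ports present in the file with what was configured.

    Unbound's built-in defaults are 53 and 853, so a missing option counts as
    the default rather than as a parse error. Returns a list of findings; an
    empty list means the file matches the intended configuration.
    """
    opts = parse_unbound_server(text)
    got_port = int(opts.get("port", ["53"])[-1])
    got_tls = int(opts.get("tls-port", ["853"])[-1])
    findings = []
    if got_port != want_port:
        findings.append(f"port: expected {want_port}, file has {got_port}")
    if got_tls != want_tls_port:
        findings.append(f"tls-port: expected {want_tls_port}, file has {got_tls}")
    return findings


if __name__ == "__main__":
    # Usage: python check_unbound_ports.py [/var/unbound/unbound.conf] PORT TLS_PORT
    # With no arguments, run the check against the constructed samples.
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            problems = check_listen_ports(fh.read(), int(sys.argv[2]), int(sys.argv[3]))
    else:
        problems = check_listen_ports(BROKEN_CONF, 5053, 5853)
    for p in problems:
        print("MISMATCH:", p)
    sys.exit(1 if problems else 0)
```

Running the script with no arguments reports the tls-port mismatch for the constructed broken sample and exits non-zero; pointing it at the live file after saving in the GUI is a cheap way to confirm that both listen ports were written, which is exactly the check the final update in this ticket performed by hand.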