Feature #8030

Unbound: Add support for DNS over TLS to internal clients

Added by Mathew Keith over 1 year ago. Updated 12 months ago.

DNS Resolver

Add support for DNS over TLS to internal clients.

A description of the feature can be found here.

Unbound has supported it for a while. I don't see much value in enabling this for internal clients, so I am making this mostly to document what would need to be done to include support to clients.

Add a checkbox to the Advanced settings:
Label: DNS over TLS
Description: Provide DNS over TLS port 853 to internal clients. Uses webConfigurator Cert.

If checked, add the following to unbound's config under the server section:
ssl-service-key: "<path to key used in webConfigurator>"
ssl-service-pem: "<path to cert used in webConfigurator>"
ssl-port: 853

Associated revisions

Revision 1fa69c27 (diff)
Added by Jim Pingle 12 months ago

Add GUI controls to the DNS Resolver for providing DNS over TLS service to local clients. Implements #8030


#1 Updated by Mathew Keith over 1 year ago

Also need to add the following lines:
interface: ::0@853

The interface address being set to match normal dns settings.

#2 Updated by Mathew Keith over 1 year ago

I did some more research on this. A simple checkbox that adds the following lines to the config should do the trick:
#EDIT - needed to accept tcp 853
interface-automatic: no
ssl-service-key: "/var/etc/cert.key"
ssl-service-pem: "/var/etc/cert.crt"
ssl-port: 853
interface: ::0@853

As far as a use case goes I can only imagine this being useful over an open WIFI AP. Android has added the option to enable DNS over TLS to the AOSP here:

This should mean that a connected android device will utilize the service if available at some point down the line. The rest of DNS over TLS implementation will happen in the unbound development.

#3 Updated by Mathew Keith over 1 year ago

Edit: I was able to get this to work. info posted below.

Forum link:

#4 Updated by Mathew Keith over 1 year ago

I'd like to request that this FR be closed. When I created it I did so because I didn't think it was possible to do through the Custom Options due to the certificate. Since this is stored on the drive and has a static path this really should be done through the Custom Options for the foreseeable future. Particularly while implementation is still being worked on.

If I find a way to get it working I'll post the custom options to the forum for anyone who wants to try it.

#5 Updated by Jim Pingle over 1 year ago

Also it would need significantly more logic here than you've shown thus far. For instance, you can't always assume that the GUI is set to HTTPS, it would need a dedicated ca/certificate selection. Plus, you would have to have additional binding options. You could assume the same binding options as the main unbound service, but you can't always bind it to any/all unless that's what the user chose to do.

No harm in keeping it open without a target though, so it can remain as-is.
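An added example of the control logic this comment asks for (it is not pfSense code and is not taken from the later commit): it renders the Unbound server-section lines for the TLS listener, binds only to the addresses the operator selected and refuses a wildcard bind unless that was explicitly chosen, takes the certificate and key as an explicit selection rather than assuming the HTTPS cert is present, and reports missing files before anything is written. The function names, the address lists and all paths are hypothetical placeholders.

```python
"""Render Unbound 'server:' lines for a DNS-over-TLS listener (added example,
not pfSense or Unbound project code; names and paths are placeholders)."""
import ipaddress
import os


def bind_lines(addresses, port=853, allow_wildcard=False):
    """One 'interface: addr@port' line per selected address.

    Unbound treats 0.0.0.0 / ::0 as "every address".  That is emitted only
    when the caller opts in; otherwise it is rejected so the listener does
    not silently appear on interfaces the operator never chose.
    """
    lines = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)          # raises ValueError on junk
        if ip.is_unspecified and not allow_wildcard:
            raise ValueError("wildcard bind %s not allowed unless chosen" % addr)
        lines.append("interface: %s@%d" % (addr, port))
    return lines


def missing_files(*paths):
    """Return the paths that are absent or unreadable (empty list = all good).

    On pfSense the webConfigurator cert only exists on disk when HTTPS is
    enabled, so this check belongs before the config is written.
    """
    return [p for p in paths
            if not os.path.isfile(p) or not os.access(p, os.R_OK)]


def render_dot_block(addresses, cert_path, key_path, port=853,
                     allow_wildcard=False):
    """Server-section lines that enable the TLS listener.

    cert_path / key_path come from an explicit selection made by the
    operator (hypothetical GUI field), not from the HTTPS configuration.
    """
    lines = ["# DNS over TLS listener (generated)",
             # interface-automatic breaks the TCP/853 listener (comment #6)
             "interface-automatic: no"]
    lines += bind_lines(addresses, port, allow_wildcard)
    lines += ['ssl-service-pem: "%s"' % cert_path,
              'ssl-service-key: "%s"' % key_path,
              "ssl-port: %d" % port]
    return lines


if __name__ == "__main__":
    # Constructed sample input: two LAN addresses, the paths from this issue.
    cert, key = "/var/etc/cert.crt", "/var/etc/cert.key"
    gone = missing_files(cert, key)
    if gone:
        print("refusing to write config, missing: %s" % ", ".join(gone))
    print("\n".join(render_dot_block(["192.168.1.1", "fd00::1"], cert, key)))
```

Unbound is only ever handed a block that passed both checks; a wildcard bind or a missing key file is reported to the operator instead of producing a config that Unbound would reject at start-up.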

#6 Updated by Mathew Keith over 1 year ago

I was able to get this to work using the following:

#this prevents port 853 tcp from working. Not sure why? Turning off
interface-automatic: no

interface: ::0@853
ssl-port: 853
ssl-service-pem: "/var/etc/cert.crt"
ssl-service-key: "/var/etc/cert.key"

As you noted, that cert is only present if https is enabled. I could add the above to the web config and file to be used, and work with the interface selection, but the cert drop down selector (and writing to disk) is beyond my ability.
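An added example, not part of this issue or of Unbound, of how to verify that a listener configured like the block above actually serves DNS over TLS: it builds a query, frames it the way RFC 7858 requires (a two-byte length prefix on a TLS stream, the same framing as DNS over TCP), parses the answer, and verifies the server certificate against a PEM file containing the cert Unbound was given. The resolver host, port 853 and the CA file path are placeholders; the embedded sample response is constructed for the offline check.

```python
"""DNS-over-TLS (RFC 7858) client check for an Unbound ssl-port listener.
Added example, not pfSense or Unbound code.  RESOLVER_HOST and CA_FILE are
placeholders; SAMPLE_RESPONSE is a constructed wire message for offline use."""
import socket
import ssl
import struct

RESOLVER_HOST = "192.0.2.1"                      # placeholder (documentation net)
RESOLVER_PORT = 853
CA_FILE = "/path/to/webconfigurator-cert.pem"    # placeholder: cert Unbound serves
QTYPE_A, QTYPE_AAAA = 1, 28


def encode_name(name):
    """Hostname -> DNS labels (length byte + label, terminated by 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Recursive query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_dot(msg):
    """RFC 7858 3.3: each message is prefixed with its 16-bit big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long")
    return struct.pack("!H", len(msg)) + msg


def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                              # skip question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            text = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            text = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers


def recv_exact(sock, n):
    """Read exactly n bytes from a stream socket (TLS delivers arbitrary chunks)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name, qtype=QTYPE_A, host=RESOLVER_HOST, port=RESOLVER_PORT,
              cafile=CA_FILE, timeout=5.0):
    """Resolve name over TLS on port 853, verifying the server cert against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x4242
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_dot(build_query(name, qtype, txid)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_response(recv_exact(tls, length), txid)


# Constructed reply to build_query("example.com", QTYPE_A): NOERROR, one A record.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + b"\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                   + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, 0x1234))   # offline self-check
```

`server_hostname` must match a name (or IP subjectAltName) in the certificate Unbound serves, so pass the hostname the webConfigurator cert was issued for rather than a bare address. A handshake failure here, with a plain-TCP query on port 53 still working, points at the cert/key pair or the `interface: ...@853` line rather than at the resolver itself.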

#7 Updated by Jim Pingle 12 months ago

  • Project changed from pfSense Packages to pfSense
  • Category changed from Unbound to DNS Resolver
  • Assignee set to Jim Pingle
  • Priority changed from Very Low to Normal
  • Target version set to 2.4.4

#8 Updated by Jim Pingle 12 months ago

See also: #8415 and #8388

#9 Updated by Jim Pingle 12 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#10 Updated by James Dekker 12 months ago

Tested on 2.4.4.a.20180406.1258, works as expected.

#11 Updated by Jim Pingle 12 months ago

  • Status changed from Feedback to Resolved
