I migrated from UDM to OPNsense to get more visibility on my home network. Unbound DNS built in to OPNsense is awesome. Great video !
Thanks for watching! I agree, OPNsense is a great product and when you install extensions like Zenarmor it makes it even better.
Can I ask why you're using Google DNS rather than Quad9 DNS on a privacy focused video..?
Excellent video, thank you so much
Thanks for this, methinks I'll try this!
Trying to determine this solution in relation to settings for pi-hole running on a docker container?
Thanks for watching, to do this with pi-hole you will need to continue pointing your hosts to pi-hole as their DNS server to benefit from the ad blocking. In your pi-hole upstream DNS providers settings, you will need to set up a custom DNS provider and point it to your OPNsense firewall running the Unbound DNS server. This should achieve the same result because the local hosts will query pi-hole first for the address, and if pi-hole can't resolve the address, it will then forward this over to OPNsense, which will then forward it via DoT to the upstream provider. Hopefully this helps.
@ls111cyberEd this part I was missing - thank you
@ls111cyberEd is this a better solution than going directly from pihole to quad9?
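As an added illustration of the OPNsense side of that chain (not from the video or the commenter), this is the raw Unbound configuration that the OPNsense GUI settings amount to: Unbound listens on the LAN for queries coming from Pi-hole and forwards everything over DoT to the upstream resolver. The LAN address 192.168.1.1, the Pi-hole address 192.168.1.2, the certificate bundle path and Quad9 as the DoT upstream are assumptions for the example.

```conf
# Assumed: OPNsense LAN address is 192.168.1.1, Pi-hole is 192.168.1.2.
# Pi-hole's custom upstream DNS provider is set to 192.168.1.1 (port 53).
server:
    interface: 192.168.1.1
    port: 53
    # Only the Pi-hole host may query this resolver; everything else is refused.
    access-control: 0.0.0.0/0 refuse
    access-control: 192.168.1.2/32 allow
    # CA bundle used to verify the upstream's TLS certificate (FreeBSD path, assumed).
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Never fall back to plain UDP/53 if the TLS upstream is unreachable.
    forward-first: no

# Forward the whole namespace (".") to the upstream over TLS on port 853.
# The "#hostname" suffix is the name Unbound verifies on the server certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

With this in place a query from a LAN host goes host -> Pi-hole (port 53) -> OPNsense Unbound (port 53) -> Quad9 (port 853, TLS), so only the last hop leaves the network and it is encrypted.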
Is it possible to setup DoT with a multi wan? I don’t see a gateway option on unbound.
Good. However, is this setup going to work along with failover I saw in a previous video of yours? Thanks
Thanks for watching, no, you will run into issues with the DNS configs because the failover uses those DNS servers as monitoring addresses on each WAN interface. If you want to use both DoT and failover you will probably need to set up Unbound DNS on another server in your network and configure your clients to use that as their DNS server, and then put some restrictions on your firewall to only allow DNS traffic out of the LAN from that server IP to prevent the users from overriding your DNS settings. I have not tested the above suggestion, but in theory it may work, hopefully it helps.
@ls111cyberEd I once set failover and Unbound with DoT enabled in pfSense, and both seemed to be working, no particular issue actually, but I didn't test the setup accurately. Thanks
Can you tell us what a rule would look like for redirecting traffic to Unbound?
Won't the logs also contain the website you visited, with the DNS included, if it's working properly?
Can you make a video on DNS over HTTPS (DoH)? It's more secure than TLS. OPNsense has removed the custom options under Unbound, so it's confusing how to add custom options to make it work.
Thanks for watching, I will consider this as a future video. DoH is not necessarily more secure than DoT, both hide your DNS traffic, which is what this is all about. You could argue that DoH gives you better privacy by essentially "blending" the DNS traffic with the HTTPS traffic so someone snooping in on the traffic won't know the difference. However, at the same time this could also be a con because from the network administrator's point of view, they won't be able to control or isolate the DNS traffic separately; in that case DoT would be preferred.
thank you!
You're welcome!
how would you configure this using windows server for dns?
You need OPNsense, so either virtualize it or install it bare metal instead of Windows.
Thank you for your videos. I followed your video. But I have my outbound DNS port changed to port 54 instead of 53, due to setting up AdGuard, which said port 53 was already in use, so I changed it to 54. After following your instructions, my internet stops working? Please could you help, thanks.
OR JUST USE QUAD 9!