OPNsense NextDNS Configuration – Can't Enable DoH or DoT
Hello fellow forum members,
I hope you all are doing well. I've encountered an issue with my OPNsense setup that I'm hoping some of you can help me solve. I've successfully installed the CLI version of NextDNS on my OPNsense router, but I'm having difficulty enabling DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) as the protocols.
Setup Details
- OPNsense version: 23.7.5
- NextDNS CLI version: 1.41.0
- Zenarmor is also in use and configured to allow DoH traffic.
Issue Description
Even after installation and configuration, when I visit test.nextdns.io
, it shows that my protocol is still UDP. I've also tried disabling Unbound to see if it was causing conflicts, but no luck there.
What I've Tried
- Checked all NextDNS CLI configurations.
- Allowed DoH traffic in Zenarmor.
- Used the bypass function in Zenarmor for test purposes.
- Restarted OPNsense.
- Restarted NextDNS service via SSH
Questions
- Is there anything specific in the OPNsense settings that I should look for?
- Are there any known conflicts with Zenarmor?
- What logs should I be looking at to troubleshoot this issue?
- Are there specific firewall rules I should be checking?
Any insights or guidance on solving this problem would be greatly appreciated. Thank you for taking the time to read my post and for any help you can provide.
C:\Users\Fabio>curl -v https://dns.nextdns.io/info --connect-to ::45.90.28.0:443
* Connecting to hostname: 45.90.28.0
* Connecting to port: 443
* Trying 45.90.28.0:443...
* Connected to (nil) (45.90.28.0) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
> GET /info HTTP/1.1
> Host: dns.nextdns.io
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/json
< Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
< Timing-Allow-Origin: *
< Date: Wed, 11 Oct 2023 21:17:38 GMT
< Content-Length: 80
<
{"locationName": " Frankfurt, Germany", "pop": "zepto-fra", "rtt": 5740}* Connection #0 to host (nil) left intact
Copy
2 replies
-
No one can help?
-
Hi!
I just had the same issue. I've found the solution in this thread: https://forum.opnsense.org/index.php?topic=25736.0
Basically you just need the GUI, and go to "DNS over TLS" in the Unbound settings, and add:
- The NextDNS IP in "Server IP"
- 853 in "Server port"
- Your custom hostname (<yourid>.dns.nextdns.io, the URL in your NextDNS profile) in "Verify CN" field
Everything work as expected for me and I do have DoT while browsing test.nextdns.io.
Hope it helps!
Regards,
Arty
Content aside
- 11 mths agoLast active
- 2Replies
- 1865Views
-
3
Following