
Unbound-Control DNS over TLS Bug (unbound-control Shows tls-upstream: no Despite DNS over TLS Being Enabled) #8386

Open
dlbdatadata opened this issue Mar 1, 2025 · 3 comments
Labels
upstream Third party issue

Comments

@dlbdatadata

Hello, this issue seems relatively minor relative to the list of things the OPNSense team is working on but my dns has been attacked so I have gotten to know these settings intimately! Ha!

So I thought it would be good to share a small bug I found (I think) for those who use OPNSense for intense DNS security (like myself).

Description:
When configuring DNS over TLS (DoT) in OPNsense (Services > Unbound DNS > DNS over TLS), Unbound correctly sends queries over port 853 (verified via tcpdump).

However:
unbound-control get_option tls-upstream incorrectly returns no.
The main unbound.conf does not include forward-zone entries, making it seem like DoT is not active.
DoT settings are instead stored in a separate file (/var/unbound/etc/dot.conf), which is not immediately obvious.
This discrepancy can lead to confusion when double-checking and troubleshooting DoT functionality.

Expected Behavior:
unbound-control should correctly reflect DoT settings (tls-upstream: yes).
Either Unbound’s main config should include forward-zone entries or documentation should clarify how DoT settings are applied.

Steps to Reproduce:
Configure Unbound DoT in OPNsense GUI (Services > Unbound DNS > DNS over TLS).
Run unbound-control get_option tls-upstream → Outputs no.
Run tcpdump -i <interface> port 853 → Shows active DoT traffic.
Check /var/unbound/unbound.conf → No forward-zone entries.
Check /var/unbound/etc/dot.conf → Contains DoT settings.
System Information:

OPNsense Version: 25.1.2
Unbound Version: 1.22.0_1

Workarounds:
Use tcpdump to verify encrypted queries.
Manually inspect /var/unbound/etc/dot.conf for DoT settings.

Additional Context:
The issue is not just cosmetic—users relying on unbound-control for validation and DNS statistical anomaly detection may mistakenly think DoT is disabled.
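A point worth making explicit for anyone validating DoT the way the report above does: in Unbound, `tls-upstream` is a global option in the `server:` clause, whereas a forwarder's TLS setting lives inside its `forward-zone:` clause as `forward-tls-upstream: yes`. A configuration can therefore forward every query over TLS on port 853 while `unbound-control get_option tls-upstream` truthfully reports `no`. The script below is an added example, not code from the issue author or from OPNsense. It reads the configuration files directly, follows `include:` directives (so a forward zone kept in a separate file such as dot.conf is still found), reports which forward zones use TLS, and flags forwarders that would be encrypted but not authenticated because they carry no `#authname` or because neither `tls-cert-bundle` nor `tls-system-cert` is set. The unbound.conf and dot.conf it writes to a temporary directory are constructed for the example; their contents, and the assumption that the main file pulls in dot.conf through an `include:` line, are not taken from the issue.

```python
"""Check Unbound DoT configuration by reading the config files, not
`unbound-control get_option tls-upstream`.

Added example; the sample config it builds is constructed, not OPNsense's.
"""
import glob
import os
import re
import tempfile

# In Unbound a '#' starts a comment only at the start of a token (line start
# or after whitespace).  Inside a token it is data, e.g. the TLS auth name in
# 'forward-addr: 1.1.1.1@853#cloudflare-dns.com'.
COMMENT_RE = re.compile(r'(^|\s)#.*$')
INCLUDE_RE = re.compile(r'^include:\s*"?([^"\s]+)"?$')
KV_RE = re.compile(r'^([A-Za-z0-9_-]+):\s*(.*)$')


def parse_unbound_config(path, _seen=None):
    """Return (server_options, forward_zones) for the file and its includes."""
    seen = _seen if _seen is not None else set()
    real = os.path.realpath(path)
    if real in seen:                       # guard against include loops
        return {}, []
    seen.add(real)

    server, zones = {}, []
    section = None
    with open(path) as fh:
        for raw in fh:
            line = COMMENT_RE.sub("", raw).strip()
            if not line:
                continue
            inc = INCLUDE_RE.match(line)
            if inc:
                pattern = inc.group(1)
                # Simplification: relative includes resolve against the
                # including file.  Unbound resolves them against its working
                # directory (chroot), so prefer absolute paths in real configs.
                if not os.path.isabs(pattern):
                    pattern = os.path.join(os.path.dirname(path), pattern)
                for inc_path in sorted(glob.glob(pattern)):
                    s, z = parse_unbound_config(inc_path, seen)
                    server.update(s)
                    zones.extend(z)
                continue
            kv = KV_RE.match(line)
            if not kv:
                continue
            key, value = kv.group(1), kv.group(2).strip().strip('"')
            if value == "":                # clause header: server:, forward-zone:, ...
                section = key
                if key == "forward-zone":
                    zones.append({"name": None, "forward-addr": [],
                                  "forward-tls-upstream": "no"})
                continue
            if section == "server":
                server[key] = value
            elif section == "forward-zone" and zones:
                if key == "forward-addr":
                    zones[-1]["forward-addr"].append(value)
                else:
                    zones[-1][key] = value
    return server, zones


def split_forward_addr(addr):
    """Split Unbound's 'ip[@port][#authname]' forward-addr syntax."""
    host, _, authname = addr.partition("#")
    ip, _, port = host.partition("@")
    return ip, (int(port) if port else 53), (authname or None)


def dot_status(server, zones):
    """Summarise DoT: global tls-upstream, TLS forward zones, weak forwarders."""
    cert_source = ("tls-cert-bundle" in server
                   or server.get("tls-system-cert", "no").lower() == "yes")
    tls_zones, unauthenticated = [], []
    for z in zones:
        if z.get("forward-tls-upstream", "no").lower() != "yes":
            continue
        tls_zones.append(z["name"])
        for addr in z["forward-addr"]:
            _ip, _port, authname = split_forward_addr(addr)
            # Encrypted but unverified unless an auth name AND a CA source exist.
            if not (authname and cert_source):
                unauthenticated.append(addr)
    global_tls = server.get("tls-upstream", "no").lower() == "yes"
    return {
        "global_tls_upstream": global_tls,
        "tls_forward_zones": tls_zones,
        "dot_configured": global_tls or bool(tls_zones),
        "unauthenticated_forwarders": unauthenticated,
    }


def build_sample_config():
    """Write a constructed OPNsense-like layout to a temp dir; return unbound.conf path."""
    root = tempfile.mkdtemp(prefix="unbound-example-")
    os.mkdir(os.path.join(root, "etc"))
    with open(os.path.join(root, "unbound.conf"), "w") as fh:
        fh.write(
            "server:\n"
            "    interface: 127.0.0.1\n"
            "    tls-cert-bundle: /etc/ssl/cert.pem\n"
            "    # no tls-upstream here, as in the issue report\n"
            f'include: "{root}/etc/*.conf"\n'
            "remote-control:\n"
            "    control-enable: yes\n"
        )
    with open(os.path.join(root, "etc", "dot.conf"), "w") as fh:
        fh.write(
            "forward-zone:\n"
            '    name: "."\n'
            "    forward-addr: 1.1.1.1@853#cloudflare-dns.com  # authenticated\n"
            "    forward-addr: 9.9.9.9@853\n"          # constructed: no auth name
            "    forward-tls-upstream: yes\n"
        )
    return os.path.join(root, "unbound.conf")


if __name__ == "__main__":
    cfg = build_sample_config()
    print(dot_status(*parse_unbound_config(cfg)))
```

Against a live system, call `dot_status(*parse_unbound_config("/var/unbound/unbound.conf"))`. The live counterpart of this file-based check is `unbound-control list_forwards`, which lists the forward zones Unbound actually loaded; `get_option tls-upstream` only reports the global server option and says nothing about per-zone forwarders.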

@fichtner
Member

fichtner commented Mar 1, 2025

Wouldn’t it make more sense to open a bug report with Unbound?

@fichtner fichtner added the upstream Third party issue label Mar 1, 2025
@dlbdatadata
Author

dlbdatadata commented Mar 1, 2025

> Wouldn’t it make more sense to open a bug report with Unbound?

No, if you read the detailed post, this issue is specific to the implementation of Unbound on OpnSense. It is an issue with Unbound.

@fichtner
Member

fichtner commented Mar 1, 2025

Well, just a thought. I don’t mind someone finding a bug in core. Just add a PR.
