Overview

I lied. This is not actually for ad-blocking. What I have found is that ad-blocking on my home network is more of an inconvenience than anything, especially for Jai. Instead, I've configured OPNsense to use specific DNS servers (Quad9) to reduce the risk of malware.

DNS over TLS

Unbound DOT settings

Go to Services → Unbound DNS → DNS over TLS. Add the following entries to custom forwarding:

  • 9.9.9.9:853
  • 149.112.112.112:853

These are the Quad9 DNS servers.

To ensure that your DNS server is being used, and not your ISP's, you will have to go to System → Settings → General and uncheck Allow DNS to be overridden by DHCP/PPP on WAN.

To check that Quad9 is being used, go to Interfaces → Diagnostics → DNS Lookup and look up a domain. If only 127.0.0.1 is returned, you are good to go.

DNSSEC

We want to make sure our DNS over TLS queries are secure (DNSSEC validation makes sure the DNS response we receive is the genuine one and has not been hijacked).

To enable, go to Services → Unbound DNS → General and check Enable DNSSEC Support.
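Both of the checks this page relies on (that the Quad9 servers listed under DNS over TLS are really answering over TLS on port 853, and that the answers come back DNSSEC-validated) can also be made directly from a client, independent of the OPNsense GUI. The script below is an added example written for this page; it is not code from the original post, from OPNsense or from Unbound. It assumes the Quad9 addresses given above, assumes dns.quad9.net as the name to verify on Quad9's TLS certificate, and uses quad9.net as an arbitrary query name. It builds a raw DNS query with the DO bit set, sends it over a verified TLS connection with the RFC 7858 length prefix, and reports the response code and whether the AD (Authenticated Data) flag was set, which is how a validating resolver signals that DNSSEC checked out.

```python
"""Query a DNS-over-TLS resolver directly and check the AD (DNSSEC) flag.

Added example for this page; not OPNsense or Unbound code. Server addresses
are the Quad9 ones from the page; dns.quad9.net is assumed to be the name on
Quad9's certificate; the query name quad9.net is an arbitrary choice.
"""
import socket
import ssl
import struct

QUAD9 = [("9.9.9.9", 853), ("149.112.112.112", 853)]
QUAD9_TLS_NAME = "dns.quad9.net"  # assumed certificate name used for TLS verification


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """Encode a one-question DNS query (RD=1) with an OPT record carrying the
    DO bit, so the resolver returns DNSSEC-aware answers."""
    # Header: id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0,
    # flags with DO (0x8000), no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the DNS header fields that matter for this check."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),   # this is a response
        "ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated DNSSEC
        "tc": bool(flags & 0x0200),   # truncated (should not happen over TCP/TLS)
        "rcode": flags & 0x000F,      # 0 = NOERROR, 2 = SERVFAIL (e.g. DNSSEC failure)
        "answers": an,
    }


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name: str, server: tuple, tls_name: str, timeout: float = 5.0) -> dict:
    """Send one query over DNS-over-TLS (RFC 7858) and return the parsed header.
    The default SSL context verifies the chain and the server name, so a
    resolver presenting the wrong certificate fails here instead of answering."""
    ctx = ssl.create_default_context()
    msg = build_query(name)
    with socket.create_connection(server, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack("!H", len(msg)) + msg)  # 2-byte length prefix
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_flags(recv_exact(tls, length))


if __name__ == "__main__":
    for server in QUAD9:
        try:
            r = query_dot("quad9.net", server, QUAD9_TLS_NAME)
            print(server[0], "rcode", r["rcode"], "AD", r["ad"], "answers", r["answers"])
        except (OSError, ssl.SSLError) as e:
            print(server[0], "failed:", e)
```

Run it from a machine on the LAN: an answer with rcode 0 and AD True means the TLS handshake verified and the resolver validated DNSSEC for that name; a certificate error means something other than the expected resolver is answering on 853. Note that the AD flag here reflects validation done by Quad9, whereas the Enable DNSSEC Support option above makes Unbound on the firewall validate for itself, which is the setting that protects clients even if the upstream answer were tampered with.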