Transition from OpenDNS to CF for Teams/Gateway

Trying to see about switching to Cloudflare from OpenDNS. Mostly because OpenDNS/Cisco doesn’t seem to want to support DNS over TLS.

I’ve been running unbound on my local network as a resolver fronting OpenDNS, but unbound only seems to support DoH, not DoT. Looking at Cloudflare’s information for, it seems like the option is there, but I don’t see any configuration options for how to set this up. Is it as simple as “use from the Location IP address?”

Second issue: with OpenDNS, there’s an API to allow me to automatically update my location when my external IP changes (which unfortunately seems to happen with disturbing regularity). If the answer is to use from my location, is there a similar process to automatically update my location for Gateway? I’m currently sending myself pushbullet alerts when it’s detected, but if I can do it automatically, that’s a much better process. I just can’t seem to find any documentation on that.

So… it doesn’t seem like Gateway supports DoT, only DoH.

There is also no API to update the IP, but as long as you use the specific DoH subdomain you don’t need to care.

The conundrum is that unbound does not support DoH. So I must either double-proxy using cloudflared (which wouldn’t be the end of the world) or give up using unbound.

The reason I’m hung up on using unbound is that it is trivial to add local-domain overrides. Using Pi-Hole (as an example, because I started there) I found that even compared to “only” OpenDNS, I was blocking WAY more ads. But it’s limited (mostly) to running on ARM-based hardware. Then I found a script for unbound that allows me to populate the local zones directly into my unbound config. This allows me to use much better hardware, and still accomplish the same goal. By blocking before the forward request, I can even cut down on DNS traffic upstream :smiley:

It’s worth noting that DoT using port 853 does work on the Gateway resolvers.

I can also confirm that and and do NOT link back to the gateway account, but that’s probably not needed considering that you CAN use port 853 on and

That doesn’t solve the dynamic IP issue, which, if Cloudflare is serious about providing their service to homes, they probably need to address.

I’ve also discovered that Cloudflare’s proxy/anonymizer category does not block DoH providers (which honestly isn’t that shocking, given that they are behind), but OpenDNS’s category does. If I’m attempting to protect my home (or work!) network from unauthorized use, I really should be able to block those. Blocking anything at DNS is worthless if all that’s required to bypass it is to set up DoH in Firefox to

This is my config in Unbound (as a plugin in OPNsense). Solves the dynamic IP issue…

# TLS Config
tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding Config
# each forward-addr is <ip>@<port>#<auth name>; the auth name is sent as the TLS SNI
# and is the name unbound verifies the upstream certificate against
forward-zone:
	name: "."
	forward-tls-upstream: yes
	forward-addr: [email protected]
	forward-addr: [email protected]
	forward-addr: 2a06:98c1:54::[email protected]
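As an added example (not from this thread or the OPNsense/unbound projects), a small Python checker for a forward-zone stanza of the shape above: it parses each forward-addr as <ip>@<port>#<auth name> and flags upstreams that would leave queries in plaintext or the DoT peer unverified, since without an auth name unbound has no name to check the certificate against. The addresses and auth name in the embedded sample are constructed placeholders.

```python
import ipaddress
import re
# Constructed sample stanza for this example; the addresses and the auth name are
# documentation placeholders, not the poster's real upstreams or account hostname.
SAMPLE_CONF = """
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.10@853#example-id.example.net
    forward-addr: 2001:db8::10@853#example-id.example.net
"""

# unbound's forward-addr form: <ip>[@<port>][#<auth name>] (auth name = TLS SNI + cert check)
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$")

def parse_forward_addr(value):
    # Returns (ip, port, auth_name); port defaults to 53, auth_name to None.
    m = ADDR_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable forward-addr: {value!r}")
    ipaddress.ip_address(m.group("ip"))  # reject anything that is not an IP literal
    return m.group("ip"), int(m.group("port") or 53), m.group("name")

def parse_forward_zone(text):
    """Return (tls_enabled, [(ip, port, auth_name), ...]) for one forward-zone stanza."""
    tls, upstreams = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "forward-tls-upstream":
            tls = val.lower() == "yes"
        elif key == "forward-addr":
            upstreams.append(parse_forward_addr(val))
    return tls, upstreams

def check_upstreams(text):
    """List settings that leave queries in plaintext or the TLS peer unverified."""
    tls, upstreams = parse_forward_zone(text)
    problems = []
    if not tls:
        problems.append("forward-tls-upstream is not 'yes': queries are forwarded in plaintext")
    for ip, port, name in upstreams:
        if tls and port != 853:
            problems.append(f"{ip}: TLS enabled but port {port} is not the DoT port 853")
        if tls and not name:
            problems.append(f"{ip}: no '#auth name', so the certificate is not verified")
    return problems
```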

This is actually super helpful, thank you.

I did not know that you could specify an SNI for the unbound config in this way, but it will undoubtedly come in handy in the future. Maybe for someone else…

For myself, I’ve dropped using unbound anyway, and switched to AdGuard Home. It’s slightly less performant compared to a native unbound solution, but not so much as to be noticeable, and it gives me just as much customization, with the added benefit of a UI for easily unblocking (or blocking again) sites from the log. It also provides a DHCP server, since my ISP is stupid and doesn’t allow me to specify the DNS servers I want if I am using their router’s DHCP… (This of course makes me even more suspicious of their DNS shenanigans :smiley: )