# Privacy-Focused DNS Configuration Guides

The configuration described here uses OPNsense's Unbound DNS resolver with DNS over TLS (DoT) to encrypt all upstream DNS queries, combined with Pi-hole on the same host for network-wide ad blocking, plus strict firewall and DNS redirect rules to prevent leaks. It is currently one of the most private and secure DNS setups available for a home or small office network.

### Why This Is Highly Private

* **DoT Encryption**: Encrypting all DNS traffic from OPNsense to upstream DNS servers with DoT protects against eavesdropping and man-in-the-middle attacks over the internet.
* **Pi-hole Integration**: Pi-hole filters out ads, trackers, and malware domains locally while forwarding DNS queries securely to the encrypted Unbound resolver, ensuring privacy and control over DNS resolution.
* **Firewall and NAT Rules**: Forcing clients to use Pi-hole for DNS, and blocking or redirecting all other DNS traffic, prevents leaks or bypasses that would expose queries unencrypted.
* **Local Recursive Resolution**: Unbound can be configured as a validating, recursive resolver, which reduces reliance on third-party DNS providers, further limiting data exposure.

### Potential Additional Privacy Enhancements

* Using a self-hosted, fully recursive Unbound instance on OPNsense without forwarding (querying the root servers directly) enhances privacy but may require more maintenance and resources.
* Combining DNS over HTTPS (DoH) alongside or instead of DoT could hide DNS traffic further within ordinary HTTPS traffic, although DoT is the mode OPNsense supports natively.
* Regularly updating blocklists in Pi-hole and enabling DNSSEC validation in Unbound add further robustness.
* Using privacy-focused upstream DNS providers (e.g., Quad9, Cloudflare with privacy features) is recommended.
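An added example, not part of the original guide or of the OPNsense or Unbound projects: a small Python audit of the Unbound forward-zone syntax that underlies a DoT setup like the one above. It flags the three configurations that look encrypted but are not: TLS not switched on, no CA bundle to validate the upstream, and an address without an auth name to verify the certificate against. Both config samples are constructed; the CA bundle path is an assumption, and Quad9 (9.9.9.9, dns.quad9.net) is used as the upstream.

```python
# Constructed sample: TLS is on, but nothing verifies who answers on port 853.
WEAK_CONF = """
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853
"""
# Constructed sample of the hardened form; the CA bundle path is an assumption.
HARDENED_CONF = """
server:
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

def parse_unbound(text):
    """Minimal clause parser: a 'name:' header opens a section, 'key: value' lines fill it."""
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":  # clause header such as "server:" or "forward-zone:"
            current = server if key == "server" else {}
            if key == "forward-zone":
                zones.append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)  # forward-addr may repeat
    return server, zones

def audit_dot(text):
    """One finding per weakness; [] means TLS on 853 with a CA bundle and auth name."""
    server, zones = parse_unbound(text)
    findings = []
    for zone in zones:
        name = zone.get("name", ["?"])[0]
        if zone.get("forward-tls-upstream", ["no"])[0].lower() != "yes":
            findings.append(f"zone {name}: forward-tls-upstream is not yes, queries leave in plaintext")
            continue  # the remaining checks only matter once TLS is on
        if "tls-cert-bundle" not in server and "tls-system-cert" not in server:
            findings.append(f"zone {name}: no tls-cert-bundle/tls-system-cert, no CA to validate upstream")
        for addr in zone.get("forward-addr", []):
            if "@853" not in addr:
                findings.append(f"zone {name}: {addr} is not on the DoT port 853")
            if "#" not in addr:
                findings.append(f"zone {name}: {addr} has no auth name, certificate not verified")
    return findings
```

Run `audit_dot` over the generated Unbound configuration after changing the DoT settings; a clean result is the precondition for the firewall redirect rules above actually buying any privacy.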

### Summary

This setup represents a strong privacy-first DNS architecture for most users. It securely encrypts DNS, controls DNS traffic flow on the network, and filters unwanted content, all with open-source components and configurable controls.

