Feature Request: Implement Bootstrap DNS for Unbound

[CallMeR]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• [*] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• [*] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

First of all, thank you very much for your contributions to the OPNsense project. I am an enthusiastic user and have identified a potential feature that could improve user experience.

Currently, when adding DoT upstream servers in OPNsense's Unbound service, the Server IP parameter is mandatory.

However, I have noticed that many DoT service providers, especially large internet companies, usually have multiple IP addresses, and sometimes use Anycast technology, resulting in a single domain name possibly corresponding to multiple IPv4 and IPv6 addresses.

For example, Cloudflare's DoT servers have multiple IP addresses. In such cases, manually adding all IP addresses can become tedious and error-prone.

Cloudflare supports DNS over TLS (DoT) on 1.1.1.1, 1.0.0.1, and the corresponding IPv6 addresses (2606:4700:4700::1111 and 2606:4700:4700::1001) on port 853. If your DoT client does not support IP addresses, Cloudflare’s DoT endpoint can also be reached by hostname on one.one.one.one.

I discovered that some DNS forwarders or server software similar to Unbound support a feature called "Bootstrap DNS".

This feature allows users to only fill in the DoT server's domain name (port optional), and the system will resolve the domain name to the correct IP address through Bootstrap DNS during initialization.

Implementing this feature could offer the following benefits:

• Simplify the configuration process, reducing repetitive operations for users.
• Enhance system flexibility, automatically adapting to changes in DoT server IPs.
• Improve reliability, automatically switching to other available addresses when a particular IP is not usable.

Describe the solution you like

Introduce Bootstrap DNS functionality in Unbound, whereby the Server IP field becomes optional when adding DoT servers.

If a user provides a Server IP, Unbound should use this specified IP exclusively.

If no IP is provided, Unbound would automatically resolve the server's domain name to its current IP addresses at startup, through the Bootstrap DNS mechanism.

Describe alternatives you considered

Utilize existing DNS infrastructure to provide "Bootstrap DNS" - like functionality:

• Use the regular upstream DNS servers set in Query Forwarding (or the DNS servers in system settings) to resolve DoT server domain names.
• This approach would leverage existing configurations to provide similar functionality without introducing new components.

[AdSchellevis]

I haven't seen examples of how to do this with Unbound, but modifying the configuration with dns lookups before startup will likely be quite fragile. If there is a facility in Unbound to assist here, I won't mind taking a look.

[CallMeR]

I have also submitted the relevant issues to Unbound's upstream and received a response , but I am not entirely sure if this is helpful for this FR.

I am still in the process of deepening my understanding and trying out Unbound's configuration files. However, it seems that the forward-host feature is a good starting point. :)