Unlike systemd-based Linux distributions, FreeBSD does not come with a switch to automatically turn on DNS-over-TLS (DoT) for the system resolver, and requires a bit of work to use an encrypted channel for domain resolution. In this post, we’ll look at how to set up DoT for FreeBSD using unbound(8), enable some hardening, and block all non-encrypted DNS traffic over port-53.
