OpenBSD - Updated and simplified instructions

Author: ztheory

docs/en/Setup_Guides/Linux_and_BSD/FreeBSD_(Encrypted).md

@@ -73,8 +73,6 @@ Original /etc/resolv.conf saved as /var/backups/resolv.conf.20220625.200835
 ```
 ## Instructions
 
-* Configuring local_unbound for DNS over TLS to Quad9
-
 This command will back up the default configuration files, download the modified config files from the attachment of this article, and restart the local_unbound service.
 
 ```

docs/en/Setup_Guides/Linux_and_BSD/OpenBSD_(Encrypted).md

@@ -2,7 +2,7 @@
 
 This article describes how to configure and use Unbound on OpenBSD in order to send encrypted DNS via DNS over TLS to Quad9.
 
-This was tested using OpenBSD 7.1.
+This was tested using OpenBSD 7.7.
 
 !!! warning "Firefox, VPNs"
     * **Firefox** is set to use Cloudflare DNS by default in some regions. If you're using Firefox, check that [this is disabled](https://support.mozilla.org/en-US/kb/dns-over-https#w_configure-doh-protection-settings).
@@ -42,47 +42,38 @@ forward-addr: 2620:fe::fe@853#dns.quad9.net
 forward-addr: 2620:fe::9@853#dns.quad9.net
 ```
 
-* Set Unbound to start on system startup, and enable the service (run these commands one at a time):
+* Set Unbound to start on system startup, and start the service:
 
 ```
-rcctl enable unbound
-```
-```
-rcctl start unbound
+rcctl enable unbound && rcctl start unbound
 ```
 
-## Verify Configuration
+* Disable resolvd to prevent automatically overriding the `/etc/resolv.conf` file:
 
-Open a separate/second Terminal session to the OpenBSD system as the root user and start a packet capture, filtering for port 853 (DNS over TLS port):
-tcpdump -n 'port 853'
-
-* On your first Terminal session, make sure Unbound can answer DNS queries:
-dig +short quad9.net @127.0.0.1
+```
+rcctl disable resolvd && rcctl stop resolvd
+```
 
-The result should be: 216.21.3.77
+* Set your system to start using Unbound for DNS by backing up the existing resolv.conf file and set 127.0.0.1 as the DNS server for the system:
 
-On your second Terminal session, tcpdump should show output like this, which confirms that the DNS query was sent to Quad9 with DNS over TLS:
 ```
-tcpdump: listening on em0, link-type EN10MB
-00:29:08.307240 192.168.1.194.42064 > 149.112.112.112.853: S 3620809840:3620809840(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 495425124 0> (DF)
-00:29:08.313467 149.112.112.112.853 > 192.168.1.194.42064: S 1684627303:1684627303(0) ack 3620809841 win 28960 <mss 1460,nop,nop,timestamp 3541989193 495425124,nop,wscale 8> (DF)
-00:29:08.313559 192.168.1.194.42064 > 149.112.112.112.853: . ack 1 win 256 <nop,nop,timestamp 495425124 3541989193> (DF)
-00:29:08.313895 192.168.1.194.42064 > 149.112.112.112.853: P 1:310(309) ack 1 win 256 <nop,nop,timestamp 495425124 3541989193> (DF)
-00:29:08.319973 149.112.112.112.853 > 192.168.1.194.42064: . ack 310 win 118 <nop,nop,timestamp 3541989200 495425124> (DF)
-00:29:08.320719 149.112.112.112.853 > 192.168.1.194.42064: . 1:1449(1448) ack 310 win 118 
+mv /etc/resolv.conf /etc/resolv.BAK && echo "nameserver 127.0.0.1" > /etc/resolv.conf
 ```
 
-Set your system to start using Unbound for DNS by backing up the existing resolv.conf file and set 127.0.0.1 as the DNS server for the system:
+## Verify Configuration
+
+Using the [Quad9 Protocol test](https://docs.quad9.net/FAQs/#protocol-test-confirm-on-which-protocol-quad9-received-your-query), the result should be `dot.`, which indicates your queries are being sent to Quad9 and are encrypted with DNS over TLS:
+
 ```
-cp /etc/resolv.conf /etc/resolv.BAK && echo "nameserver 127.0.0.1" > /etc/resolv.conf
+dig +short txt proto.on.quad9.net.
 ```
 
 ## Undo
 
-If you want to stop using Unbound as the DNS server, simply restore the backed-up resolv.conf file:
+If you want to stop using Unbound as the DNS server and revert these changes, simply re-enable/start resolvd:
 
 ```
-mv /etc/resolv.BAK /etc/resolv.conf
+rcctl enable resolvd && rcctl start resolvd
 ```
 
 Questions? Issues? Didn't work? Contact us!