OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: HighFive on December 10, 2025, 09:22:00 PM

Title: What's wrong with my idea of dnsmasq internal and Unbound for external?
Post by: HighFive on December 10, 2025, 09:22:00 PM
Hi,

Everybody seems to do it the other way around. My intuition and idea would be that dnsmasq would serve as the dhcpd and also resolve internal DNS queries (as internal DNS). Unbound, however, would be the "upstream" DNS server and would listen (on the internal LAN) on port 5553 and do the resolving for external addresses.

Am I missing something important? Why would this be stupid/subpar, since everyone seems to be doing it the other way around?

I'm currently still running 25.1.9_2-amd64.

Thanks
Title: Re: What's wrong with my idea of dnsmasq internal and Unbound for external?
Post by: Patrick M. Hausen on December 10, 2025, 09:28:56 PM
No - having Unbound as the last recursive server in your local chain is perfectly reasonable. It is still up to you if you let Unbound do recursion on its own starting at the root or if you point it at one of the public DoT servers. That's balancing whom you trust more - e.g. 1.1.1.1 or your local ISP. I trust my local ISP because I am located in the EU and we have strong customer rights and privacy laws. So I run Unbound without any explicit upstream.

In my case I run AdGuard Home as the client facing service which then forwards to Unbound. Unbound also does local reverse resolution, because I run Kea and not DNSmasq.

But there is nothing wrong with your setup, really.
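To make the split described in the question and the reply concrete (dnsmasq as DHCP server and authoritative for the local zone on port 53, Unbound on port 5553 doing the external resolution, either recursing from the root or forwarding over DoT), here is an added example of the equivalent configuration in plain dnsmasq and Unbound syntax. It is not taken from the thread or from OPNsense's generated files; on OPNsense both services are configured through the GUI, which regenerates these files, so this is only an illustration of the intended settings. The interface name `igc1`, the `192.168.1.0/24` addressing, the `.lan` domain, and the file paths are assumptions.

```ini
# --- dnsmasq (client-facing resolver + DHCP), assumed path /usr/local/etc/dnsmasq.conf ---

# Answer only on the LAN interface (assumed name igc1); never expose this on WAN.
interface=igc1
bind-interfaces
port=53

# DHCP for the LAN; leases are registered in DNS under the local domain.
dhcp-range=192.168.1.100,192.168.1.200,12h
domain=lan
expand-hosts
# Names under .lan are answered from leases/hosts only and never forwarded.
local=/lan/

# Hygiene: never forward single-label names or private-range reverse lookups.
domain-needed
bogus-priv

# Ignore /etc/resolv.conf; the only upstream is Unbound on the loopback port.
no-resolv
server=127.0.0.1#5553

# --- Unbound (upstream resolver), assumed path /usr/local/etc/unbound/unbound.conf ---

server:
    port: 5553
    # Bind to loopback only, so only dnsmasq on this box can reach it.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Validate answers; the trust anchor path is an assumption for this example.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes

    # Needed only if the optional DoT forward-zone below is enabled (path assumed).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# With no forward-zone, Unbound recurses on its own starting at the root
# (the setup the reply describes). To forward to a public DoT resolver
# instead, uncomment this block; the hostname after '#' is what the TLS
# certificate is checked against.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

The security-relevant points are the two binding decisions: dnsmasq listens only on the LAN interface, and Unbound listens only on loopback and refuses everything that is not `127.0.0.0/8`, so neither service can be reached from the WAN or become an open resolver. If Unbound is instead bound to a LAN address on port 5553 (as the question suggests), the `access-control` lines should be widened to the LAN prefix only, never to `0.0.0.0/0 allow`.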