Hello all,
I made the move to DNSmasq for local DNS and DHCP services, with Unbound as my authoritative server that looks at Quad9 on the Internet. Attached is my Dnsmasq config and Unbound config. Am I missing anything in the configs? Lastly I am using the DNSSEC services from Quad9. When I try to hit their URL for this I get back an unable to parse request message. Does this mean I do not have DNSSEC configured correctly?
Thanks,
Steve
Screenshot 3: I would turn off DNS within dnsmasq (change the listen port to 0). You also do not need DNSSEC enabled if using Quad9.
I use Unbound and it works 100% reliably.
I set up DNS over TLS for Quad9 or similar products, though.
So this brings up an interesting question. If unbound is by nature recursive do I need to forward to another nameserver on the Internet? Is that just an extra step that gets me nothing but log entries of my activity?
It's personal preference.
Unbound set to not forward should never go down or have any issues. It also does not use DNS over TLS, which I prefer to use myself:
If forwarding, you are at the mercy of the servers you choose to forward to for privacy and reliability.
If you use DoT do you just configure the nameservers in that Unbound section and you are good to go? For example the Quad9 DNSSEC IPs?
I turn off DNSSEC: https://docs.quad9.net/Setup_Guides/Open-Source_Routers/OPNsense_%28Encrypted%29/
OK, so I turned off DNSSEC on both dnsmasq and Unbound. I configured the DoT stuff in Unbound and tested successfully from the OPNsense CLI.
Thank you!
Quote from: DEC670airp414user on December 22, 2025, 06:20:19 PM
Screenshot 3: I would turn off DNS within dnsmasq (change the listen port to 0). You also do not need DNSSEC enabled if using Quad9.
I use Unbound and it works 100% reliably.
I set up DNS over TLS for Quad9 or similar products, though.
Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.
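As an added example, not taken from any post in this thread, here is what the two setups being argued over look like in raw unbound.conf and dnsmasq.conf terms: variant A is the advice above (dnsmasq does DHCP only, Unbound forwards everything to Quad9 over DoT), variant B keeps dnsmasq as the authority for the local domain so DHCP clients still resolve. The local domain `lan`, the dnsmasq port 5353 and the CA bundle path /etc/ssl/cert.pem are assumptions; on OPNsense the GUI renders equivalent lines rather than you editing these files by hand. The Quad9 addresses and the authname dns.quad9.net are Quad9's published values.

```conf
### Variant A: Unbound does all DNS, dnsmasq does DHCP only

# dnsmasq.conf
port=0                      # no DNS listener at all; DHCP keeps running

# unbound.conf
server:
    # CA bundle used to verify the upstream certificate against the '#authname' below.
    # Path is an assumption (the FreeBSD/OPNsense default bundle).
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Keep the default module-config (validator + iterator) if Unbound should set the
    # AD bit itself; "iterator" alone means you rely on Quad9's validation instead.
    # module-config: "iterator"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#authname: the TLS certificate presented must match the authname
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net

### Variant B: keep dnsmasq for the local domain so DHCP clients still resolve

# dnsmasq.conf
port=5353                   # off 53 so it does not collide with Unbound
domain=lan
local=/lan/                 # answer lan from leases/hosts only, never upstream
no-resolv                   # never forward; Unbound owns the Internet side

# unbound.conf additions (the "." forward-zone above stays as it is)
server:
    do-not-query-localhost: no   # Unbound refuses 127.0.0.0/8 upstreams by default
    domain-insecure: "lan"       # unsigned zone: do not expect DNSSEC proof for it
    private-domain: "lan"        # allow RFC 1918 answers under lan when private-address is set

forward-zone:
    name: "lan"
    forward-addr: 127.0.0.1@5353
```

The two lines most often missed in variant B are `do-not-query-localhost: no` (without it the `lan` forward silently never gets queried) and `domain-insecure: "lan"` (without it, a validating Unbound will treat the unsigned local answers as bogus and SERVFAIL them).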
@DEC670airp414user. Is there a downside to DNSSEC? From google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.
@Stormscape. I do not think your answer is accurate. I use Kea for DHCP and Unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added, after a restart of the Unbound service.
When using servers that use DNSSEC, you don't need it enabled on the router within Unbound.
That is my understanding.
Quote from: vimage22 on December 24, 2025, 04:32:56 PM
@DEC670airp414user. Is there a downside to DNSSEC? From google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.
@Stormscape. I do not think your answer is accurate. I use Kea for DHCP and Unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added, after a restart of the Unbound service.
Well Kea isn't dnsmasq, now is it?
"Well Kea isn't dnsmasq, now is it?"
Yes, you are correct.
Quote from: Stormscape on December 25, 2025, 10:10:12 AM
Quote: @DEC670airp414user. Is there a downside to DNSSEC? From google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.
@Stormscape. I do not think your answer is accurate. I use kea for DHCP and unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added after a restart of the unbound service.
Well Kea isn't dnsmasq, now is it?
Exactly — Kea isn't dnsmasq. The DHCP behavior differs, and Unbound will need some extra configuration for IPv6 to fully integrate reservations. It's not a bug, just a difference in implementation.
Quote from: Stormscape on December 24, 2025, 10:40:57 AM
Quote from: DEC670airp414user on December 22, 2025, 06:20:19 PM
Screenshot 3: I would turn off DNS within dnsmasq (change the listen port to 0). You also do not need DNSSEC enabled if using Quad9.
I use Unbound and it works 100% reliably.
I set up DNS over TLS for Quad9 or similar products, though.
Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.
I am using dnsmasq for local resolution and Unbound is for resolving on the Internet.
Great. And you needed to add a forward from Unbound to dnsmasq, right? As for DNSSEC, I have been reading up on this:
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too
I think DNSSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"
It seems like a provider, like cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them. If you turn off DNSSEC, then you can no longer trust the answer you get was from your provider.
In summary:
DoT: Encrypts your DNS query.
DNSSEC: cryptographically verifies DNSSEC-signed records. (only within unbound)
Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.
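The summary above (DoT for the envelope, DNSSEC for the content) can be checked on the wire. What follows is an added example, not from any post in this thread: a small Python script that builds a DNS query with the EDNS0 DO bit set, decodes the header flags of a response (the AD bit is the only place a validating resolver's verdict shows up in the message, while DoT leaves no trace in the message at all), and, with --live, sends the query over DoT to Quad9 with the certificate checked against the authname. The three sample responses are constructed bytes; the name example.com, the address 9.9.9.9 and the authname dns.quad9.net are the assumptions it makes.

```python
"""Added example: inspect what DNSSEC validation and DoT each leave behind.
Sample responses below are constructed, not captured traffic."""
import socket
import ssl
import struct

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the resolver validated DNSSEC (RFC 4035)
FLAG_CD = 0x0010  # checking disabled: ask the resolver not to validate
RCODE_MASK = 0x000F
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True, checking_disabled=False):
    """Return a wire-format query. dnssec_ok adds an EDNS0 OPT RR with the DO bit so
    the resolver returns RRSIGs and may set AD; checking_disabled sets the CD bit."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, EDNS version 0,
        # flags with DO (0x8000) set, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte header into the flags a practitioner cares about."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": RCODES.get(flags & RCODE_MASK, str(flags & RCODE_MASK)),
        "counts": (qd, an, ns, ar),
    }


def classify(response):
    """Say what the header tells you about validation (and nothing about transport)."""
    h = parse_header(response)
    if h["rcode"] == "SERVFAIL":
        return "SERVFAIL: with CD clear this is what a validating resolver returns for a bogus chain (or an upstream failure)"
    if h["ad"]:
        return "AD set: the resolver that answered validated the chain; you are trusting its word"
    return "no AD: answer was not validated by the resolver that answered (unsigned zone, or validation off)"


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session early")
        buf += chunk
    return buf


def query_dot(server_ip, authname, name, qtype=1, timeout=5.0):
    """DNS-over-TLS (RFC 7858): TCP/853, certificate checked against authname,
    two-byte length prefix on each message. This is the envelope; AD is the content."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    q = build_query(name, qtype)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)


# Constructed sample responses (header only; counts say 1 question, nothing else).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 0, 0, 0)    # QR RD RA AD
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)  # QR RD RA
SAMPLE_BOGUS = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)        # QR RD RA, SERVFAIL

if __name__ == "__main__":
    import sys
    for label, sample in (("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED), ("bogus", SAMPLE_BOGUS)):
        print(f"{label:12} -> {classify(sample)}")
    if "--live" in sys.argv:  # assumption: Quad9 at 9.9.9.9, authname dns.quad9.net
        resp = query_dot("9.9.9.9", "dns.quad9.net", "example.com")
        print("quad9/DoT   ->", parse_header(resp), classify(resp))
```

Point the --live query at your own Unbound (changing the address and authname to match its listener) with validation on and then off and compare the AD bit: the TLS handshake succeeding tells you who you are talking to, and only the AD bit tells you whether the answer was validated, and by whom. A SERVFAIL for a name you know is correctly signed is the failure mode the next post refers to.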
Quote from: vimage22 on December 27, 2025, 04:56:24 PM
Great. And you needed to add a forward from Unbound to dnsmasq, right? As for DNSSEC, I have been reading up on this:
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too
I think DNSSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"
It seems like a provider, like cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them. If you turn off DNSSEC, then you can no longer trust the answer you get was from your provider.
In summary:
DoT: Encrypts your DNS query.
DNSSEC: cryptographically verifies DNSSEC-signed records. (only within unbound)
Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.
DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures.
Quote: DNSSEC is already enforced by Quad9
Maybe, but you are not addressing the technical details of my response. Without DNSSEC, you have no guarantee that the DNS answer is from Quad9.
BTW, I am running a performance test with DNSSEC fully enabled vs. disabled. Granted, using Cloudflare, as opposed to Quad9. I want to look at a 24 hr period looking at:
Services: Unbound DNS: Statistics:
It will show:
Recursion time (average):
Recursion time (median):
Hoping this will show any performance issue.
I have been testing with DNSSEC off, but DoT is still on. I am starting to agree with DEC670airp414user on this, even though the information I found seems to lead in another direction.
In particular, this option appears to affect performance:
"Harden DNSSEC Data"