OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: tuxlemmi on January 06, 2026, 06:06:36 PM

Title: Unbound to forward .home domain
Post by: tuxlemmi on January 06, 2026, 06:06:36 PM
Hey guys,

Unbound hasn't forwarded *.home domains since the last update to 25.7.10.
It worked before for quite a few years.

Does anybody know why?



Title: Re: Unbound to forward .home domain
Post by: OPNenthu on January 06, 2026, 06:48:27 PM
Not sure what changed w.r.t. Unbound, but it seems that .home is best avoided in any case, as it's neither here nor there (not a valid gTLD, and not successfully ratified as a private one either) due to collision concerns.

https://icannwiki.org/.home
https://www.icann.org/en/board-activities-and-meetings/materials/approved-board-resolutions-regular-meeting-of-the-icann-board-04-02-2018-en#2.c

Quote: Whereas, in 2015, individuals in the IETF's DNS Operations working group wrote an Internet Draft, the first step in developing an RFC that reserved the CORP, HOME, and MAIL labels from delegation into the top level of the DNS, but the working group and the authors of that draft were unable to reach consensus on the criteria by which labels would be reserved and the effort to create an RFC on the topic was abandoned.

.home.arpa is fit for purpose, but now we have .internal as well (used in OPNsense documentation e.g. Dnsmasq examples).
Title: Re: Unbound to forward .home domain
Post by: nero355 on January 07, 2026, 12:14:04 AM
Quote from: OPNenthu on January 06, 2026, 06:48:27 PM: but now we have .internal as well (used in OPNsense documentation e.g. Dnsmasq examples).
I believe it was introduced as a solution for all those people using .local when they shouldn't, because of mDNS conflicts breaking a lot of stuff...

So far I have not seen any conflicts or weird issues when using thuis.lan, so if you're German, for example, you could use zuhause.lan or something like that. It's basically home.lan, but since the home part is tricky I would maybe use athome.lan if you are English/American :)
Title: Re: Unbound to forward .home domain
Post by: Patrick M. Hausen on January 07, 2026, 12:19:12 AM
.lan was proposed as a generic internal TLD in an RFC draft which never made it into an RFC. So it works for now, but with no guarantees.

The best solution is: own one single domain. They are cheap.

Then use "mylocation.mydomain.com" or "internal.mydomain.com" for your LAN - no conflicts will ever occur as long as the current domain and DNS system exists.
Title: Re: Unbound to forward .home domain
Post by: nero355 on January 07, 2026, 12:25:15 AM
Quote from: Patrick M. Hausen on January 07, 2026, 12:19:12 AM: So works for now, but no guarantees.
I just really dislike .internal and had been using .lan for many years before they finally decided to agree on .internal ;)

Quote: The best solution is: own one single domain. They are cheap.
Getting more expensive each year for a while now, so no guarantees there either...

Quote: Then use "mylocation.mydomain.com" or "internal.mydomain.com" for your LAN - no conflicts will ever occur as long as the current domain and DNS system exists.
IMHO more a thing for companies than for home users :)
Title: Re: Unbound to forward .home domain
Post by: OPNenthu on January 07, 2026, 12:38:19 AM
I can't argue with Patrick on technical correctness, but the concern I have as a home user with no external-facing services (not yet, anyway) is that I don't need unnecessary attention from bots/scrapers/whoever knocking at my firewall's front door just because I advertised my network's existence in DNS.

Maybe it's a non-issue.  They are constantly knocking anyway.  The "Default deny" rule is very deserving of a pay raise :)

(Then again, I do use DDNS for Wireguard since I don't have static IPs, so... blah)
Title: Re: Unbound to forward .home domain
Post by: Patrick M. Hausen on January 07, 2026, 12:44:30 AM
@OPNenthu if you register "mydomain.com" with some domain registrar and do not put any public IP address of your home infrastructure into that zone, you will not be any worse off than you already are with the bots scanning the legacy (IPv4) Internet 24x7 anyway.

I am not publishing my "mylocation.mydomain.com" in the public DNS. While all you regulars on this forum can probably guess at least my ".com" domain from my name, I always use e.g. "mydomain.com" in my posts so it won't be scraped by bots, AI, etc.

For anyone specifically targeting me it's trivial to find.

But anyway, you need not pick your real last name as your domain name, and the point of such a setup is *not* to publish that internal subdomain.

Hope that clarifies it a bit. A domain registration is just reserving a name. There is no need to connect any IP address with it.
Title: Re: Unbound to forward .home domain
Post by: OPNenthu on January 07, 2026, 01:09:27 AM
I did not know that. Does the registrar automatically park the domain at one of their IPs in that case, or does it just resolve to NXDOMAIN? (not that it matters, just curious)
Title: Re: Unbound to forward .home domain
Post by: Patrick M. Hausen on January 07, 2026, 06:46:45 AM
There will be an SOA and a couple of NS records but nothing else. Why would the domain registrar put any A or AAAA record in the zone if you don't tell them to?
Title: Re: Unbound to forward .home domain
Post by: OPNenthu on January 07, 2026, 01:24:03 PM
I imagined it like a phone book publisher. Some people may have private numbers which are unlisted in the book, but you would not see names listed with a blank number, as it would be nonsensical.

Although "book" is the operative word here (I'm just old enough to remember public pay phones and phone books), because I guess in a digital registry space is cheap and you could keep all kinds of records.
Title: Re: Unbound to forward .home domain
Post by: bamf on January 07, 2026, 02:22:03 PM
Use .home.arpa. It is a local zone by default in Unbound.

If you want to use .internal, you may add it manually to the local zones via a config file in /usr/local/etc/unbound.opnsense.d

server:
  local-zone: "internal." static
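Added example, not posted by anyone in this thread: a complete custom include file that combines bamf's static .internal zone with the forwarding tuxlemmi actually needs for .home, plus the two settings a validating, rebind-protected Unbound needs before it will hand out answers for a private TLD. It assumes the file is saved as /usr/local/etc/unbound.opnsense.d/private-zones.conf (file name chosen here; OPNsense only includes files from that directory with a .conf extension) and that the customer's Windows DNS server is at 192.168.10.5 (made-up address).

```unbound
# /usr/local/etc/unbound.opnsense.d/private-zones.conf   (assumed file name)
server:
  # .internal answered purely locally, as in bamf's post: only local-data
  # entries under it resolve, everything else gets NXDOMAIN and is never
  # sent upstream.
  local-zone: "internal." static

  # "home." does not exist in the signed root zone, so a validating Unbound
  # has a signed proof of non-existence for it and would mark the customer's
  # (unsigned) answers bogus, returning SERVFAIL. Ignore the chain of trust
  # for this name only.
  domain-insecure: "home."

  # With rebind protection (private-address) enabled, RFC 1918 addresses in
  # answers are dropped unless the domain is whitelisted here.
  private-domain: "home."

# Hand every query under home. to the customer's DNS server instead of
# resolving it (or failing it) through the root.
forward-zone:
  name: "home."
  forward-addr: 192.168.10.5   # assumed address of the customer's Windows DNS
```

After restarting Unbound, `unbound-control list_forwards` should list the home. forward and `unbound-control list_local_zones` should include `internal. static`. If .home queries still get NXDOMAIN or SERVFAIL, `unbound-control list_local_zones` is also the place to check whether something else declares "home." as a local zone, since a local-zone always wins over a forward-zone of the same name.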
Title: Re: Unbound to forward .home domain
Post by: tuxlemmi on January 09, 2026, 07:05:40 AM
It was not my intention to start a fundamental discussion about the .home domain.
A customer has such a domain, which wasn't a problem for the last 5 years as Unbound forwarded the domain correctly to the customer's DNS server (Windows).
But since the last update it doesn't anymore.