Dear all,
what was pretty easy with ISC, "somehow" doesn't want to fly using dnsmasq.
Using the option "forward first" in unbound appears not to work correctly.
At least, on my side, that option didn't bring any success.
Has anyone been able to implement Split Horizon DNS aka Split Brain DNS so far?
Would you mind sharing your thoughts and ideas with me?
Kind regards,
Quote from: Kornelius777 on February 10, 2026, 06:47:42 AM
what was pretty easy with ISC
Since ISC does not do DNS, I wonder what exactly it was you implemented? The recursive DNS server that went with ISC DHCP was Unbound, so that part should work now just like it did back then?
Of course, it was unbound - and still is.
Nevertheless,
the whole host implementation was done with the help of ISC.
Now, it shall be realized via dnsmasq.
Unbound however appears not to play well with dnsmasq, yet.
Yet again my question:
How would you implement a Split Horizon DNS setup?
Kind regards,
I still fail to see the connection with ISC and/or DNSmasq. Is it about handing different DNS server addresses to clients in different networks? Or about DNS updates from DHCP leases? Or what else?
It's about Split Horizon DNS.
Query "host.domain.tld" from outside and get a different result if you query "host.domain.tld" from inside. Same domain name. Same hostname.
Furthermore:
If "host.domain.tld" is non-existent on the LAN but exists in the outside world:
Resolve it nevertheless - however, forward the query into the internet.
This works nicely (and is well implemented in unbound) if you use ISC.
I do not get it working if I have to use dnsmasq behind unbound (as is proposed for 26.1 onwards).
And once more my request:
How can I implement this using dnsmasq behind unbound?
What is the tweak?
Quote from: Kornelius777 on February 10, 2026, 12:15:32 PM
Query "host.domain.tld" from outside and get a different result if you query "host.domain.tld" from inside.
Yes, perfectly understood. I don't get in which way the DHCP server - ISC or DNSmasq - plays into that.
Are you using DNSmasq for DNS? That's what I did not get at first. Then the solution is simple: don't. Only use Unbound for DNS like you used to and use DNSmasq strictly for DHCP. Or switch to Kea for that.
Well.
"Don't" doesn't help me answer my question.
Maybe somebody could explain how this CAN be implemented (as concretely as possible).
Thank you kindly.
Just use only Unbound for DNS - what is wrong with that?
Quote from: Kornelius777 on February 10, 2026, 12:15:32 PM
Furthermore:
If "host.domain.tld" is non-existent on the LAN but exists in the outside world:
Resolve it nevertheless - however, forward the query into the internet.
This works nicely (and is well implemented in unbound) if you use ISC.
I do not get it working if I have to use dnsmasq behind unbound (as is proposed for 26.1 onwards).
Post your old config for the ISC setup and I am sure someone can figure out how to convert it to the new setup :)
Now it's like:
"Hey guys, I had this thing working which I am not going to tell you anything about and you guys have to guess the solution that I like to make sure it works again!"
And that's not very motivating for most people...
Also I still don't get how ISC or DNSmasq can be in any way connected to split DNS.
Old config:
DNS: Unbound
DHCP: ISC
New config:
DNS: Unbound
DHCP: DNSmasq
If he introduced DNSmasq into the DNS resolver chain, I'd still recommend simply not to do that. With Unbound unchanged everything will work exactly as before, won't it?
Quote from: Patrick M. Hausen on February 10, 2026, 03:39:57 PM
With Unbound unchanged everything will work exactly as before, won't it?
Let's just say he sparked my curiosity and I want to see what the heck he is talking about ;)
IMHO the old setup should have been like this:
- ISC DHCP talking to Unbound for DNS Registration of Hostnames.
And the new setup should be like this according to the OPNsense documentation:
- DNSmasqd does the DNS registration of hostnames, but all the clients talk directly to Unbound, so you need to tell Unbound about the existence of the DNSmasqd hostname DNS registration database/cache.
TL;DR : The same but with a twist! :)
Registration of hostnames was nowhere mentioned. I don't use it. That's probably why I failed to understand the problem.
So - how DO you do it?
If you only use unbound (unlinked from dnsmasq), you will need overrides to resolve your hostnames internally.
For overrides, you need (static) IP addresses.
How do you produce those?
The consequence of using overrides is double host management. Is that really the easiest and most practical way?
Quote from: Kornelius777 on February 10, 2026, 05:13:29 PM
If you only use unbound (unlinked from dnsmasq), you will need overrides to resolve your hostnames internally.
For overrides, you need (static) IP addresses.
I am only interested in hosts I need to address, like internal services/servers. I don't need and don't want clients registered in DNS. Too much fragile technology for essentially nothing. Like reverse mapping getting stale and then I get nonsensical information back. Better no information than the wrong one. I can always browse the "Bonjour" (mDNS) domain with Discovery, look up the MAC, or use nmap to identify a system if I really need to.
I use Unbound with Kea to register static mappings.
This obviously is a different approach from mine.
My explicit question was how to realize Split Horizon DNS (https://en.wikipedia.org/wiki/Split-horizon_DNS).
Unfortunately, this whole discussion did not get me any step into that direction... ...yet...
Maybe, somebody could share some thoughts about that?
Looking forward to reading from you all!
You did split horizon with Unbound. Just keep doing it the same way. Split horizon and dynamic leases are in no way related.
I assume you have hosts registered in dnsmasq and you want to reference those using a local dns name. In this case, you would set up query forwarding in Unbound to point queries with this domain to dnsmasq. This documentation contains an example: (https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration). I've been on dnsmasq for a while now and don't remember how this was done with ISC, but it might have been automatic before.
If my assumption is false and you are trying to do something else, then I don't know.
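A worked Unbound configuration for the forwarding approach described in this post, combined with the split-horizon requirement stated earlier in the thread, added here as an example (it is not from any poster in this thread and not from the OPNsense documentation). It assumes the names domain.tld and lan.domain.tld, the address 192.0.2.10, and a dnsmasq instance listening on 127.0.0.1 port 53053; OPNsense generates its own unbound.conf, so directives like these belong in a custom include file, not in the generated file.

```conf
# Added example (not from any poster in this thread): Unbound server
# configuration implementing split-horizon DNS next to dnsmasq forwarding.
# Assumed values: domain.tld / lan.domain.tld, 192.0.2.10, dnsmasq on
# 127.0.0.1 port 53053.
server:
    # Unbound refuses to send queries to localhost by default; this must be
    # switched off or the forward-zone below to 127.0.0.1 is never used.
    do-not-query-localhost: no

    # With rebind protection (private-address) active, RFC1918 answers are
    # dropped unless the domain is declared private. Covers subdomains too.
    private-domain: "domain.tld."

    # "transparent": a name that has local-data here is answered from it
    # (the inside view); every other name under domain.tld falls through to
    # normal recursion and is resolved on the internet (the outside view).
    local-zone: "domain.tld." transparent
    local-data: "host.domain.tld. 3600 IN A 192.0.2.10"
    local-data-ptr: "192.0.2.10 host.domain.tld."

    # Only needed if domain.tld is DNSSEC-signed in public DNS: the forwarded
    # sub-zone served by dnsmasq is unsigned, so validation is disabled there.
    domain-insecure: "lan.domain.tld."

# DHCP-registered hostnames (assumed to live under lan.domain.tld) are sent
# to dnsmasq. forward-first: no makes a negative answer from dnsmasq final;
# forward-first: yes only falls back to recursion when the forwarder does not
# respond (timeout/SERVFAIL), not when it answers NXDOMAIN.
forward-zone:
    name: "lan.domain.tld."
    forward-addr: 127.0.0.1@53053
    forward-first: no
```

A quick check is `drill host.domain.tld @127.0.0.1` (expects 192.0.2.10) versus `drill other.domain.tld @127.0.0.1` (expects the public answer), and a registered lease name under lan.domain.tld should return the address dnsmasq holds for it.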