OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: JohnDoe17 on August 02, 2017, 10:43:58 pm

Title: Unbound vs. Dnsmasq
Post by: JohnDoe17 on August 02, 2017, 10:43:58 pm
I noticed in the 17.7 release notes there is mention that Unbound is the new default DNS service.

I don't know enough about DNS or Unbound vs. Dnsmasq to understand the significance of that announcement.

Is Dnsmasq not as secure as Unbound?  Is it not as fully featured?  Does Unbound perform better?  Is Dnsmasq deprecated or scheduled for removal in the future?

If I'm using Dnsmasq now, should I switch?  Does the 17.1 -> 17.7 upgrade package do the switching for me?  Will it transfer my Dnsmasq configuration to Unbound?


Thanks for the help!
Title: Re: Unbound vs. Dnsmasq
Post by: franco on August 03, 2017, 07:35:53 am
Hi there,

Very good questions. The main discussion and decision to switch the default was made in a German thread, link just for reference:


Unbound, like Bind, is a full DNS resolver which can talk directly to the DNS root servers.

Dnsmasq is only a forwarder; it will ask your nearest DNS (mostly the ISP's servers or Google).

Thus, a forwarder's answers are an implicit trust in the DNS server chain that you are using. It's in that sense less secure, in that it may not return what the root servers would return. In the worst case that is an attack or unwanted advertising. ;)

Furthermore, a resolver can use hardening / cryptography techniques to avoid plaintext and verify communication through e.g. DNSSEC. That is also better than its forwarder counterpart.

The "default" switch will not matter for upgraders from version 17.1, Dnsmasq will stay configured. New installs of 17.7 will have the new default. This is because connectivity could be severely disrupted by making this change depending on how Dnsmasq was configured for each individual case (overrides, interface bindings, etc.).

Switching manually from Dnsmasq to Unbound is pretty easy: disable Dnsmasq, copy your override settings, then switch on Unbound and check connectivity to websites. For clients nothing should change through this.
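One practical way to see the difference franco describes between a validating resolver and a plain forwarder, and to confirm after the switch that Unbound is actually validating, is to look at the flags in a `dig +dnssec` answer: a validating resolver sets the `ad` (authenticated data) flag on answers from signed zones and returns SERVFAIL for zones whose signatures fail, while a forwarder that does not validate passes the data through without `ad`. The script below is an added example, not code from the thread or from the OPNsense project; the three captured answers it classifies are constructed (TEST-NET address, fake RRSIG) to run offline, and the function name `classify_dns_answer` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the OPNsense thread): classify a captured `dig +dnssec`
# answer to tell a validating resolver (Unbound with DNSSEC) from a forwarder
# that does not validate (Dnsmasq with a plain upstream).

# Constructed capture: what a validating resolver returns for a signed zone.
# Note the 'ad' flag and the RRSIG record in the answer section.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600 IN A     192.0.2.1
example.com.  3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 12345 example.com. c29tZXNpZ25hdHVyZQ=='

# Constructed capture: the same data via a non-validating forwarder.
# The RRSIG is passed through, but no 'ad' flag is set because nothing checked it.
SAMPLE_FORWARDED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600 IN A     192.0.2.1
example.com.  3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 12345 example.com. c29tZXNpZ25hdHVyZQ=='

# Constructed capture: a validating resolver refusing a zone with bad signatures.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# classify_dns_answer "<dig output>"
# Prints one of: validated, signed-but-unvalidated, unvalidated, bogus-or-failed
classify_dns_answer() {
    answer=$1
    # Pull the rcode from the header line and the flag list from the flags line.
    status=$(printf '%s\n' "$answer" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$answer" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')

    # A validating resolver answers SERVFAIL when the chain of trust is broken;
    # a forwarder would usually have handed the bad data on instead.
    case "$status" in
        SERVFAIL) echo "bogus-or-failed"; return 0 ;;
    esac

    # 'ad' is only set by a resolver that validated the answer itself.
    if printf ' %s ' "$flags" | grep -q ' ad '; then
        echo "validated"
    elif printf '%s\n' "$answer" | grep -q '[[:space:]]RRSIG[[:space:]]'; then
        # Signatures present but nobody on our side checked them.
        echo "signed-but-unvalidated"
    else
        echo "unvalidated"
    fi
}

# Stand-alone run over the constructed captures.
for s in "$SAMPLE_VALIDATED" "$SAMPLE_FORWARDED" "$SAMPLE_BOGUS"; do
    classify_dns_answer "$s"
done
```

To use it against a live firewall, replace the constructed captures with real output, e.g. `dig +dnssec example.com @127.0.0.1`, pointed at the DNS service the clients actually use. After disabling Dnsmasq and enabling Unbound as described in the post, a signed zone should come back as "validated"; if it still comes back as "signed-but-unvalidated", the clients are still reaching a non-validating forwarder, and if everything comes back as "bogus-or-failed" the resolver has no working trust anchor or no upstream connectivity, which is the connectivity check franco recommends doing before declaring the switch done.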