DNSmasq and Unbound Peacefully Co-Existing?

Started by spetrillo, December 22, 2025, 05:10:43 PM

Hello all,

I made the move to dnsmasq for local DNS and DHCP services, with Unbound as my authoritative server that looks at Quad9 on the Internet. Attached is my dnsmasq config and Unbound config. Am I missing anything in the configs? Lastly, I am using the DNSSEC services from Quad9. When I try to hit their URL for this I get back an "unable to parse request" message. Does this mean I do not have DNSSEC configured correctly?

Thanks,
Steve

December 22, 2025, 06:20:19 PM #1 Last Edit: December 22, 2025, 06:23:50 PM by DEC670airp414user
Screenshot 3: I would turn off DNS within dnsmasq; change the listen port to 0. You also do not need DNSSEC enabled if using Quad9.

I use Unbound and it works 100% reliably.

I set up DNS over TLS for Quad9 or similar products, though.

So this brings up an interesting question. If unbound is by nature recursive do I need to forward to another nameserver on the Internet? Is that just an extra step that gets me nothing but log entries of my activity?

It's personal preference.

Unbound set to not forward should never go down or have any issues. It also does not use DNS over TLS, which I prefer to use myself:

If forwarding, you are at the mercy of the servers you choose to forward to for privacy and reliability.


If you use DoT do you just configure the nameservers in that Unbound section and you are good to go? For example the Quad9 DNSSEC IPs?


OK, so I turned off DNSSEC on both dnsmasq and Unbound. I configured the DoT stuff in Unbound and tested successfully from the OPNsense CLI.

Thank you!

Quote from: DEC670airp414user on December 22, 2025, 06:20:19 PM
Screenshot 3: I would turn off DNS within dnsmasq; change the listen port to 0. You also do not need DNSSEC enabled if using Quad9.

I use Unbound and it works 100% reliably.

I set up DNS over TLS for Quad9 or similar products, though.
Important caveat: You will NOT get name resolution for local DHCP clients if the dnsmasq DNS server is turned off, as Unbound will not read the dnsmasq DHCP client list automatically.
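For readers following the same split, here is an added example of an Unbound configuration that does what the replies above describe: everything is forwarded to Quad9 over DNS over TLS with the certificate name pinned, DNSSEC validation is kept on the local resolver, and the local DHCP domain is forwarded to dnsmasq on a high port rather than disabling dnsmasq DNS with port 0, so the caveat about DHCP client names not resolving does not apply. This is not the original poster's attached config or anything from the OPNsense project; the file paths, the "lan" domain name, port 53053 and the 10.0.0.0/8 LAN range are assumptions. The Quad9 addresses 9.9.9.9 and 149.112.112.112 and the TLS name dns.quad9.net are Quad9's published values.

```conf
# unbound.conf (added example, not from the thread). Paths, the "lan" domain,
# port 53053 and 10.0.0.0/8 are assumptions; adjust to your network.
server:
  interface: 0.0.0.0
  interface: ::0
  port: 53
  access-control: 10.0.0.0/8 allow        # assumed LAN range
  access-control: 127.0.0.0/8 allow

  # Keep DNSSEC validation local: answers are checked here, not only by Quad9.
  auto-trust-anchor-file: "/var/unbound/root.key"   # assumed path
  # CA bundle used to verify the Quad9 certificate on the TLS connection.
  tls-cert-bundle: "/etc/ssl/cert.pem"              # assumed path

  # The zone served by dnsmasq is unsigned. Without domain-insecure the
  # validator would reject its answers as bogus; private-domain allows
  # RFC1918 addresses under it despite the rebinding protection below.
  domain-insecure: "lan"
  private-domain: "lan"
  private-address: 10.0.0.0/8
  # Unbound blocks RFC1918 reverse zones by default; release the one we forward.
  local-zone: "10.in-addr.arpa." nodefault
  domain-insecure: "10.in-addr.arpa"

# Everything not matched by a more specific zone goes to Quad9 over TLS (853).
# "#dns.quad9.net" pins the name the certificate must carry, so a server
# presenting a valid certificate for some other name is rejected.
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net

# Local names and reverse lookups stay with dnsmasq, which keeps its DHCP
# lease table. Pair this with "port=53053" (not "port=0") in dnsmasq.conf.
forward-zone:
  name: "lan"
  forward-addr: 127.0.0.1@53053
forward-zone:
  name: "10.in-addr.arpa"
  forward-addr: 127.0.0.1@53053
```

On the dnsmasq side the matching lines are `port=53053` and `local=/lan/` so dnsmasq answers for the DHCP domain itself instead of forwarding it. After `unbound-checkconf` passes and the service is restarted, `dig +dnssec example.com @127.0.0.1` should show the `ad` flag in the answer header; if DNSSEC is turned off in Unbound, as the OP did, that flag disappears and authenticity rests on Quad9's own validation plus the pinned TLS channel, while the TLS part still provides the privacy on the wire.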

@DEC670airp414user. Is there a downside to DNSSEC? From Google:
"DNSSEC as securing the message content (authenticity)"
"DoT as securing the envelope (privacy/confidentiality)."
Both of these seem like it would be a benefit.

@Stormscape. I do not think your answer is accurate. I use Kea for DHCP and Unbound.
IPv4 LAN does get local name resolution.
IPv6 LAN gets resolution when a reservation is added after a restart of the unbound service.