Unbound to forward .home domain

Started by tuxlemmi, January 06, 2026, 06:06:36 PM

Hey guys,

unbound doesn't forward *.home-domains since last update to 25.7.10.
It worked before for quite a couple years.

Anybody knows why?

Not sure what changed w.r.t Unbound, but it seems that .home is best avoided in any case as it's neither here nor there (not a valid gTLD, not successfully ratified as a private one either), due to collision concerns.

https://icannwiki.org/.home
https://www.icann.org/en/board-activities-and-meetings/materials/approved-board-resolutions-regular-meeting-of-the-icann-board-04-02-2018-en#2.c

Quote:
Whereas, in 2015, individuals in the IETF's DNS Operations working group wrote an Internet Draft, the first step in developing an RFC that reserved the CORP, HOME, and MAIL labels from delegation into the top level of the DNS, but the working group and the authors of that draft were unable to reach consensus on the criteria by which labels would be reserved and the effort to create an RFC on the topic was abandoned.

.home.arpa is fit for purpose, but now we have .internal as well (used in OPNsense documentation e.g. Dnsmasq examples).

Quote from: OPNenthu on January 06, 2026, 06:48:27 PM
but now we have .internal as well (used in OPNsense documentation e.g. Dnsmasq examples).
I believe it was introduced as a solution for all those people using .local while they shouldn't because of mDNS conflicts and breaking a lot of stuff...

So far I have not seen any conflicts or weird issues when using thuis.lan, so if you're German for example you could use zuhause.lan or something like that: it's basically home.lan, but since the home part is tricky I would maybe use athome.lan if you are English/American :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

.lan was proposed as a generic internal TLD in an RFC draft which never made it into an RFC. So works for now, but no guarantees.

The best solution is: own one single domain. They are cheap.

Then use "mylocation.mydomain.com" or "internal.mydomain.com" for your LAN - no conflicts will ever occur as long as the current domain and DNS system exists.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 07, 2026, 12:19:12 AM
So works for now, but no guarantees.
I just really dislike .internal and have been using .lan for many years before they finally decided to agree on .internal ;)

Quote:
The best solution is: own one single domain. They are cheap.
Getting more expensive each year for a while now so no guarantees there either...

Quote:
Then use "mylocation.mydomain.com" or "internal.mydomain.com" for your LAN - no conflicts will ever occur as long as the current domain and DNS system exists.
IMHO more a thing for companies and not for home users :)

January 07, 2026, 12:38:19 AM #5 Last Edit: January 07, 2026, 12:39:57 AM by OPNenthu
I can't argue with Patrick on technical correctness, but the concern I have as a home user with no external facing services (not yet, anyway) is I don't need unnecessary attention from bots/scrapers/whoever knocking at my firewall's front door just because I advertised my network's existence in DNS.

Maybe it's a non-issue.  They are constantly knocking anyway.  The "Default deny" rule is very deserving of a pay raise :)

(Then again, I do use DDNS for Wireguard since I don't have static IPs, so... blah)

@OPNenthu if you register "mydomain.com" with some domain registrar and do not put any public IP address of your home infrastructure into that zone, you will not be any worse off than with the bots scanning the legacy (IPv4) Internet 24x7, anyway.

I am not publishing my "mylocation.mydomain.com" in the public DNS. While all you regulars on this forum can probably guess at least my ".com" domain from my name I always use e.g. "mydomain.com" in my posts so it won't be scraped by bots, AI, etc.

For anyone specifically targeting me it's trivial to find.

But anyway, you need not pick your real last name as your domain name and the point of such a setup is *not* to publish that internal subdomain.

Hope that clarifies it a bit. A domain registration is just reserving a name. There is no need to connect any IP address with it.

I did not know that. Does the registrar automatically park the domain at one of their IPs in that case, or does it just resolve to NXDOMAIN? (not that it matters, just curious)

There will be an SOA and a couple of NS records but nothing else. Why would the domain registrar put any A or AAAA record in the zone if you don't tell them to?

I imagined it like a phone book publisher.  Some people may have private numbers which are unlisted in the book, but you would not see names listed with a blank number as it would be nonsensical.

Although "book" is the operative word here (I'm just old enough to remember public pay phones and phone books), because I guess in a digital registry space is cheap and you could keep all kinds of records.

Use .home.arpa. This is a local zone by default in Unbound.

If you want to use .internal, you may add it manually to local zones via a config file in /usr/local/etc/unbound.opnsense.d

server:
  local-zone: "internal." static
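An added example, not from the thread or from OPNsense itself, that generates such a drop-in fragment together with the records it needs: a static local zone answers only from its local-data and returns NXDOMAIN for every other name under it, so the hosts have to be listed. The host names, addresses and the file name internal.conf are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an Unbound drop-in that declares "internal." as a
# static local zone and fills it with forward and reverse records.
# Usage (on OPNsense; internal.conf is an assumed file name):
#   printf 'nas 10.0.10.5\nprinter 10.0.10.20\n' \
#     | install_internal_zone /usr/local/etc/unbound.opnsense.d
# then restart Unbound from the GUI so the fragment is picked up.
set -eu

# Render the config fragment to stdout. Input on stdin: one "host addr"
# pair per line (constructed sample data in the usage comment above).
render_internal_zone() {
    printf 'server:\n'
    # static: answer only from local-data below, NXDOMAIN for anything else
    printf '  local-zone: "internal." static\n'
    while read -r host addr; do
        [ -n "$host" ] || continue
        printf '  local-data: "%s.internal. IN A %s"\n' "$host" "$addr"
        # reverse record so PTR lookups on the LAN address work too
        printf '  local-data-ptr: "%s %s.internal"\n' "$addr" "$host"
    done
}

# Write the fragment into the given drop-in directory and, when the
# unbound-checkconf tool is installed, run it over the new file.
install_internal_zone() {
    dir=$1
    mkdir -p "$dir"
    render_internal_zone > "$dir/internal.conf"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$dir/internal.conf"
    else
        echo "unbound-checkconf not found; fragment not validated" >&2
    fi
}
```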