Understanding DNS and Unbound - Setup Help?

[theprez1980]

Hey All -

So I've installed OpnSense successfully and am getting acclimated to all the changes and features.   I was previously using Untangle so this has been a large change in terms of the GUI and various settings.

Previously, I was able to point towards whatever external DNS I'd like for queries such as Google's DNS or OpenDNS vs. my own ISP's DNS.    In doing a search, it appears this is the best practice:

https://forum.opnsense.org/index.php?topic=8505.0

However, it's dated 2018 and it appears at least one of the GUI settings has been reworded/removed/changed.  Oyxgen61 provided some very thorough steps but step 3 does not match what my GUI shows.    Specifically this item: "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall"   that option is not present at least in the latest version of OPNSense.  The closest option appears to be "Do not use the local DNS service as a nameserver for this system"  but not sure if that's really the same setting just reworded.   Any input here folks?

Lastly,  from my elementary level of understanding.. it appears this setup doesn't use typical DNS servers - it goes right to the root servers, captures what it needs and stores it locally for future use in its cache.  Is that correct?   If so, is there any cache management that needs to occur to prevent stale records or to ensure the size of the cache doesn't grow too large?

Thanks all.

[ideal2545]

Sorry to bring up an old topic but I was researching the same thing, came across Oxygen61's post, I'm wondering if theres an updated setup guide for properly configuring Unbound DNS

[Rokugar]

Agreed, especially since custom options was removed in 21.7

[chemlud]

ehm, but in oxy's how-to there is no need for the custom options field. It is simply a resolver (using root servers) with DNSSEC (solving some problems, but not all https://security.stackexchange.com/questions/11566/how-does-dnssec-work-are-there-known-limitations-or-issues). Your DNS traffic will be unencrypted, it's a perfect target for surveilance/censorship.

You could go with DNS-over-TLS (the new feature added in the GUI for unbound with 21.7). This will encrypt your DNS traffic. You will have to choose some DNS servers (basically those you trust), as this is using forwarding mode of unbound (not the root servers).

With DNS there is basically no "wrong" (as long as it works... :-D ) or right. You can even go with the DNS of your provider, if you trust him. Just kidding ... ;-)

[Rokugar]

A guide would be a lot better than Oxy's thread.  He was kind of jerk to the OP.

[chemlud]

There can be no guide, as the taste is quite different when it comes to DNS. Various setups possible. Start to read around, decide what your priorities are. Or use it out of the box. It works!

[errored out]

I'm not quite sure what the issue is exactly as I don't use unbound.  But considering you speaking of dnssec, why not use dns-crypt?  It has dnssec by default (exactly why it was written for), you have whitelisting, configure individual listening ports for each vlan (if needed).  Also has overrides, and simple to configure which servers you want to point to.

Not to mention, if you want to query servers that honor tracking, filtering, if you don't need a server to require dnssec, etc.