OPNsense Forum » Archive » 23.1 Legacy Series » Unbound DNS best practice for local / default domain?
Topic: Unbound DNS best practice for local / default domain? (Read 6644 times)
meyergru
Hero Member
Posts: 1706
Karma: 167
IT Aficionado
Unbound DNS best practice for local / default domain?
« on: April 11, 2023, 08:39:13 am »
Until the latest OPNsense release, I used dnsmasq instead of unbound for two reasons:
1. It is much faster.
2. It handles local domains better IMHO, because you can define a default domain like "ttt" and have both "host" and "host.ttt" resolve to the same name. This helps a lot for devices that cannot pick up the default domain via DHCP correctly.
With 23.1.5_4, dnsmasq seems to start too early (or whatever), at least after a reboot, it does not forward requests to upstream servers any more. Thus I started to try unbound.
Now for #2 in my list: I found that I need to define a domain for each host override, such that I do not even have an option to define both "host" and "host.ttt" - strangely enough, I can skip the domain for aliases, but then they will not work either...
So, is there a way or a best practice to map queries with hostnames without a domain to a "default" domain for unbound?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
Patrick M. Hausen
Hero Member
Posts: 6844
Karma: 575
Re: Unbound DNS best practice for local / default domain?
« Reply #1 on: April 11, 2023, 08:41:13 am »
I do not quite get what you mean by resolving "host". Appending the default domain to unqualified host names is the job of the resolver library and not the recursive DNS server's.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
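To make the division of labour in this reply concrete, here is an added example (not part of the thread, and not OPNsense, Unbound or dnsmasq code) that models the stub-resolver side: it reads the `search`/`domain` and `ndots` settings from a resolv.conf, builds the list of fully qualified names a client actually sends to the DNS server for a typed name, and checks them against a constructed record set that stands in for an Unbound host override with a domain. The domain `ttt`, the host `nas` and the 192.0.2.x addresses are constructed sample values.

```python
"""Stub-resolver search-list expansion, modelled after the rules glibc
applies from /etc/resolv.conf ("search"/"domain" and "options ndots:N").
Added example for this thread; it is not OPNsense, Unbound or dnsmasq code.
The domain "ttt" and the 192.0.2.x addresses are constructed sample values."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResolvConf:
    search: list = field(default_factory=list)  # search domains, no trailing dot
    ndots: int = 1                               # glibc default


def parse_resolv_conf(text: str) -> ResolvConf:
    """Parse the subset of resolv.conf that drives search-list behaviour."""
    cfg = ResolvConf()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            # "domain" and "search" are mutually exclusive; the last one wins
            cfg.search = [d.rstrip(".").lower() for d in args]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    cfg.ndots = int(opt.split(":", 1)[1])
    return cfg


def query_candidates(name: str, cfg: ResolvConf) -> list:
    """Fully qualified names, in order, that the stub resolver sends upstream
    for `name`. This is the step that turns "host" into "host.ttt."."""
    name = name.lower()
    if name.endswith("."):
        return [name]                      # absolute name: search list is skipped
    absolute = name + "."
    expanded = [f"{name}.{d}." for d in cfg.search]
    if name.count(".") >= cfg.ndots:
        return [absolute] + expanded       # looks qualified: try as typed first
    return expanded + [absolute]           # unqualified: search domains first


# Constructed stand-in for what an Unbound host override with domain "ttt"
# would answer: only the fully qualified name exists on the server side.
RECORDS = {"nas.ttt.": "192.0.2.10"}


def resolve(name: str, cfg: ResolvConf, records: dict) -> Optional[tuple]:
    """Walk the candidate list the way the stub resolver does; the first name
    the server knows wins, otherwise every candidate got NXDOMAIN."""
    for qname in query_candidates(name, cfg):
        if qname in records:
            return qname, records[qname]
    return None


if __name__ == "__main__":
    cfg = parse_resolv_conf("nameserver 192.0.2.1\nsearch ttt\n")
    for n in ("nas", "nas.ttt", "nas."):
        print(f"{n:10} -> queries {query_candidates(n, cfg)} -> {resolve(n, cfg, RECORDS)}")
```

Running it shows the three cases discussed later in the thread: a client whose resolver does honour `search ttt` never asks the server for a bare `nas`, so an override for `nas.ttt` is enough; a client that does not (or a name typed with a trailing dot, `nas.`) sends only the absolute name and gets NXDOMAIN from a server that only knows `nas.ttt`; and `nas.ttt` typed on a host with `search ttt` also produces the `nas.ttt.ttt` query that the search list appends as a fallback.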
meyergru
Hero Member
Posts: 1706
Karma: 167
IT Aficionado
Re: Unbound DNS best practice for local / default domain?
« Reply #2 on: April 11, 2023, 09:39:44 am »
That is what I mean - sometimes, the domain name is not taken over to the DNS resolver via DHCP as expected. I have several such clients, for example a QNAP NAS. When I specify the SMTP gateway as "host", it does not ask for "host.ttt", even when ttt is the DNS domain that DHCP is telling it.
On the other hand, its DNS is cascaded via dnsmasq, so it is not as easy as modifying /etc/resolv.conf (as a matter of fact, it is created on the fly).
Today this is mostly the case with Ubuntu as well, where systemd-resolved acts as a local intermediate (I had problems with that as well).
dnsmasq seems to honor the "search ttt" line in /etc/resolv.conf in that both requests for "host" and "host.ttt" are resolved. unbound does not do that, which could be healed if names with domain could be defined.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up, Bufferbloat A+
36thchamber
Jr. Member
Posts: 57
Karma: 2
Re: Unbound DNS best practice for local / default domain?
« Reply #3 on: October 16, 2023, 10:24:39 pm »
I get it. Host resolution seems to be impossible (https://forum.openwrt.org/t/unbound-shortname-lookups-non-authoritative-answer/59722/1), despite there being a special line for each record in host_entries.conf.
Some clients are not able to connect anywhere, as each OS uses a different approach. Windows adds the domain even if the query already contains it, Android doesn't add anything. Tons of messy outcomes. The "." hack also doesn't work. Who wants to type the domain on the LAN? Certainly not me.
Introducing dnsmasq, the resolver for home/lab.
Switching from unbound to dnsmasq gets you proper resolution without NXDOMAIN horror:
* host 👍
* host. 👍
* host.domain 👍
and protects against known cases:
* host not resolvable
* host.domain leaking upstream
* unknownhost.domain specifically going to upstream
* host.domain.domain chaining
and can resolve overrides properly (Unbound doesn't make it possible to avoid recursion for a subdomain which is already part of the override; you do need this if you have a WAN & LAN domain and a subdomain that always needs to be WAN, e.g. because of a VPN connection).
Sadly 👎 the custom options were removed from the GUI, so you need to slap them into /usr/local/etc/dnsmasq.conf.d/mydnsmasq.conf. Especially the "address" tag, as the GUI can't do wildcards and slaps everything into hosts incorrectly.
You can make a chain of happiness:
Adguard -> dnsmasq -> Unbound
or
Adguard -> Unbound -> dnsmasq
if you need
a) the nice chart in the Reporting\Unbound section
b) TLS upstream
However, in my case Unbound didn't provide a single niche over dnsmasq, and it was outright impossible to set up any query situation that would actually reach it, so I removed it.
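As an added example (not the poster's config, and not shipped by OPNsense or dnsmasq), a mydnsmasq.conf for the directory named above that implements the behaviours listed in this reply: a default domain so that a hosts entry answers both as "nas" and as "nas.ttt", a local zone so that nothing under the LAN domain is forwarded upstream, and the wildcard "address" override the GUI cannot express. The domain ttt, the hostnames and the 192.0.2.x addresses are placeholders.

```conf
# /usr/local/etc/dnsmasq.conf.d/mydnsmasq.conf  (added example, not from the thread)
# Placeholders: the LAN domain "ttt", the hostnames and the 192.0.2.x addresses.

# Default domain for unqualified hosts entries: with expand-hosts, an entry for
# "nas" is also answered as "nas.ttt", so short name and FQDN return the same record.
domain=ttt
expand-hosts

# Authoritative for everything under ttt: names dnsmasq does not know get NXDOMAIN
# locally instead of leaking host.ttt / unknownhost.ttt to the upstream server.
local=/ttt/

# Wildcard override (the "address" option): every name under apps.ttt, and
# apps.ttt itself, resolves to the reverse proxy.
address=/apps.ttt/192.0.2.20

# Explicit host record naming both the short name and the FQDN.
host-record=nas,nas.ttt,192.0.2.10

# Never forward dot-less names upstream at all.
domain-needed
```

Check the file with `dnsmasq --test` before restarting the service; if the configuration OPNsense generates already sets `domain=`, drop the duplicate here rather than declaring it twice.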