Unbound DNS best practice for local / default domain?

Started by meyergru, April 11, 2023, 08:39:13 AM

Until the latest OpnSense release, I used dnsmasq instead of unbound because of two reasons:

1. It is much faster.
2. It handles local domains better IMHO, because you can define a default domain like "ttt" and have both "host" and "host.ttt" resolve to the same name. This helps a lot for devices that cannot pick up the default domain via DHCP correctly.

With 23.1.5_4, dnsmasq seems to start too early (or whatever), at least after a reboot, it does not forward requests to upstream servers any more. Thus I started to try unbound.

Now for #2 in my list: I found that I need to define a domain for each host override, such that I do not even have an option to define both "host" and "host.ttt" - strangely enough, I can skip the domain for aliases, but then they will not work either...

So, is there a way or a best practice to map queries with hostnames without a domain to a "default" domain for unbound?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

I do not quite get what you mean by resolving "host". Appending the default domain to unqualified host names is the job of the resolver library and not the recursive DNS server's.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

That is what I mean - sometimes, the domain name is not taken over to the DNS resolver via DHCP as expected. I have several such clients, for example a QNAP NAS. When I specify the SMTP gateway as "host", it does not ask for "host.ttt", even when ttt is the DNS domain that DHCP is telling it.

On the other hand, its DNS is cascaded via dnsmasq, so it is not as easy as modifying /etc/resolv.conf (as a matter of fact, it is created on the fly).

Mostly today this is the case also with Ubuntu where systemd-resolved acts as a local intermediate (I had problems with that as well).

dnsmasq seems to honor the "search ttt" line in /etc/resolv.conf in that both requests for "host" and "host.ttt" are resolved. unbound does not do that, which could be healed if names with domain could be defined.

I get it. Host resolution seems to be impossible: https://forum.openwrt.org/t/unbound-shortname-lookups-non-authoritative-answer/59722/1. All despite there being a special line for each record in host_entries.conf.


Some clients are not able to connect anywhere, as each OS uses a different approach. Windows adds the domain even if the query already contains it, Android doesn't add anything. Tons of messy outcomes. The "." hack also doesn't work. Who wants to type the domain on the LAN? Certainly not me.

Introducing dnsmasq, the resolver for home/lab.

Switching from unbound to dnsmasq gets you proper resolution without NXDOMAIN horror:
* host 👍
* host. 👍
* host.domain 👍

plus protects against known cases:
* host not resolvable
* host.domain leaking upstream
* unknownhost.domain specifically going to upstream
* host.domain.domain chaining

plus it can resolve overrides properly (Unbound won't make it possible to avoid recursion for a subdomain which is already part of the override; you do need this if you have a WAN & LAN domain and a subdomain that always needs to be WAN because of e.g. a VPN connection).

Sadly 👎 the custom options were removed from the GUI, so you need to put them in /usr/local/etc/dnsmasq.conf.d/mydnsmasq.conf. Especially the address tag, as the GUI can't do wildcards and incorrectly puts everything into hosts.

You can make a chain of happiness: Adguard -> dnsmasq -> Unbound, or Adguard -> Unbound -> dnsmasq if you need
a) the nice chart in the Reporting\Unbound section
b) a TLS upstream.
However, in my case Unbound didn't provide a single niche over dnsmasq, and it was outright impossible to set up any query situation that would actually reach it, so I removed it.
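The dnsmasq drop-in file described in the post above, written out as an added example (not a file from the thread or from OPNsense); the domain "ttt", the host names and all addresses are made up, and the VPN resolver address is an assumption:

```conf
# /usr/local/etc/dnsmasq.conf.d/mydnsmasq.conf  (added example; hosts and
# addresses are constructed, not taken from the thread)

# "ttt" is the LAN domain. local= answers it authoritatively, so
# unknownhost.ttt gets NXDOMAIN here instead of leaking upstream.
domain=ttt
local=/ttt/

# Append the domain to plain names read from /etc/hosts, so a host listed
# there answers for both "nas" and "nas.ttt".
expand-hosts

# Explicit records answering the short name and the FQDN alike, which is the
# case the Unbound host-override GUI does not cover.
host-record=nas,nas.ttt,192.0.2.10
host-record=mail,mail.ttt,192.0.2.25

# Wildcard override: every name under lab.ttt resolves to one address.
# The GUI cannot express this, hence the drop-in file.
address=/lab.ttt/192.0.2.50

# A subdomain that must always be resolved on the far side of a VPN, even
# though the parent domain is local. dnsmasq picks the longest matching
# domain, so this wins over local=/ttt/ (10.8.0.1 is an assumed VPN resolver).
server=/remote.ttt/10.8.0.1

# Never forward bare names or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
```

After placing the file, restart dnsmasq from the OPNsense services page and check the three forms the post lists (`host`, `host.`, `host.ttt`) from a LAN client; the `local=` and `server=` lines are what decide which names stay on the box and which go out, so verify them first if an expected NXDOMAIN or an upstream answer shows up in the wrong place.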