What DNS resolver do you recommend for my use case?

Started by cami09, January 03, 2025, 10:22:36 PM

Hi, I have two basic requirements in my home-lab:

1. conditional forwarding of DNS requests to different servers, depending on client IP
2. firewall rule with whitelist of IPs, whose domains were resolved by my DNS server

Specific clients should be forwarded to different DNS servers, e.g. the one from VPN (might also be called source IP-based forwarding of DNS requests).
The firewall rule is usually done via ipsets/nftsets (I've read the implementation on FreeBSD is pf tables).

Some thoughts on possible solutions:
- Unbound can act as recursive resolver, but neither supports ipset nor source-based IP forwarding
- dnsmasq supports ipset, but no source-based IP routing; also only DNS forwarder
- BIND to my knowledge supports conditional forwarding of source IPs via views, but no ipset support; also only plugin and not part of core OPNsense

So, what I am doing now is using dnsmasq together with Unbound:
Client -> dnsmasq (forwarder) -> Unbound (rec. res.) -> nameservers (Inet)

I am missing conditional forwarding here. On first sight, we could use BIND:
Client -> dnsmasq (forwarder) -> BIND -> Unbound (rec. res.) -> nameservers (Inet)

But that probably doesn't make so much sense, as BIND gets the source IP from downstream dnsmasq, not the original client IP.

That leaves one remaining solution: spawn an additional dnsmasq instance for conditional forwarding (given two groups of clients).
Having explored OPNsense web GUI, it seems I can only have one instance of dnsmasq though.

Hence, not sure what the best solution is here. Any thoughts?

If you want to centrally set different name servers for a subnet, use DHCP(IPv4) or RADVD(IPv6). If you have untrusted clients, use firewall rules for their VLAN to restrict them to a specific DNS server.

If you are looking for DNS with more features, run an external server dedicated to the service. https://arstechnica.com/information-technology/2024/02/doing-dns-and-dhcp-for-your-lan-the-old-way-the-way-that-works/ or even Windows Server if you can afford the licences.

Bart...

January 04, 2025, 11:26:05 AM #2 Last Edit: January 04, 2025, 12:17:05 PM by cami09
Thanks for your suggestions.

*Regarding DHCP/VLAN:*
I forgot to add one thing - conditional forwarding should be done for specific clients *and* domains.
Hence a DNS server assigned over DHCP, or enforced DNAT of all requests to a DNS server, is not suitable here.

*Regarding external server:*
OPNsense is my main router and a firewall rule is created based on ipsets (using alias with type "External").
So, DNS resolver needs to reside within same machine to fill this corresponding BSD `pf` (Packet Filter) table for ipsets.

---

In dnsmasq you can do:
```
server=/example.com/1.1.1.1         # forward domain example.com to 1.1.1.1 DNS
ipset=/example.com/my_whitelist_alias         # whitelisting IPs with firewall rule
```
But this misses forwarding decisions based on client IP - and dnsmasq can't do that to my knowledge.
After more research: dnsmasq at least seems to be able to forward the original client IP via `--add-subnet=32,128`, which is ECS (https://en.wikipedia.org/wiki/EDNS_Client_Subnet). So it might delegate this job to another resolver like BIND.

1. Is os-bind (BIND) plugin mature enough and safe to use? I'd like to not resort to external plugins, where possible - but if that's the way, I am OK with it.
2. Can BIND plugin configure a view based on this original IP delivered over ECS?
3. Alternatively: any experience with starting a second dnsmasq instance manually? Does OPNsense UI provide a way to configure CLI startup/boot scripts?
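As an added example (not code from the thread, dnsmasq or OPNsense), this encodes and decodes the EDNS Client Subnet option (RFC 7871) that `--add-subnet=32,128` attaches to forwarded queries, so a downstream resolver can see the original client address instead of the forwarder's; any addresses used with it are constructed samples.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet option code (RFC 7871)
OPT_RR_TYPE = 41     # EDNS0 OPT pseudo-RR type (RFC 6891)

def build_ecs_option(client_ip: str, prefix_len: int) -> bytes:
    """Encode one ECS option as it sits inside an OPT RR's RDATA.
    dnsmasq's --add-subnet=32,128 means prefix_len 32 for IPv4 and 128
    for IPv6, i.e. the full client address is passed upstream."""
    ip = ipaddress.ip_address(client_ip)
    family, max_len = (1, 32) if ip.version == 4 else (2, 128)
    if not 0 <= prefix_len <= max_len:
        raise ValueError("prefix length out of range for address family")
    # RFC 7871 s6: send only ceil(prefix/8) address octets, with every bit
    # beyond the prefix zeroed, so mask the address before truncating it.
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    addr = net.network_address.packed[: (prefix_len + 7) // 8]
    body = struct.pack("!HBB", family, prefix_len, 0) + addr  # scope=0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

def build_opt_rr(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """Wrap raw EDNS options in an OPT RR (root name, type 41, TTL 0)."""
    header = struct.pack("!HHIH", OPT_RR_TYPE, udp_payload_size, 0, len(options))
    return b"\x00" + header + options

def parse_ecs_option(data: bytes):
    """Decode an ECS option into (client_subnet, scope_prefix_len).
    A downstream resolver such as BIND would have to look at this option,
    not at the UDP source address (which is dnsmasq's), to see the client."""
    code, length = struct.unpack("!HH", data[:4])
    if code != ECS_OPTION_CODE or length < 4 or length != len(data) - 4:
        raise ValueError("not a well-formed ECS option")
    family, src_len, scope_len = struct.unpack("!HBB", data[4:8])
    addr = data[8:]
    if len(addr) != (src_len + 7) // 8:
        raise ValueError("address length does not match prefix length")
    if family == 1:
        ip = ipaddress.IPv4Address(addr.ljust(4, b"\x00"))
    elif family == 2:
        ip = ipaddress.IPv6Address(addr.ljust(16, b"\x00"))
    else:
        raise ValueError(f"unknown address family {family}")
    # strict=True rejects an option whose bits beyond the prefix are not zero
    return str(ipaddress.ip_network(f"{ip}/{src_len}")), scope_len
```

Note that ECS is a hint carried inside the query, not an authenticated source address, so a resolver that keys views on it is trusting whatever the forwarder puts there.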