DNSmasq - Unbound interfacing for local DNS resolution

Started by cinergi, May 09, 2025, 09:23:17 PM

Hello,

Since DNSmasq is planned to be the default DHCP server in OPNsense going forward, I have a question regarding migration from the ISC DHCP server as it affects local DHCP hostname resolution.  I want to continue using Unbound for DNS.

ISC DHCP server interfaces directly with the Unbound DNS resolver to add local DHCP hostnames to Unbound.  Does DNSmasq also interface directly with Unbound in the same manner?  Or will I have to run DNSmasq on port 53 as the primary DNS resolver in order to get local hostname resolution, and forward all external queries to Unbound running on another port (e.g. 5353)?  The latter is, in my opinion, a more clunky solution than running Unbound directly on port 53.

Thanks!

No, Unbound only supports ISC for "direct" lookups at the moment. You can either have queries go to dnsmasq first and then unbound, or the other way around, which is less clunky. You set query forwarding in Unbound pointed at 127.0.0.1:port_dnsmasq_listens_on for only your local domain. This way, all queries go to unbound first, and don't go anywhere else unless they are for a local hostname lookup, which are then sent to dnsmasq for resolution.

However, IME, dnsmasq is pretty buggy and will regularly fail to properly look up hostnames. I've been trying for over 2 days to get dnsmasq working properly and have reverted to ISC, and written off dnsmasq as "testing stage" level implementation. I have no real interest in being a beta tester, I need my network to Just Work(TM)

I actually just tested it, you cannot do dnsmasq -> unbound anyhow. Since dnsmasq needs to be on port 53 in that scenario, and unbound on some other port such as 53053, this completely breaks DNS lookups. For whatever reason, dnsmasq is hard coded to use the system name servers set in Settings -> General, which means you create a DNS loop - dnsmasq -> system name server -> dnsmasq -> system name server etc. There's no way around it since you cannot specify a port (e.g. unbound's listening port) in Settings -> General.

dnsmasq's implementation is overall baffling and feels somewhat like the team is trying to fit a square peg into a triangular hole.

Unbound on port 53, DNSmasq on port 53053, and set up the Unbound query forwarding in accordance with OPNSense docs:
https://docs.opnsense.org/manual/dnsmasq.html

I followed the examples at that link for my configuration, and it's running flawlessly for me across 5 different interfaces. Unlike the first person who responded to you, I feel like this was a pretty rock solid initial release for a lighter and more efficient DHCP. From what I've gathered between here and Reddit, the majority of the people having issues decided to wing it with their setup and didn't read the guides first.
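Written out below, as an added example that is not from the OPNsense documentation or from any poster in this thread, is the layout the two replies above describe: Unbound on port 53 answering everything, dnsmasq on port 53053 answering only the local domain and its reverse zone, and Unbound forwarding just those two zones to dnsmasq. It is shown in raw unbound.conf and dnsmasq.conf syntax; the domain home.arpa, the subnet 192.168.1.0/24, the port 53053 and the reservation MAC are assumptions, and on OPNsense these settings are entered through the GUI (Unbound: Query Forwarding; Dnsmasq: port and DHCP settings) rather than typed into these files.

```conf
# --- Unbound fragment (assumed path: /usr/local/etc/unbound.conf.d/local-forward.conf)
server:
    port: 53
    # dnsmasq answers with RFC 1918 addresses; without private-domain Unbound's
    # rebind protection (private-address) would drop those answers
    private-domain: "home.arpa"
    # the local zone is unsigned, so don't DNSSEC-validate what dnsmasq returns
    domain-insecure: "home.arpa"
    domain-insecure: "1.168.192.in-addr.arpa"

# Only the local domain and its reverse zone go to dnsmasq; everything else
# is resolved by Unbound itself (or by whatever upstream Unbound already uses).
forward-zone:
    name: "home.arpa"
    forward-addr: 127.0.0.1@53053

forward-zone:
    name: "1.168.192.in-addr.arpa"
    forward-addr: 127.0.0.1@53053

# --- dnsmasq fragment (assumed path: /usr/local/etc/dnsmasq.conf)
port=53053               # off port 53 so it does not collide with Unbound
listen-address=127.0.0.1
bind-interfaces
no-resolv                # never read the system resolvers: this is what prevents the
                         # dnsmasq -> system DNS -> dnsmasq loop when Unbound is upstream
no-hosts
domain=home.arpa
local=/home.arpa/        # home.arpa is authoritative here: answer from leases, never forward
expand-hosts             # append the domain to bare DHCP hostnames
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-host=aa:bb:cc:dd:ee:ff,nas,192.168.1.10   # static reservation; constructed MAC
```

With `no-resolv` and no `server=` lines, dnsmasq has no upstream at all, which is intended: Unbound only ever sends it the two zones it is authoritative for, and a name under home.arpa that has no lease comes back NXDOMAIN instead of leaking upstream. To check each hop separately, query dnsmasq directly (`drill nas.home.arpa @127.0.0.1 -p 53053`) and then through Unbound (`drill nas.home.arpa @127.0.0.1`); if only the second fails, look at the forward-zone and private-domain settings rather than at dnsmasq.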

Quote from: irrenarzt on May 09, 2025, 10:58:41 PM
Unbound on port 53, DNSmasq on port 53053, and set up the Unbound query forwarding in accordance with OPNSense docs:
https://docs.opnsense.org/manual/dnsmasq.html

I followed the examples at that link for my configuration, and it's running flawlessly for me across 5 different interfaces. Unlike the first person who responded to you, I feel like this was a pretty rock solid initial release for a lighter and more efficient DHCP. From what I've gathered between here and Reddit, the majority of the people having issues decided to wing it with their setup and didn't read the guides first.

Oh, I followed that guide explicitly. It's absolutely busted for people who have anything beyond an extremely simplistic network.

See https://github.com/opnsense/core/issues/8623, https://github.com/opnsense/core/issues/8612, https://github.com/opnsense/core/issues/8611

Here's the fun part: you'd expect overrides in Unbound to be queried first by Unbound, right? e.g. if it's in Unbound's overrides, it doesn't even need to query an upstream (e.g. dnsmasq). Wrong. If you followed that guide and set up query forwarding for your local domain to dnsmasq, it'll query dnsmasq first, fail (since it's a non-existent DNS entry since it's, well, an override), and THEN fall back to its own overrides.

Like I said, busted.

Edit: Don't get me wrong - it works fine for regular internet usage. All my clients have internet connectivity. It's just absolutely busted for those who self host lots of services and so rely on hostname resolution, since the main problem right now is that hostname resolution is VERY rough around the edges compared to ISC

If you run the Adguard Home plugin on the OPNsense box, I guess it would get even more complicated.  In that case, you'd need to have Adguard on port 53 forwarding to Unbound on another port, say 5353, and then Unbound forwarding local domain queries to DNSmasq on yet another port, like 53053.  So local lookups would need to follow the path: Adguard (53) --> Unbound (5353) --> DNSmasq (53053).  Oof...

May 14, 2025, 11:17:39 PM #6 Last Edit: May 15, 2025, 12:29:24 AM by julsssark
Quote: So local lookups would need to follow the path: Adguard (53) --> Unbound (5353) --> DNSmasq (53053).  Oof...

This is my setup and it is working flawlessly. I am using a different port for Unbound because 5353 is used by mDNS. I believe Adguard and Unbound both have DNS caches, so not every request is going to result in 2 upstream requests.

I am using Blocky (53) and mapping.

That means:
Internal domains + arpa -> dnsmasq
Everything else -> unbound

Works fine here :) instead of blocky it could be adguard or whatever

Quote from: irrenarzt on May 09, 2025, 10:58:41 PM
Unbound on port 53, DNSmasq on port 53053, and set up the Unbound query forwarding in accordance with OPNSense docs:
https://docs.opnsense.org/manual/dnsmasq.html

I followed the examples at that link for my configuration, and it's running flawlessly for me across 5 different interfaces. Unlike the first person who responded to you, I feel like this was a pretty rock solid initial release for a lighter and more efficient DHCP. From what I've gathered between here and Reddit, the majority of the people having issues decided to wing it with their setup and didn't read the guides first.

I followed this guide and it mostly works, however I am having a problem with nslookup for the host overrides (reservations).  I get "unable to communicate with DNS" error messages when doing nslookup on the hosts that have reserved addresses.  nslookup works fine for the dynamically assigned hosts.  My setup is slightly different in that I am using two pihole DNS servers with unbound on OPNsense as the upstream DNS server.