Unbound to DNSMasq

Started by spetrillo, May 12, 2025, 05:09:09 PM

Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM
Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream.

Otherwise, you need this patch:

opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8

With it you can set "Do not forward to system defined DNS servers" in dnsmasq and provide your own ones in the "Domain" tab. Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).

Since updating to 25.1.8_1, I can no longer use an asterisk (*) to specify any domain. Are there any workarounds?

opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1
Hardware:
DEC740

Quote from: Monviech (Cedrik) on June 15, 2025, 08:20:18 PM
opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1

Patch works - thanks!!

Quote from: Monviech (Cedrik) on June 15, 2025, 08:20:18 PM
opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1

Exactly what I was looking for, after migrating from KEA+Unbound to my favorite: dnsmasq. :)

I had solved it temporarily using a custom .conf file with a single line (server=xx.xx.xx.xx).

Since it seemed weird I couldn't configure a default forwarder, and had to rely on a custom .conf file, I was about to raise an issue on GH because * wasn't working in domains, but I checked the forum first, and (very luckily) I found this thread.

Thank you for the patch Cedrik, just one question: is the strict-order option enabled by default? Is there a UI checkbox to configure it?

Great work on dnsmasq, I much prefer it over KEA+Unbound for my homelab's use case.

There is a checkbox in the general settings, maybe in advanced mode called "Query DNS Servers sequentially" or something.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on June 16, 2025, 06:51:46 AM
There is a checkbox in the general settings, maybe in advanced mode called "Query DNS Servers sequentially" or something.
Found it; from the description I thought it was only applicable to System resolvers.

I would also suggest inverting the DHCP Interface setting logic to "Enable DHCP on these interfaces:". The [no dhcp] helps, but it's confusing.

The upstream documentation suggests that it only works for resolv.conf, but empirical testing revealed it also works for server directives for some reason.

I don't think we can easily change the no dhcp interfaces anymore without some migration, so let's leave it for now.
Hardware:
DEC740
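For readers who want to see what the patched UI options discussed above (system DNS servers not used, a "*" domain entry pointing at Unbound on 127.0.0.1 port 53053, "Query DNS Servers sequentially") and the one-line custom .conf workaround correspond to in plain dnsmasq terms, here is an added example configuration; it is not from the thread or from OPNsense, the port 53053 is taken from the thread, the local zone name "lan" is an assumption, and the mapping of UI labels to directives is how stock dnsmasq reads these options rather than a quotation of OPNsense's generated config.

```conf
# Added example, not from the thread or from OPNsense. Assumptions: Unbound
# listens on 127.0.0.1 port 53053 (as in the thread), the local zone is "lan",
# and dnsmasq is what LAN clients reach on port 53.

# --- Weak (unpatched behaviour) --------------------------------------------
# With no "no-resolv" and no "server=" line, dnsmasq reads /etc/resolv.conf,
# which holds the System > Settings > General servers, so every query that is
# not answered locally goes to that external resolver and Unbound is bypassed.
#   (nothing to configure: this is the default)

# --- Hardened (what "Do not forward to system defined DNS servers" plus a
# "*" domain entry for 127.0.0.1 port 53053 amount to) -----------------------

# Ignore /etc/resolv.conf entirely.
no-resolv

# Forward everything ("*") to the local recursive resolver; "#" separates the port.
server=127.0.0.1#53053

# "Query DNS Servers sequentially": use servers strictly in the order listed
# instead of letting dnsmasq prefer whichever answered fastest.
strict-order

# Never send single-label names (e.g. "printer") upstream.
domain-needed

# Never send reverse lookups for private (RFC 1918) ranges upstream.
bogus-priv

# Answer the local zone from DHCP leases / hosts only; never forward it.
local=/lan/

# The one-line custom .conf workaround from earlier in the thread, kept here
# for comparison: on its own, a bare "server=" line is used in addition to the
# resolv.conf servers, so the system DNS servers still receive queries unless
# "no-resolv" is also set.
# server=xx.xx.xx.xx
```

To confirm nothing is reaching the System > Settings > General servers, temporarily add log-queries and check that forwarded queries in the dnsmasq log go to 127.0.0.1 rather than an external address.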

June 22, 2025, 12:15:50 PM #37 Last Edit: June 22, 2025, 12:17:35 PM by DEC670airp414user
I migrated to Kea probably a year ago on business edition. But now I am reading: "but without Dnsmasq DHCP support and the recent captive portal backend switch."

https://forum.opnsense.org/index.php?topic=47329.0

will DNSMasq eventually be added to the business edition?

no dns over DOT? yikes. kea and unbound sound better and better to me all around

Yeah, it will be added eventually once it has matured; that's what the business edition is for.

Dnsmasq is just a forwarder in terms of DNS. This is the kind of setup we recommend:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Just use KEA and Unbound if it currently works for you. I don't understand the "yikes". Each component has its own advantages and disadvantages.
Hardware:
DEC740

Thank you all.
What's wrong with KEA? Is it not possible to be used?

KEA, ISC and DNSMasq can all be used. Pick the one that works best for your requirements.

Since I started this, I will ask another question: is there a guide to go from Unbound to DNSmasq? And why would I need a recursive DNS?

All client/host systems need a recursive DNS server at one point in the chain to resolve names to IP addresses. You can use your ISP's, 1.1.1.1/8.8.8.8/etc. or simply run your own.

IMHO the last option is the most privacy conservative available even without encryption.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on November 13, 2025, 09:21:14 PM
All client/host systems need a recursive DNS server at one point in the chain to resolve names to IP addresses. You can use your ISP's, 1.1.1.1/8.8.8.8/etc. or simply run your own.

IMHO the last option is the most privacy conservative available even without encryption.

So I have configured Quad9 as my DNS under System/Settings/General. They are recursive, correct?

If that is the case then why do I need a local recursive DNS? Is Unbound setup to be recursive out of the box?

Unbound is recursive out of the box. That's what it's for.

I don't want to give all my DNS requests to Quad9 or any other external entity. That's why I don't use any of them but only Unbound.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)