Overriding Unbound DNS using DNSMasq

Started by routelots, August 24, 2025, 03:22:44 PM

August 24, 2025, 03:22:44 PM Last Edit: August 24, 2025, 07:35:43 PM by routelots
I'm attempting to migrate my setup away from ISC DHCP onto DNSMasq, but I'm not confident in one aspect of my setup.

The simplified overview of my current setup is:

Interfaces:
- Interface 1-5: Various VLANs that use my normal gateway and Quad9 DNS
- Interface 6: VPN VLAN that uses VPN gateway and VPN DNS

DHCP:
- All interfaces being served by ISC DHCPv4

DNS:
- Interface 1-5: Bound to Unbound DNS
- Interface 6: DNS overwritten by OPNsense (via ISC DHCPv4 > Interface 6 > DNS Servers)

Firewall:
- Interface 1-5: Have regular rules
- Interface 6: Tags and forces all traffic through the VPN gateway, and for RFC1918 it allows access to the regular gateway.


I'm attempting to set this up with Unbound DNS and DNSMasq, and I want to make sure I won't have any issues. My understanding is for overwriting the DNS for interface 6 I can just do the following:
- Keep DNSMasq DNS option disabled (Port set to 0)
- Tag the DHCP for Interface 6 with something like "VPN"
- Under DHCP Options: "Set" DNS servers for all "VPN" tagged DHCP to my VPN's DNS server.

Is that it? Am I overthinking it, or is there a reason that I'm not understanding to have both Unbound and DNSMasq running with forwarding enabled for my setup?
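The three GUI steps above, written out in raw dnsmasq configuration syntax so the mechanics are visible. This is an added illustration, not part of the original post and not the configuration OPNsense generates (OPNsense writes dnsmasq's config from the GUI settings; it is shown here only to make the semantics of "port 0", tagging and tag-scoped options clear). The interface names, the VLAN subnets, the firewall address and the VPN resolver address are constructed placeholders.

```ini
# Added example (not from the thread): dnsmasq equivalents of the GUI steps.
# All addresses and interface names below are constructed placeholders.

# Step 1: keep dnsmasq's DNS service disabled so Unbound stays the resolver.
# Setting the port to 0 leaves only the DHCP (and TFTP) functions active.
port=0

# Serve DHCP only on the interfaces you assign (placeholder names).
interface=vlan0.1
interface=vlan0.6
bind-interfaces

# Untagged pool for a regular VLAN (Interface 1, 10.1.0.0/24 here).
dhcp-range=10.1.0.100,10.1.0.200,255.255.255.0,12h

# Step 2: tag every lease handed out on the VPN VLAN (10.6.0.0/24) with "VPN".
dhcp-range=set:VPN,10.6.0.100,10.6.0.200,255.255.255.0,12h

# Step 3: "Set" the DNS server (DHCP option 6) only for VPN-tagged clients.
# 10.64.0.1 stands in for the VPN provider's resolver.
dhcp-option=tag:VPN,option:dns-server,10.64.0.1

# Defensive default: clients WITHOUT the VPN tag are pointed explicitly at
# Unbound on the firewall. The special address 0.0.0.0 is replaced by
# dnsmasq with its own address on the interface the lease was served on,
# so one line covers every regular VLAN without relying on implicit behaviour.
dhcp-option=tag:!VPN,option:dns-server,0.0.0.0
```

To verify the result, check the lease on a client in the VPN VLAN: its configured resolver should be the VPN DNS address, while a client on a regular VLAN should show the firewall's address and get its answers from Unbound. With `port=0` dnsmasq itself answers no queries, so hostnames it leased cannot be looked up through it; that is the trade-off the later replies in this thread describe. Note also that a DHCP-assigned resolver only steers well-behaved clients; the interface 6 firewall rules that force traffic through the VPN gateway are what actually stop DNS from leaving via the regular gateway.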
If you don't need automatic hostname registration you don't have to forward DNS from Unbound to DNSmasq.

Otherwise follow this guide:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
Hardware:
DEC740

Quote from: Monviech (Cedrik) on August 24, 2025, 04:42:39 PM
> If you don't need automatic hostname registration you don't have to forward DNS from Unbound to DNSmasq.
>
> Otherwise follow this guide:
> https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

I assume you're referring to the hostnames for Interface 6 (VPN devices) only, right? If I don't care about those devices, then is my method of using DHCP options for the DNS the "correct" way to do things?

Every device that gets a DHCP lease from dnsmasq gets its hostname registered.

E.g. a device named "smartphone" that gets the lease 192.168.1.1 can be queried via "nslookup smartphone" and dnsmasq answers with the IP.

If you don't need that then by all means disable DNS in dnsmasq via port 0.
Hardware:
DEC740