ECS and DNSSEC Setup

Started by spetrillo, December 21, 2025, 05:21:41 PM

Hello all,

I am using Quad9's Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled DNS service. How do I configure Unbound to handle this? Do I need to worry about dnsmasq DNS services also?

Thanks,
Steve

Today at 08:10:10 AM #1 Last Edit: Today at 08:30:28 AM by OPNenthu
ECS or not makes no difference in how you configure Quad9 for Unbound. It's just a forwarding address with a different IP than the non-ECS version: 9.9.9.11 vs. 9.9.9.9. Unbound doesn't care :)

Quad9's TLS forwarding guide for OPNsense: https://docs.quad9.net/Setup_Guides/Open-Source_Routers/OPNsense_%28Encrypted%29/

Curious - why do you prefer the ECS version? Do you get an appreciable performance boost from CDNs?

If Unbound is doing your DNS resolution then Dnsmasq should not be reached by your clients. You need to configure it as per the examples in https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples and make sure Unbound is forwarding to Dnsmasq for your internal domains. Dnsmasq doesn't need to know anything about Quad9 in this case. It should never be answering queries for any domain except those configured on your network.
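The two forwarding relationships the reply describes (Unbound to Quad9 over TLS for everything, Unbound to Dnsmasq for the internal domain only) look like this in raw unbound.conf syntax. This is an added example, not a configuration from the thread, from Quad9 or from the OPNsense project; the OPNsense GUI generates equivalent directives. The 9.9.9.11 address is from the reply; 149.112.112.11 and the TLS name dns11.quad9.net are Quad9's published values for the ECS service and should be checked against the guide linked above. The internal domain home.arpa, the LAN range 192.168.0.0/16, the Dnsmasq port 53053 and the file paths are assumptions to replace with your own.

```conf
# Added example (not from the thread or from Quad9/OPNsense docs).
server:
    interface: 0.0.0.0
    interface: ::0
    port: 53
    # Only the LAN may query this resolver (assumed range).
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.0/8 allow

    # Validate DNSSEC locally as well. Quad9 already validates, but doing it
    # here means tampering on the path between you and Quad9 is also caught.
    # Path is an assumption; OPNsense keeps the anchor under /var/unbound.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # CA bundle used to check the upstream TLS certificate (assumed path).
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # Unbound refuses to forward to 127.0.0.1 unless this is switched off;
    # it is needed for the Dnsmasq forward-zone below.
    do-not-query-localhost: no

    # The internal zone is unsigned, so tell the validator not to expect
    # signatures there, and allow RFC1918 addresses in its answers.
    domain-insecure: "home.arpa."
    private-domain: "home.arpa."
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    # Unbound serves the RFC1918 reverse zones itself (empty) by default;
    # disable that default so reverse lookups reach Dnsmasq too.
    local-zone: "168.192.in-addr.arpa." nodefault
    domain-insecure: "168.192.in-addr.arpa."

# Everything not matched by a more specific zone goes to Quad9 Secured w/ECS
# over TLS on port 853. The name after '#' is the certificate name Unbound
# verifies; a plain "forward-addr: 9.9.9.11" without TLS would send queries
# in the clear and skip certificate checks.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.11@853#dns11.quad9.net
    forward-addr: 149.112.112.11@853#dns11.quad9.net

# Only the internal domain and its reverse zone are handed to Dnsmasq, assumed
# to listen on 127.0.0.1:53053 (any free port other than 53, which Unbound
# owns). Dnsmasq needs no upstream servers of its own: it answers only for
# names it learns from DHCP leases or its hosts file.
forward-zone:
    name: "home.arpa."
    forward-addr: 127.0.0.1@53053
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@53053
```

After applying a change like this, `unbound-checkconf` catches syntax errors before a restart, and `dig @127.0.0.1 example.com +dnssec` should return an answer with the `ad` flag set, while a query for a host in the internal domain should come back from Dnsmasq without any TLS or DNSSEC involvement. If the `ad` flag is missing on public names, the usual causes are a wrong or unreadable trust anchor file or a `tls-cert-bundle` path that does not exist on the system.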