Can Unbound DNSSEC be used with forwarding a private domain to Dnsmasq?

Started by LemurTech, Today at 04:25:18 AM

I'm running OPNsense 26.1.1 with:
  • Unbound as the main DNS resolver (full recursion)
  • Dnsmasq for DHCP for two VLANs (1 and 12); DNS listening on port 53053
  • Windows AD domain: sarangan.lan (VLAN 1, AD DNS forwards to Unbound)

Internal DNS domains
  • sarangan.lan - Windows domain, VLAN 1
  • iot.lan - IoT devices, VLAN 12 - pointed to Unbound
  • infra.lan - APs, switches in both VLANs - pointed to Unbound

Architecture
  • VLAN 1 domain clients use AD DNS
  • DCs forward all non-AD queries to Unbound (192.168.2.1)
  • Unbound does full recursion for public domains
  • Domain Override in Unbound: iot.lan -> 127.0.0.1:53053 so Unbound forwards iot.lan to Dnsmasq
  • Dnsmasq has DHCP reservations with hostnames under iot.lan

Behavior
With DNSSEC disabled in Unbound, everything works:
  • somedevice.iot.lan resolves (from VLAN 1 or from OPNsense)
  • DCs forward iot.lan queries properly
  • Unbound forwards to Dnsmasq correctly

If I enable DNSSEC, resolution for iot.lan starts failing within 30 seconds:
  • Queries return NXDOMAIN
  • Disabling DNSSEC immediately fixes it

Example (works, then stops working):

root@fw01:~ # nslookup emporia.iot.lan 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   emporia.iot.lan
Address: 192.168.12.86

root@fw01:~ # nslookup emporia.iot.lan 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find emporia.iot.lan: NXDOMAIN

I've tried:

  • Adding iot.lan, infra.lan, and sarangan.lan to Insecure Domains (these seem to be added automatically in the config when forwarding to Dnsmasq is configured, but I added them anyways).
  • Disabling Strict QNAME Minimisation
  • Disabling DNSSEC hardening
  • Clearing caches
  • Restarting services

The issue persists as long as DNSSEC is enabled.

I have been all over the interwebs and have had long discussions with the AI oracles. Is it expected behavior that Unbound DNSSEC validation conflicts with forwarding a private, non-delegated TLD like .lan to Dnsmasq?
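One way to narrow this down, as an added diagnostic that is not part of the post: query Unbound (127.0.0.1:53) with and without the CD (checking disabled) bit, and query Dnsmasq directly (127.0.0.1:53053), then compare the rcode and AD flag of each answer. If the NXDOMAIN goes away when CD is set, the difference lies on the validation path; if Dnsmasq on 53053 still answers, the record itself is intact and the forwarding hop is where the answer is lost. The name and ports come from the post; the packet builder and parser below are hand-written for the standard DNS wire format and assume plain UDP on localhost.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234, cd=False):
    """Build a minimal A/IN query. RD=0x0100; CD (checking disabled)=0x0010."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data):
    """Return the fields that matter here: rcode, AD/CD flags, answer count."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": qid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ad": bool(flags & 0x0020),   # answer was DNSSEC-validated by the resolver
        "cd": bool(flags & 0x0010),   # resolver echoed our checking-disabled request
        "answers": an,
    }


def probe(name, server, port, cd=False, timeout=2.0):
    """Send one query over UDP and parse the reply header (assumed: no truncation)."""
    query = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("response ID does not match query ID")
    return parse_response(data)


if __name__ == "__main__":
    name = "emporia.iot.lan"
    for label, server, port, cd in [
        ("Unbound, validating", "127.0.0.1", 53, False),
        ("Unbound, CD bit set", "127.0.0.1", 53, True),
        ("Dnsmasq directly", "127.0.0.1", 53053, False),
    ]:
        try:
            print(f"{label:22s} -> {probe(name, server, port, cd=cd)}")
        except (OSError, ValueError) as exc:
            print(f"{label:22s} -> error: {exc}")
```

Run it repeatedly over the 30-second window described above; a NOERROR/AD answer that turns into NXDOMAIN only on the validating query while Dnsmasq keeps answering is the pattern to report to the Unbound side.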