Help understanding some dnsmasq options when using it with Unbound

robbins · February 5, 2026, 5:13pm

I want to use Unbound as recursive DNS resolver, and dnsmasq just for DHCP and for generating DNS entries for hostnames.

I’m following this section of the Unbound docs https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md#parallel-dnsmasq and everything seems to be working, but I’m having some trouble understanding what some of the options I’m setting mean and how the setup actually works.

I understand that Unbound is exposed on port 53, and dnsmasq is on port 1053 and will only handle LAN domains:

> , dig @10.17.0.1 -p 53 +short fast.com
184.25.66.202
> , dig @10.17.0.1 -p 53 +short hostname.home.arpa
10.17.0.152
> , dig @10.17.0.1 -p 1053 +short hostname.home.arpa
10.17.0.152
> , dig @10.17.0.1 -p 1053 +short fast.com

but how does Unbound know to forward my local DNS names to dnsmasq? Where is that configured?

Secondly, what does the following do?

  option noresolv '1'
  option resolvfile '/tmp/resolv.conf.auto'

I understand I want noresolv so it doesn’t configure any upstream servers (/etc/resolv.conf is linked to linked to resolvfile and contains localhost which would be Unbound, so that’s fine), but then why do we set resolvfile? And do I need to have localuse=1 set? I seem to be able to ping local domains on the router with that set to 0 or 1.

Finally, why do we specify address as 0.0.0.0 here?

`config dhcp 'lan'

dnsmasq may not issue DNS option if not std. configuration

list dhcp_option 'option:dns-server,0.0.0.0'`

Is this the same as setting it to my LAN IP? Clients do get my router LAN IP as a DNS server via DHCP. Thanks

brada4 · February 5, 2026, 5:28pm

Check ps and examine unbounds generated conf file?

robbins · February 5, 2026, 5:32pm

Hm, ok, thanks, I see this which I guess answers the first part of my question:

forward-zone:
  name: home.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

But still not sure of the rest.

dave14305 · February 5, 2026, 5:33pm

The dhcp_link option invokes an extra script that configures Unbound to forward your LAN domain to 127.0.0.1 on port 1053.

github.com/openwrt/packages

net/unbound/files/dnsmasq.sh

025c0c58b


      
            # This is derived from dnsmasq local domain and dhcp service subnets
            echo "forward-zone:"
            echo "  name: $fwd_domain"
            echo "  forward-first: no"
            for port in $DM_LIST_FWD_PORTS ; do
              echo "  forward-addr: 127.0.0.1@$port"
            done
            echo
          } >> $UB_EXTMASQ_CONF

I have no idea yet why this is set to a non-existing file.

In dnsmasq, that address means "the IP of the server where dnsmasq is running". It's generic enough to work in most situations. You could override it, but not usually worth it.

robbins · February 5, 2026, 5:35pm

/tmp/resolv.conf.d/resolv.conf.auto does exist, so maybe the path just moved, but it contains my WAN ISP DNS servers, which I obviously don’t want to use. So I still don’t see the intent behind setting that and I guess I can leave it out since the file doesn’t exist.

Ah, I see, so more convenient if I ever change the LAN IP. Awesome, thanks for the help