Prevent unbound from being local dns server

Pulling my hair out on this one. I've been searching for hours but cannot find an answer to what should be a simple thing.

I have unbound installed on one of my routers but only want to use it as a dns server.
The unbound service is putting 127.0.0.1 in the resolve files but I don't want to use unbound for the router dns, I want to use the upstream dhcp dns servers being given.

How can I prevent unbound from doing this?

The 127.0.0.1 is there by default in OpenWrt, along with ::1.

Correct but I want to disable Unbound from considering itself as a local DNS resolver and to use the dns servers being given by the dhcp upstream.

In other words, I also don't want to use unbound as a dns forwarder but as a simple recursive dns server on the router for emergencies. Outside of that function, I just want the local services to use the dhcp servers being given by the upstream dhcp server.

If you want to live on the edge, you can comment out line 1596 below from /usr/lib/unbound/unbound.sh (at your own risk, of course).

1 Like

I don't want to live on the edge :).
I know there is an option, a simple directive, maybe two, that I used to apply a long time ago, but I cannot find my notes. I think it was applied in the /etc/config/dhcp file.

The directives said to use the upstream dhcp server dns being provided and not local.

localuse in dhcp influences the /etc/resolv.conf content, but Unbound doesn’t respect that setting.

1 Like

I don't have dnsmasq installed so I have no such option.
The device is not actually being used as a router, just a little SDR antenna, and I wanted to have a DNS server on it as well for some redundancy.


config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option domain 'lan'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Then I would just comment out the line I mentioned.

Before doing that, which is a hack, I know there is a simple directive or two that can be used.
I usually use image builder to keep a copy of my original firmware and tend to make the changes in the files/ directory; otherwise I lose track of hacks, which is why I don't tend to use hacks.

You could try adding echo "nameserver 8.8.8.8" > /etc/resolv.conf (or whatever DNS IP you'd like to use) to your local startup script.
You can run the command from the CLI first, to see if it works.

1 Like

I think it was called rebind or something like that.

Yes but all those suggestions are hacks. That would hard code 8.8.8.8 when I need to use the upstream dhcp dns servers being provided.

There's a check box somewhere about upstream DNSes, but if unbound actually adds the entry to resolv.conf, you need to play dirty too.

Disable unbound, reboot, and see if resolv.conf differs.

1 Like

I don't use any gui, command line only.
Yes, disabling unbound uses the dhcp provided dns servers.
I thought it might be this option, enabled or not, but that didn't work.

config zone 'fwd_isp'
        # forward ISP account management to DHCP announced DNS servers
        option enabled '0'
        option fallback '1'
        option resolv_conf '1'
        option zone_type 'forward_zone'
        list zone_name 'isp-bill.example.com.'
        list zone_name 'isp-mail.example.net.'

I'm almost sure it was a directive in the dhcp file.

If dnsmasq isn’t active, it’s not going to process the dhcp config file for this particular purpose. Unbound overwrites the resolv.conf because that function I mentioned earlier tells it to.

4 Likes

There's no specific UCI option, and you have only 2 ways to skip overwriting the resolver config, i.e. change the default Unbound port, or enable and start Dnsmasq as the default resolver:

3 Likes

Just breaking in on this conversation with my 2c:
I've been using unbound for a while now, and what I've noticed is that for DNS requests it is simply a cached DNS resolver. It uses upstream servers to forward any request not in the cache. If you remove the default zones and replace it with a zone with the servers of your choice, you should be set.
To protect against upstream 127.0.0.0/8 responses you can turn on the "Filter localhost rebind" option, and there are also options for filtering private rebinds. I'm sorry, I am mainly a LuCI user, so I can't tell you the CLI commands... hope this helps though.

2 Likes

I wonder if maybe I used to have dnsmasq installed after all? I definitely recall all I needed was one or two directives in a config file. I'll give that a try right now.

What is a good command to test which dns server is being used when testing?
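As an added example, not from any poster in this thread: a small POSIX shell check for the "disable unbound, reboot, see if resolv.conf differs" step suggested earlier, which also covers the last question as far as the resolver file goes. It classifies whether a resolv.conf points only at loopback (Unbound owning the resolver), only at non-loopback servers (the DHCP-provided ones), or both. The sample files and the 192.0.2.x / 2001:db8:: addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Classify what a resolv.conf points at:
#   "local"    every nameserver is loopback (127.0.0.0/8 or ::1) -> Unbound owns the resolver
#   "upstream" no loopback entries -> DHCP-provided servers are in use
#   "mixed"    both kinds present
#   "none"     no nameserver lines at all
resolv_mode() {
    file="${1:-/etc/resolv.conf}"
    local_n=0
    upstream_n=0
    # Comment lines ("# Interface lan") and "search" lines have a key other
    # than "nameserver" and are skipped.
    while read -r key val _; do
        [ "$key" = "nameserver" ] || continue
        case "$val" in
            127.*|::1) local_n=$((local_n + 1)) ;;
            *)         upstream_n=$((upstream_n + 1)) ;;
        esac
    done < "$file"
    if [ "$local_n" -gt 0 ] && [ "$upstream_n" -gt 0 ]; then
        echo mixed
    elif [ "$local_n" -gt 0 ]; then
        echo local
    elif [ "$upstream_n" -gt 0 ]; then
        echo upstream
    else
        echo none
    fi
}

# Constructed sample files standing in for the two states discussed above:
# what Unbound writes, and what the DHCP client writes when Unbound is disabled.
SAMPLE_DIR="${TMPDIR:-/tmp}/resolv-demo.$$"
mkdir -p "$SAMPLE_DIR"
printf 'search lan\nnameserver 127.0.0.1\nnameserver ::1\n' > "$SAMPLE_DIR/unbound.conf"
printf '# Interface wan\nnameserver 192.0.2.53\nnameserver 2001:db8::53\n' > "$SAMPLE_DIR/dhcp.conf"

# Run directly to compare the samples with the live file:
#   sh resolv_mode.sh
for f in "$SAMPLE_DIR/unbound.conf" "$SAMPLE_DIR/dhcp.conf"; do
    echo "$f: $(resolv_mode "$f")"
done
[ -r /etc/resolv.conf ] && echo "/etc/resolv.conf: $(resolv_mode /etc/resolv.conf)"
```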