I just installed today’s snapshot + luci + unbound + unbound-luci-app.
In the unbound luci configuration, there is an Unbound → DHCP submenu with an option “DHCP Link”, allowing one to choose the connection to the DHCP server; the choices are (none), dnsmasq, and odhcpd.
But what exactly does it do? I did not find any differences in the generated unbound.conf after changing the option (and “Save & Apply”).
How does unbound connect to dnsmasq?
The usual way is to put dnsmasq on any port other than 53, thus allowing unbound to sit on port 53, and then configure unbound to query the lan domain from dnsmasq on its new port. Unbound doesn’t “know” about dnsmasq then; it just sees some other DNS server that is authoritative for that domain, without caring what sort it is.
But once selecting dnsmasq as the link, there is no option to enter a port. It just offers the choice of the local domain and extra DNS.
How does unbound know where to find dnsmasq without configuring dnsmasq’s new port number? Does it read it from dnsmasq’s configuration? What does that selector actually do?
Currently, I do have dnsmasq unchanged on port 53, and unbound on 3053, and the connection doesn’t work. I’d love to debug, but actually I haven’t found yet what to debug.
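The split-port layout described above (dnsmasq moved off port 53, unbound on 53, unbound handing the local domain to dnsmasq) can be written out by hand without the LuCI “DHCP Link” selector. The fragment below is an added example for this thread, not configuration generated by the OpenWrt unbound package or posted by anyone in the thread. It assumes dnsmasq is moved to port 1053, the local domain is `lan`, and the LAN subnet is 192.168.1.0/24; change those to match the router.

```conf
# --- /etc/config/dhcp (OpenWrt UCI), relevant lines only ---
# Move dnsmasq off port 53 so unbound can take it. dnsmasq keeps
# answering DHCP and the names of its leases, just on the new port.
config dnsmasq
	option port '1053'          # assumption: any free port other than 53
	option domain 'lan'         # local domain handed out to clients
	option local '/lan/'        # never forward *.lan upstream

# --- unbound.conf fragment (hand-written equivalent of the link) ---
server:
	interface: 0.0.0.0
	port: 53
	# The stub below points at 127.0.0.1; unbound refuses to query
	# localhost unless this is switched off.
	do-not-query-localhost: no
	# Names under lan. are served by dnsmasq and are not DNSSEC-signed,
	# so tell the validator not to expect signatures for them ...
	domain-insecure: "lan"
	domain-insecure: "1.168.192.in-addr.arpa"
	# ... and allow private (RFC 1918) addresses in answers for lan.,
	# which the rebinding protection would otherwise strip.
	private-domain: "lan"
	# unbound blocks RFC 1918 reverse zones by default; release the
	# one for the LAN subnet so reverse lookups also reach dnsmasq.
	local-zone: "1.168.192.in-addr.arpa." nodefault

# Forward-direction names: host.lan -> dnsmasq on the new port.
stub-zone:
	name: "lan."
	stub-addr: 127.0.0.1@1053

# Reverse direction for 192.168.1.0/24 (assumed subnet).
stub-zone:
	name: "1.168.192.in-addr.arpa."
	stub-addr: 127.0.0.1@1053
```

Two things worth checking after applying this. `unbound-checkconf` on the router reports syntax errors before the service is restarted, and `nslookup somehost.lan 127.0.0.1` (port 53, i.e. unbound) should return the same address as a query sent straight to dnsmasq on port 1053; if only the direct query works, the stub or the `do-not-query-localhost` line is the usual culprit. The `domain-insecure` lines matter for the security posture: without them a validating unbound would mark the unsigned `lan.` answers as bogus and drop them, and the temptation is then to weaken validation globally rather than just for that zone.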
I have tried unbound with dnsmasq many times before uninstalling, as I would end up having unstable internet. Finally, I was able to get it to work by installing unbound on a dumb AP (TP Link Onhub) and leaving DHCP Link set to none, as that was causing problems due to some misconfiguration (I am sure). So now dnsmasq is what my network knows, and dnsmasq knows of unbound from the lan DNS settings.
It works, as my leak test finds only my public IP (IP pass through from AT&T) and says DNSSEC is working. Should I also change my WAN DNS to the unbound instance by tunneling my WAN (VLAN) to this AP and getting unbound to service requests on the firewall-isolated interface (TBD)? The IP address of this interface (VLAN - WAN) can be entered on the router’s WAN interface advanced tab.
I initially had 9.9.9.9, 8.8.8.8 and 1.1.1.1 in addition to my unbound DNS address, and I had ticked “all servers” as I thought unbound would usually come back faster. These stand removed now.
Question:
Tunnel VLAN to dumb AP and use that address on wan interface (dns) of the router?
Unbound on WAN is not needed?
It is better to have an isolated unbound openwrt device on the AT&T Device WAN switch port.