Unbound+DNS Firewall via IPSET DNS.. is this possible?

Hello again,

It seems i've been asking a lot in the forums lately ahahaha :rofl:

i'm currently using dnsmasq-full with the ipset-dns (based on this setup: DNS-based firewall with IP sets)

Now I tried experimenting moving to a Unbound based DNS setup, but I can't seem to make the DNS IPSET work.

I've tried looking for wiki's or documents that may be related to this but can't find any.

Can anybody point me to the right direction?

It looks like DNS IPSET depends on dnsmasq so, to get DNS IPSET to work with unbound, I reckon you'll probably have to configure dnsmasq to use unbound as its upstream resolver.

I use Pi-hole (based on dnsmasq) and unbound together on the same device. I used https://docs.pi-hole.net/guides/dns/unbound/ to help me configure it. While that guide is intended for Pi-hole, remember that Pi-hole is just a fancy front end to dnsmasq.

In a nutshell, unbound is the upstream resolver for Pi-hole/dnsmasq. Following that configuration guide, it listens on port 5335 which means dnsmasq has to talk to for upstream resolution. By default unbound listens on port 53 which would conflict with dnsmasq, hence the need to configure unbound to use a different port.

1 Like

Ok.. so totally moving to a full unbound for DNS won't work? I was thinking of just using dnsmasq for the dhcp :smile:

thanks.. i guess i'll stay with dnsmasq for a while longer :laughing: unless there is a way to make DNS IPSET work with unbound directly :slight_smile:

It seems that Unbound provides built-in IP set support.
But it is missing in 19.07 and enabled only in 21.02/master.

Another option is to set up Unbound forward zone to the ipset-dns resolver:


I just found an Issue on GitHub which suggests that this is intentional: https://github.com/openwrt/packages/issues/13810


i've tried this route but I wasn't sure if I was doing it correctly since I can't find any documentation related to ipsets (although it was mentioned on the options, which was mentioned only once and nothing more)

Hmmm.. i think i've found the possible solution

in the IPSet DNS documentation, this is how the domains to be filtered are configured

# Configure domains to filter
uci add_list dhcp.@dnsmasq[0].server="/example.com/"
uci add_list dhcp.@dnsmasq[0].server="/example.net/"
uci commit dhcp
/etc/init.d/dnsmasq restart

And according the the README of unbound, you can define a similar setup like this:

  # this alternate server is fully specified inline
  list server ''

So combining the two, might work??

uci add_list unbound.forward.server=''
uci add_list unbound.forward.server=''
uci commit unbound
/etc/init.d/unbound restart

I haven't tried it yet.. probably in the next few days i'll get a chance to test it out.

1 Like

Good luck!

1 Like

Just an update.. i can't make UNBOUND work with IPSET-DNS directly ahahahahaha.. back to the drawing board then :rofl: :rofl: :rofl:

1 Like