Unbound / Dnsmasq advice


I would like some advice about the "better" solution between Unbound and Dnsmasq, given the following goals:

I'm using:

  • BIND as an authoritative DNS for local domains on a dedicated IP.
  • ISC DHCPDv6 as DHCP v4 + v6 Server
  • Dynamic DNS DHCPd <-> BIND

I would like to be able to use a DNS resolver which could act as a "relay" between the clients and the router:

  • Forward and answer queries for internal domain names via BIND
  • Possibly support a sort of "multi-instance" setup with different internal domain names per interface, because DHCPd assigns different domain names depending on the interface.
  • Support adding the FQDN suffix to unqualified domain name queries
  • Support DNSSEC for internal and external domains
  • Forward and answer queries for external domain names without BIND
  • Support AdBlock-like domain blacklists

I currently have dnsmasq (DNS only) performing some of these tasks, but it seems that even when using domain=/#/xxx.xxx.xxx.xxx and domain=//internal.lan/xxx.xxx.xxx.xxx, dnsmasq forwards some, even many, internal queries outside.

I have read the README file of the Unbound package, and Unbound really seems to be the better solution.

I don't know which one would be better in terms of performance and flexibility.

Thank you in advance for your advice.

Kind regards

Unbound will do what you want best. Unbound can even be used as an authoritative buffer or proxy (see the auth-zone: clause), so the authoritative server never touches the unwashed masses. UCI/LuCI in OpenWrt 19.07 or master will let you prototype this behaviour fairly quickly. However, to get interface independent "views" you may need to disable UCI/LuCI and implement interface access tagging and view profiles in the raw unbound.conf. Depending on how complicated you make it, you may be able to implement views and UCI/LuCI in parallel using the unbound_srv.conf and unbound_ext.conf UCI appendix files.
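As an added example (not from the original posts and not the OpenWrt package's own configuration), here is a raw unbound.conf sketch of the layout the answer describes: per-subnet access-control-view lines do the "interface access tagging", each view decides which internal zone its clients may see, and auth-zone clauses transfer the internal zones from BIND and answer them from the local copy, so BIND only ever talks to Unbound. All addresses, zone names, blocklist names and file paths are assumptions made up for this example.

```conf
# Added example, not the original post's or the OpenWrt package's configuration.
# Assumed addressing (constructed for this example):
#   LAN    192.0.2.0/24      resolver listens on 192.0.2.1,     zone lan.internal
#   guest  198.51.100.0/24   resolver listens on 198.51.100.1,  zone guest.internal
#   BIND authoritative server on 192.0.2.53 (must allow AXFR from the resolver)
server:
    interface: 127.0.0.1
    interface: 192.0.2.1
    interface: 198.51.100.1
    do-ip6: yes

    # Only serve our own subnets; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 198.51.100.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Subnet -> view. The view chooses which internal names are visible.
    access-control-view: 192.0.2.0/24 "lan"
    access-control-view: 198.51.100.0/24 "guest"

    # DNSSEC validation for external names. The internal zones are unsigned in
    # this example, so they are declared insecure instead of failing validation.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    domain-insecure: "lan.internal"
    domain-insecure: "guest.internal"

    # DNS rebinding protection: private addresses are accepted in answers for
    # the internal zones only, never in answers that come from the Internet.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-domain: "lan.internal"
    private-domain: "guest.internal"

    # If BIND also serves reverse zones for RFC 1918 space, Unbound's built-in
    # empty reverse zones must be lifted first, for example:
    # local-zone: "168.192.in-addr.arpa." nodefault

    # Ad/tracker blocklist (placeholder names). A global local-zone applies to
    # every client; put the same lines inside a view to block per subnet.
    local-zone: "ads.example." always_nxdomain
    local-zone: "tracker.example." always_nxdomain

    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes

# Views are consulted before the auth-zone copies, so a view can hide an
# internal zone from a subnet that must not see it.
view:
    name: "lan"
    view-first: yes      # no answer in the view -> continue with the global config

view:
    name: "guest"
    view-first: yes
    local-zone: "lan.internal." always_nxdomain   # guests cannot enumerate LAN hosts

# Internal zones: AXFR them from BIND and answer from the local copy.
# for-downstream serves the copy to clients, for-upstream makes the resolver
# use it instead of querying BIND, and fallback-enabled: no means an unusable
# copy yields SERVFAIL rather than a query to the Internet for that zone.
auth-zone:
    name: "lan.internal."
    master: 192.0.2.53
    allow-notify: 192.0.2.53    # newer Unbound releases; lets BIND push DDNS updates
    fallback-enabled: no
    for-downstream: yes
    for-upstream: yes
    zonefile: "/var/lib/unbound/lan.internal.zone"

auth-zone:
    name: "guest.internal."
    master: 192.0.2.53
    allow-notify: 192.0.2.53
    fallback-enabled: no
    for-downstream: yes
    for-upstream: yes
    zonefile: "/var/lib/unbound/guest.internal.zone"
```

On OpenWrt the split the answer mentions maps onto this directly: the server: lines belong in unbound_srv.conf and the view: and auth-zone: clauses in unbound_ext.conf. Run unbound-checkconf before reloading, and keep in mind that Unbound does not append search suffixes to unqualified names; that remains the client resolver's job, driven by the DHCP domain and search options, so the "FQDN for unqualified queries" goal is met on the DHCPd side rather than here.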