I have so far been running dnsmasq as it comes out of the box.
To enjoy various DNS security protocols I installed unbound and the LuCI interface for unbound.
I configured it to use dnsmasq for DHCP. (The DoT resolution works like a charm - but that is not the topic here. If you are interested in the setup, you may still ask.)
I need this because I have configured a substantial number of internal hostnames in dnsmasq. A more detailed explanation follows further down.
It seems that unbound first asks any servers configured in unbound, and if it does not find an answer there, it will ask dnsmasq. This means that if there is a hostname that exists on an external NS and also in my dnsmasq hostnames, unbound will answer with the IP resolved from the external NS.
So you ask - what the .... why is this a problem?
There is one use case that makes me depend on this:
For all mobile clients I have configured a global name for all my own services that I consume from my home LAN and also when on the road, coming from the WAN. However, these services are not running on OpenWrt, but in my DMZ on a dedicated server. If I just provide a DDNS IP for the service, it will be reachable from the WAN, i.e. when I am on the road. But from my home LAN this does not work, because the packets would need to be routed to the WAN interface and from there would need to be forwarded back to the DMZ server. OpenWrt doesn't do this, and it would also be inefficient.
To solve this, I also provided the same global names - which I registered with DDNS providers - in my dnsmasq hostnames, but assigned the internal DMZ IP addresses there - not the external IP.
So far this has worked very well, because dnsmasq was responding with the local hostnames first, before it was asking external NSes.
Since I use unbound, this order has turned around, and the IPs from the external DDNSes are returned before the internal dnsmasq is asked.
This way, I cannot reach my DMZ services using the global names any more from LAN.
Long story short - the question is:
Is there a way I can make unbound ask the local dnsmasq BEFORE it asks other NSes?
(Or is this overall a stupid idea, and do you have a better solution for how I can reach my DMZ services from LAN and from WAN using the same FQDN?)
Any help is highly appreciated!
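One way to get the ordering the question asks for is not to change the global order at all, but to pin the DDNS domain to dnsmasq with a forward-zone in unbound, so unbound never consults a public resolver for those names. The snippet below is an added example in plain unbound.conf syntax, not the poster's configuration or an OpenWrt package default; it assumes dnsmasq has been moved to 127.0.0.1 port 1053 (unbound owning port 53), that "myhome.example" stands in for the DDNS domain, and that the DMZ lives in 192.168.0.0/16.

```conf
# Added example (not from the original post): split-horizon handling in
# unbound.conf so that names kept in dnsmasq are answered from dnsmasq and
# unbound never falls through to the public DDNS record for that zone.
# Assumptions: dnsmasq listens on 127.0.0.1:1053, "myhome.example" is the
# DDNS domain, and the DMZ addresses are inside 192.168.0.0/16.
server:
    # Rebind protection: unbound drops upstream answers that carry RFC1918
    # addresses. private-domain lifts that filter only for the zone that is
    # deliberately answered with internal DMZ addresses.
    private-address: 192.168.0.0/16
    private-domain: "myhome.example"
    # dnsmasq hands back unsigned records for a name whose public zone may be
    # DNSSEC-signed; without this a validating unbound would SERVFAIL them.
    domain-insecure: "myhome.example"

# Every query under myhome.example goes to dnsmasq and only to dnsmasq.
# forward-first: no (the default) means a failure here is not retried
# against the public DNS, so the external DDNS IP can never leak back in.
forward-zone:
    name: "myhome.example"
    forward-addr: 127.0.0.1@1053
    forward-first: no
```

If only a handful of names are involved, the same effect without the extra hop to dnsmasq is a `local-zone: "myhome.example" static` plus one `local-data:` line per name in the same `server:` section. Verify from a LAN client with `dig @<router-ip> service.myhome.example` that the answer section now shows the DMZ address rather than the DDNS one.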