Using Unbound as recursive DNS server: serial or parallel

Hi,
I want to use Unbound as recursive DNS server.
Based on the available documentation it can be either serial dnsmasq or parallel dnsmasq. (Unbound and odhcpd are currently not an option.)

In my understanding, serial dnsmasq is comparable to setting up Pi-hole with Unbound as recursive DNS server, as documented here.

The OpenWrt documentation talks about several disadvantages of serial dnsmasq, and it makes sense.
However, I wonder why Pi-hole advises setting up serial dnsmasq.

What are your thoughts on this?

In my understanding, parallel dnsmasq uses dnsmasq's DHCP functionality only; the DNS functionality is not disabled but moved to a port that is typically not used for DNS requests. Is this correct?

Another question is related to root.hints file.
In my understanding, this file is key to using Unbound as recursive DNS server.
Why does the OpenWrt Unbound documentation not talk about this?
Is there any opkg package providing this root.hints file?
Or must I download it manually?

THX

I would use parallel to reduce the number of “hops” for a DNS lookup from the LAN. If you’re going to do ad-blocking, do it in Unbound.

Pi-Hole only works with their version of dnsmasq, and you still need an upstream resolver, so there isn’t much choice besides serial in that scenario.

Unbound has built-in root.hints if no other file is passed in the configuration.

1 Like

I found statements on the internet that say the root.hint file should be updated every quarter or half year.
Assuming this is true, how does the update work with OpenWrt's unbound package?
Will the package be upgraded once a new root.hint file is released?

After setting up parallel dnsmasq, I verified the available services:

root@rb760igs:~# netstat -tulpn | grep unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      18837/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      18837/unbound
tcp        0      0 ::1:8953                :::*                    LISTEN      18837/unbound
tcp        0      0 :::53                   :::*                    LISTEN      18837/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           18837/unbound
udp        0      0 :::53                   :::*                                18837/unbound

Why is unbound running as local service 127.0.0.1:8953?

For unbound-control usage.

1 Like

The last change was 8 months ago to the B server. Before that, the previous change was 8 years ago.

You can always set up a cron job to download https://www.internic.net/domain/named.cache to the root hint path every month or so.

I scheduled a cron job that executes 3 steps:

  1. Download root.hint file
  2. Change ownership to unbound
  3. service unbound restart

I have verified that unbound configuration is pointing to this root.hint file.

My favorite setup is parallel dnsmasq; in the relevant documentation there's this statement:
"In this case, Unbound serves your local network directly for all purposes. It will look over to dnsmasq for DHCP-DNS resolution. Unbound is generally accessible on port 53, and dnsmasq is only accessed at 127.0.0.1#1053 by Unbound."

Here's my question:
How does Unbound know to communicate with 127.0.0.1#1053?

I cannot find any relevant configuration in /etc/config/unbound pointing to this port.
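As an added example (my own script, not something from the thread or the OpenWrt unbound package), here is how the three-step cron job described above (download, chown, restart) can be written so that a failed or garbage download never replaces a working hints file. It assumes the hints file lives at /etc/unbound/root.hints, that Unbound runs as user unbound, and that wget on the router can fetch HTTPS (uclient-fetch with an SSL backend on OpenWrt); the sample hints file at the end is constructed for offline testing and is not the real named.cache.

```shell
#!/bin/sh
# Added example, not the thread's or the OpenWrt package's own code.
# Refresh Unbound's root hints from InterNIC, but install the new file only
# after sanity checks, so an empty file or an HTML error page served with
# HTTP 200 never replaces a good hints file and breaks root priming.
# Assumptions: hints at /etc/unbound/root.hints, Unbound runs as unbound:unbound,
# and wget can fetch HTTPS (uclient-fetch with an SSL backend on OpenWrt).

HINTS_URL="https://www.internic.net/domain/named.cache"
HINTS="${HINTS:-/etc/unbound/root.hints}"

# hints_ok FILE: succeed only if FILE looks like a real root hints file:
# non-empty, no HTML, 13 NS records for the root ("."), and at least one
# A and one AAAA glue record. Record layout is: name TTL type value.
hints_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then return 1; fi
    ns=$(awk '$1 == "." && $3 == "NS" { n++ } END { print n + 0 }' "$f")
    a=$(awk '$1 !~ /^;/ && $3 == "A" { n++ } END { print n + 0 }' "$f")
    aaaa=$(awk '$1 !~ /^;/ && $3 == "AAAA" { n++ } END { print n + 0 }' "$f")
    [ "$ns" -ge 13 ] && [ "$a" -ge 1 ] && [ "$aaaa" -ge 1 ]
}

# refresh_hints: download to a temp file next to the target, validate, and
# only then chown and rename it into place. Restart Unbound only when the
# content actually changed.
refresh_hints() {
    tmp=$(mktemp "${HINTS}.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$HINTS_URL" || ! hints_ok "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$HINTS" ] && cmp -s "$tmp" "$HINTS"; then
        rm -f "$tmp"            # unchanged, nothing to do
        return 0
    fi
    chown unbound:unbound "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$HINTS" \
        || { rm -f "$tmp"; return 1; }
    /etc/init.d/unbound restart
}

# write_sample_hints FILE: constructed minimal hints file in named.cache
# layout (13 root NS records, one A and one AAAA glue record) for offline tests.
write_sample_hints() {
    {
        printf ';   constructed sample in named.cache layout, not the real file\n'
        for l in A B C D E F G H I J K L M; do
            printf '.\t3600000\tNS\t%s.ROOT-SERVERS.NET.\n' "$l"
        done
        printf 'A.ROOT-SERVERS.NET.\t3600000\tA\t198.41.0.4\n'
        printf 'A.ROOT-SERVERS.NET.\t3600000\tAAAA\t2001:503:ba3e::2:30\n'
    } > "$1"
}

# Assumed cron entry (as root), once a month at 04:17:
#   17 4 1 * * /usr/local/bin/refresh-root-hints.sh run
if [ "${1:-}" = "run" ]; then
    refresh_hints
fi
```

The download goes to a temporary file in the same directory so the final mv is a rename, and the restart is skipped when cmp shows the file is unchanged, which is the common case given how rarely the root server list changes.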

The dhcp_link option in unbound runs an extra script to read the dnsmasq config and find the required port.

1 Like

OK.
Does this work if I use any other port for dnsmasq, e.g. 127.0.0.1#5335?
Or is the port hardcoded?

You can set your preferred port. The Unbound package dnsmasq.sh script will read the port number from the dhcp config file.

1 Like
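To make the dhcp_link mechanism concrete, here is an added example (my own code, not the package's dnsmasq.sh, which obtains the port through UCI rather than by parsing the file) that reads the dnsmasq port from /etc/config/dhcp and emits the Unbound stanza that points the local forward and reverse zones at 127.0.0.1@PORT. The assumed domain is lan and the assumed LAN subnet 192.168.1.0/24; the dhcp config at the end is a constructed sample. Two settings in the generated fragment are easy to miss when doing this by hand: Unbound refuses to query 127.0.0.1 unless do-not-query-localhost is set to no, and with DNSSEC validation on, the unsigned local zones need domain-insecure so their answers are not marked bogus.

```shell
#!/bin/sh
# Added example, not the OpenWrt unbound package's dnsmasq.sh (which reads the
# port through UCI); it shows what the generated forward zones look like.
# Assumptions: domain "lan", LAN subnet 192.168.1.0/24, dnsmasq on 127.0.0.1.

# dnsmasq_port FILE: print the port from the "config dnsmasq" section of a
# UCI dhcp config, or 53 when none is set.
dnsmasq_port() {
    p=$(awk '
        /^config[[:space:]]+dnsmasq/ { in_sec = 1; next }
        /^config/                    { in_sec = 0 }
        in_sec && $1 == "option" && $2 == "port" { print $3; exit }
    ' "$1" | tr -d "'\"")
    echo "${p:-53}"
}

# rev_zone CIDR: in-addr.arpa zone for a /8, /16 or /24 IPv4 subnet.
rev_zone() {
    ip="${1%/*}"; plen="${1#*/}"
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    case "$plen" in
        8)  echo "$1.in-addr.arpa." ;;
        16) echo "$2.$1.in-addr.arpa." ;;
        24) echo "$3.$2.$1.in-addr.arpa." ;;
        *)  return 1 ;;
    esac
}

# unbound_forward_zones PORT DOMAIN CIDR: print the unbound.conf fragment that
# hands the local domain and its reverse zone to dnsmasq on 127.0.0.1@PORT.
unbound_forward_zones() {
    port="$1"; dom="$2"
    rev=$(rev_zone "$3") || return 1
    cat <<EOF
server:
  # Unbound refuses to send queries to 127.0.0.1 unless this is turned off.
  do-not-query-localhost: no
  # The dnsmasq zones are unsigned: keep DNSSEC validation from marking them bogus.
  domain-insecure: "${dom}."
  domain-insecure: "${rev}"
  # Allow RFC 1918 addresses in answers for the local domain.
  private-domain: "${dom}."
forward-zone:
  name: "${dom}."
  forward-addr: 127.0.0.1@${port}
forward-zone:
  name: "${rev}"
  forward-addr: 127.0.0.1@${port}
EOF
}

# write_sample_dhcp FILE: constructed /etc/config/dhcp excerpt with dnsmasq
# moved to port 1053 (the parallel setup); not copied from a real router.
write_sample_dhcp() {
    cat > "$1" <<'EOF'
config dnsmasq
	option domainneeded '1'
	option local '/lan/'
	option domain 'lan'
	option port '1053'
	option noresolv '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
EOF
}

# Stand-alone run: generate the fragment from the sample config.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_dhcp "$tmp"
    unbound_forward_zones "$(dnsmasq_port "$tmp")" lan 192.168.1.0/24
    rm -f "$tmp"
fi
```

Run it with `sh forward-zones.sh demo` to see the fragment; changing `option port` in the dhcp config is all that is needed for the forward-addr lines to follow, which is the behaviour the reply above describes for the package script.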

Next I want to add some Unbound options that are not available in UCI, e.g.

# Increase incoming and outgoing query buffer size to cover traffic peaks.
so-rcvbuf: 4m
so-sndbuf: 4m

Is it correct to write other options in file /var/lib/unbound/unbound_srv.conf?
If yes, what syntax must be used?

You would modify /etc/unbound/unbound_srv.conf. The init script will copy it to the /var directory during startup.

Or replace dnsmasq completely with odhcpd + Unbound, or continue with dnsmasq and all its problems, but NEVER try to use both, because that's WRONG.

Unbound parallel dnsmasq :nauseated_face::face_vomiting:

Isn’t unbound set up by default with a fallback in case the root.hint entry fails?

Actually, this is the first time I have read a negative statement about unbound parallel dnsmasq.
Could you please share some technical details?

Been using unbound / dnsmasq parallel configuration for years now, have seen zero issues.

1 Like

One can configure a mostly untouched Unbound to connect to dnsmasq on an alternative port as a forwarder for the local and reverse local zones.