Unbound as a secondary DNS resolver

Updated: 2015-11-13

If you're looking on how to implement Unbound as your primary DNS resolver, read on here.

Dnsmasq configuration

Dnsmasq requires a bit more work in this scenario.

  • First, we comment the resolvfile line, since that file will contain your ISP's DNS servers.
  • The noresolv option needs to be set to 1, so queries outside the LAN get passed on.
  • The final line defines the DNS server you pass it on to, in this case Unbound, and which will be listening on localhost and port 54.

Your configuration should look like this:

# option resolvfile     '/tmp/resolv.conf.auto'
option noresolv '1'
list server ''

Now, DNSSEC validation requires an accurate time to be set - the validation needs to occur within a certain timeframe and if your clock is off upon boot, that means DNS just won't work. The cleanest way to fix this is to have dnsmasq handle the DNS query for the NTP pool. You could add an NTP query with a server IP in /etc/rc.local, but that's yet another file to keep track of, and you're bound to forget. So we add an extra line:

list server '/pool.ntp.org/'

This line will have dnsmasq use the IP listed as the DNS server for that URL. In this case, it is an OpenDNS server; if you'd rather use something else, you can use Google's or, or have a look at the list of the OpenNIC project for a DNS server close to your location (speed is everything on the web).

Unbound configuration

Install unbound and unbound-anchor packages through opkg After that, fetch the root anchor manually:

# unbound-anchor -a "/etc/unbound/root.key"

The default configuration should be pretty much OK. All you need to change is the port Unbound listens on, so it doesn't conflict with dnsmasq's:

# vim /etc/unbound/unbound.conf
port: 54

You also might want to add prefetch: yes to get Unbound to refresh popular records before they expire.

Insecure domains

Some domains (in my case: my own dynamic DNS domain) might not resolve with Unbound as a secondary server; you then need to provide an exception in /etc/config/dhcp so the DNS query doesn't get passed to Unbound but gets handled by dnsmasq. For this blog, e.g., I added an OpenDNS server:

list server '/volatilesystems.org/'

Alternatively, you can list it as domain-insecure: volatilesystems.org in unbound.conf, so Unbound knows it does not support DNSSEC.