This isn't a new topic; many people do it already. You can google and see for yourself, but I'm doing something a bit different

I run a local domain at home ( , and also a local domain on my laptop (example.lap) for VMs/containers/LXC

The problem with unbound is that it will fail to validate example.lap and, and when I use my laptop at someone else's home it will fail on that local domain too

The solution is to whitelist the domain example.lap permanently, and to parse the local domain of whatever network I'm on and whitelist that too (this domain changes on every network)

I configure dnsmasq to serve DNS on port 5353 and to answer DHCP requests on br0



unbound is configured to listen on my br0 iface


        interface: ::1
        access-control: allow
        access-control: ::1 allow
        access-control: allow

I tell unbound to treat example.lap as insecure (no DNSSEC validation) and to forward its queries to dnsmasq


    do-not-query-localhost: no
    private-domain: "example.lap."
    domain-insecure: "example.lap."
    private-domain: ""
    domain-insecure: ""
    local-zone: "" transparent

    forward-zone:
            name: "example.lap."
            forward-addr: [email protected]

    forward-zone:
            name: ""
            forward-addr: [email protected]

Here I tell isc-dhcp-client to set up the forwarding for the local domain in unbound and to disable DNSSEC for it


case $reason in
    # BOUND/RELEASE are the DHCP IPv4 events; the server list stays unquoted on purpose (space-separated)
    BOUND) unbound-control forward_add +i "$new_domain_name" $new_domain_name_servers ;;
    RELEASE) unbound-control forward_remove +i "$old_domain_name" ;;
esac

The last piece is the cherry on the cake and the weakest link in the chain

I'm parsing untrusted data (the DHCP lease) and feeding it to my local resolver

Someone could hand me .com as the local domain and I'd effectively be disabling DNSSEC for every .com domain :o

I tried to use psl to find out which domains cannot be registered, so I could allow only those. But every domain I use or can think of can be registered now

$ psl .corp
.corp: 1
$ psl .casa
.casa: 1
$ psl .local
.local: 1 **WTF**

useless, I won't use it :(
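Added here as an example, not part of the original post: a small gate that the dhclient hook could call before running unbound-control. It assumes the caller has already asked the validating resolver what the public DNS says about the name (the status strings nxdomain/insecure/secure/bogus are my own labels), and it treats a bare TLD as never being a site-local domain.

```python
# Added example (not the original post's code): validate the DHCP-supplied
# domain and name servers before they reach "unbound-control forward_add +i".
import ipaddress
import re

# One RFC 1123 hostname label: 1..63 chars, alnum or hyphen, no edge hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(raw):
    """Return 'a.b.' (lower-case, one trailing dot) or None if not a hostname."""
    name = raw.strip().lower().rstrip(".")
    labels = name.split(".")
    if not name or len(name) > 253 or not all(LABEL_RE.match(l) for l in labels):
        return None
    # Policy assumption: a single label ("com") is a public TLD, never site-local.
    if len(labels) < 2:
        return None
    return name + "."


def parse_servers(raw):
    """dhclient passes $new_domain_name_servers as a space-separated list."""
    servers = []
    for token in raw.split():
        try:
            servers.append(str(ipaddress.IPv4Address(token)))
        except ValueError:
            return []  # one bad token poisons the whole list
    return servers


def decide(raw_domain, raw_servers, public_status):
    """public_status: what a validating lookup of the name in the public DNS
    returned ('nxdomain', 'insecure', 'secure' or 'bogus'). Only a name that is
    absent from, or unsigned in, the public DNS may lose DNSSEC locally."""
    domain = normalize_domain(raw_domain)
    if domain is None:
        return False, "domain is not a well-formed multi-label hostname"
    servers = parse_servers(raw_servers)
    if not servers:
        return False, "no valid IPv4 name server"
    if public_status == "secure":
        return False, f"{domain} is DNSSEC-signed in the public DNS; refusing +i"
    if public_status == "bogus":
        return False, f"{domain} failed validation upstream; refusing"
    if public_status not in ("nxdomain", "insecure"):
        return False, f"unknown status {public_status!r}"
    return True, "unbound-control forward_add +i " + domain + " " + " ".join(servers)
```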

I need to be careful after connecting to untrusted networks; anyway, a simple

# service unbound restart

will clean the forward zones

There is a command, unbound-control forward_remove... but I won't remember that command tomorrow :P

This won't work on IPv6-only networks

I'm using DHCP IPv4 events (BOUND, RELEASE), so DNS servers and domain names advertised only over IPv6 won't get configured.

I think I can live with that :), I don't think I'll live long enough to see local IPv6-only networks, and I'm not even sure they make sense (I may be wrong on that point, but I think I'm right)

Anyway, it is just a start, and I can finally ditch systemd-networkd/systemd-resolved :)