Using dnsmasq and unbound at the same time

This isn't a new topic; a lot of people do it already. You can Google it and see for yourself, but I'm doing something a bit different.

I run a local domain at home ( ), and I also run a local domain on my laptop (example.lap) for VMs, containers and LXC.

The problem with unbound is that it will fail to validate example.lap and  (DNSSEC validation fails for a zone that only exists on the LAN and is not signed under the public root), and when I use my laptop at someone else's home it will fail for that network's local domain too.

The solution is to whitelist the domain example.lap permanently, and to parse the local domain of whatever network I am on and whitelist that one too (this domain changes with every network).

I configure dnsmasq to serve DNS on port 5353 and to answer DHCP requests on br0.

Then I configure unbound to listen on localhost and on my br0 interface:

    server:
        interface: ::1
        access-control: allow
        access-control: ::1 allow
        access-control: allow

I configure unbound to trust example.lap (and my home domain) and forward their queries to dnsmasq. `domain-insecure` turns DNSSEC validation off for those zones, `private-domain` lets them return private (RFC 1918) addresses, and `do-not-query-localhost: no` is needed because dnsmasq lives on 127.0.0.1:

    server:
        do-not-query-localhost: no
        private-domain: "example.lap."
        domain-insecure: "example.lap."
        private-domain: ""
        domain-insecure: ""
        local-zone: "" transparent

    forward-zone:
        name: "example.lap."
        forward-addr: 127.0.0.1@5353   # dnsmasq, as configured above

    forward-zone:
        name: ""
        forward-addr: 127.0.0.1@5353   # dnsmasq, as configured above

Here I configure isc-dhcp-client (a dhclient exit hook) to set up forwarding for the network's local domain in unbound and to disable DNSSEC for it; the `+i` flag of `forward_add` marks the zone insecure, exactly like `domain-insecure` in the config above:

    # dhclient exit hook: $reason, $new_domain_name, $new_domain_name_servers
    # and $old_domain_name are set by dhclient for each lease event
    case $reason in
        BOUND)
            # new lease: forward the advertised domain to the advertised servers, DNSSEC off
            unbound-control forward_add +i $new_domain_name $new_domain_name_servers
            ;;
        RELEASE)
            # lease released: drop the forward zone again
            unbound-control forward_remove +i $old_domain_name
            ;;
    esac

The last piece is the cherry on the cake and the weakest link in the chain.

I'm parsing untrusted data (whatever the DHCP server on the network hands out) and feeding it to my local resolver.

Someone could hand out .com as the local domain and I'd effectively be disabling DNSSEC for all .com domains :-O

I tried to use psl to find out which domains cannot be registered, so I could allow only those. But any domain I can think of can be registered now:

$ psl .corp
.corp: 1
$ psl .casa
.casa: 1
$ psl .local
.local: 1 **WTF**
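Since psl cannot answer "is this name safe to trust?", the practical check is the opposite one: an allowlist of local domains I decided to trust in advance, plus a syntactic check that rejects one-label values such as `com` or `local`. The hook below is an added example, not the hook from this post; it reworks the dhclient exit hook above with those checks. The allowlist path `/etc/unbound/trusted-local-domains` and the `ALLOWED_DOMAINS_FILE` override are invented for the example; `$reason`, `$new_domain_name`, `$new_domain_name_servers` and `$old_domain_name` are the variables dhclient really sets for its hooks, and `/etc/dhcp/dhclient-exit-hooks.d/` is where Debian-style isc-dhcp-client looks for exit hooks.

```shell
#!/bin/sh
# Added example (not the original post's hook): a dhclient exit hook for
# /etc/dhcp/dhclient-exit-hooks.d/ that validates the DHCP-supplied domain
# before handing it to unbound with forward_add +i (+i = domain-insecure,
# i.e. no DNSSEC validation for that zone).
# Assumption: the allowlist file path and the ALLOWED_DOMAINS_FILE override
# are made up for this example.

ALLOWED_DOMAINS_FILE="${ALLOWED_DOMAINS_FILE:-/etc/unbound/trusted-local-domains}"

# Lower-case the name and drop one trailing dot so "Example.LAP." == "example.lap".
normalize_domain() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# Syntactic check: at least two labels, each [a-z0-9-], no leading or trailing
# hyphen, at most 63 characters. A one-label value such as "com" or "local" is
# exactly what would turn forward_add +i into "trust an entire TLD".
domain_is_sane() {
    d=$(normalize_domain "$1")
    [ -n "$d" ] || return 1
    printf '%s' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Policy check: the domain must be listed, one per line, in the allowlist.
# Instead of asking psl "can this be registered?", ask "did I decide in
# advance to trust this name?".
domain_is_allowed() {
    d=$(normalize_domain "$1")
    [ -r "$ALLOWED_DOMAINS_FILE" ] || return 1
    grep -Fxq -e "$d" "$ALLOWED_DOMAINS_FILE"
}

# Every DHCP-supplied name server must be a dotted-quad IPv4 address
# (the hook only handles IPv4 leases, like the original).
servers_are_sane() {
    [ -n "$1" ] || return 1
    for s in $1; do
        printf '%s' "$s" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    done
    return 0
}

# Combined decision: returns 0 when it is safe to forward, 1 to reject
# (the reason goes to stderr, which dhclient logs).
decide_forward() {
    domain=$1
    servers=$2
    domain_is_sane "$domain"    || { echo "dhcp hook: malformed domain '$domain'" >&2; return 1; }
    domain_is_allowed "$domain" || { echo "dhcp hook: '$domain' not in $ALLOWED_DOMAINS_FILE" >&2; return 1; }
    servers_are_sane "$servers" || { echo "dhcp hook: bad name servers '$servers'" >&2; return 1; }
    return 0
}

# Hook body: only acts when dhclient sets $reason; does nothing when sourced elsewhere.
case "${reason:-}" in
    BOUND)
        if decide_forward "${new_domain_name:-}" "${new_domain_name_servers:-}"; then
            unbound-control forward_add +i "$(normalize_domain "$new_domain_name")" $new_domain_name_servers
        fi
        ;;
    RELEASE)
        if [ -n "${old_domain_name:-}" ]; then
            unbound-control forward_remove +i "$(normalize_domain "$old_domain_name")"
        fi
        ;;
esac
```

With this in place, a BOUND event on a network whose domain is not in the allowlist is logged and ignored, so the laptop keeps validating DNSSEC there; the trade-off is that that network's local names won't resolve until you add its domain to the list. The RELEASE branch still removes the forward zone, so the `service unbound restart` cleanup below is only needed if a lease never gets released.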

I need to be careful after connecting to untrusted networks :(

A simple

# service unbound restart

will clean the forward zones.

There is a command for it, unbound-control forward_remove... but I already forgot it.

This won't work on IPv6-only networks.

I'm using DHCP IPv4 events (BOUND, RELEASE), so DNS servers and domain names that are only advertised over IPv6 won't get configured.

I think I can live with that :). I don't think I'll live long enough to see local IPv6-only networks; I'm not even sure they make sense (I may be wrong on that point, but I think I'm right).

This is a start; I can ditch systemd-networkd/systemd-resolved :)