From the Reddit discussion


  • Unbound does DNSSEC authentication.

  • Between the two, Pi-hole and unbound, is it better to leave DNSSEC enabled in unbound and leave Pi-hole's disabled?

  • Unbound is doing the DNSSEC function, so you don't need to enable this in Pi-hole unless you want to see the DNSSEC status in the query log. That's all the Pi-hole setting toggles in this case.

Is this correct? I assumed both unbound and dnsmasq would perform DNSSEC checks, if both are enabled.

Yes. The argument is likely that it doesn't matter if Pi-hole does the verification a second time because if unbound found it SECURE, Pi-hole would only come to the same conclusion. Same if the status is BOGUS because unbound (in its default configuration) will not even reply with a resource record, effectively preventing anyone down the line from being able to access this domain.

If DNSSEC is disabled, we don't know why unbound responded with SERVFAIL as it doesn't send anything we could use to determine that it rejected the query because of its DNSSEC status. That's why you get the status only when you have enabled DNSSEC in Pi-hole as well, so it does its own checking.

Do you mind if we convert this to a public topic so others can read this as well?

Feel free...

I don't know the current reliability of the DNSSEC evaluation by dnsmasq; I have been using the unbound solution for a long time. However, I seem to remember reading here that it isn't supporting all algorithms and wasn't very reliable in the past.

I'm using it all the time and it seems very reliable to me. The last fixes were added to dnsmasq quite some time ago. The current test result for Pi-hole only (no validation in unbound):

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.
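
An added illustration of the SERVFAIL point discussed in this thread (not code from the thread, Pi-hole or unbound): what a non-validating client can read from the header of a reply sent by a validating resolver. The sample headers are constructed, and the sketch assumes the query carried the DO or AD bit so the resolver is allowed to set AD.

```python
import struct

# DNS header flag masks (RFC 1035 section 4.1.1; AD bit from RFC 4035).
AD = 0x0020
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"rcode": flags & RCODE_MASK, "ad": bool(flags & AD), "answers": an}


def downstream_view(msg: bytes) -> str:
    """What a client that does no validation itself can conclude."""
    h = parse_header(msg)
    if h["rcode"] == SERVFAIL:
        # A BOGUS verdict and any other upstream failure look the same here.
        return "SERVFAIL: cause not stated in the header"
    if h["rcode"] == NOERROR and h["ad"]:
        return "NOERROR + AD: upstream validated the answer as SECURE"
    if h["rcode"] == NOERROR:
        return "NOERROR without AD: answered, not validated as SECURE"
    return f"RCODE {h['rcode']}: other error"


def make_header(msg_id: int, flags: int, answers: int) -> bytes:
    """Build a constructed response header (one question, no other records)."""
    return struct.pack("!6H", msg_id, flags, 1, answers, 0, 0)


# Constructed samples: QR|RD|RA = 0x8180, plus AD or RCODE as noted.
SECURE = make_header(0x1001, 0x81A0, 1)       # AD set, one answer
INSECURE = make_header(0x1002, 0x8180, 1)     # unsigned zone, no AD
BOGUS = make_header(0x1003, 0x8182, 0)        # validation failed -> SERVFAIL
UNREACHABLE = make_header(0x1004, 0x8182, 0)  # upstream timeout -> SERVFAIL

if __name__ == "__main__":
    for name in ("SECURE", "INSECURE", "BOGUS", "UNREACHABLE"):
        print(f"{name:12} {downstream_view(globals()[name])}")
```

The BOGUS and UNREACHABLE samples differ only in their message ID, which is why the downstream status can only be shown when the downstream resolver validates for itself.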