Pi-Hole + Unbound --> DNSMASQ & cache enabled or disabled?


I’m using Pi-hole with unbound as recursive resolver, all working fine.
However I would like to have advice concerning disabling DNSMASQ & cache in Pi-hole.
Some guides say so, others don’t…

Can we plz have a statement from the developers?


NOT a developer…
I’m running pihole-FTL + unbound (compiled) + redis with dnsmasq cache-size=0 for almost a month, NO performance degradation.
The dnsmasq cache is still used (even with size 0) for all reverse lookup queries.

The recommendation is to leave the cache alone in Pi-Hole (do not disable it), but disable DNSSEC in Pi-Hole.

Unbound is performing the DNSSEC function and there are some dnsmasq bugs regarding DNSSEC.

Pi-Hole cache enable
Pihole DNSSEC disable

The discussion to modify pihole’s dnsmasq cache-size began when somebody was investigating the setting proxy-dnssec. Setting the cache-size to 0 solved some, but not all problems with dnssec being handled by unbound.

The request was for the developers’ recommendation. That is cache ON, DNSSEC OFF in Pi-Hole.

Yes. It turned out that the proxy-dnssec never worked in dnsmasq and probably never will. So the ad flag is not cacheable.
This means:

  • If one wants to use proxy-dnssec, that is passing an ad flag from upstream server to the clients, he needs to disable the cache.
  • If one wants pi-hole to cache, the proxy-dnssec is not working, thus he should use the dnssec validation in pi-hole/dnsmasq.
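
Added example, not part of the thread or of Pi-hole's code: a small check over dnsmasq-style config text that tells apart the two cases in the last post and the cache-on/DNSSEC-off setup recommended earlier. The function names, return labels and sample configs are constructed for illustration; `cache-size`, `proxy-dnssec` and `dnssec` are real dnsmasq options, and a cache size of 150 is assumed when none is set.

```python
# Added illustration: classify a dnsmasq-style config by how it combines
# cache-size with proxy-dnssec / dnssec, following the cases in the thread.
ASSUMED_DEFAULT_CACHE = 150  # assumption: dnsmasq's default when cache-size is unset


def parse_dnsmasq(text):
    """Extract the three options of interest from config text.

    This sketch keeps the last cache-size it sees; how dnsmasq itself
    treats a repeated option is not modelled here.
    """
    opts = {"cache_size": ASSUMED_DEFAULT_CACHE, "proxy_dnssec": False, "dnssec": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "cache-size":
            if not value.isdigit():
                raise ValueError(f"bad cache-size value: {value!r}")
            opts["cache_size"] = int(value)
        elif key == "proxy-dnssec":
            opts["proxy_dnssec"] = True
        elif key == "dnssec":
            opts["dnssec"] = True
    return opts


def classify(text):
    """Return one of four constructed labels for the config."""
    o = parse_dnsmasq(text)
    if o["proxy_dnssec"] and o["cache_size"] > 0:
        return "proxy-conflict"    # AD flag is passed through but answers are cached
    if o["proxy_dnssec"]:
        return "proxy-nocache"     # first bullet: proxy-dnssec with the cache disabled
    if o["dnssec"]:
        return "local-validation"  # second bullet: dnsmasq validates DNSSEC itself
    return "plain"                 # cache on, DNSSEC off here; upstream (unbound) validates


# Constructed sample configs, one per case.
SAMPLES = {
    "proxy-nocache": "cache-size=0\nproxy-dnssec\n",
    "proxy-conflict": "cache-size=10000  # large cache\nproxy-dnssec\n",
    "local-validation": "cache-size=10000\ndnssec\n",
    "plain": "# DNSSEC left to unbound\ncache-size=10000\n",
}

if __name__ == "__main__":
    for expected, cfg in SAMPLES.items():
        print(f"{expected:17} -> {classify(cfg)}")
```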