Pi-Hole + Unbound --> DNSMASQ & cache enabled or disabled?


I'm using Pi-hole with unbouwd as recursive resolver, all working fine.
However I would like to have advice concerning disabling DNSMASQ & cache in Pihole.
Some guides say it so others don't...

Can we plz have a statement from the developers?


NOT a developer...
I'm running pihole-FTL + unbound (compiled) + redis with dnsmasq cache-size=0 for almost a month, NO performance degradation.
The dsnmasq cache is still used (even with size 0) for all reverse lookup queries.

The recommendation is to leave the cache alone in Pi-Hole (do not disable it), but disable DNSSEC in Pi -Hole.

Unbound is performing the DNSSEC function and there are some dnsmasq bugs regarding DNSSEC.

Pi-Hole cache enable
Pihole DNSSEC disable

The discussion, to modify pihole's dnsmasq cache-size began when somebody was investigating the setting proxy-dnssec. Setting the cache-size to 0 solved some, but not all problems with dnssec being handled by unbound.

The request was for the developers recommendation. That is cache ON, DNSSEC OFF in Pi-Hole.

1 Like

Yes. It turned out that the proxy-dnssec never worked in dnsmasq and probably never will. So ad flag is not cacheable.
This means:

  • If one wants to use proxy-dnssec, that is passing an ad flag from upstream server to the clients, he needs to disable the cache.
  • If one wants pi-hole to cache, the proxy-dnssec is not working thus he should use the dnssec validation in pi-hole/dnsmasq.

If I understood correctly, DNSSEC setting in Pi-Hole only adds the DNSSEC info in the log?
Why is it recommended to disable?
(very willing to disable if there are benefits to it, if not, I'd rather keep the extra info in 1 view within the Pi-Hole interface...)

This was recommended when we were running an older version of dnsmasq that had some DNSSEC bugs. The version currently shipping with Pi-hole is 2.8.2 and does not have this problem. I think the bug was fixed in either 2.8.0 or 2.8.1.

dig chaos txt version.bind +short @


You can safely enable DNSSEC if you want to see your DNSSEC status in the query log.

1 Like