
I use dnsmasq mostly for its fantastic integration with DNS.

DHCP and DNS go hand in hand in a network; I really struggle to understand why they are not more integrated in otherwise great solutions (such as kea).

Yeah. Nowadays I use pi-hole which is dnsmasq underneath and use it with unbound.

Works great. Minimal fuss, efficient setup, little maintenance, I don't have to understand the guts. Everything on my local network is addressable.

Ad blocking at the router is also something you don't want to live without once you've gone there, but pi-hole is a great solution even if you don't want that.


I use Pihole as well (even tried to synchronize two for HA but I gave up). It is fantastic.

What worries me with dnsmasq is that it is a personal project maintained on a personal git (by a great person!). Sure, one can fork and whatnot but without several people participating it can fade out pretty quickly.


Yeah, fair point. And I don't think I've seen a router for sale that wasn't using dnsmasq as a DHCP server for 20-odd years. Must be some, I guess, but I haven't encountered them.

Keep in mind dnsmasq has been around for over two decades by that great person, but... all good things come to an end?

I'm curious why you'd use pi-hole in combination with Unbound instead of using blocklists and stats that Unbound has built in?

I don't know about unbound's blocklists and stats or indeed much about unbound at all.

This: https://docs.pi-hole.net/guides/dns/unbound/ was stupidly simple, pi-hole has a gui that I was already used to and it all works great. So I think about and study other things that need fixing/improving in my life instead.

To flip it, why would I use unbound without pi-hole? What's the win I haven't seen (or even looked at or considered?)


> To flip it, why would I use unbound without pi-hole? What's the win I haven't seen (or even looked at or considered?)

In my experience, the fewer moving parts the better.

I run Unbound on my OPNsense router, and it uses the same blocklists as Pi-hole and the stats page (blocked domains, DNS requests, etc) are the same afaict.


But you still need something to do your dhcp, so maybe not fewer moving parts? Dunno.

I did pi-hole first, then much later decided to use unbound for dns because it looked super easy to add it. It was. Haven't thought about it much since. I hope your experience was as good or better.


dnsmasq is great. The best part is that you can assign the same IP to multiple interfaces on the same device (to multiple MAC addresses), which drives network purists crazy and is no longer supported by systemd-networkd (because they are puritans). Separated DHCP/DNS cannot do this. I will look into kea and whether it can do this.

What's the use case for this?

The use case is `ssh shortname` or `ssh shortname.lan` to a laptop on the same local network regardless whether the wired or wireless interface of the laptop is active.

An overlay like Tailscale MagicDNS might solve this but is complex.

Assigning the same name to 2 IPs (round-robin DNS) will mean having to retry the ssh connection if the IP of the inactive interface is returned.

Failover bonding (mode 1) of the wireless and wired interfaces with MAC address spoofing so that the bonded interface maintains a consistent MAC address is reportedly not always supported by WiFi hardware and standards. Bonding may require manual reconfiguration when the laptop moves from the local network where "shortname" is used to an arbitrary WiFi network like airport or coffee shop.

Are there any solutions that satisfy single IP and reliable WiFi at the same time?

Linux used to be able to move the same IP between 2 interfaces depending on which was active. But it looks like advancements in Linux networking have killed this simple solution.
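As an added example (not configuration from this thread or from the dnsmasq project), here is a dnsmasq configuration that does what the comments above describe: DHCP and DNS served by one daemon, a `.lan` suffix for DHCP-learned names, and a single reservation listing both the wired and wireless MAC addresses of one laptop so that `ssh laptop` resolves to one IP whichever interface is active. The interface name, domain, address range, MAC addresses and the upstream resolver port are assumptions; dnsmasq documents the multi-MAC `dhcp-host` form as permission to hand the lease from one hardware address to the other when it asks.

```conf
# Added example, not from the thread. Interface, domain, range, MACs and
# upstream port are assumed values for illustration.

# Serve DHCP and DNS on the LAN interface only, never on the upstream side.
interface=br0
bind-interfaces

# Local zone: DHCP-derived names get this suffix, and queries for it are
# answered from the lease table instead of being forwarded upstream.
domain=lan
local=/lan/
expand-hosts

# Dynamic pool for everything that has no reservation.
dhcp-range=192.168.1.100,192.168.1.199,12h

# One reservation, two hardware addresses: the wired and wireless NICs of the
# same laptop. Whichever interface requests a lease receives 192.168.1.50, and
# dnsmasq may abandon the lease held by the other MAC, so "laptop.lan" always
# points at the interface that is currently up.
dhcp-host=aa:bb:cc:00:00:01,aa:bb:cc:00:00:02,laptop,192.168.1.50

# Forward all other queries to a local validating resolver (for example
# unbound listening on 127.0.0.1:5335) rather than /etc/resolv.conf.
server=127.0.0.1#5335
no-resolv
```

Binding only to the LAN interface keeps the resolver and DHCP server from answering on the untrusted side, and a reservation with a fixed name and address avoids the round-robin retry problem mentioned above because only one lease for 192.168.1.50 exists at a time.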


Going between wired and wireless is one example.

I used to (when I did that more) set up a bond of my wireless and ethernet devices, so when ethernet was plugged in it was preferred, otherwise it would use wireless. It was pretty seamless, and provided the same MAC on both networks.

I used to do that too. Nowadays I just run a WireGuard VPN and treat my WiFi network as "untrusted" (which is a good idea anyway) and it's more seamless if IP addresses change, or even if I leave the house and go somewhere else - I can expect most connections to stay up.

Whatever you're doing can probably be done faster and simpler with bridge interfaces.

There's places where integration makes sense (home network/small business with tens of clients/devices) and places where dedicated engines make sense (ISPs, large enterprise VPNs, the Internet).

dnsmasq is awesome if you want a one-stop shop for DHCP and DNS for sure.


Does the dns auto registration from dhcp work well with v6 as well in dnsmasq?

No, the local name → IP resolution will work for IPv4 only
