Unbound and Microsoft DNS

  • Hi all,

    Some info first:

    Its DNS Server: (this is important for later)
    Unbound enabled, Forwarding mode is off.

    I've got a domain that I own:


    And on the inside of my network I have an Active Directory set on home.foobar.com

    That server is hosted on, and ALSO includes the DNS server (from Microsoft) for the Active Directory.

    I would like to use this DNS server for my whole network.

    So steps I've taken:

    1. The DHCP on the LAN to serve as the DNS server (which should then ask for addresses).
    2. I've tested on pfSense the following:
      home.foobar.com points correctly to
      However, on any client that receives DHCP responses from pfSense, home.foobar.com resolves to the catch-all on *.foobar.com.

    I know I can fix this by adding a Domain Override in Unbound, 'home.foobar.com' ->, but it doesn't feel like the correct solution here, since Unbound is supposed to query my own DNS server. It seems that there's a conflict between how Unbound asks 'who is home.foobar.com' and pfSense itself using the DNS.

    The Microsoft DNS server is configured to forward requests that it doesn't know to the Google DNS servers.
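
    An added example, not part of the original post: this is the hand-written equivalent of what a pfSense Domain Override puts into Unbound's configuration, plus the two settings that commonly trip people up on pfSense. Without an override, Unbound walks from the root to the public foobar.com name servers, which know nothing about home and answer from the *.foobar.com wildcard; the forward-zone below sends everything at or under home.foobar.com to the AD DNS server instead. The address 10.0.0.10 for the AD/MS DNS host and the 10.0.0.0/24 LAN (for the reverse zone) are assumptions.

```conf
# Added example, not from the thread. Hand-written equivalent of a pfSense
# "Domain Override" for the AD zone, as it would appear in unbound.conf.
# 10.0.0.10 is an ASSUMED address for the AD / Microsoft DNS server.
server:
    # pfSense enables DNS rebinding protection (private-address) by default;
    # without this line Unbound drops RFC 1918 answers returned for the
    # override zone, so AD hosts would appear not to resolve.
    private-domain: "home.foobar.com"
    # If DNSSEC validation is enabled and the AD zone is not signed, mark it
    # insecure so Unbound returns the unsigned answers instead of SERVFAIL.
    domain-insecure: "home.foobar.com"

# Everything at or below home.foobar.com goes to the AD DNS server instead
# of being resolved from the public foobar.com servers (which would answer
# with the *.foobar.com wildcard).
forward-zone:
    name: "home.foobar.com"
    forward-addr: 10.0.0.10

# Optional: send reverse lookups for the LAN (ASSUMED 10.0.0.0/24) to AD as
# well, so PTR records registered by domain members resolve too.
forward-zone:
    name: "0.0.10.in-addr.arpa"
    forward-addr: 10.0.0.10
```

    On pfSense the forward-zone part is what the Domain Override GUI entry generates; the private-domain and domain-insecure lines go in the Custom Options box of the DNS Resolver settings. After editing, `unbound-checkconf` on the generated file reports any syntax problem before the service is restarted.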

  • LAYER 8 Global Moderator

    Unbound is a resolver, not a forwarder. It does not forward anything; it walks down from the roots until it talks to the authoritative server for the record you're trying to query.

    Normally when running AD, all your boxes should use your AD for DHCP and DNS. So why do you not just do that?  Then you can either have your MS DNS forward to whatever you want, or just have it forward to pfSense to have it resolve what you're looking for and get DNSSEC support, etc.  And you could even use the pfBlocker feature of blocking ads, etc.

    This is the simple solution if you ask me.

  • johnpoz, thanks for the swift reply,

    The thing is, I have the checkbox 'Enable Forwarding Mode' disabled.

    Can I achieve what I want with Unbound WITHOUT adding a domain override?

  • LAYER 8 Global Moderator

    Again, what I would suggest you do is not point your clients to pfSense; use your AD for DNS, and even use it for DHCP.  I don't see any reason to run DHCP and DNS services off your pfSense box when you have AD set up.
