Deleted member 62525
Background:
I have my local LAN set up with 2 isolated segments. Main LAN is on br0 and secure LAN on br100. I wrote a tutorial on how I have accomplished that here. In the secure LAN I have a main computer and a Synology NAS. Devices on the secure LAN cannot communicate with any devices in the main LAN and vice versa, except for certain ports I have allowed between br0 and br100 to access NAS applications.
I have been running Unbound DNS on the router (RT-AC86U) for 2+ years with extensive config for RPZ using it for adblocking and more.
New Architecture Goals.
I have decided that it will be better and more secure to run Unbound DNS in a secure LAN on my NAS in a docker container.
I have already configured Unbound on my NAS in the secure LAN and it is running properly.
The main reasons for this change are that
1. I can build unbound from the source myself
2. My Synology NAS has better processor and more memory for caching
3. Isolating DNS in secure LAN segment, I have better control
I want to configure my router so that all clients on the main LAN (br0) will be forced to use my DNS located in the secure LAN (br100). As for the secure LAN, I will configure DNS manually. With the new architecture I am hoping to also minimize the additional custom code that I had when running Unbound DNS on the router.
Question:
What is the best way to configure the router for this scenario? I don't exactly know what is happening behind the scenes and how dnsmasq is set up when I configure the following:
1. DNS IP under WAN only
2. LAN DNS fields
If I only use the router GUI and set the WAN DNS, would dnsmasq recognize the new DNS and set up appropriate iptables rules, or would I need to manually add additional rules to forward the DNS queries to my Unbound in the secure LAN?
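One way to wire this up, as an added example that is not from the post or the thread: a dry-run script in the style of Asus-Merlin's /jffs/scripts/nat-start and firewall-start hooks that generates the iptables rules forcing br0 clients to the resolver in the secure LAN. The resolver address 192.168.100.10 and the APPLY switch are assumptions; the rules are only printed unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original post). Forces every DNS query leaving
# br0 to the Unbound resolver on br100 and opens only port 53 across the
# bridge boundary, so the rest of the LAN isolation stays as it is.
# Assumed value: the resolver lives at 192.168.100.10 (constructed address).

DNS_IP="${DNS_IP:-192.168.100.10}"   # assumed: Unbound container IP in secure LAN
MAIN_IF="${MAIN_IF:-br0}"
SECURE_IF="${SECURE_IF:-br100}"

# nat table (nat-start): rewrite any port-53 query from br0 that is not already
# addressed to the resolver, for both UDP and TCP (DNS falls back to TCP for
# large answers). Queries aimed at the router's own dnsmasq are caught too.
nat_rules() {
  for proto in udp tcp; do
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s\n' \
      "$MAIN_IF" "$proto" "$DNS_IP" "$DNS_IP"
  done
}

# filter table (firewall-start): allow exactly port 53 towards the resolver
# from br0 to br100, and let the tracked replies back the other way.
filter_rules() {
  for proto in udp tcp; do
    printf 'iptables -I FORWARD -i %s -o %s -p %s -d %s --dport 53 -j ACCEPT\n' \
      "$MAIN_IF" "$SECURE_IF" "$proto" "$DNS_IP"
  done
  printf 'iptables -I FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
    "$SECURE_IF" "$MAIN_IF"
}

# Number of rules a generator emits; used as a quick self-check.
rule_count() { "$1" | wc -l | tr -d ' '; }

# Dry run by default; APPLY=1 executes the rules (run as root on the router).
if [ "${APPLY:-0}" = "1" ]; then
  nat_rules | sh
  filter_rules | sh
else
  nat_rules
  filter_rules
fi
```

Setting the LAN DNS field to the resolver address as well means DHCP clients go there directly, and the DNAT only has to catch clients with a hardcoded resolver.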