Local unbound with external DNS instead of local recursion
I only recently discovered that Cloudron uses a local unbound installation as DNS recursor and ignores DNS servers that were in /etc/resolv.conf before installing Cloudron. Using unbound to include the local Cloudron network seems a good idea, but I am wondering whether using root DNS servers is necessary. (This is at least what happens on my machine when resolving external hostnames: unbound queries its way down from the root DNS servers.)
As an alternative to the root DNS servers I added a new config /etc/unbound/unbound.conf.d/forward.conf:
forward-zone:
    name: "."
    forward-addr: 18.104.22.168
    forward-addr: 22.214.171.124
(Cloudflare and Google DNS servers just as an illustration, I used the ones from my VPS hoster)
Two questions/points for discussion on this:
1. Do you see any problems how this could interact with the local name resolution in an unintended way?
2. Would it be a good idea to generate such a config file as an optional step during the web-based Cloudron setup?
As for the motivation, we use unbound because the mail server needs to do DNSBL queries. Most of the DNSBL servers like Zen Spamhaus will not respond if the queries originate from Google/Cloudflare DNS. This forces us to run our own DNS server.
The other motivation was also to log DNS lookups by apps to identify any malicious use, but we never got around to this (this was initially designed for a setup where we expected all app packages to be done by 3rd parties).
Finally, the unbound server should not be used much at all because most of the apps should not be querying anything external.
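A small lint for the forward.conf snippet from the first post, checked against the two concerns raised in this thread (a forwarder that is not a valid IP literal, and a public resolver that DNSBLs such as Spamhaus refuse to answer). This is an added example, not Cloudron's code; the public-resolver list and the sample snippets are constructed for illustration.

```python
"""Lint an unbound forward-zone snippet against the concerns raised in this thread."""
import ipaddress

# Well-known public resolvers; DNSBLs such as Spamhaus Zen refuse queries from them
# (constructed list for this example, extend as needed).
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112"}


def parse_unbound(text):
    """Parse unbound's clause/attribute syntax into [(clause, [(key, value), ...])]."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")          # split at the first colon only (IPv6-safe)
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                              # a bare "forward-zone:" opens a new clause
            clauses.append((key, []))
        elif clauses:
            clauses[-1][1].append((key, value))
    return clauses


def lint_forward_config(text):
    """Return a list of findings for every forward-zone; an empty list means nothing to flag."""
    findings = []
    for clause, attrs in parse_unbound(text):
        if clause != "forward-zone":
            continue
        name = next((v for k, v in attrs if k == "name"), "<unnamed>")
        addrs = [v for k, v in attrs if k == "forward-addr"]
        if not addrs:
            findings.append(f'forward-zone "{name}": no forward-addr, lookups in it will fail')
        for addr in addrs:
            host = addr.split("@", 1)[0]             # unbound accepts ip@port
            try:
                ipaddress.ip_address(host)
            except ValueError:
                findings.append(f'forward-zone "{name}": "{addr}" is not an IP literal')
                continue
            if host in PUBLIC_RESOLVERS:
                findings.append(f'forward-zone "{name}": {host} is a public resolver, DNSBL lookups via it are refused')
        if any(k == "forward-first" and v == "yes" for k, v in attrs):
            findings.append(f'forward-zone "{name}": forward-first yes falls back to root recursion')
    return findings


# Constructed samples: the snippet from the post, and one pointing "." at a public resolver.
POST_SNIPPET = 'forward-zone:\n    name: "."\n    forward-addr: 18.104.22.168\n    forward-addr: 22.214.171.124\n'
PUBLIC_SNIPPET = 'forward-zone:\n    name: "."\n    forward-addr: 1.1.1.1\n    forward-first: yes\n'
```

Local-zone and local-data entries in unbound are answered before any forward-zone is consulted, so forwarding "." does not change how names defined locally are resolved.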