Hello all,
I need some clarity. In reading the notes from 25.1.6 update it seems to give me the impression that DNSmasq is beginning to take over from Unbound. I run Unbound as my DNS server, and use ISC DHCP for DHCP purposes. If the move is to Kea DHCP does that mean I need to move from Unbound to DNSMasq for DNS purposes? Like I said I am trying to gain some clarity here.
Thanks,
Steve
I would rather say that DNSmasq is taking over from ISC DHCP. @Monviech wrote that with ISC DHCP phasing out and with Kea DHCP not being up to par yet, there needed to be an alternative.
While Dnsmasq can do all three of DNS, DHCP and router advertisements in one tool, it cannot do recursive DNS or DoT/DoH - it needs an upstream DNS resolver. So the proposed approach is to have Unbound for that, if you need it. I do not, so I started to use it now for all it supports.
I have even used some scripts to facilitate the migration from local Unbound DNS aliases and ISC DHCP reservations.
The goal for 25.7 default installation we're moving to:
Unbound as DNS (same as before)
Dnsmasq as DHCPv4 (away from ISC and ignoring Kea)
ISC for DHCPv6 (same as before)
Router Advertisements "radvd" as RA (same as before)
As you can see we're changing one variable here for 25.7. DNS isn't a concern either. It's all DHCP/RA that is going to change further as ISC moves to plugins in 26.1.
Cheers,
Franco
Still no support for registering DHCP leases from anything other than ISC DHCP? At least the verbiage in Unbound and dnsmasq settings both suggest that they will only register leases from ISC.
Quote from: milkywaygoodfellas on May 12, 2025, 07:02:19 PM: Still no support for registering DHCP leases from anything other than ISC DHCP?
Dnsmasq can handle hostname registration. Unbound is the primary resolver and forwards internal zone requests to Dnsmasq. This is covered in the documentation (https://docs.opnsense.org/manual/dnsmasq.html#considerations-before-deployment) and walks you through the setup. I recommend someone create a sticky with a link to this doc since there are a lot of questions and discussions right now.
Quote from: allan on May 12, 2025, 08:37:42 PM: Dnsmasq can handle hostname registration. Unbound is the primary resolver and forwards internal zone requests to Dnsmasq. [...]
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
You can lead a horse to water, but you can't make it drink.
Quote from: Monviech (Cedrik) on May 12, 2025, 09:00:11 PM: You can lead a horse to water, but you can't make it drink.
Really? The official response is telling people to just use two DNSs and deal with the bugs and performance issues that people are reporting with the Unbound/dnsmasq setup?
Sheesh, you guys are losing it.
You can simply use whatever works for your personal setup, even Unbound + ISC as long as it works.
Its not my responsibility to tell you what to do, I can only tell you which possibilities exist.
Quote from: Monviech (Cedrik) on May 12, 2025, 09:08:41 PM: You can simply use whatever works for your personal setup, even Unbound + ISC as long as it works.
Its not my responsibility to tell you what to do, I can only tell you which possibilities exist.
Didn't ask and don't care about your responsibility, I only asked about support for registering hostnames from Kea or dnsmasq DHCP in Unbound.
At least the members here try to be helpful, even if the official staff chooses to cop a holier-than-thou attitude.
Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM: I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
The devs are caught in the middle with the ISC deprecation. Running EOL software is not an option in certain environments and Kea does not offer the same options. This gives users two paths with supported options depending on what their priority is. ISC is still there if EOL is fine. These additional choices bring extra support complexity so I think the devs would prefer not adding dnsmasq. Personally, I would prefer not running 2 DNS servers as well but hostname registration is important to me.
The state with KEA dynamic hostname registrations is some effort from the community which shows the complexity of the issue.
https://github.com/opnsense/core/issues/7475
At this time, ISC DHCP plus Unbound is still viable, so if anyone deems other (new) combinations of services to be too unstable as of yet: stay with something that still works fine. If you used the business version, which is more mature and lags behind the community version, you would automatically be at this point, anyway. So, if you expect production-ready quality - please buy it!
Other than that, who would really use DNSmasq DHCP, but expect Unbound DNS to be supported registering DNSmasq leases, when DNSmasq supports this out-of-the-box?
As I noted, DNSmasq alone can handle DHCP, (local) DNS and RA, and also non-recursive DNS. If you really need recursive DNS or want DoH on top, you are free to choose Unbound (as is the current recommendation) or, if you do not like that (as myself), go along with something like DNSCrypt-Proxy. I just tried that and it also works just fine.
Like @Monviech said: It is just anybody's choice on what to use, IDK why there seems to be so much undeserved fuss made about it.
I, at least, appreciate the effort to have those services integrated more closely - but I do not expect it to be perfect from the get-go.
Quote from: meyergru on May 12, 2025, 09:46:02 PM: At this time, ISC DHCP plus Unbound is still viable, so if anyone deems other (new) combinations of services to be too unstable as of yet: stay with something that still works fine. [...]
Very well said, @meyergru
I too do not understand what the fuss is all about at the moment. There are choices available; and the best part is if one does not change anything and just upgrades - everything works anyway and the existing setups remain as they were.
Do not understand the amount of comments being made about dnsmasq. It is just being improved without any detriment to either ISC/Kea at the moment.
Constructive criticism or suggestions for improvements are not bad at all. I do this all the time and also did it on this topic, because I think that the DHCP options could be made more user-friendly (https://github.com/opnsense/core/issues/8620). The amount of comments about DNSmasq seems logical to me, because there are some areas that could be improved, as the Github issues section also shows.
It is more that the constant whining about how bad this is, and generally showing an egoistic attitude (I want to have it right now), won't help.
I think some people should start by understanding how things like Proxmox and OpnSense work: If you want great software for free, you have to put in some effort, like accepting to use the less proven and in some respects "immature" community version.
If you want to have it another way, get ready to pay for the business version and then you may start complaining, preferably directly to the manufacturer.
And as mentioned: With this specific topic, there is even less reason to complain, because DNS and DHCP still works with ISC DHCP and Unbound.
Quote from: meyergru on May 13, 2025, 08:56:52 AM: Constructive criticism or suggestions for improvements are not bad at all. [...]
👍
Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM: I'm not going to run two DNS services just to be able to resolve internal host names. [...]
I felt the same until I read through the updated docs. DNSmasq is primarily being introduced for dhcpd. Using it also for local name resolution (via an unbound forwarding) means no unbound restarts on updated leases. You retain a recursive resolver and still only have two daemons running in order to provide DNS/DHCP. If it all works as described in the docs, I will be more than happy to switch since I was fond of dnsmasq from previous experience.
Quote from: keeka on May 13, 2025, 05:36:48 PM: I felt the same until I read through the updated docs. DNSmasq is primarily being introduced for dhcpd. Using it also for local name resolution (via an unbound forwarding) means no unbound restarts on updated leases. [...]
In theory it looks ok, but unfortunately in practice it is not stable currently. As reported in the other thread (https://forum.opnsense.org/index.php?topic=47126.msg237206#msg237206).
I just switched over from Kea v4 to DNSmasq for DHCP. Unbound is pointed to DNSmasq for internal lookups and it is working fine in my configuration (some VLANs, IPv4 only and AdGuard->Unbound for DNS).
How do I configure Unbound and Dnsmasq to play along nicely? I don't see an option for upstream (forwarding) servers in Dnsmasq. I'm on version 25.1.7_4-amd64.
This option (to set forwarding servers in Dnsmasq) seems to be described in online user manual but does not exist on the above mentioned firmware version.
Basically I'd like to have Dnsmasq for DHCP and DNS for local LANs. Then point Dnsmasq to Unbound for DNS resolutions and DNS blocking.
And I need local unqualified hostnames to be inserted into DNS.
Just follow the docs (https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration).
On my home network I have a simple setup using ISC (IPv4 only) and unbound with a few DNS overrides for reverse proxied services and DNS over TLS. It works perfectly.
Looking through the threads, I know that do not have to change anything but I want to help the devs / community test the new approach (dnsmasq + unbound)
I have around 40 static mappings and I'd like to migrate/transfer them to dnsmasq.
Is there an easy way to migrate/transfer static mappings? A tool (button) in the GUI would be a big help I think, or a script to extract ISC static mappings from the config file into the format to import to dnsmasq?
Yes, here (https://github.com/meyergru/iscdhcp_to_dnsmasq), but it takes into account the patches that will be in the next release...
Also "easy" is relative.
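For anyone who wants to see what the conversion meyergru's script performs boils down to, here is an added example of my own (it is not meyergru's iscdhcp_to_dnsmasq script and not OPNsense code). It parses the plain `host NAME { hardware ethernet MAC; fixed-address IPV4; option host-name "X"; }` blocks ISC writes for static mappings and emits `dhcp-host=MAC,IP[,NAME]` lines in dnsmasq.conf syntax, which is the format the custom .conf mechanism mentioned later in this thread accepts. The sample dhcpd.conf, its host labels and addresses are constructed for the example. It deliberately refuses to guess: blocks without a MAC or an IPv4 literal, duplicate MACs or IPs (dnsmasq keys reservations on the MAC, so a second entry would silently override the first), and labels that are not valid DNS hostnames are all reported rather than translated blindly.

```python
"""Convert ISC dhcpd.conf static mappings to dnsmasq dhcp-host lines.

Added example for this thread; not meyergru's script and not OPNsense code.
Handles only the plain host blocks ISC writes for static mappings; anything
it cannot map unambiguously is reported on stderr instead of being guessed.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the shape of an ISC dhcpd.conf (hypothetical hosts).
SAMPLE_DHCPD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.199;
  option routers 192.168.1.1;
}
host s_lan_0 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.10;
  option host-name "nas";
}
host s_lan_1 {
  hardware ethernet AA:BB:CC:DD:EE:FF;
  fixed-address 192.168.1.11;
}
host s_lan_2 {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.12;
  option host-name "dup-mac";
}
host s_lan_3 {
  fixed-address 192.168.1.13;
  option host-name "no-mac";
}
"""

HOST_BLOCK = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)
MAC = re.compile(r"hardware\s+ethernet\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*;")
IPV4 = re.compile(r"fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;")
HOST_NAME = re.compile(r'option\s+host-name\s+"([^"]+)"\s*;')
# RFC 1123 label; dnsmasq will not serve a name it considers illegal, so check here.
DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_static_mappings(conf: str) -> Tuple[List[Dict[str, Optional[str]]], List[str]]:
    """Return (mappings, warnings) for every host block in an ISC dhcpd.conf."""
    mappings: List[Dict[str, Optional[str]]] = []
    warnings: List[str] = []
    seen_mac: Dict[str, str] = {}
    seen_ip: Dict[str, str] = {}
    for label, body in HOST_BLOCK.findall(conf):
        mac_m, ip_m = MAC.search(body), IPV4.search(body)
        if not mac_m or not ip_m:
            warnings.append(f"{label}: no hardware ethernet / IPv4 fixed-address, skipped")
            continue
        mac, ip = mac_m.group(1).lower(), ip_m.group(1)
        if mac in seen_mac:  # dnsmasq keys on MAC: a second entry would override the first
            warnings.append(f"{label}: MAC {mac} already mapped by {seen_mac[mac]}, skipped")
            continue
        if ip in seen_ip:
            warnings.append(f"{label}: IP {ip} already mapped by {seen_ip[ip]}, skipped")
            continue
        seen_mac[mac], seen_ip[ip] = label, label
        name_m = HOST_NAME.search(body)
        # Fall back to the block label (OPNsense uses s_<if>_<n>), but only if it is a legal name.
        name: Optional[str] = name_m.group(1) if name_m else label
        if not DNS_LABEL.match(name):
            warnings.append(f"{label}: '{name}' is not a valid hostname, mapping emitted without a name")
            name = None
        mappings.append({"mac": mac, "ip": ip, "name": name})
    return mappings, warnings


def to_dnsmasq(mappings: List[Dict[str, Optional[str]]]) -> List[str]:
    """Render dhcp-host=MAC,IP[,NAME] lines in dnsmasq.conf syntax."""
    return [
        "dhcp-host=" + ",".join(v for v in (m["mac"], m["ip"], m["name"]) if v)
        for m in mappings
    ]


if __name__ == "__main__":
    # Usage on the firewall: python3 isc2dnsmasq.py < /var/dhcpd/etc/dhcpd.conf
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DHCPD_CONF
    found, problems = parse_static_mappings(text)
    print("\n".join(to_dnsmasq(found)))
    for p in problems:
        print("warning:", p, file=sys.stderr)
```

On the constructed sample this yields two usable reservations and three warnings (a block whose label is not a legal hostname, a duplicate MAC, and a block without a MAC). Review the warnings before importing: a duplicate MAC in ISC usually means a stale entry that should be deleted, not carried over.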
Quote from: meyergru on May 29, 2025, 11:46:32 PM: Just follow the docs (https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration).
Thanks for that. That's a one way of doing it and I'll give it a go.
But it would allow for much more flexibility if Dnsmasq had a configurable option to set upstream (forwarding) DNS servers.
That would allow much cleaner setup: client -> DHCP/DNS Dnsmasq -> DNS Unbound -> upstream ISP/Internet
Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream.
Otherwise, you need this patch:
opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8
With it you can set "Do not forward to system defined DNS servers" in dnsmasq and provide your own ones in the "Domain" tab. Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).
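To make the two arrangements discussed in this thread concrete outside the GUI, here is an added example of my own (not the config OPNsense generates and not taken from the docs): the raw dnsmasq.conf and unbound.conf lines that correspond to (A) the documented setup allan describes earlier, Unbound in front forwarding the local zone to dnsmasq, and (B) the arrangement Cedrik describes in the post above, dnsmasq in front forwarding "*" to Unbound, including the strict-order switch asked about later in the thread. The domain home.arpa, the 192.168.1.0/24 subnet, port 53053 for whichever daemon is moved off :53, and the host entries are assumptions. OPNsense writes these files itself, so read this as what the GUI options map to, not as something to paste over the generated files.

```conf
## (A) Documented setup: Unbound on :53 for clients, dnsmasq on 127.0.0.1:53053
##     serving only the local zone built from its DHCP leases.

# dnsmasq side (assumed values; interface binding is set in the GUI)
port=53053
no-resolv                  # no upstreams at all: this instance only knows local names
local=/home.arpa/          # authoritative for the local zone, never forward it
domain=home.arpa
expand-hosts               # bare lease names become name.home.arpa
dhcp-range=192.168.1.100,192.168.1.199,12h
dhcp-host=00:11:22:33:44:55,192.168.1.10,nas   # static mapping with DNS name
dhcp-authoritative

# Unbound side
server:
  do-not-query-localhost: no               # default is yes and silently blocks forwards to 127.0.0.1
  local-zone: "home.arpa." nodefault       # Unbound ships a static NXDOMAIN zone for home.arpa
  local-zone: "1.168.192.in-addr.arpa." nodefault   # same for the RFC 1918 reverse zones
  domain-insecure: "home.arpa."            # unsigned local zone, do not DNSSEC-validate it
  private-domain: "home.arpa."             # allow RFC 1918 answers if private-address is set
forward-zone:
  name: "home.arpa."
  forward-addr: 127.0.0.1@53053            # Unbound writes the port after '@'
forward-zone:
  name: "1.168.192.in-addr.arpa."          # so PTR lookups for leases work too
  forward-addr: 127.0.0.1@53053

## (B) Cedrik's variant: dnsmasq on :53 for clients, "*" forwarded to Unbound
##     moved to 127.0.0.1:53053.

# dnsmasq side
port=53
no-resolv                  # GUI: "Do not forward to system defined DNS servers"
strict-order               # GUI: "Query DNS servers sequentially" (only matters with 2+ servers)
server=127.0.0.1#53053     # GUI Domain tab: domain "*", IP 127.0.0.1, port 53053 ('#' in dnsmasq)
local=/home.arpa/          # answered locally, never sent to Unbound or the Internet
domain=home.arpa
expand-hosts
domain-needed              # unqualified names never leave the box
bogus-priv                 # RFC 1918 PTR lookups never leave the box
dhcp-range=192.168.1.100,192.168.1.199,12h
dhcp-host=00:11:22:33:44:55,192.168.1.10,nas

# Unbound side: recursive resolver reachable only from dnsmasq
server:
  port: 53053
  interface: 127.0.0.1
  access-control: 127.0.0.0/8 allow
```

Two points a practitioner should check whichever variant is used: the `local=/home.arpa/` line (plus `domain-needed` and `bogus-priv` in B) is what keeps internal hostnames and private PTR lookups from being sent to the upstream resolver, and in A the `do-not-query-localhost: no` line is the one most often forgotten when Unbound is hand-configured to forward to a daemon on 127.0.0.1. Variant A is also why keeka's remark earlier holds: a lease change only touches dnsmasq, so Unbound's cache survives.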
Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM: Just use an asterisk (*) to specify any domain
Ahh, thank you! This was the missing point. I saw the section but didn't realize asterisk can be used. This solves it then. :)
I just need to wait for the patch to be released.
You can already apply it. Connect via SSH, choose 8, and input the opnsense-patch command just as written above, no need to change it.
https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-patch
Quote from: franco on May 12, 2025, 06:55:26 PM: The goal for 25.7 default installation we're moving to:
Unbound as DNS (same as before)
Dnsmasq as DHCPv4 (away from ISC and ignoring Kea)
ISC for DHCPv6 (same as before)
Router Advertisements "radvd" as RA (same as before) [...]
I'm curious. Why ISC for DHCP6 versus either Kea or DNSMASQ--or just DNSMASQ if ignoring Kea?
Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM: Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream. Otherwise, you need this patch: [...]
Just finished doing this with thanks from your help. Everything working great, apart from my Blocklist now just gets ignored. Any way around this?
Quote from: jbhorner on May 30, 2025, 10:03:21 PM: [...] I'm curious. Why ISC for DHCP6 versus either Kea or DNSMASQ--or just DNSMASQ if ignoring Kea?
Yes, I am curious too.
Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM: [...] Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).
Since updating to 25.1.8_1, I can no longer use an asterisk (*) to specify any domain. Are there any workarounds?
opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1
Quote from: Monviech (Cedrik) on June 15, 2025, 08:20:18 PM: opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1
Patch works - thanks!!
Quote from: Monviech (Cedrik) on June 15, 2025, 08:20:18 PM: opnsense-patch https://github.com/opnsense/core/commit/e7441283055dcb33a389f02d4e0f502767c8ecd1
Exactly what I was looking for, after migrating from KEA+Unbound to my favorite: dnsmasq. :)
I had solved it temporarily using a custom .conf file with one line (server=xx.xx.xx.xx).
Since it seemed weird that I couldn't configure a default forwarder and had to rely on a custom .conf file, I was about to raise an issue on GH because * wasn't working in domains, but I checked the forum first and (very luckily) found this thread.
Thank you for the patch Cedrik, just one question: is the strict-order option enabled by default? Is there a UI checkbox to configure it?
Great work on dnsmasq, I much prefer it over KEA+Unbound for my homelab's use case.
There is a checkbox in the general settings, maybe in advanced mode called "Query DNS Servers sequentially" or something.
Quote from: Monviech (Cedrik) on June 16, 2025, 06:51:46 AM: There is a checkbox in the general settings, maybe in advanced mode called "Query DNS Servers sequentially" or something.
Found it, from the description I thought it was only applicable to System resolvers.
I would also suggest to invert the DHCP Interface setting logic to "Enable DHCP on these interfaces:". The [no dhcp] helps, but it's confusing.
The upstream documentation suggests that it only works for resolv.conf, but empirical testing revealed it also works for server directives for some reason.
I don't think we can easily change the no dhcp interfaces anymore without some migration so let's leave it for now.
I migrated to Kea probably a year ago on the business edition, but now I am reading: "but without Dnsmasq DHCP support and the recent captive portal backend switch."
https://forum.opnsense.org/index.php?topic=47329.0
will DNSMasq eventually be added to the business edition?
No DNS over DoT? Yikes. Kea and Unbound sound better and better to me all around.
Yeah it will be added eventually once it has matured, that's what the business edition is for.
Dnsmasq is just a forwarder in terms of DNS. This is the kind of setup we recommend:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
Just use KEA and Unbound if it currently works for you. I don't understand the "yikes". Each component has its own advantages and disadvantages.
Thank you all.
What's wrong with KEA? Is it not possible to use it?
KEA, ISC and DNSMasq can all be used. Pick the one that works best for your requirements.