OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: OPNenthu on May 18, 2025, 06:13:10 PM

Title: Dnsmasq failing to start with bind error
Post by: OPNenthu on May 18, 2025, 06:13:10 PM
I'm starting the migration from ISC to Dnsmasq w/ Unbound upstream on OPN 25.1.6_4 and I've quickly hit a bind error:

2025-05-18T11:28:54-04:00 Critical dnsmasq FAILED to start up
2025-05-18T11:28:54-04:00 Critical dnsmasq failed to bind DHCP server socket: Address already in use

Checking sockstat I see that service 'dhcpd' is listening on *:67.  I believe this is used by ISC?

root@firewall:~ # sockstat -4 -l
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
_flowd   flowd      68062 3   udp4   127.0.0.1:2056        *:*
root     mdns-repea 66175 5   udp4   *:5353                *:*
root     mdns-repea 66175 6   udp4   192.168.20.1:5353     *:*
root     mdns-repea 66175 8   udp4   192.168.30.1:5353     *:*
root     mdns-repea 66175 9   udp4   192.168.40.1:5353     *:*
nobody   samplicate 24413 5   udp4   127.0.0.1:2055        *:*
nobody   samplicate 24413 6   udp4   *:5269                *:*
root     ntpd       26908 21  udp4   *:123                 *:*
root     ntpd       26908 23  udp4   xx.xxx.xxx.xxx:123    *:*   *(public IP - redacted)
root     ntpd       26908 27  udp4   127.0.0.1:123         *:*
root     ntpd       26908 29  udp4   10.2.2.1:123          *:*
root     ntpd       26908 32  udp4   192.168.1.1:123       *:*
root     ntpd       26908 36  udp4   192.168.20.1:123      *:*
root     ntpd       26908 39  udp4   192.168.30.1:123      *:*
root     ntpd       26908 43  udp4   192.168.40.1:123      *:*
root     ntpd       26908 46  udp4   192.168.50.1:123      *:*
root     ntpd       26908 49  udp4   192.168.60.1:123      *:*
unbound  unbound     6410 7   udp4   *:53                  *:*
unbound  unbound     6410 8   tcp4   *:53                  *:*
unbound  unbound     6410 11  udp4   *:53                  *:*
unbound  unbound     6410 12  tcp4   *:53                  *:*
unbound  unbound     6410 15  udp4   *:53                  *:*
unbound  unbound     6410 16  tcp4   *:53                  *:*
unbound  unbound     6410 19  udp4   *:53                  *:*
unbound  unbound     6410 20  tcp4   *:53                  *:*
unbound  unbound     6410 21  tcp4   127.0.0.1:953         *:*
dhcpd    dhcpd      82937 14  udp4   *:67                  *:*
root     lighttpd   71873 7   tcp4   *:443                 *:*
root     sshd       47538 7   tcp4   *:22                  *:*
?        ?          ?     ?   udp4   *:51820               *:*

I have Dnsmasq set to listen only on the specific interface that I'm migrating and its DNS service is on 53053.  Unbound is on port 53 (All interfaces).  I get the same error both with and without the "Strict Interface Binding" option under advanced settings.  I also tried restarting all services from the console with Option 11.

Is it possible to migrate a live system one interface at a time?  I was expecting that if I disable an interface from Services->ISC DHCPv4, then there wouldn't be any conflicts.

Thanks!
Title: Re: Dnsmasq failing to start with bind error
Post by: julsssark on May 18, 2025, 07:03:32 PM
If you search for migration from ISC to Kea, you will find multiple threads about how ISC takes over the binding, regardless of whether an interface is not being "used" by ISC.
Title: Re: Dnsmasq failing to start with bind error
Post by: OPNenthu on May 18, 2025, 07:16:54 PM
Appreciate the hint- I'll look for those.

Without doing the homework, I am guessing this will involve setting a static IP on my PC for some time and killing off dhcpd.  Hopefully someone found something more elegant.
Title: Re: Dnsmasq failing to start with bind error
Post by: meyergru on May 18, 2025, 09:07:23 PM
I do not get what you try to achieve? If you want DNSmasq only for DNS, then you can totally do that by disabling all interfaces for DHCP in the advanced settings and still have ISC DHCP running. If you want DNSmasq's DHCP, then you need to disable ISC completely.

What you cannot do is use both ISC and DNSmasq DHCP at the same time, because ISC cannot select the interfaces it runs on (DNSmasq can!).
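
Added example (not part of the original posts, and not OPNsense's own tooling): a pre-flight check for the conflict described above, which reads `sockstat -4 -l` output and reports any daemon other than dnsmasq that already holds UDP port 67. The function names are hypothetical and the sample input is constructed from rows of the sockstat listing earlier in this thread.

```shell
#!/bin/sh
# Added example: check who holds the DHCP server port before enabling Dnsmasq DHCP.
# Input is `sockstat -4 -l` output on stdin, with the columns shown in this thread:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Print "command pid local-address" for every UDP listener on port 67.
dhcp_port_holders() {
    awk '$5 == "udp4" && $6 ~ /:67$/ { print $2, $3, $6 }'
}

# Return 0 if nothing but dnsmasq listens on UDP/67, 1 otherwise.
# In this thread dhcpd held *:67 and dnsmasq's DHCP bind failed.
dhcp_port_free_for_dnsmasq() {
    holders=$(dhcp_port_holders | awk '$1 != "dnsmasq"')
    if [ -n "$holders" ]; then
        echo "UDP/67 already bound by:" >&2
        echo "$holders" >&2
        return 1
    fi
    return 0
}

# Constructed sample: ISC dhcpd still running (rows from the listing above).
SAMPLE_BUSY='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound     6410 7   udp4   *:53                  *:*
dhcpd    dhcpd      82937 14  udp4   *:67                  *:*
root     sshd       47538 7   tcp4   *:22                  *:*'

# Constructed sample: the same system with ISC dhcpd stopped.
SAMPLE_FREE='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound     6410 7   udp4   *:53                  *:*
root     sshd       47538 7   tcp4   *:22                  *:*'

# On the firewall itself: sockstat -4 -l | dhcp_port_free_for_dnsmasq
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BUSY" | dhcp_port_free_for_dnsmasq \
        || echo "stop ISC DHCP before enabling Dnsmasq DHCP"
fi
```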
 
Title: Re: Dnsmasq failing to start with bind error
Post by: OPNenthu on May 19, 2025, 02:20:30 AM
Quote from: meyergru on May 18, 2025, 09:07:23 PM
What you cannot do is use both ISC and DNSmasq DHCP at the same time, because ISC cannot select the interfaces it runs on (DNSmasq can!).

I wasn't aware.  I followed the example in the guide which enables Dnsmasq on port 53053 as a first step before adding configurations to it, so I assumed that the migration entails having both DHCP servers active for some time.

As I understand it now I will have to completely disable ISC first.  But, won't that disrupt the network?  (Anyway I can do it while the family is offline)

EDIT:  I guess another option is to fully configure the DHCP ranges in Dnsmasq first and then enable / cut over to it in one shot.
Title: Re: Dnsmasq failing to start with bind error
Post by: OPNenthu on May 19, 2025, 05:14:01 AM
Never mind on adding the DHCP ranges while Dnsmasq is disabled.  I don't know if it's by design or a bug, but it's not possible to add DHCP ranges while the service is disabled.  The interfaces aren't listed there, even if they are selected in General.

So maybe it will be necessary to fully disable DHCP services during the configuration.


EDIT: Geeez, I'm a fool.  My web session was timed out but I didn't know it until I navigated to a different section of the UI and then only got the login prompt.

Interfaces are showing in DHCP ranges tab now.
Title: Re: Dnsmasq failing to start with bind error
Post by: meyergru on May 19, 2025, 07:08:33 AM
Quote from: OPNenthu on Today at 02:20:30 AM
EDIT:  I guess another option is to fully configure the DHCP ranges in Dnsmasq first and then enable / cut over to it in one shot.

Yup, and if you have lots of DNS entries and DHCP reservations, like me: https://github.com/meyergru/iscdhcp_to_dnsmasq