I keep trying out dnsmasq with little success. I have a real domain, not .internal, and decided to try out dnsmasq in front of unbound.
Per https://docs.opnsense.org/manual/dnsmasq.html#dnsmasq-as-primary-dns-resolver
Seemed to be working, but I am mostly an IPv6 network and noticed my Ubuntu 24.04 LTS servers were having DNS issues. They couldn't resolve packages etc.; these are IPv6 only, no IPv4. It is almost like dnsmasq does not respond on IPv6 only. The dual stack clients were OK.
Try with "dig" using the IPv6 address you imagine dnsmasq to listen on and verify whether the OPNsense firewall blocks something.
Use "sockstat -l" on OPNsense to verify whether it listens on IPv4 and IPv6 port 53.
On the OPNsense itself I get for sockstat -l:
unbound unbound 99237 5 udp6 *:53 *:*
unbound unbound 99237 6 tcp6 *:53 *:*
unbound unbound 99237 7 udp4 *:53 *:*
unbound unbound 99237 8 tcp4 *:53 *:*
unbound unbound 99237 9 udp6 *:53 *:*
unbound unbound 99237 10 tcp6 *:53 *:*
unbound unbound 99237 11 udp4 *:53 *:*
unbound unbound 99237 12 tcp4 *:53 *:*
unbound unbound 99237 13 udp6 *:53 *:*
unbound unbound 99237 14 tcp6 *:53 *:*
unbound unbound 99237 15 udp4 *:53 *:*
unbound unbound 99237 16 tcp4 *:53 *:*
unbound unbound 99237 17 udp6 *:53 *:*
unbound unbound 99237 18 tcp6 *:53 *:*
unbound unbound 99237 19 udp4 *:53 *:*
unbound unbound 99237 20 tcp4 *:53 *:*
unbound unbound 99237 21 tcp4 127.0.0.1:953 *:*
nobody dnsmasq 47107 4 udp4 *:67 *:*
nobody dnsmasq 47107 8 udp6 *:547 *:*
nobody dnsmasq 47107 10 udp4 *:53053 *:*
nobody dnsmasq 47107 11 tcp4 *:53053 *:*
nobody dnsmasq 47107 12 udp6 *:53053 *:*
nobody dnsmasq 47107 13 tcp6 *:53053 *:*
Well, this means Unbound is your primary resolver and it is responsible right now for the IPv6 traffic on port 53.
I am hiding actual domain/IPv6 addresses, but this is using my router address on VLAN 30:
root@OPNsense:~ # dig @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; <<>> DiG 9.20.11 <<>> @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
; bedroom.mydomain.com. IN A
;; ANSWER SECTION:
bedroom.mydomain.com. 300 IN A 10.23.20.102
;; Query time: 0 msec
;; SERVER: 2603:aaaa:bbbb:fb30::cccc#53053(2603:aaaa:bbbb:fb30::cccc) (UDP)
;; WHEN: Thu Sep 04 09:56:31 PDT 2025
;; MSG SIZE rcvd: 64
I get the same results using any router interface. All is good from the router itself.
Now doing the same thing but from an Ubuntu 24.04 server located on VLAN 20, querying the router address that is also on VLAN 20:
root@test2:~# dig @2603:aaaa:bbbb:fb20::cccc -p 53053 bedroom.mydomain.com a
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @2603:aaaa:bbbb:fb20::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31094
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;bedroom.mydomain.com. IN A
;; ANSWER SECTION:
bedroom.mydomain.com. 300 IN A 10.23.20.102
;; Query time: 0 msec
;; SERVER: 2603:aaaa:bbbb:fb20::cccc#53053(2603:8001:2a00:fb20::faf3) (UDP)
;; WHEN: Thu Sep 04 10:01:35 PDT 2025
;; MSG SIZE rcvd: 64
So it is still all good.
However, if I change to a different VLAN address I get this:
root@test2:~# dig @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
;; communications error to 2603:aaaa:bbbb:fb30::cccc#53053: timed out
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> @2603:aaaa:bbbb:fb30::cccc -p 53053 bedroom.mydomain.com a
; (1 server found)
;; global options: +cmd
;; no servers could be reached
My testing shows that basically, for any interface, it will respond on the router address of that interface, but I get a communications error for any other interface's router address.
I should note I do have a firewall rule allowing 53053 and logging. I see in the logs that the firewall is passing the query.
I also get the same results on a Mac:
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
But it works on the same interface.
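The dig loop above is easy to script so the same question is asked of every router address at once. The following is an added diagnostic, not code from the thread or from the OPNsense/dnsmasq projects: it builds a minimal DNS A query, sends it over UDP to each (address, port) target with a timeout, and reports which targets answered and which timed out. The target list, the transaction ids and the query name are constructed placeholders; substitute your own router addresses and the alternate dnsmasq port.

```python
"""Probe which resolver addresses actually answer a DNS query.

Added example for diagnosing per-interface DNS reachability; not part
of the forum thread, OPNsense or dnsmasq. Targets below are constructed.
"""
import random
import socket
import struct
from typing import Optional

# Constructed placeholders modelled on the thread's redacted addresses:
# the VLAN 20 and VLAN 30 router GUAs and the alternate dnsmasq port.
SAMPLE_TARGETS = [
    ("2603:aaaa:bbbb:fb20::cccc", 53053),
    ("2603:aaaa:bbbb:fb30::cccc", 53053),
]
SAMPLE_NAME = "bedroom.mydomain.com"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: RD set, one question, no EDNS."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # id, flags (RD), qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) DNS name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_response(data: bytes, txid: int) -> dict:
    """Return the rcode and any A records from a DNS response message."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(socket.inet_ntop(socket.AF_INET, data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0xF, "answers": answers}


def probe(targets, name: str, timeout: float = 2.0) -> dict:
    """Send the same query to every target; map (addr, port) -> result or error."""
    results = {}
    for addr, port in targets:
        family = socket.AF_INET6 if ":" in addr else socket.AF_INET
        txid = random.randrange(0, 0x10000)
        query = build_query(name, txid=txid)
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(query, (addr, port))
                data, _ = sock.recvfrom(4096)
                results[(addr, port)] = parse_response(data, txid)
            except (OSError, ValueError) as exc:   # timeout, unreachable, bad reply
                results[(addr, port)] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    for (addr, port), result in probe(SAMPLE_TARGETS, SAMPLE_NAME).items():
        print(f"[{addr}]:{port} -> {result}")
```

Run it once from a host on each VLAN: a target that answers from its own VLAN but shows "timed out" from the others reproduces the behaviour in the thread, and a target that fails everywhere points at the firewall rule or the listener instead.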
Quote from: Monviech (Cedrik) on September 04, 2025, 06:54:27 PM
> Well this means unbound is your primary resolver and it is responsible right now for the ipv6 traffic on port 53.
Yes, right now I had to switch it back to Unbound so everything still works, but I can still dig to dnsmasq via 53053.
I tried the same series of tests using IPv4 and did not see what I am seeing with IPv6. I could query any of the IPv4 router addresses and get a good response.
I don't understand, isn't it good that it only responds via the GUA of the interface of the VLAN?
If you send a DNS option via RA from dnsmasq it will automatically send the correct GUA to the clients via RDNSS.
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements
What's the issue? Is there some kind of use case you have that needs special configuration? Just use the above and it will just work TM.
Quote from: Monviech (Cedrik) on September 04, 2025, 07:22:39 PM
> I dont understand, isnt it good that it only responds via the GUA of the interface of the VLAN?
> If you send a dns option via RA from DNSmasq it will automatically send the correct GUA to the clients via RDNSS.
> https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements
> Whats the issue? Is there some kind of usecase you have that needs special configuration? Just use the above and it will just work TM.
No, it's not good, because Proxmox overrides the DNS resolver of containers and replaces it with the address that Proxmox knows about, which in my case is on VLAN 10. So each container ends up using the router address of VLAN 10 regardless of what DHCP/RA tells it to use.
This was never an issue before, because Unbound works no matter which interface I point to, as long as my firewall rules pass DNS to "This Firewall" vs "VLAN30 Address".
Also, dnsmasq works as expected for IPv4, and Proxmox does the same in IPv4 too. It's just that dnsmasq as configured acts differently with IPv6.
I don't know why it acts differently for IPv6; you could search through the dnsmasq mailing list to see if anybody has the same problem.
You can also look at the dnsmasq man page to see if there are constraints we did not consider.
The last resort would be checking the source code.
If you find anything out let me know.