Before: Client > OPNSense ISC > PiHole (mDNS) + Unbound Recursive DNS > out
Goal: Client > OPNSense (DHCP, Unbound Recursive DNS, mDNS ) > PiHole > out
How is it going:
DHCP
- KEA is being named as the replacement for ISC but it does not support Register DHCP mapping
- Dnsmasq does support Register DHCP mappings but it is under ISC/KEA DHCP section for when it is set as DNS not DHCP Server(????)
- Online and documentation points to ISC only support dynamic hostname mapping
https://docs.opnsense.org/manual/unbound.html
- Since I disabled ISC to try KEA and dnsmasq, I cannot enable it back, ISC DHCPv4 is literally empty
- I am stuck with KEA which doesn't work for what I need and neither does dnsmasq
DNS
- Surfing the internet is insane faster thanks to OPNSense running it instead of PiHoles (tiny VM)
- "Flush DNS Cache during reload" is disabled, but reloading Unbound cleans the cache and we are back to dial-up speed every single time(????)
- ping "s6.home.arpa" no longer works, I must move Unbound back to PiHole and manually set the local DNS there
- Official documentation does not mention Unbound runs as recursive DNS by default
I am in the process of setting up dual-stack so it makes more sense to move things to OPNSense.
But dynamic hostname mapping does not work, let alone manual one
ISC is gone, the only one that supports dynamic hostname mapping (I guess) can no longer be enabled on 26.1.1, it is gone.
I am stuck with IP only unless I move things back to Pi-Hole.
To get ISC back install the plugin. Kea does support registration of static mappings in Unbound. Or go DNSmasq for DHCP and DNS.
Quote from: Patrick M. Hausen on Today at 11:20:28 AMTo get ISC back install the plugin. Kea does support registration of static mappings in Unbound. Or go DNSmasq for DHCP and DNS.
I had to:
- Disable Dnsmasq
- Enable Kea
- ISC options are back
- Disable Kea
- Enable ISC back
This cannot be right at all.
OPNSense documentation mention that Kea does not support registration mapping, it does not even have the option.
Dnsmasq for DHCP + DNS does not give me Recursive DNS.
Kea does register static mappings as documented:
QuoteCurrently it is not possible to register hostnames dynamically between KEA and Unbound, only static reservations will be synchronized on an Unbound service restart.
https://docs.opnsense.org/manual/kea.html
If you must have registration of dynamic mappings, your only choice is DNSmasq. For recursion you can either
- use Unbound as the client facing recursive server and forward the local domain to DNSmasq
- use DNSmasq as the client facing not recursive server and forward to unbound as upstream for recursion
I'd say which one to pick is a matter of taste.
But since I absolutely dislike DNSmasq and never register dynamic leases, anyway, I am happy with Kea and Unbound.
YMMV
Quote from: Patrick M. Hausen on Today at 11:34:49 AMBut since I absolutely dislike DNSmasq and never register dynamic leases, anyway, I am happy with Kea and Unbound.
YMMV
Got everything working dynamically:
- ISC DHCPv4 does its thing
- Unbound does its things: Recursive and "Register ISC DHCP4 Leases" and "Register DHCP Static Mappings"
- PiHole was the missing bit: Condition Forward: true,192.168.1.0/24,192.168.1.1,home.arpa
My tablet got a dynamic 192.168.1.82, I can now "dig s6.home.arpa" and get the response back.
I can also go to the browser and hit https://firewall01.home.arpa, that goes to OPNSense as it should.
I will leave as it is until Kea supports dynamic mapping or until OPNSense completely removes ISC.
Finally, I have been fighting this since 5PM, it is 10PM now lmao
Thank you so much :)
EDIT: If anybody knows please let me know how to report bugs: Unbound does not respect: Flush DNS Cache during reload
Reloading the service is purging the cache every time.
Open an issue on Github: https://github.com/opnsense/core/issues
Quote from: Patrick M. Hausen on Today at 12:31:24 PMOpen an issue on Github: https://github.com/opnsense/core/issues
Sweet, thank you Patrick.
For future reference, this is an intended behaviour and the ticket was closed in 2021: https://github.com/opnsense/core/commit/4a1bc9f8b5e65651e85385ce0fc6969cd30b2c13
Unbound by design flushes the cache and reload the config on reload, there is an option to avoid that but.
Quote from: hakuna on Today at 12:07:08 PMEDIT: If anybody knows please let me know how to report bugs: Unbound does not respect: Flush DNS Cache during reload
Reloading the service is purging the cache every time.
Even if you remove the check mark?
I think it's working as described, but it doesn't work on reboots (by initial design).
We discussed it here https://github.com/opnsense/core/issues/9774
Cheers,
Franco
Quote from: hakuna on Today at 11:15:16 AMSurfing the internet is insane faster thanks to OPNSense running it instead of PiHoles (tiny VM)
I don't know what you are doing wrong but my setup :
- OPNsense KEA DHCP Server.
- Pi-Hole + Unbound that queries the Root DNS Servers as the DNS IP Address for the Clients.
Never let's me down! :)
When it comes to DNS Resolving speed there were multiple benchmarks that showed very little differences in the hardware used and even compared to DNS Servers that due to their larger "Client Pool" have a lot of addresses cached were not that faster than Pi-Hole + Unbound running on a simple Raspberry Pi 3B/3B+/4B at the time.
Quoteping "s6.home.arpa" no longer works, I must move Unbound back to PiHole and manually set the local DNS there.
In my case everything is setup as following :
- Static DHCP IP Mappings based on MAC Address for ALL CLIENTS.
- Local DNS Records in Pi-Hole for all of them.
Works like a charm! :)
QuoteI am in the process of setting up dual-stack so it makes more sense to move things to OPNSense.
Dual-Stack in combination with Pi-Hole should not be an issue at all : What is your main issue at the moment ?
Quote from: Patrick M. Hausen on Today at 11:34:49 AMI absolutely dislike DNSmasq
Why ?!
Especially "boosted" by the Pi-Hole Team as their FTLDNS it's really nice to work with in general :)
Quote from: nero355 on Today at 03:25:38 PMWhy ?!
It's missing a sound architecture and does too many things in a single tool. Like systemd.
DHCP, DNS and RA are three completely separate services and I like to treat them as such. Kea, Unbound, radvd.
Also it's "alien" to the FreeBSD ecosystem. Why import a Linux centred single person project when there is standard software for the task. Similarly I do not understand why "we" import radvd. rtadvd has been a part of FreeBSD ever since IPv6 was introduced. I would pick that. Kea is the successor to ISC DHCPd. By ISC. Just use it.
If I were to decide I would use BIND instead of Unbound and implement proper dynamic updates via RFC 2137. Also provide in the UI only
- DHCP
- DNS
- RA
without even mentioning the products. Choice is not good in this firewall context. Choice means waisted effort on the development side.
Quote from: nero355 on Today at 03:25:38 PMEspecially "boosted" by the Pi-Hole Team as their FTLDNS it's really nice to work with in general :)
[/quote]
Pihole is again Linux centred and you need a separate system. I run AdGuard Home on my OPNsense for filtering.
Quote from: Patrick M. Hausen on Today at 03:36:40 PMIt's missing a sound architecture and does too many things in a single tool. Like systemd.
Not a fan of SystemD either, but it is what it is and some things are even kind of cool to use so that "softens the blow" a bit...
QuoteAlso it's "alien" to the FreeBSD ecosystem.
Why import a Linux centred single person project when there is standard software for the task.
From what I have heard/read so far Simon Kelly is often supported by many other developers so it's not really a single person project.
And he is also not the "Lead Developer of OpenBSD" kind of guy if you know what I mean, so any input someone has is actually being looked at and communicated about :)
QuoteAlso provide in the UI only
- DHCP
- DNS
- RA
without even mentioning the products. Choice is not good in this firewall context. Choice means waisted effort on the development side.
And probably a lot of Support workhours too so I fully agree with you on that one!
Quote from: nero355 on Today at 03:25:38 PMPi-Hole is again Linux centred and you need a separate system. I run AdGuard Home on my OPNsense for filtering.
I feel like AdGuard is a total Pi-Hole ripoff and do not like pretty much everything about it.
Having my DNS seperated from OPNsense is not a big deal for me either.
And the guys that develop Pi-Hole are really cool to talk with too! :)
Quote from: nero355 on Today at 03:55:15 PMI feel like AdGuard is a total Pi-Hole ripoff and do not like pretty much everything about it.
I love the UI. I love that it's written in Golang. I love that there is an official FreeBSD port (because the FreeBSD ports framework has good tooling for Go applications). I love the paid (but cheap) mobile IOS app. Performance and reliability - no complaints whatsoever.
Me do me - you do you 🙂
There isnt much time spent with dnsmasq anymore it has been stable and quiet since a while now. So all efforts can go back to KEA to somehow improve it more.
Isnt that nice?
Also if you would check the dnsmasq mailing list there are freebsd developers in there all the time supplying patches and feedback for the bsd centric port.
Quote from: Patrick M. Hausen on Today at 04:01:23 PMI love that it's written in Golang.
Anything is better than Python... Really having a beef with that one the last couple of years ^_^
QuoteI love the paid (but cheap) mobile IOS app.
Don't need an app when the browser view adjusts itself accordingly :)
Also kind of expected you to be an UBPorts Ubuntu Touch or Jolla SailFish user considering your standpoints on privacy ?!
QuoteMe do me - you do you 🙂
Ofcourse! 🙂
Quote from: nero355 on Today at 04:27:08 PMAlso kind of expected you to be an UBPorts Ubuntu Touch or Jolla SailFish user considering your standpoints on privacy ?!
FreeBSD on servers, Mac OS on the desktop.
Just FYI
https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg18193.html
Stuff like this etc...
Quote from: Monviech (Cedrik) on Today at 04:20:45 PMThere isnt much time spent with dnsmasq anymore it has been stable and quiet since a while now. So all efforts can go back to KEA to somehow improve it more.
That's great! Thanks!