Home user here with a nearly default install of OPNsense.
Simple home network of one WAN, one LAN, one Wireless AP.
My ISP does not provide IPv6 and I don't have any IPv6 or DHCPv6 configuration anywhere that I am aware of.
Unbound is disabled.
Four DNS servers in System->Settings->General. NO boxes marked under Networking.
Dnsmasq has been working well for some time. I could stay with it, but I want delete lease support, so in another post it was suggested I consider using KEA as delete lease is/will be supported there.
The KEA DHCPv4 setup is simple: LAN, changed default lease to 3600 (for testing), one subnet 192.168.1.1/24 (OPNsense LAN is 192.168.1.1), one DHCP pool range (192.168.1.230-192.168.1.250), UNmark match client ID so I can use MAC address, and added all devices with reserved IPs. They're all lower than that pool range and the same as in Dnsmasq. I tried with and without marking the box for Auto Collect Option Data, no difference. It looks correct, populated to 192.168.1.1 for Routers (gateway), DNS, and NTP.
I disable Dnsmasq and enable KEA. All clients immediately cease to find any sites by DNS name. Internet access is still good. I can ping, tracert, etc. any site by IPv4 address, just not by DNS names.
I disable KEA and enable Dnsmasq and all sites are immediately found by DNS name again.
At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases. So I released and renewed my Windows laptop lease (which is reserved) and KEA showed the lease correctly to the same IP. But the laptop still couldn't reach any sites by DNS name. After enabling Dnsmasq again, the laptop could find all sites by DNS without me having to do anything further.
(I have tried different browsers on the laptop, and also different PCs, both wireless and wired. It is the same, DNS names working immediately with Dnsmasq, stop working immediately with KEA.)
Other than INFO messages, only these two WARNING messages in KEA logs are repeating every half hour:
DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.
Firewall live log looks the same whether Dnsmasq or KEA is enabled. It shows DNS queries to port 53 as pass on both LAN (Default allow LAN to any rule) and WAN (let out anything from firewall host itself (force gw)). For LAN the DNS server is 192.168.1.1 (OPNsense) and WAN is one of the four in my system settings list.
It almost seems like all is working except the DNS "answer" is somehow not getting back to the client when KEA is enabled?
I've been searching the 'net and the only issues I've been able to find with KEA and DNS have been solved and connected to AdGuardHome, Unbound, PiHole, IPv6... and I'm not using any of those.
Thank you for your help.
Quote from: pseudonym3k on Today at 01:56:43 AM
Unbound is disabled.

Quote from: pseudonym3k on Today at 01:56:43 AM
At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases.
DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.
Dnsmasq is a combined DHCP+DNS solution, but Kea is strictly DHCP. You need to bring your own DNS (same as with the old ISC) and this is where Unbound comes in.
A Kea user might be able to confirm this (I don't know if these only work with ISC) but I think you'll need to enable at least one setting in Unbound:
- Register ISC DHCP4 Leases
- Register DHCP Static Mappings (optional)
https://docs.opnsense.org/manual/unbound.html
Or, you can enter the static ones manually in Unbound as 'Overrides.'
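One way to confirm the explanation above from a client is to probe the resolver address the DHCP server handed out and see whether anything answers on port 53 at all. The script below is an added example written for this thread; it is not from the original posts and not part of OPNsense, Kea or Unbound. The resolver address 192.168.1.1 and the hostname are assumptions taken from the thread, and the sample response used for the offline check is constructed.

```python
"""Minimal DNS probe: build an A query, send it to the DHCP-provided resolver,
and report whether nothing is listening (refused/timeout) or a real answer
came back. Added example, not from the forum thread or from OPNsense/Kea."""
import socket
import struct

TXID = 0x1234  # fixed transaction id, fine for a one-shot diagnostic


def build_query(name: str, txid: int = TXID) -> bytes:
    """Return a standard A/IN query with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_answer(resp: bytes, txid: int = TXID) -> dict:
    """Extract the RCODE and any A records from a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addresses = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addresses.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "addresses": addresses}


def probe(resolver: str, name: str, timeout: float = 2.0) -> str:
    """Send one query and classify the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    except ConnectionError:            # ICMP port unreachable: no resolver on port 53
        return "refused"
    except socket.timeout:             # no reply at all (filtered, or nothing listening)
        return "timeout"
    finally:
        sock.close()
    parsed = parse_answer(data)
    if parsed["addresses"]:
        return "answer:" + ",".join(parsed["addresses"])
    return f"rcode={parsed['rcode']}"


def sample_response() -> bytes:
    """Constructed response to build_query('example.test'): one A record, 192.0.2.10."""
    q = build_query("example.test")
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return header + q[12:] + answer


if __name__ == "__main__":
    # Assumed values from the thread: OPNsense LAN address as resolver.
    print(probe("192.168.1.1", "example.test"))
```

Run it from a LAN client while Kea is enabled and Dnsmasq is off: "refused" or "timeout" means the DHCP option for DNS still points at 192.168.1.1 but no resolver is running there, which is exactly the situation the reply describes; once Unbound is enabled on the same address the probe should return an "answer:" line instead.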