OPNsense Forum

English Forums => 26.1, 26.4 Series => Topic started by: pseudonym3k on April 12, 2026, 01:56:43 AM

Title: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 01:56:43 AM
Home user here with a nearly default install of OPNsense.

Simple home network of one WAN, one LAN, one Wireless AP.

My ISP does not provide IPv6 and I don't have any IPv6 or DHCPv6 configuration anywhere that I am aware of.

Unbound is disabled.

Four DNS servers in System->Settings->General. NO boxes marked under Networking.

Dnsmasq has been working well for some time. I could stay with it, but I want delete lease support, so in another post it was suggested I consider using KEA as delete lease is/will be supported there.

The KEA DHCPv4 setup is simple: LAN, changed default lease to 3600 (for testing), one subnet 192.168.1.1/24 (OPNsense LAN is 192.168.1.1), one DHCP pool range (192.168.1.230-192.168.1.250), UNmark match client ID so I can use MAC address, and added all devices with reserved IPs. They're all lower than that pool range and the same as in Dnsmasq. I tried with and without marking the box for Auto Collect Option Data, no difference. It looks correct, populated to 192.168.1.1 for Routers (gateway), DNS, and NTP.

I disable Dnsmasq and enable KEA. All clients immediately cease to find any sites by DNS name. Internet access is still good. I can ping, tracert, etc. any site by IPv4 address, just not by DNS names.

I disable KEA and enable Dnsmasq and all sites are immediately found by DNS name again.

At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases. So I released and renewed my windows laptop lease (which is reserved) and KEA showed the lease correctly to the same IP. But the laptop still couldn't reach any sites by DNS name. After enabling Dnsmasq again, the laptop could find all sites by DNS without me having to do anything further.

(I have tried different browsers on the laptop, and also different PCs, both wireless and wired. It is the same, DNS names working immediately with Dnsmasq, stop working immediately with KEA.)

Other than INFO messages, only these two WARNING messages in KEA logs are repeating every half hour:

   DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
   DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.

Firewall live log looks the same whether Dnsmasq or KEA is enabled. It shows DNS queries to port 53 as pass on both LAN (Default allow LAN to any rule) and WAN (let out anything from firewall host itself (force gw)). For LAN the DNS server is 192.168.1.1 (OPNsense) and WAN is one of the four in my system settings list.

It almost seems like all is working except the DNS "answer" is somehow not getting back to the client when KEA is enabled?

I've been searching the 'net and the only issues I've been able to find with KEA and DNS have been solved and connected to AdGuardHome, Unbound, PiHole, IPv6... and I'm not using any of those.

Thank you for help.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: OPNenthu on April 12, 2026, 04:02:38 AM
Quote from: pseudonym3k on April 12, 2026, 01:56:43 AM: Unbound is disabled.

Quote from: pseudonym3k on April 12, 2026, 01:56:43 AM: At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases.

DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.

Dnsmasq is a combined DHCP+DNS solution, but Kea is strictly DHCP. You need to bring your own DNS (same as with the old ISC) and this is where Unbound comes in.

A Kea user might be able to confirm this (I don't know if these only work with ISC) but I think you'll need to enable at least one setting in Unbound:

- Register ISC DHCP4 Leases
- Register DHCP Static Mappings (optional)

https://docs.opnsense.org/manual/unbound.html

Or, you can enter the static ones manually in Unbound as 'Overrides.'
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: vimage22 on April 12, 2026, 12:40:59 PM
By "DNS name", do you mean local hostname? And you are using ping to test? Running "ipconfig /all", have you confirmed the client is using the local ip of the router for DNS?

I use Unbound and Kea only. To guarantee local hostname resolution (IPv4 and 6), I add a reservation for only the machines I need to resolve. Then, I just restart the Unbound service once and it works.

"Register ISC DHCP4 Leases" is disabled, as well as the ISC service. Attached are the Unbound settings.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 03:37:04 PM
Quote from: OPNenthu on April 12, 2026, 04:02:38 AM: DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.
That's a deal breaker for me then, for an unknown reason Unbound isn't stable in my config and that's why it's disabled. (Have whole thread here about it.) I'll stay with Dnsmasq. Thank you, had no idea.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: OPNenthu on April 12, 2026, 04:26:02 PM
I didn't realize what it was for until now, but it looks like Kea recently got DDNS support: https://docs.opnsense.org/manual/kea.html#ddns-agent

In case you ever want to retry with Unbound, it looks like the gap between Kea and the old ISC is starting to close.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: nero355 on April 12, 2026, 07:54:23 PM
Quote from: pseudonym3k on April 12, 2026, 03:37:04 PM: That's a deal breaker for me then, for unknown reason Unbound isn't stable in my config and that's why it's disabled. (Have whole thread here about it.)
Just fix this bug:
Quote: Unbound, PiHole... and I'm not using any of those.
By using this: https://docs.pi-hole.net/guides/dns/unbound/

;)

A life without Pi-Hole combined with Unbound on my network is not worth living at all !!! :P

Quote: Thank you, had no idea.
It's all a matter of reading https://docs.opnsense.org/manual/dhcp.html before making any huge changes to your OPNsense.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 09:24:40 PM
Quote from: nero355 on April 12, 2026, 07:54:23 PM: It's all a matter of reading
Your comment is not nice and not necessary in a helpful context. Please be kind.

FWIW I do read the docs, and I absolutely don't understand everything there. There's a lot that doesn't apply to me, and it's possible I won't understand there's something there that does. I thought this forum exists to provide help when needed and so I asked and got my answer.

I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 12, 2026, 09:39:20 PM
You need a DHCP (well, most of the time) server and a DNS server for your network to work. Essentially these are two separate services that at first have nothing in common.

DHCP tells client systems about their network environment. How to number themselves, how to reach the Internet, what DNS servers to use.
DNS tells a client an IP address for a name. At least that's the primary use.

- DHCP can be run locally or not at all (configure everything manually).
- If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
- DNS can be run locally or not at all.
- If not at all you can point your clients to e.g. 8.8.8.8 or 1.1.1.1 via DHCP and "Internet" will work without any problems.
- If run locally you can use Unbound, DNSmasq or BIND (plugin) for that job.
- DNSmasq for both DHCP and DNS is tightly integrated but some (including me) don't like the architecture and still prefer Kea for DHCP.
- If you use Kea for DHCP you can go with no local DNS at all (8.8.8.8) or use Unbound or ... use DNSmasq for DNS only while using Kea for DHCP.
- Or use BIND. Or use ADGuard Home while forwarding to an upstream DoT service, which some (few) users here on the forum seem to do.
- Or ...

Admittedly we network professionals sometimes take that knowledge for granted but making sense out of that puzzle is still up to you. Bring a separate DNS filtering solution like PiHole (on a separate device) or AdGuard Home (on OPNsense) into the mix and complexity again increases.

So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.

Canonical well established alternatives are:

- Kea & Unbound
- DNSmasq for both

Start from one of those, then consider a filtering plugin, upstream encryption or not, etc. But only after you have the fundamentals well understood and working.

HTH,
Patrick
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 09:47:15 PM
Thanks. At a high level I understand the practical functions of each- as they apply to my practical use of the internet.

I do realize I grabbed OPNsense, an appliance meant for large enterprises, as my choice for a small no make that tiny home network. I did that because I'm disgusted with the direction consumer routers have gone and taking all control of what comes in and goes out. I ran DD-WRT for years (and Dnsmasq) and quite comfortable with how it functions for me, without knowing specific components or what does what. (Including a delete lease option which I'm aware can't be ported to OPNsense which prompted the entire suggestion for me to consider KEA.)

I had trouble with Unbound and disabled it, moved my DNS servers into System Settings, and voila it's all good. I thought that was enough no matter what I used for DHCP. Quite honestly, at almost 85 years old, I'm not likely to get much more knowledgeable nor am I really interested. If it's no longer allowed to post here for help because of that, then I'll find something else.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 12, 2026, 09:55:38 PM
Please, I was honestly trying to help.

So if you run Kea, and do not run Unbound, and do not have any DNS settings, then probably ...

- your OPNsense gets DNS servers from your ISP
- Kea is handing out those to clients

Which is fine. Internet will work. Much in the same way like with a consumer router. Only local DNS resolution of client names and IP addresses won't, because obviously (I hope) your ISP DNS server does not know about their customers' internal clients.

So your decision is if you can live with that situation or if you absolutely need local name resolution. Local service discovery can be achieved by mDNS which many devices support out of the box, anyway. Like finding your printer from your desktop/laptop machine etc.

If you need local resolution, reconsider adding Unbound but do not use block lists in Unbound. Large block lists are a frequent cause of Unbound hangs/crashes and there are better suited dedicated filtering solutions for that. If you just enable Unbound according to the docs and distribute your OPNsense IP address as a DNS server to clients via Kea, everything should definitely "just work". I use this setup in multiple corporate locations, there is nothing inherently unstable about Unbound. The odd name is geek humor: "Unbound" is a replacement for the "BIND" nameserver. "BIND" again is an acronym: "Berkeley Internet Name Domain" server.

BTW: I am turning 58 in May. Still a young man from your point of view but definitely not a twenty-something with high testosterone levels and quick fingers at the keyboard. We are really all trying to help. Sometimes we might call for a quick reality check. No bad intentions.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 09:59:45 PM
I *do* have my DNS servers in System->Settings->General. See 5th line of my OP. And it didn't work. It appears all DNS queries are headed out through OPNsense as they had been, but nothing was grabbing the reply. At least, that's how it appears from my observation. I have no way of knowing what is actually happening.

I appreciate the help, but honestly I asked a question, I got the (I presume) right answer. Not sure why the bashing is continuing. Because I was honest and said "I had no idea" I guess.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 12, 2026, 10:10:18 PM
Quote from: pseudonym3k on April 12, 2026, 09:59:45 PM: I *do* have my DNS servers in System->Settings->General. See 5th line of my OP.

Kea by default gives clients the OPNsense IP address in the respective network as their DNS server. If you do not run a DNS service, you need to instead send the same servers you configured in "General" to your clients.

Open the subnet configuration in Kea, activate the advanced settings, set DNS servers.

There used to be a lot of "magic" defaults in OPNsense which frequently worked and sometimes backfired. So IIRC with ISC the DHCP server would have given the clients the addresses from "General" if nothing more specific was explicitly configured.

Professionals like myself frequently complained about intransparent "magic" scattered over different parts of the UI. The development team seems to agree so with the more modern successors to ISC there is less of that.

HTH,
Patrick
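The failure mode in this thread, as an added example that is not code from the OPNsense project or from anyone posting here: a client-side probe that builds a minimal DNS A query and classifies what comes back from the address DHCP handed out, so "nothing is listening on 192.168.1.1:53" can be told apart from "the query is being dropped". The gateway address is the one from the thread; the queried name and the timeout are assumptions.

```python
"""Probe whether the DNS server address handed out by DHCP actually answers.

Added example, not code from the OPNsense project or from anyone in this
thread. Clients in the thread received 192.168.1.1 (Kea's default) as their
DNS server while no resolver listened there, so every lookup silently died.
The queried name and timeout below are assumptions for illustration.
"""
import random
import socket
import struct

DNS_PORT = 53


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive A query for `name` (RFC 1035, section 4.1)."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE=1 (A), QCLASS=1 (IN)
    return header + qname + struct.pack(">HH", 1, 1)


def parse_response(data: bytes, expected_id: int) -> dict:
    """Decode the 12-byte header into a summary; reject replies with a foreign ID."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    return {
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,              # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": ancount,
    }


def probe_resolver(server: str, name: str, timeout: float = 2.0) -> str:
    """Classify the server: 'answered', 'refused-by-server', 'nothing-listening', 'timeout'.

    'nothing-listening' is the thread's symptom: the gateway is up and reachable
    (ping works) but no process owns UDP/53, so the kernel replies with ICMP
    port unreachable instead of a DNS answer.
    """
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # A connected UDP socket makes the kernel surface the ICMP error as
        # ECONNREFUSED (Linux/BSD) or ECONNRESET (Windows) on the next recv.
        sock.connect((server, DNS_PORT))
        try:
            sock.send(build_query(name, txid))
            data = sock.recv(512)
        except (ConnectionRefusedError, ConnectionResetError):
            return "nothing-listening"
        except socket.timeout:
            # Query or ICMP error dropped by a firewall, or the host is unreachable
            return "timeout"
    summary = parse_response(data, txid)
    if summary["rcode"] == 5:
        return "refused-by-server"
    return "answered"


if __name__ == "__main__":
    # Assumed values: the LAN gateway from the thread and a public name to resolve
    print(probe_resolver("192.168.1.1", "opnsense.org"))
```

Run it from a LAN client after switching DHCP servers; "nothing-listening" from the gateway address means the clients were handed a DNS server that has no resolver behind it, which is exactly what happens with Kea alone.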
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 10:28:28 PM
Quote from: Patrick M. Hausen on April 12, 2026, 10:10:18 PM: Kea by default gives clients the OPNsense IP address in the respective network as their DNS server. If you do not run a DNS service, you need to instead send the same servers you configured in "General" to your clients. Open the subnet configuration in Kea, activate the advanced settings, set DNS servers.
I have OPNsense handling all DNS (and NTP, FWIW) for all of my clients. I do want them to get 192.168.1.1 for DNS server and not do their own thing.

It's really not necessary for me to move to KEA. It was a suggestion in another thread so I could have the supported delete lease button. I have a script to do that in Dnsmasq. Yes it's not the recommended approach but so far I haven't seen any side effects in my little house. It's just a bit more effort to SSH in and run the script compared to having a nice delete button that does it the correct way.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 12, 2026, 10:37:00 PM
Quote from: pseudonym3k on April 12, 2026, 10:28:28 PM: I have OPNsense handling all DNS (and NTP, FWIW) for all of my clients. I do want them to get 192.168.1.1 for DNS server and not do their own thing.

In that case if you want to run Kea for DHCP you really should combine it with Unbound for DNS. Or stick to DNSmasq for DHCP and DNS.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: nero355 on April 12, 2026, 11:37:38 PM
Quote from: pseudonym3k on April 12, 2026, 09:24:40 PM
Quote from: nero355 on April 12, 2026, 07:54:23 PM: It's all a matter of reading
Your comment is not nice and not necessary in a helpful context. Please be kind.
When you cut it off like that then yes, but the whole sentence is simply to steer you to the right place with the right information, because this:
Quote: I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.
is the whole problem these days: YouTubers who think they know everything telling people half the story because they also don't understand what they are doing exactly!

And when something goes wrong no one turns to them : They turn to the forums!
And when they do turn to them then they often get no reply at all...

But the main reason I posted that is because it's simply the truth :
Read.
Read a lot.
Read multiple times even if you have to!

Before I did my first FreeBSD install somewhere in 2004/2005/2006 the FreeBSD Handbook became my best friend after reading all of it three times and then certain sections again after installing FreeBSD :)

Quote from: Patrick M. Hausen on April 12, 2026, 09:39:20 PM: - If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
I would mention those three in a different order:
Quote: - If run locally you can use ISC (deprecated, but still working) or KEA or DNSmasq for that job.
To avoid people thinking KEA is deprecated too like someone did a while ago here on the forum :)

Quote: So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.
That's the most important part IMHO for anyone starting out with any kind of software :)
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 12, 2026, 11:47:33 PM
Quote from: nero355 on April 12, 2026, 11:37:38 PM: Is the whole problem these days: YouTubers who think they know everything telling people half the story because they also don't understand what they are doing exactly!

And when something goes wrong no one turns to them : They turn to the forums!
And when they do turn to them then they often get no reply at all...

Absolutely. So you followed some YT dude. And it doesn't work.

Go ask that YT dude for crying out loud!

I am not going to watch a video produced by that YT dude to find where it might be wrong or incomplete.

If you describe your problem on this forum by writing what you did (i.e. what exactly you configured), what you expected to happen, in which way the system behaved differently, ... well, I am more than willing to help.

That's exactly the problem with YT these days. Why do people refer to YT at all instead of consulting the official documentation, first?

Whenever I have to deal with a new product, I check its documentation first. If the documentation sucks for arbitrary reasons or is simply nonexistent, that rules out the product. Simple, ey?

And @pseudonym3k - this is not specifically directed at you. You have provided all information you were asked for in this thread. It's addressed at the general public :-)

Kind regards,
Patrick
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 12, 2026, 11:51:26 PM
Quote from: Patrick M. Hausen on April 12, 2026, 10:37:00 PM: In that case if you want to run Kea for DHCP y
I *don't* want to run KEA. I'm not sure why that's not clear. In any event, it doesn't matter. I wish I could delete everything here but my post and the one comment that helped.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 13, 2026, 12:00:14 AM
Then stick to DNSmasq for DHCP and DNS. But then, what is the problem at hand?
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 13, 2026, 12:05:06 AM
Quote from: Patrick M. Hausen on April 13, 2026, 12:00:14 AM: Then stick to DNSmasq for DHCP and DNS. But then, what is the problem at hand?
There is no problem here except everyone bashing me for not reading everything and understanding it all, when they didn't take the time to understand what I have been writing.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 13, 2026, 12:12:05 AM
Nobody's bashing you. I certainly am not. You switched from DNSmasq to Kea and encountered problems, then turned to the forum for help.

I cannot read your mind. I do not know that switching to Kea is entirely disposable for you. I tried to help with the switch to Kea, nothing more, nothing less.

With the same intention my more general "lectures", which I tend to write if the occasion arises, were to give you the necessary information without demanding you "simply read the docs".

Take it or leave it. It's free advice. I'd hate to see you (anyone, really) leave this forum with the feeling they are lectured instead of helped but I have (repeating myself) decades of networking behind me and I am doing my very best to be helpful. I am still wondering what I could have written differently.

Kind regards,
Patrick
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 13, 2026, 12:23:01 AM
Quote from: Patrick M. Hausen on April 13, 2026, 12:12:05 AM: I cannot read your mind. I do not know that switching to Kea is entirely disposable for you
But I said it multiple times - even in reply to you.

To sum everything I've already written here:

1. I use Dnsmasq, which isn't getting a delete lease button for good reasons. The old implementations had it and I miss having it. I have a script that works well enough for my purposes. It's just not as convenient as a button.

2. Someone suggested if I wanted a delete lease button, to try KEA, it has one that is and will be supported.

3. I attempted to swap KEA for Dnsmasq in my configuration and ran into trouble. I searched the 'net, read the documentation, looked at more videos, and eventually posted here to find out what I overlooked.

4. The answer is at no time did I understand it isn't a 1-for-1 swap, not even from the official documentation.

5. I simply don't need it, I was just following a suggestion. It isn't designed to work as I wanted. So I said I will stay with Dnsmasq in my very first reply, yet we've gone to two pages and counting. *mind boggled*

6. End-of-line.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 13, 2026, 12:31:13 AM
So if the "delete lease" button is important to you, switch to Kea and Unbound - there is no way to run Kea only and not also run a dedicated DNS server.

If you can live without, stick to DNSmasq.

Which of the two is your choice only.

I only joined in late to bring in some context and explain why the choices in OPNsense are what they are.

Kind regards,
Patrick
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 13, 2026, 12:34:29 AM
Quote from: Patrick M. Hausen on April 13, 2026, 12:31:13 AM: I only joined in late
And help would be appreciated, if it were needed. But it wasn't. My question was already answered with the first comment and I was done. Now I've spent all my time counteracting misunderstandings when none of it was necessary. I wonder if the mods can just delete this entire thread.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: Patrick M. Hausen on April 13, 2026, 12:39:38 AM
I think there is much valuable information for other/new users in this thread that should not be deleted.

All the best,
Patrick
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: pseudonym3k on April 13, 2026, 12:42:48 AM
Quote from: Patrick M. Hausen on April 13, 2026, 12:39:38 AM: think there is much valuable information for other/new users in this thread that should not be deleted.
If all the noise could be deleted, I'd agree. But it's a mess of misunderstandings.
Title: Re: Tried moving from Dnsmasq to KEA - DNS issues
Post by: vimage22 on April 13, 2026, 02:31:47 AM
I hope this does not add more confusion, but I do not think this is a completely simple issue as I think pseudonym3k has shown many valid points. It is a little complex. I do not understand every aspect of DNS, in relation to Kea, Unbound and DNSmasq, but trying to learn. But I do understand DNS, especially from an MS perspective. There is yet a fourth variable of "System: Settings: General: DNS servers". And there is the complexity of disabling ISC correctly. So you are dealing with at least 4 variables, and one must decide on the strategy to use.

Personally, I started down the road of migrating from ISC to DNSmasq. But very quickly decided I did not like the combination of DHCP and DNS (not recursive) within DNSmasq. I do like that Kea = DHCP and Unbound (recursive) = DNS. In my mind, very simple and effective. [BTW, "System: Settings: General:  DNS servers" is blank. I use Cloudflare DoT, within Unbound, NOT my ISP DNS].

I guess I can only describe how my setup has met my requirements, and then see if it matches another user.
"Services: Dynamic DNS" = dynamic wan ip resolution, if the ISP changes my wan ip.
"Services: Unbound DNS: DNS over TLS" = security (without pi-hole, ad-guard, etc.)
"Services: Kea DHCP: Kea DHCPv4 AND v6" = Add static reservation for local hostname resolution does work (AFTER a restart of Unbound)

But there is this issue: MY statement of "AFTER a restart of Unbound" is in conflict with pseudonym3k's comment "all sites are immediately found by DNS name again".
When I went through this exercise, one had to be very precise in terms of what was disabled or enabled and what service was restarted, and when. For example, if I did not restart Unbound at the right moment, local hostname resolution would fail. If I had to go through a fresh install again, I think I could do it, but no guarantees I could get it right on the first try.

So again, if you actually take 7 variables into account, and decide on a plan, although complex, the end result is rewarding.
ISC - disabled? correctly?
"Services: Dynamic DNS"
"System: Settings: General:  DNS servers" - blank?
Kea versus DNSmasq (one or the other, not both) (If DNSmasq, is port forward set correctly to 5353?)
Unbound - all settings.
"Services: Router Advertisements" (IPv6)
(someone may argue the order of this list, which would be welcome)

I think pseudonym3k brought up a real world experience. Again, hope this helps and does not add more confusion.

One afterthought. Please do not use a common address of 192.168.1.0/24 for your LAN. Needs to be more unique, in my opinion. Not implying this has anything to do with the topic, just a suggestion.