Messages

Same here. I just upgraded to 26.1 and migrated DHCP from ISC to dnsmasq. While migrating my static host entries I added some alias and cname records. However they don't resolve. They also don't show up in /usr/local/etc/dnsmasq.conf
Not sure if this worked in 25.10 as I've not used dnsmasq before for DHCP.

I was able to resolve my issues and learned a great deal about DHCP, mDNS and DNS on Windows:

If Windows does not know your domain suffix (e.g. 'mydomain.home') because you don't use DHCP but use a statically configured IP address and you are not adding the domain suffix in your network adapter DNS settings, then Windows tries to resolve DNS lookups that don't have a domain component over mDMS, e.g. 'ping webserver1' (it will add the .local suffix). This will only resolve names of machines that are seen by mDNS. It will not resolve any CNAME's configured in DNS, e.g. 'ping www' will complain that the name cannot be resolved. However if you run 'nslookup www', this will resolve, because nslookup is querying DNS. If you resolve names with a domain suffix (e.g. 'ping www.mydomain.home') then DNS will be used instead of mDNS and it will resolve.

If you use DHCP or add your domain suffix to the Windows DNS settings then all lookups are resolved over DNS.

Same here. I just upgraded to 26.1 and migrated DHCP from ISC to dnsmasq. While migrating my static host entries I added some alias and cname records. However they don't resolve. They also don't show up in /usr/local/etc/dnsmasq.conf
Not sure if this worked in 25.10 as I've not used dnsmasq before for DHCP.

kea 2.6.3 supports DHCP lease affinity, but the configuration options haven't yet been exposed in OPNsense GUI

https://forum.opnsense.org/index.php?topic=48462.0

https://github.com/opnsense/core/issues/9094

In current OPNsense 25.7.1_1 release, manually editing the kea config file to add the options, are overwritten / removed when kea service is re-started ( from either OPNsense GUI or cli)...

Thanks for posting this. https://github.com/opnsense/core/issues/9094 is exactly what we would need to address the issue.

Not sure about the scale of your issue and the number of  machines affected, but why don't you just reserve an IP for this client based on its MAC address (under 'reservations' tab in the KEA service configuration)? Make sure the assigned IP is outside of the range dynamically assigned by KEA but still in the same subnet. Your client will get the exact same IP each time it request one through DHCP.

Yes, this fixed it. Thank you.

If you are forwarding the DNS queries to Google DNS servers (8.8.8.8) that might be causing the issue. Can you try another DNS provider such as Cloudflare (1.1.1.1) to see if that solves the issue?

I'll try that when I'm home. I'm using my providers DNS resolvers, which work fine when queried from OPNsense or directly from clients on my LAN. Maybe the new version of dnsmasq in 26.1.6 suddenly has an issue with their response.

perhaps https://forum.opnsense.org/index.php?topic=47135.0

I have no issues with DHCP (I'm using ISC kea). Just that dnsmasq is failing to resolve external hosts/domains.

Hi all

After the upgrade to 26.1.6, dnsmasq is no longer able to resolve queries to the external DNS from clients on the LAN. Queries for internal hosts work though. In the log I can see that dnsmasq tries to forward the queries to the configured resolvers (from general settings) but then immediately sends error REFUSED to the client. Resolving external hosts in the OPNsense shell works though. Also, if I assign the external resolver as DNS server in DHCP, clients on the LAN can resolve external hosts.

I can't figure out what is wrong. Any ideas?

Regards
Sven

That was quick! Both changes have been included in 25.1.6. I guess this was planned even before my post.

Hi all

I have configured IKEv2 with EAP-TLS to connect from my iOS device to my home network. I've configured a split tunnel that just routes my home subnet over IPsec.

Everything worked perfectly except DNS. However, I found that I can make it work if I manually add attribute 25 to my charon configuration (adding the name of my internal DNS domain):

        attr {
            25 = domain.home
            subnet = 192.168.34.0/24
            split-include = 192.168.34.0/24
            dns = 192.168.34.1
   }

Attribute 25 stands for INTERNAL_DNS_DOMAIN according to https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-21

It would be nice if support for this attribute could be added to the GUI.

Somewhat unrelated I would also appreciate if support for proposal 'aes256-sha256-modp1024' could be added to the phase 1 proposal list as this is the only algorithm I found to make my Azure VPN gateway (cheapest type 'basic' with only limited algorithm support) connect to my OPNsense box.

Kind Regards
Sven