Messages - flushell

#1
Quote from: meyergru on June 15, 2025, 09:31:57 PM
With that option, you can but set one domain to be handled as local. Note the plural s in:

Quote: One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

And you do not have to use DHCP for all of those zones - I use local domains for sites I reach via VPN and only have the DNS part configured for those.

The problem is that any domain that is not declared to be local one way or another and that is within your local DNS search list will be appended even to internet names by Windows and thus lead to DNS leaks and parallel queries.

Ah yes, I understand. Thanks. I was only talking about the one domain Unbound forwards to Dnsmasq, but of course there can be more situations.
#2
Quote from: meyergru on June 15, 2025, 05:36:52 PM
[...]

One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

[...]

If you checked "DHCP fqdn" under Dnsmasq DNS & DHCP-General, checking "Local" on each and every host in "Hosts" should not be necessary according to the 3rd note here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Quote: DHCP fqdn will do two things:

    Make sure all devices are registered in DNS with the configured domain name appended, e.g. smartphone.lan.internal. This ensures that smartphone can exist in both lan.internal and guest.internal.

    Register the DHCP domain name as local, which will make Dnsmasq authoritative for this domain, ensuring NXDOMAIN is returned for devices querying unknown hostnames within this local domain.

This is how I understood this. Correct me if I'm wrong.
#3
Yes! Use both. Unbound as main DNS server and Dnsmasq for DHCP and internal DNS. Unbound asks Dnsmasq (which is running on a different port) for local domains in this scenario; it works with a real domain too, I have the same setup. Guide here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Note1: To make local DNS resolution work for static IPs even when a client hasn't had contact with the DHCP server: you have to fill in both a Host and a Domain under Dnsmasq DNS & DHCP-Hosts.

Note2: Do not forget to check "Do not forward to system defined DNS servers" under Dnsmasq DNS & DHCP-General (it's in the guide too).
#4
Quote from: OPNenthu on June 12, 2025, 11:29:59 PM
Hmm, I thought FQDN would resolve all of the IPs but it looks like it doesn't pick up IPv6 auto-generated addresses, at least in my current setup with Kea+Unbound.

MAC aliases seem reliable, though.

It works with MAC in aliases. Then it will track IPv6 too.
#5
I have setup Unbound with forwarding for my local domain to Dnsmasq per the docs: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
I have DNSSEC enabled in Unbound.

I noticed there is also a DNSSEC switch in the settings of Dnsmasq. If I switch this on, everything works the same as switched off. Is there any advantage or disadvantage switching this on in Dnsmasq? It seems useless to me, since it is for local lookups only... does it even do anything in this scenario?
#6
Yes, thank you, all clear now. The ISC part will be removed from the docs, see this PR, already merged: https://github.com/opnsense/docs/pull/744
#7
I haven't found an answer to my (edge-)case yet. I have a real domain on my IPv4/IPv6 address, resolvable from outside, let's say opnsenseyay.org. Ports 80/443 on this point to a server in my network via firewall rules. I want my internal clients, if they ask for something.opnsenseyay.org, to get a response from Dnsmasq only (via forwarding rule in Unbound per the docs). If I do this, it resolves but it takes a long time. I found out that Unbound tries both: so it queries outside (via 1.1.1.1 in my case) AND forwards to Dnsmasq. The queries to 1.1.1.1 return NXDOMAIN (because it doesn't exist) and from Dnsmasq there is a valid response via DHCP mappings. Both are technically not wrong. How do I avoid Unbound ever asking 1.1.1.1 for this domain "opnsenseyay.org"? Apparently "Query Forwarding" doesn't work as I expect. Probably my bad, but how do I solve this?

EDIT: I think maybe my issue is this https://github.com/opnsense/core/issues/8708 and should be resolved in the next release?
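The Unbound-in-front, Dnsmasq-behind setup these posts describe (a local domain forwarded to Dnsmasq on a second port, the "local" flag from post #1, the two notes from post #3, the DNSSEC question from post #5), written out as plain unbound.conf and dnsmasq.conf fragments; this is an added illustration, not OPNsense's generated configuration. The domain lan.internal, port 53053, the address range and the host name are made-up values.

```conf
# ---- unbound.conf fragment (hand-written illustration, not OPNsense output) ----
server:
  # Forwarding to a second daemon on the loopback address needs this.
  do-not-query-localhost: no
  # Dnsmasq's answers are unsigned. This matters when the local zone is a
  # real, DNSSEC-signed domain (the post #7 scenario): a validating Unbound
  # would otherwise mark the forwarded answers bogus.
  domain-insecure: "lan.internal"
  # Permit RFC 1918 addresses in answers for this zone when rebind protection
  # (private-address) is enabled.
  private-domain: "lan.internal"

# Every query under lan.internal goes to Dnsmasq only, never to the upstream
# resolver configured for the root (".") zone.
forward-zone:
  name: "lan.internal."
  forward-addr: 127.0.0.1@53053

# ---- dnsmasq.conf fragment ----
# Listen on a second port so Unbound keeps 53.
port=53053
# Do not read /etc/resolv.conf: no system-defined upstream servers.
no-resolv
# The "local" flag: this domain is never forwarded upstream, and unknown
# names inside it get NXDOMAIN instead of leaking to the internet.
local=/lan.internal/
# Register every lease as host.lan.internal (dhcp-fqdn requires domain=).
domain=lan.internal
dhcp-fqdn
dhcp-range=192.168.1.100,192.168.1.200,12h
# A static entry with both host and domain part resolves even before that
# client has ever talked to the DHCP server (Note1 in post #3).
host-record=nas.lan.internal,192.168.1.10
```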
#8
Is the setting "Register DHCP Static Mappings" in Unbound no longer needed if internal queries are forwarded to Dnsmasq and you don't use ISC DHCP? It is my understanding that this setting refers to static mappings in ISC DHCP (seems logical), but I did not find a definite answer and I can't test it because I haven't set this up yet. If so, maybe add this to the help description of this setting in Unbound.

EDIT: In the docs it's stated as "Register ISC DHCP Static Mappings": https://docs.opnsense.org/manual/unbound.html
That answers my question, but it's not the same text as in the Unbound Settings.

EDIT2: See this commit: https://github.com/opnsense/core/commit/139a3add4bb4360e2dda8f3251283e0173b0f980
Will be deleted as it's for Kea too.
#9
Quote from: IsaacFL on May 26, 2025, 12:54:26 AM
Quote from: cinergi on May 26, 2025, 12:28:30 AM
What if I want only stateful DHCPv6 without SLAAC, which corresponds to the "Managed" mode under Services > Router Advertisements? None of the DNSmasq RA modes seem to do this. Possible using DNSmasq?

RA Mode set to "Default" will be the same as "Managed" mode, I believe?

I ended up using Services-Router Advertisements in Assisted mode again because I couldn't make it work in dnsmasq... I did not try to set it to default and I'm too lazy to try it now, now that it's working like I want.

I think it's nice to put this in the docs: https://docs.opnsense.org/manual/dnsmasq.html

Thanks.
#11
Quote from: Monviech (Cedrik) on May 24, 2025, 07:57:49 PM
Check out the note we added here:

https://docs.opnsense.org/manual/dnsmasq.html#dhcp-settings

Thanks, I've read that, and I saw I can combine them. That's why I asked the question, because the statement quoted in my first post says:

Quote: [...] set slaac instead.

That confuses me, because I read that as: Use slaac instead of ra-stateless.
In my old setup I had "Assisted" as an option under Services-Router Advertisements. I want the same behavior.
#12
I'm moving to dnsmasq from ISC DHCP4/6. I will use Router Advertisements offered by dnsmasq and disable the other one in Services (seems more logical to me). In the dnsmasq docs under dhcpv6 and router advertisements found here it is stated:

Quote:
Attention
With ra-stateless, clients will only generate a SLAAC address. If clients should additionally receive a DHCPv6 address, set slaac instead.

I wonder if this is correct (or maybe I do not understand this correctly).

I want clients to be able to use SLAAC and DHCPv6.

Per above statement I should set RA mode to slaac only (at least that's how I read this), while it seems to me that setting slaac and ra-stateless achieves this. Am I right, or is the statement right?
#13
Same issue with me, even with default theme.
Running bare metal on a Protectli VP2420.
#14
To add: Manually rebooting only works the second time in 24.7.5.
Crowdsec seems to be the issue here. Disabling it and rebooting works as normal.
#15
Same. No reboot with crowdsec installed. Had to reboot manually.