Messages

If you really want to, just do  "rmuser dhcpd" as root in a ssh session. It will remove the user and group. I did it, worke fine, no issues.

Hm... Strangly, after closing my browser (firefox) and starting it again the issue was resolved... Don't know what this was, strange indeed. We'll see if it happens again.

It noticed an annoying (probably cosmetic) issue in my installation after migrating to new rules, although it may have been present before the migration to the new rules. I have multiple Port Forward rules - Now called Destination NAT in 26.1. The screen with the rules is only 1.5 lines big, that is unusable. It is scrollable though. See screenshot. I also tries the light theme, but the issue is still there.

Migrated today and udpbroadcastrelay is happily starting here on my Protectli VP2420.

This is probably the bug: https://github.com/opnsense/core/issues/8838

Edit:

To tackle this:
You must Tick "Allow manual adjustment of DHCPv6 and Router Advertisements ", then Disable ISC DHCP6 for the interface. After that, you can enable Identity association.

[s]

With that option, you can but set one domain to be handled as local. Note the plural s in:

One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

And you do not have to use DHCP for all of those zones - I use local domains for sites I reach via VPN and only have the DNS part configured for those.

The problem is that any domain that is not declared to be local one way or another and that is within your local DNS search list will be appended even to internet names by Windows and thus lead to DNS leaks and parallel queries.

Ah yes, I understand. Thanks. I was only talking about the one domain Unbound forwards to Dnsmasq, but of course there can be more situations.

[...]

One problem could be DNSmasq still asking the upstream servers for local names for lack of having configured the "local" flag for your internal domains.

[...]

If you checked "DHCP fqdn" under Dsnsmasq DNS & DHCP-General, checking "Local" on each and every host in "Hosts" should not be necessary accourding to the 3rd note here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

DHCP fqdn will do two things:

    Make sure all devices are registered in DNS with the configured domain name appended, e.g. smartphone.lan.internal. This ensures that smartphone can exist in both lan.internal and guest.internal.

    Register the DHCP domain name as local, which will make Dnsmasq authoritative for this domain, ensuring NXDOMAIN is returned for devices querying unknown hostnames within this local domain.

This is how I understood this. Correct me if I'm wrong.

Yes! Use both. Unbound as main DNS server and Dnsmasq for DHCP and internal DNS. Unbound asks Dnsmasq (which is running on a different port) for local domains in this scenario, works with a real domain too, have the same setup. Guide here: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Note1: To make local dns resolution work for static IP's even when a client hasn't had contact with the DHCP server: you have to fill in both a Host and a Domain under Dnsmasq DNS & DHCP-Hosts

Note2: Do not forget to Check Do not forward to system defined DNS servers under Dnsmasq DNS & DHCP-General (it's in the guide too).

Hmm, I thought FQDN would resolve all of the IPs but it looks like it doesn't pick up IPv6 auto-generated addresses, at least in my current setup with Kea+Unbound.

MAC aliases seem reliable, though.

It works with MAC in aliases. Then it will track IPv6 too.

I have setup Unbound with forwarding for my local domain to Dnsmasq per the docs: https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration
I have DNSSEC enabled in Unbound.

I noticed there is also a DNSSEC switch in the settings of Dnsmasq. If I switch this on, everything works the same as switched off. Is there any advantage or disadvantage switching this on in Dnsmasq? It seems useless to me, since it is for local lookups only... does it even do anything in this scenario?

Yes, thank you, all clear now. The ISC part will be removed from the docs, see this PR, already merged: https://github.com/opnsense/docs/pull/744

[opnsenseyay.org]

I haven't found an answer to my (edge-)case yet. I have a real domain on my IPv4/IPv6 address, resolvable from outside, let's say opnsenseyay.org. This points to port 80/443 points to a server in my network via firewall rules. I want my internal clients, if they ask for something.opnsenseyay.org to get a response from Dnsmasq only (via forwarding rule Unbound per the docs). If I do this, it resolves but it takes a long time. I found out that Unbound tries both: so it queries for outside (via 1.1.1.1 in my case) AND forwards to Dnsmasq. The queries from 1.1.1.1 return NXDOMAIN (because it doesn't exist) and from Dnsmasq there is a valid response via DHCP mappings. Both are technically not wrong. How to avoid Unbound from ever asking 1.1.1.1 for this domain "opnsenseyay.org". Apparently "Query Forwarding" doesn't work as I expect. Probably my bad, but how do I solve this?

EDIT: I think maybe my issue is this https://github.com/opnsense/core/issues/8708 and should be resolved in the next release?

Is the setting "Register DHCP Static Mappings" in Unbound not longer needed if internal queries are forwarded to Dnsmasq and you don't use ISC DHCP? It is my understanding that this setting refers to static mappings in ISC DHCP (seems logical), but I did not find a definite answer and I can't test it because I haven't set this up yet. If so, maybe add this to the help-description of this setting in Unbound.

EDIT: In the docs it's stated as "Register ISC DHCP Static Mappings": https://docs.opnsense.org/manual/unbound.html
That answers my question, but it's not the same text as in the Unbound Settings.

EDIT2: See this commit: https://github.com/opnsense/core/commit/139a3add4bb4360e2dda8f3251283e0173b0f980
Will be deleted as it's for Kea too.

What if I want only stateful DHCPv6 without SLAAC, which corresponds to the "Managed" mode under Services > Router Advertisements?  None of the DNSmasq RA modes seem to do this.  Possible using DNSmasq?

RA Mode set to "Default" will be same as "Managed" mode I believe. ?

I ended up using Services-Router Advertisements in Assisted mode again because I couldn't make it to work in dnsmasq... I did not try to set it to default and I'm too lazy to try it now, now thay it's working like I want.

I think it's nice to put this in the docs: https://docs.opnsense.org/manual/dnsmasq.html

Thanks.

Thanks!