Messages - gspannu

#1
Quote from: Firewire on November 15, 2025, 10:55:41 AM
Quote from: gspannu on November 14, 2025, 12:44:49 AM
Quote from: Firewire on November 13, 2025, 11:04:11 PM
Thanks so much!
Today a bugfix v0.28.1 version was released, sorry for pinging too early!

Updated...
I'm still only receiving v0.28.0 via OPNsense, no update to be found.
Thanks so much for keeping the packages updated.

Worked fine on my installation... Try uninstalling & reinstalling again.

Just be sure to disable Blocky first, enable some other DNS server, ensure your internet is working - then delete plugin and reinstall again and see if that helps...
#2
Quote from: Firewire on November 13, 2025, 11:04:11 PM
Thanks so much!
Today a bugfix v0.28.1 version was released, sorry for pinging too early!

Updated...
#3
Quote from: Monviech (Cedrik) on November 13, 2025, 05:20:09 PM
Quote from: gspannu on November 13, 2025, 05:15:30 PM
Quote from: Monviech (Cedrik) on November 13, 2025, 06:38:58 AM
FYI Unbound supports the full source selection with blocklists soon, it's on our roadmap and already merged into master.

@ Monviech (Cedrik)

That will be awesome; have been waiting for this feature for a while now....

If I have understood it correctly, the Unbound plugin will now allow certain clients' DNS queries to be filtered using Blocklists and certain clients to just pass through.

Yep, that's correct.

https://github.com/opnsense/core/pull/9301


@ Monviech (Cedrik)
Thanks for the confirmation.

Just another quick question. I presume the source selection will support clients with static IPv4, IPv6 (as well as IPv6 addresses where the IPv6 prefix is dynamic).

e.g. 192.168.1.1/24, 192.168.100.100/32, 10.10.0.4, ::1234, ::00dd

My current dnsmasq hosts are defined as dual-stack with both IPv4 and (prefix style) IPv6 addresses.
#4
Quote from: gspannu on November 12, 2025, 10:48:32 PM
Quote from: Firewire on November 12, 2025, 09:34:12 PM
Hi @gspannu
still loving and using Blocky on OPNsense, do you plan to further update it?
Version 0.28 was recently released. Thanks and best regards!

Oh!

I had updated the plugin for Blocky v0.27 just yesterday; it seems v0.28 was released earlier today!

Will update in next day or so.
Thanks for the heads up 🙏🏼



Updated to v0.28 now....
#5
Quote from: Monviech (Cedrik) on November 13, 2025, 06:38:58 AM
FYI Unbound supports the full source selection with blocklists soon, it's on our roadmap and already merged into master.

@ Monviech (Cedrik)

That will be awesome; have been waiting for this feature for a while now....

If I have understood it correctly, the Unbound plugin will now allow certain clients' DNS queries to be filtered using Blocklists and certain clients to just pass through.
#6
Quote from: Firewire on November 12, 2025, 09:34:12 PM
Hi @gspannu
still loving and using Blocky on OPNsense, do you plan to further update it?
Version 0.28 was recently released. Thanks and best regards!

Oh!

I had updated the plugin for Blocky v0.27 just yesterday; it seems v0.28 was released earlier today!

Will update in next day or so.
Thanks for the heads up 🙏🏼

#7
Quote from: Firewire on May 25, 2025, 09:03:44 PM
Hi gspannu, any plans to update Blocky to the latest version?
Thanks so much for providing the packages, OPNsense and Blocky are a perfect match!

Oh... I did not realise that Blocky has been updated. I am on holiday until 04 June, will update it over the next available weekend.

Thanks for the ping...
#8
Quote from: Patrick M. Hausen on May 21, 2025, 09:57:22 PM
Quote from: gspannu on May 21, 2025, 03:57:28 PM
Quote
Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?


You can use either of the two... both will work.

Mind you that there can be a minor downside to using "localdomain". If you want to run your own local CA - on OPNsense or anywhere else - and you also want to use a wildcard certificate for a variety of devices that for some reason cannot use a real FQDN and Letsencrypt, then ...

- *.home.arpa will work while
- *.localdomain will not work

with current browsers. There have to be at least two dots in there.

I prefer - at work just like at home - to use a subdomain of a real domain I own.

So if I own e.g. company.com, then for the internal network I use internal.company.com. I know this will never conflict with anybody else, I do not publish this domain anywhere outside on the Internet, therefore I will not have leaks of any kind ... perfect solution but for the slightly longer FQDNs.

Also *.internal.company.com works with certificates as well as with MS Active Directory. Using your official Internet domain company.com with AD leads to all sorts of unexpected constraints.

HTH,
Patrick

Thanks for the great tip about browsers possibly having an issue with .localdomain 👍
#9
Quote from: Ground_0 on May 21, 2025, 05:10:04 PM
Thank you meyergru and gspannu for the straightforward answers, they help immensely for my style of connecting the dots.
And, thank you for your patience; I do realize I don't really belong here and I appreciate your kind assistance.
Although I can gather facts and knowledge, I freely admit that I lack the level of intelligence for a deep insight into networking.
Trying not to be a help vampire.

Anyone who uses OPNsense belongs here... let no one make you think otherwise!
#10
Quote
Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?


You can use either of the two... both will work.
#11
25.1, 25.4 Series / Re: Unbound to DNSMasq
May 13, 2025, 12:13:35 PM
Quote from: meyergru on May 13, 2025, 08:56:52 AM
Constructive criticism or suggestions for improvements are not bad at all. I do this all the time and also did it on this topic, because I think that the DHCP options could be made more user-friendly. The amount of comments about DNSmasq seems logical to me, because there are some areas that could be improved, as the Github issues section also shows.

It is more the constant whining about how bad this and generally showing an egoistic attitude (I want to have it right now) won't help.

I think some people should start by understanding how things like Proxmox and OpnSense work: If you want great software for free, you have to put in some effort, like accepting to use the less proven and in some respects "immature" community version.

If you want to have it another way, get ready to pay for the business version and then you may start complaining, preferably directly to the manufacturer.

And as mentioned: With this specific topic, there is even less reason to complain, because DNS and DHCP still works with ISC DHCP and Unbound.


👍
#12
Quote from: xofer on May 13, 2025, 11:35:39 AM
After upgrade 25.1.5_5 -> 25.1.6_4 we noticed that Dnsmasq now tries to load /usr/local/etc/dnsmasq.conf.d/* while previously it loaded only *.conf

If there are files it cannot parse in this folder, Dnsmasq service fails to start.

I am not sure if it is an intentional change as /usr/local/etc/dnsmasq.conf.d/README still talks about .conf files:
# Dnsmasq plugin directory:
# Add your *.conf files here, read in alphabetical order

Yes, this is a bug and did not exist prior to 25.1.6 release.

Best is to raise this on Github... so that it can hopefully be fixed in next iteration
#13
25.1, 25.4 Series / Re: Unbound to DNSMasq
May 12, 2025, 10:32:25 PM
Quote from: meyergru on May 12, 2025, 09:46:02 PM
At this time, ISC DHCP plus Unbound is still viable, so if anyone deems other (new) combinations of services to be too unstable as of yet: stay with something that still works fine. If you used the business version, which is more matured and lags behind the community version, you would automatically be at this point, anyway. So, if you expect production-ready quality - please buy it!

Other than that, who would really use DNSmasq DHCP, but expect Unbound DNS to be supported registering DNSmasq leases, when DNSmasq supports this out-of-the-box?

As I noted, DNSmasq alone can handle DHCP, (local) DNS and RA, and also non-recursive DNS. If you really need recursive DNS or want DoH on top, you are free to choose Unbound (as is the current recommendation) or, if you do not like that (as myself), go along with something like DNSCrypt-Proxy. I just tried that and it also works just fine.

Like @Monviech said: It is just anybody's choice on what to use, IDK why there seems so much undeserved fuss made about it.

I, at least, appreciate the effort to have those services integrated more closely - but I do not expect it to be perfect from the get-go.


Very well said, @meyergru

I too do not understand what the fuss is all about at the moment. There are choices available; and the best part is if one does not change anything and just upgrades - everything works anyway and the existing setups remain as they were.

Do not understand the amount of comments being made about dnsmasq. It is just being improved without any detriment to either ISC/Kea at the moment.
#14
Quote from: franco on May 08, 2025, 04:01:51 PM
> Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers.

That's unfair and untrue.  ISC discontinued DHCPD and left everyone with Kea, but it's not as good as DHCPD still is.  Period.


Cheers,
Franco

100% agree with Franco.

The comment "Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers" is not justified and rude to the development team.

The dev team tries very hard to support both personal users & large users - and each has different requirements.

ISC discontinued DHCPD; and a good choice at that time was Kea.
However, Kea is not very well suited for smaller users; and neither did Kea really develop into a full fledged dnsmasq alternative.

What we have today is a plethora of choices:
- ISC (as is)
- dnsmasq (with dhcpd now!)
- Kea (with IPv6 now!)

Unbound continues to work as is.

What could be better? Everyone has a choice! Use whatever you fancy and whatever works best for your use case/environment.

The fact that dnsmasq will be the default in 25.7 is really a non-issue. Everything that existed is still being supported.

Thank you @franco, @monviech(cedrik), @patrick and all contributors for this wonderful software and your hard work.
#15
Quote from: franco on April 30, 2025, 12:21:44 PM
Wait for 25.1.6 next week or use the development version which is very easy to install.


Cheers,
Franco

Awesome... thanks for the update.