Messages - yarn

#1
I have dynamic ipv6 host set to the address of my device, but ddclient still updates the record with the router's IPv6 address. Unfortunately because my domain is in porkbun I have to use the ddclient backend.
Is there a way to make dynamic ipv6 host work?
#2
26.1 Series / Re: How to have two DNS servers?
February 16, 2026, 12:49:14 AM
Quote from: Maurice on February 15, 2026, 09:34:47 PM
it works for me for running both Unbound and BIND on port 53 (but different IP addresses).
Yes I'd like to know as well! The GUI for unbound only lets me select interfaces which seems to take up all IPs despite the "Deny service binding" setting.
#3
Quote from: Maurice on February 15, 2026, 09:52:49 PM
SLAAC addresses are static, too.
...
The OPNsense DynDNS client allows combining a dynamic prefix with a static interface identifier.
I see, indeed! (Turns out what I meant was stable-privacy but it's stable as well.)
I found the token option in systemd-networkd which lets SLAAC produce the simple static address I wanted.
Though I still prefer if there is a way to do this in OPNsense, so that these configurations are all in one place.
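The post above turns on one idea: a SLAAC address is an advertised /64 prefix plus a 64-bit interface identifier, so if the identifier is fixed (a "token") the host's address only changes when the delegated prefix changes, which is exactly what a DynDNS client combining "dynamic prefix + static interface identifier" can track. The following is an added example, not code from the thread, systemd or OPNsense; it computes both the EUI-64 identifier (derived from the MAC) and a static-token identifier for two constructed documentation-range prefixes, so you can see what a host would register. The `Token=static:...` setting mentioned in the code comment is the systemd.network option the poster refers to, named as I know it from the systemd manual, not from the thread.

```python
"""Why a static interface identifier keeps an IPv6 address stable across prefix changes.

Added example for the forum post above; not code from the thread, systemd or OPNsense.
Prefixes and the MAC below are constructed (documentation ranges). The systemd-networkd
option the post mentions is written as `Token=` under `[IPv6AcceptRA]` in a .network
file, e.g. `Token=static:::1234` (per the systemd.network manual; assumption, not from
the thread).
"""
import ipaddress

IID_MASK = (1 << 64) - 1


def eui64_identifier(mac):
    """Modified EUI-64 (RFC 4291 App. A): flip the universal/local bit, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def token_identifier(token):
    """Interface identifier from a static token such as '::1234' (its low 64 bits)."""
    return int(ipaddress.IPv6Address(token)) & IID_MASK


def slaac_address(prefix, iid):
    """Combine an advertised /64 with a 64-bit interface identifier into a host address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC only forms addresses from /64 prefixes")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def addresses_over_time(prefixes, mac, token):
    """For each delegated prefix: (prefix, EUI-64 address, static-token address)."""
    return [(p,
             slaac_address(p, eui64_identifier(mac)),
             slaac_address(p, token_identifier(token)))
            for p in prefixes]


if __name__ == "__main__":
    # Constructed: two successive prefixes a dynamic ISP delegation might hand out.
    rows = addresses_over_time(["2001:db8:1:2::/64", "2001:db8:7:8::/64"],
                               "00:11:22:33:44:55", "::1234")
    for prefix, eui64_addr, token_addr in rows:
        print(f"{prefix:22} eui64={eui64_addr:34} token={token_addr}")
```

Both identifiers survive a prefix change, so either works with a DynDNS client that only needs a constant suffix; the token form is the one that gives the short, memorable host part the poster wanted, and it does not leak the MAC the way EUI-64 does.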
#4
26.1 Series / Re: How to have two DNS servers?
February 15, 2026, 08:56:33 PM
Quote from: nero355 on February 15, 2026, 07:58:49 PM
But can you query the Root DNS Servers directly or not ?!
...
(I think this is what you want considering your TikTok comment... Not sure... Just FYI...)
Thanks, but it's not quite what I meant... The ISP is blocking via DNS, which I don't want.
I can reach the root servers, but some authoritative servers are blocked, and plain-text queries to them are certainly inspected & blocked. Plus recursion is too slow...

I guess this problem probably doesn't have a perfect solution. If so I just wish DNSmasq or unbound could coexist better with dnscrypt-proxy.
I could run dnscrypt-proxy on another device, but my OPNsense PC has so much spare capacity...
#5
How to set up DNSmasq (or Kea if needed) such that some devices will have a static IPv6 address?
I want most of my devices to use SLAAC (possibly with privacy extension), but for some I want them to have stable static addresses, so that I can register them with a dynamic DNS client. It doesn't matter if they have SLAAC addresses as well.

I could achieve this via DHCP ranges ::1000 ~ ::2000, but that makes all the devices DHCPv6 (Managed).
If I use :: as range, the leases are not offered to the devices, as the M bit in Router Advertisement is 0. Even if I explicitly enable DHCPv6 solicitation in clients, the router does not respond with a reply, even though static leases are present.
Is it possible to somehow make only those devices do DHCPv6?
Or can I not offer addresses in DHCPv6 except for those devices?
#6
26.1 Series / Re: How to have two DNS servers?
February 15, 2026, 07:23:19 PM
Quote from: Maurice on February 15, 2026, 05:31:35 PM
Have you tried Unbound with a DNS-over-TLS upstream?
Yes... All popular DNS servers are blocked here, hence the need for dnscrypt-proxy (for its large dynamic list of servers) and why it has a higher latency.
#7
26.1 Series / [SOLVED] How to have two DNS servers?
February 15, 2026, 04:43:28 PM
I need to have 2 DNS servers on 2 IPs:
  • One for other members of the family, run by DNSmasq forwarding to ISP DNS servers, which are very fast, but have no DNSSEC support and probably have some poisoning (e.g. Tiktok videos don't load unless they use the other DNS).
  • One for myself and OPNsense, run by dnscrypt-proxy with DNSSEC support but has higher latency, which is unacceptable for others (web page opens too slowly).
It needs to be on another IP and standard port due to DHCP option and NetworkManager's nm-dns-systemd-resolved plugin not supporting port (tested).
What's the best way to approach this problem? Is there a way to augment ISP's DNS answers so that we can use just 1 server with DNSSEC enabled? (I'm guessing no...)

Currently I have a virtual IP 192.168.1.53 with "Deny service binding" for dnscrypt-proxy to listen on (plus 127.0.0.1), and DNSmasq is on "port 53" (so the wildcard address 0.0.0.0). However, sometimes when I switch off the VPN on my laptop, I get DNS reply without RRsig as if it's from DNSmasq instead of dnscrypt-proxy, but packet cap shows it's indeed from the virtual IP. I don't know if it's an OS bug or if DNSmasq is fighting with dnscrypt-proxy for the virtual IP.
Unbound (instead of DNSmasq) just refuses to start or produce any log if dnscrypt-proxy is listening on 192.168.1.53.

Is there a way to fix ISP's DNS poisoning? For NO-DATA I can add dnscrypt-proxy to system DNS so DNSmasq forwards to it as well, for fake IP I'm guessing no...
Is there a way to not have ISP's DHCP DNS in OPNsense's system DNS but still let DNSmasq forward to them?
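The symptom in the post above ("a reply without RRSIG that looks like it came from DNSmasq, but the capture says the virtual IP") is easiest to pin down with a probe that sets the EDNS0 DO bit and reports what came back: a validating forwarder like dnscrypt-proxy includes RRSIG records and may set AD, whereas a plain forwarder to a non-DNSSEC upstream returns bare answers. The script below is an added example, not code from the thread, OPNsense, dnsmasq or dnscrypt-proxy; it uses only the standard library, takes the listener addresses as arguments (the post's virtual IP 192.168.1.53 is the default; the dnsmasq address is not stated in the thread, so none is assumed), and its two sample replies are constructed bytes rather than captured traffic.

```python
"""Tell which listener answered: does the reply carry RRSIGs and the AD flag?

Added example for the forum post above; not code from the thread, OPNsense,
dnsmasq or dnscrypt-proxy. Standard library only. Server addresses come from
argv (default 192.168.1.53, the VIP named in the post). `sample_response`
builds constructed reply bytes for offline checks, not captured packets.
"""
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def edns_opt(do_bit=True):
    """EDNS0 OPT pseudo-RR: root owner, type 41, class = UDP size, DO bit in the TTL field."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x8000 if do_bit else 0, 0)


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Recursive query with DO set, so a validating resolver includes RRSIGs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, one OPT RR in additional
    return header + encode_name(name) + struct.pack("!HH", qtype, 1) + edns_opt()


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Summarise the header flags and the record types present in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                     # QTYPE + QCLASS
    types = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        types.append(rtype)
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020), "answer_types": types,
            "signed": TYPE_RRSIG in types}


def query(server, name, port=53, timeout=3.0):
    """Send one UDP query to an IPv4 listener and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def sample_response(signed):
    """Constructed reply to `example.com. A`: one A RR, plus an RRSIG RR and AD if signed."""
    flags = 0x8180 | (0x0020 if signed else 0)         # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 1)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    owner = b"\xc0\x0c"                                 # pointer to the QNAME at offset 12
    rrs = owner + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])  # TEST-NET-1
    if signed:
        rdata = b"\x00" * 18 + encode_name("example.com") + b"\x00" * 8  # placeholder RRSIG body
        rrs += owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return header + question + rrs + edns_opt()


if __name__ == "__main__":
    for server in sys.argv[1:] or ["192.168.1.53"]:
        print(server, query(server, "example.com"))
```

Run it against each listener in turn (`python3 probe.py 192.168.1.53 192.168.1.1`, substituting your own addresses); if the virtual IP ever comes back with `signed: False` while the capture shows that source, the answer really did come from a process bound there, which is a binding question on the firewall rather than a resolver issue on the laptop. The script deliberately does not validate signatures; it only reports whether the listener is the one that returns them.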
#8
26.1 Series / Wrong timezone in dashboard
February 15, 2026, 04:01:30 PM
The timezone in dashboard is always GMT-08 no matter what I set in System - Settings - General - Timezone. How to fix it?
#9
26.1 Series / Re: Router Advertisement is sent to WAN
February 06, 2026, 03:57:43 PM
Yep, the bridge port is definitely not excluded from LAN, all LAN peers are also on WAN in Neighbors - Automatic Discovery.

EDIT: Saw LAN ARPs when packet capturing igb1, and not if I unplug LAN cable to the modem. Unfortunately there is nothing in the modem's admin page about excluding LAN port from switching, and its VLAN functionality is insufficient. The bridge connection is indeed "bound" to LAN1 but apparently doesn't stop it from being a switch port.
#10
When packet capturing my WAN physical interface, I saw Router Advertisements from my router, even though I have set interface to LAN in Dnsmasq (both General - Default and DHCP ranges). How to fix this?

My WAN interface is PPPoE for IPv4 and DHCPv6 for IPv6 on igb1 (I packet captured igb1). The igb1 port is connected to the ISP ONU in bridge mode. However the ONU is also plugged into my switch (with a LAN port) because the modem also has AP functionality. The ONU port that is connected to igb1 is bound to the bridge mode connection.

p.s. Although I don't remember this happening in 25.7, I now suspect the bridge port was not excluded from LAN during ISP configuration. I'll reply to this post if I manage to get the modem's admin account.
#11
26.1 Series / Router Solicitation sometimes not sent
February 06, 2026, 02:35:46 PM
When I refresh the WAN connection in Interfaces - Overview, sometimes Router Solicitation is not sent, which leaves the router with no IPv6 address for itself. Why and can I fix this somehow?

My ISP expects routers to configure their address with SLAAC and request a prefix through DHCPv6-PD; no address can be requested via DHCPv6 or the gateway will reply with an error with no prefix given. The gateway also sends Router Advertisement very infrequently but responds to Router Solicitation.
#12
26.1 Series / Re: RA with dnsmasq
February 06, 2026, 02:16:29 PM
I understood it as "Setting Router Advertisement modes in DHCPv6 ranges will have no effect without this global option enabled."
In the DHCP ranges for IPv6 there are several modes, e.g. SLAAC, ra-stateless etc.

Quote from: sorano on February 06, 2026, 11:48:21 AM
What would be the correct way forward?
I added an IPv6 range like this, not sure what the default for new installs is...