Unbound to DNSMasq

Started by spetrillo, May 12, 2025, 05:09:09 PM

Quote from: meyergru on May 13, 2025, 08:56:52 AM
Constructive criticism or suggestions for improvements are not bad at all. I do this all the time and also did it on this topic, because I think that the DHCP options could be made more user-friendly. The amount of comments about DNSmasq seems logical to me, because there are some areas that could be improved, as the Github issues section also shows.

It is more the constant whining about how bad this is and generally showing an egoistic attitude (I want to have it right now) that won't help.

I think some people should start by understanding how things like Proxmox and OpnSense work: If you want great software for free, you have to put in some effort, like accepting to use the less proven and in some respects "immature" community version.

If you want to have it another way, get ready to pay for the business version and then you may start complaining, preferably directly to the manufacturer.

And as mentioned: With this specific topic, there is even less reason to complain, because DNS and DHCP still work with ISC DHCP and Unbound.


👍

Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
I felt the same until I read through the updated docs. DNSmasq is primarily being introduced for dhcpd. Using it also for local name resolution (via an unbound forwarding) means no unbound restarts on updated leases. You retain a recursive resolver and still only have two daemons running in order to provide DNS/DHCP. If it all works as described in the docs, I will be more than happy to switch since I was fond of dnsmasq from previous experience.

Quote from: keeka on May 13, 2025, 05:36:48 PM
Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
I felt the same until I read through the updated docs. DNSmasq is primarily being introduced for dhcpd. Using it also for local name resolution (via an unbound forwarding) means no unbound restarts on updated leases. You retain a recursive resolver and still only have two daemons running in order to provide DNS/DHCP. If it all works as described in the docs, I will be more than happy to switch since I was fond of dnsmasq from previous experience.
In theory it looks ok, but unfortunately in practice it is not stable currently. As reported in the other thread.

I just switched over from Kea v4 to DNSmasq for DHCP. Unbound is pointed to DNSmasq for internal lookups and it is working fine in my configuration (some VLANs, IPv4 only and AdGuard->Unbound for DNS).

May 29, 2025, 10:16:12 PM #19 Last Edit: May 29, 2025, 10:18:13 PM by Brano
How do I configure Unbound and Dnsmasq to play along nicely? I don't see an option for upstream (forwarding) servers in Dnsmasq. I'm on version 25.1.7_4-amd64.

This option (to set forwarding servers in Dnsmasq) seems to be described in online user manual but does not exist on the above mentioned firmware version.

Basically I'd like to have Dnsmasq for DHCP and DNS for local LANs. Then point Dnsmasq to Unbound for DNS resolutions and DNS blocking.

And I need local unqualified hostnames to be inserted into DNS.

Just follow the docs.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 30, 2025, 02:08:57 AM #21 Last Edit: May 30, 2025, 02:13:20 AM by jata
On my home network I have a simple setup using ISC (IPv4 only) and unbound with a few DNS overrides for reverse proxied services and DNS over TLS. It works perfectly.

Looking through the threads, I know that I do not have to change anything, but I want to help the devs / community test the new approach (dnsmasq + unbound).

I have around 40 static mappings and I'd like to migrate/transfer them to dnsmasq.

Is there an easy way to migrate/transfer static mappings? A tool (button) in the GUI would be a big help I think, or a script to extract ISC static mappings from the config file into the format to import into dnsmasq?
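A starting point for the migration question above, as added example code (not a script from the project or from anyone in this thread). It assumes the legacy `<dhcpd>/<interface>/<staticmap>` layout of an OPNsense config.xml with `mac`, `ipaddr`, `hostname` and `descr` children (the sample below is constructed), and it emits native dnsmasq `dhcp-host=` syntax rather than whatever import format the GUI may expect; the conflict check exists because dnsmasq refuses to start when two `dhcp-host` lines claim the same IP.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of the legacy <dhcpd> section of an OPNsense
# config.xml (one child per interface, each holding <staticmap> entries).
SAMPLE_CONFIG = """<opnsense><dhcpd>
  <lan>
    <staticmap><mac>00:11:22:33:44:55</mac><ipaddr>192.168.1.10</ipaddr><hostname>nas</hostname><descr>storage box</descr></staticmap>
    <staticmap><mac>00:11:22:33:44:66</mac><ipaddr>192.168.1.11</ipaddr><hostname>printer</hostname></staticmap>
  </lan>
  <opt1>
    <staticmap><mac>00:11:22:33:44:AA</mac><ipaddr>192.168.20.5</ipaddr><hostname>cam1</hostname><descr>camera</descr></staticmap>
    <staticmap><mac>00:11:22:33:44:66</mac><ipaddr>192.168.20.5</ipaddr><hostname>cam1-dup</hostname></staticmap>
  </opt1>
</dhcpd></opnsense>"""

def extract_static_maps(xml_text):
    """Collect every ISC static mapping as a dict; iface is the parent tag name."""
    root = ET.fromstring(xml_text)
    dhcpd = root.find("dhcpd")
    maps = []
    for iface in (dhcpd if dhcpd is not None else []):
        for sm in iface.findall("staticmap"):
            entry = {"iface": iface.tag}
            for f in ("mac", "ipaddr", "hostname", "descr"):
                node = sm.find(f)
                entry[f] = (node.text or "").strip() if node is not None else ""
            if entry["mac"] and entry["ipaddr"]:        # skip incomplete entries
                entry["mac"] = entry["mac"].lower()      # dnsmasq-style lowercase MAC
                maps.append(entry)
    return maps

def find_conflicts(maps):
    """Duplicate IPs make dnsmasq refuse its config; a MAC listed twice is
    flagged so the operator can decide which mapping to keep."""
    dup_ip = [ip for ip, n in Counter(m["ipaddr"] for m in maps).items() if n > 1]
    dup_mac = [mac for mac, n in Counter(m["mac"] for m in maps).items() if n > 1]
    return {"ip": sorted(dup_ip), "mac": sorted(dup_mac)}

def to_dhcp_host_lines(maps):
    """Render mappings in native dnsmasq syntax: dhcp-host=MAC,IP[,hostname]."""
    lines = []
    for m in maps:
        lines.append(f"# {m['iface']}: {m['descr'] or m['hostname']}")
        parts = [m["mac"], m["ipaddr"]] + ([m["hostname"]] if m["hostname"] else [])
        lines.append("dhcp-host=" + ",".join(parts))
    return lines
```

Run `find_conflicts` first and resolve anything it reports before feeding the generated lines to dnsmasq.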

Yes, here, but it takes into account the patches that will be in the next release...

Also "easy" is relative.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 30, 2025, 02:30:57 PM #23 Last Edit: May 30, 2025, 02:36:15 PM by Brano
Quote from: meyergru on May 29, 2025, 11:46:32 PM
Just follow the docs.

Thanks for that. That's one way of doing it and I'll give it a go.
But it would allow for much more flexibility if Dnsmasq had a configurable option to set upstream (forwarding) DNS servers.

That would allow much cleaner setup: client -> DHCP/DNS Dnsmasq -> DNS Unbound -> upstream ISP/Internet

Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream.

Otherwise, you need this patch:

opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8

With it you can set "Do not forward to system defined DNS servers" in dnsmasq and provide your own ones in the "Domain" tab. Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).
Hardware:
DEC740

May 30, 2025, 03:00:01 PM #25 Last Edit: May 30, 2025, 03:01:44 PM by Brano
Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM
Just use an asterisk (*) to specify any domain

Ahh, thank you! This was the missing point. I saw the section but didn't realize asterisk can be used. This solves it then. :)

I just need to wait for the patch to be released.

May 30, 2025, 03:10:10 PM #26 Last Edit: May 30, 2025, 03:11:55 PM by Monviech (Cedrik)
You can already apply it. Connect via SSH, choose 8, and input the opnsense-patch command just as written above, no need to change it.

https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-patch
Hardware:
DEC740

Quote from: franco on May 12, 2025, 06:55:26 PM
The goal for 25.7 default installation we're moving to:

Unbound as DNS (same as before)
Dnsmasq as DHCPv4 (away from ISC and ignoring Kea)
ISC for DHCPv6 (same as before)
Router Advertisements "radvd" as RA (same as before)

As you can see we're changing one variable here for 25.7. DNS isn't a concern either. It's all DHCP/RA that is going to change further as ISC moves to plugins in 26.1.


Cheers,
Franco
I'm curious. Why ISC for DHCP6 versus either Kea or DNSMASQ--or just DNSMASQ if ignoring Kea?

Quote from: Monviech (Cedrik) on May 30, 2025, 02:52:05 PM
Dnsmasq uses the DNS servers defined in "System - Settings - General" as upstream.

Otherwise, you need this patch:

opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8

With it you can set "Do not forward to system defined DNS servers" in dnsmasq and provide your own ones in the "Domain" tab. Just use an asterisk (*) to specify any domain, and then define an IP address (e.g. 1.1.1.1) or Unbound if it runs on a different port (127.0.0.1, Port 53053).

Just finished doing this, with thanks for your help. Everything is working great, apart from my blocklist, which now just gets ignored. Any way around this?

Quote from: jbhorner on May 30, 2025, 10:03:21 PM
Quote from: franco on May 12, 2025, 06:55:26 PM
The goal for 25.7 default installation we're moving to:

Unbound as DNS (same as before)
Dnsmasq as DHCPv4 (away from ISC and ignoring Kea)
ISC for DHCPv6 (same as before)
Router Advertisements "radvd" as RA (same as before)

As you can see we're changing one variable here for 25.7. DNS isn't a concern either. It's all DHCP/RA that is going to change further as ISC moves to plugins in 26.1.


Cheers,
Franco
I'm curious. Why ISC for DHCP6 versus either Kea or DNSMASQ--or just DNSMASQ if ignoring Kea?
Yes, I am curious too.