KEA, DNS and "Auto collect option data"

[funkyd]

Hi all,

Just migrated from ISC DHCP to KEA DHCP and have a quick question regarding DNS. For ISC, when the DNS field was left blank, it would use the DNS servers provided under System -> Settings -> General. With KEA, since it uses the interface IP as the DNS server when the "Auto collect option data" is checked, am I assuming correctly that it no longer pulls from the General settings page and needs the Unbound service running and listening on the appropriate interfaces for DNS to work with that option checked?

I'm planning on just unchecking the box and setting DNS manually since I only had ISC set up like this for a few guest vlans, but just wanted to be sure I wasn't missing something other than Unbound when trying to make this work like ISC worked in the past.

Thanks in advance for any guidance!

[franco]

Yes, it will auto-fill these values from the system like before, but instead of being dynamically loaded at config creation time they are added to the config.xml persistently on save so the config creation can be from static values, which is more predictable from an implementational standpoint.

Your plan should be ok.



Cheers,
Franco

[funkyd]

Thank you, Franco. The reason I asked about Unbound is because on my system, with only the System -> Settings -> General DNS fields filled and the Unbound service not running, KEA pulls the gateway IP as the DNS server when the "auto collect option data" box is checked and I'm unable to resolve hostnames. I did not try turning back on ISC, but I believe it populated the DNS servers listed from the settings page and not the gateway IP for DNS when the server was not manually populated?

I was obviously able to work around this by unchecking the box and manually setting the DNS servers, but wondering if there is something I was missing on my setup, if this is expected behavior, or if this is a possible bug. Thank you again for your response!

[franco]

Could be a bug. In ISC DHCP it figured out if unbound or dnsmasq was running and if not try to use one of the global servers (or ISP supplied name servers). We'll take a look.


Cheers,
Franco

[franco]

We agreed to add a simple validation so you cannot use auto-collect if preconditions are not met (like no enabled DNS server)

https://github.com/opnsense/core/issues/9185

Expect a patch later this week, definitely not for 25.7.3 tomorrow. It would only validate so you have to uncheck auto-collect to proceed anyway. Don't want to auto-collect more dynamic values than actual local addresses to publish automatically.


Cheers,
Franco

[Patrick M. Hausen]

Don't want to auto-collect more dynamic values than actual local addresses to publish automatically.

👍

[funkyd]

Thank you, Franco. That should make it obvious to anyone running a similar setup. I appreciate you taking a look and the upcoming fix!

[RedVortex]

FYI, I also had to disable auto collect and manually fill in the gateway, DNS and NTP for my 5 networks since I'm setup in HA and it was using the interfaces IP instead of the CARP VIP.

Every time there was a failover, everything was losing connectivity because the gateway and DNS were not working anymore since they were pointing to the interface that was down or rebooting instead of the CARP VIP.

I'm not really considering this a "bug" but more of a "heads up" if you use HA and CARP VIP.

The biggest problem I still have with kea is that I cannot send option 121 anymore, the UI doesn't support it (classless static routes, not the static routes in the UI that no client supports or nobody uses that is only 1 IP to 1 Gateway which is option 33). I had a thread on that issue a long time ago and that is problematic a lot for me: https://forum.opnsense.org/index.php?topic=39563.0