internal DNS issues

Started by donee, March 11, 2026, 02:34:50 PM

I feel like an idiot.  All external DNS worked.  I did have internal hostnames properly resolving internally.  I had and still have the issue where internal DNS would not resolve when connected via WireGuard.  Now, after trying to fix the WireGuard issue, internal hosts will not resolve properly any more.
Luckily external is still working, at least.

Quote from: donee on March 11, 2026, 02:34:50 PM: "I feel like an idiot."
That sucks, but if you want help you need to post more information about your setup and settings applied ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Sorry, that makes sense.  There are just so many different settings I did not know where to start.  I did a fresh install and searched for the suggested settings, and it appears that I should only have to
Unbound DNS: General
check
  Register ISC DHCP4 Leases
  Register DHCP Static Mappings
which I did.

still no luck
I just get

** server can't find client: NXDOMAIN

March 12, 2026, 06:27:39 PM #3 Last Edit: March 12, 2026, 07:39:16 PM by meyergru
I severely doubt that those are the "suggested settings". Maybe you got them from an outdated Youtube video about OpnSense?

How do I know this? For starters, when you look at the official docs, you will find a prominent warning about how ISC DHCP is end-of-life. That means: Do not use it.

Apart from that: If you want your clients to be resolved in internal DNS, you will have to make sure that these things work as intended (and you did not say which work and which do not):

1. Your clients must be registered in your local DNS by "some" means. That could be static reservations and corresponding DNS entries or dynamic reservations. Also, they should register under a domain, such that xxx.aaa.zzz can resolve to an IP. You can also enter DNS names directly without a DHCP entry by just having a DNS override (e.g. in Unbound).

So, how did you register the DNS names and BTW: which DNS service did you use? DNSmasq or Unbound? You did not tell.

2. In order to be able to actually resolve the names, you must have a DNS service running and allow your network's clients to access it.
Which is it, and can you reach it? (A good test would be "nslookup xxx.aaa.zzz <ip-of-opnsense>".)

3. The best way of telling your clients where to ask for DNS names and with what "search domains" (e.g. aaa.zzz) to use would be DHCP.
So: do your clients know the correct DNS server IP and do they look for the correct domain names if you only ask for "xxx"?

You see: "no luck" is one thing - as of now, we do not even know where to start.

"Does not work" is by no means a specification by which anyone can help you. Maybe you should look at this.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I believe the default behavior is a combo of 
Services: Dnsmasq DNS & DHCP and Services: Unbound DNS
which is what I am trying to get working.  My external DNS works, but I want it so that when a new machine is added to the network via DHCP, its hostname automatically gets added to DNS and it can be resolved anywhere internally.  I have never had so much trouble getting this working in the past.   Sorry about not being as clear as possible. Hopefully this works better.


PDF print out of Services: Unbound DNS: General
screenshot of Services: Unbound DNS: General

and a screenshot from Services: Dnsmasq DNS & DHCP: Leases




This is a simple approach that could solve your needs. Hope it helps.


1. Be sure that your DHCP server is offering the right DNS server to your clients.

2. Uncheck "Register ISC DHCP4 Leases" and "Register DHCP Static Mappings".

3. Create "overrides" in Unbound for the needed hosts and apply/restart.

To create an override for a machine with hostname "mypc.mydomain.internal" and IP "192.168.1.2":

    Host: mypc
    Domain: mydomain.internal
    Type: A (IPv4 address)
    IP address: 192.168.1.2
    Description: Whatever you will understand in the future.

    Leave "Add PTR record" checked (default).

1. When you say DHCP offering the correct DNS server, do you mean check what DHCP put in /etc/resolv.conf? Because yes, the router/DHCP server IPs are added to /etc/resolv.conf properly:

cat /etc/resolv.conf
search home.arpa
nameserver 2600:4040:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
nameserver 10.10.10.1
2. I thought that was supposed to take the hostnames from DHCP and add them to DNS?

3. So that will add any entry that I manually add.  Is there a way to make it so any new machine that registers with DHCP gets its hostname automatically added to DNS?  It would be nice if the process was automatic and not manual.


1. OPNsense DHCP usually takes its own DNS server to offer to the clients in the correct iface, assuming it uses DNSMasq or Unbound as DNS. If your case needs to serve a different DNS, it has to be configured manually.

2. Deselect both options = no auto-register from dynamic nor static DHCP leases.

3. As point 2. is done, manual overrides will give you the way to configure host by host, similar as you would do in a proper local zone.

I think this could be a good approach to solve your need, but I'm just guessing because information given is quite short. Easy to try, though.

I don't want to do manual overrides, just like I don't want to manually IP each client with its own IP address.  It is just way too much work.  That is why I use DHCP and DNS, so they do the work for me.
I just want OPNsense to automatically add the IP and hostname of anything that is in
Services: Dnsmasq DNS & DHCP: Leases
to DNS.

Today at 02:55:05 AM #9 Last Edit: Today at 07:55:47 AM by Mpegger
Unbound should handle all external name lookups. Unbound should pass all internal lookups to DNSmasq. As suggested, do not use ISC as it will eventually be dropped. This is the setup I have come up with after gleaning over many articles, guides, and posts, over a long time trying to get my DNS resolution to work as I want it to on my network. It is a mixed IPv4/IPv6 setup that uses the typical 192.168.1.1, only a single LAN network segment (no VLANS either), as well as IPv6 GUA addresses as my ISP supplies a dynamic /56 IPv6 prefix. I also use 2 Pihole servers in my setup, but I will leave that part out to not complicate the setup. If you or anyone else wants I can include Pihole in the mix in another post.

Starting with Unbound:

General:
  Listen Port: 53
  Network Interfaces: Lan (Check all interfaces you want Unbound to listen on. Leave those you don't want it to listen to unchecked)
  Enable DNSSEC Support: (If you are going to use DNSSEC with a DNS server that supports it, check it)
  DHCP Domain Override: lan.internal (.internal is the only current top level local domain name for LAN use by ICANN, and is recognized by many modern apps to *not* be used in the WAN. You can add in whatever you want before .internal as your LAN FQDN. System > Settings > General > Domain: should also match)
  Register DHCP Static Mappings: Checked

Overrides:
  I do not use overrides as DNSmasq can take care of that for local LAN systems.

Advanced:
  Private Domains: lan.internal (Enter your domain)
  Rebind protection networks: (Add in any local LAN networks you are using that are not already entered here by default)
  Insecure Domains: lan.internal (Enter your domain if you are using DNSSEC)

Access List:
  Default Action: Allow (unless you have multiple networks being served up by different DNS daemons, leave at Allow to let Unbound respond to all network segments it is listening on that were configured earlier. There is no need for any entries when set to Allow)

Query Forwarding:
  Use System Nameservers: Unchecked (We are going to use DNSmasq for local DNS FQDN resolution)
    Add a new server entry:
      Domain: lan.internal (what you used earlier)
      Server IP: 192.168.1.1 (The LAN IP address of your Opnsense)
      Server Port: 53053 (this is the port we will use to contact DNSmasq. Do not use 5353 as often suggested. I forget the exact reason, but there's another established service out there that uses that port. You can of course use whatever port you want, just make sure it's not a commonly used port)
    Add another new server entry:
      Domain: 1.168.192.in-addr.arpa (this entry will perform reverse lookups for you LAN addresses)
      Server IP: 192.168.1.1 (same as before)
      Server Port: 53053 (same as before)


Now onto DNSmasq:
General:
  Interface: LAN (As with Unbound, check all interfaces you want Unbound to listen on. Leave those you don't want it to listen to unchecked)
  Listen Port: 53053 (same as what you used in previous settings)
  No hosts lookup: Checked
  Query DNS servers sequentially: Unchecked
  Require domain: Checked (I have it checked because I always use FQDN, but even then I can still nslookup a name without domain and receive the IP address)
  Do not forward to system defined DNS servers: Checked (since DNSmasq is used only for Local LAN lookups, we check this)
  Do not forward private reverse lookups: Checked (same as above)
  DHCP FQDN: Checked (this will register system names obtained through DHCP requests)
  DHCP default domain: lan.internal (enter your LAN FQDN)
  DHCP local domain: Checked
  DHCP authoritative: Checked
  DHCP register firewall rules: Checked (I don't fully understand what rules are added or needed, so I leave it checked)
  Router advertisements: Checked (because I do use dynamic IPv6 on my network)

Domains:
  Nothing needed here

Skip to DHCP ranges:
Add a new entry:
  Interface: LAN (I only have 1 LAN segment, if you have multiple and you want DNSmasq to serve as the DHCP on each segment, you will need to make additional server entries)
  Start address: 192.168.1.10 (where to start handing out IPv4 address in your DHCP range)
  End address: 192.168.1.200 (where to end)
  Domain: lan.internal (enter your LAN FQDN)
If using IPv6 and you want to assign a DHCP range for IPv6, add another entry:
  Interface: LAN
  Start address: ::a:b:c:1000 (again, I have a dynamic IPv6 prefix address assigned to me by my ISP, so this would be where I enter the remaining bits to assign to local clients)
  End address: ::a:b:c:9000
  Constructor: LAN
  RA mode: slaac, ra-names (this will allow clients to obtain their own IPv6 address via SLAAC [like Android devices], as well as being able to assign a fixed IPv6 GUA address to those clients that support that feature. The mode will depend on how you are assigned IPv6 by your ISP, but this should work in most cases)
  Domain: lan.internal (you know the drill, enter your LAN FQDN)

DHCP options:
Add a new entry: (This will tell the DHCP client the IPv4 address of your DNS server(s))
  Interface: LAN
  Type: Set
  Option: dns-server [6]
  Option6: None
  Value: 192.168.1.1 (In this example we use the LAN ip address of the OPNSense firewall since that is where Unbound resides and listens)
  Force: Checked

I have IPv6, so I add another entry:
  Interface: LAN
  Type: Set
  Option: None
  Option6: dns-server [23]
  Value: fe80::1 (Use the IPv6 address that starts with fe80: for your LAN interface. Link Local Addresses (LLA, fe80:) don't change unless the network hardware itself changes as it's derived from the MAC address, and will work in mixed IPv4, IPv6 networks)
  Force: Checked

Now back to DHCP Hosts tab:
The DHCP Hosts tab is where you will enter any and every device on your network that you want to assign a FQDN for your local LAN, and a fixed IP address, be it IPv4, or GUA IPv6 with the assigned prefix from your ISP. The IP addresses you assign do not have to be in the DHCP range(s) you defined earlier. You can also define devices that don't use DHCP, but have a fixed IP address and you want to assign a FQDN to them. For instance, my Opnsense firewall has an entry for the FQDN, IPv4 and internal Link Local IPv6 address it can be reached at. CNAME and Alias records can also be defined in this section.

When dealing with IPv6, be aware that not every device will support being assigned an IPv6 address via DHCP. You can easily tell what devices can be assigned an IPv6 address by allowing the device to connect via DHCP; in the 'DNSmasq > Leases' window you can look for the device's IPv6 address, and the DUID that you need to use to assign an IPv6 address via DHCP will be there as well. Devices that only support IPv6 via SLAAC (like Android) will not show up in the 'Leases' window IPv6 section, and cannot be assigned a fixed IPv6 GUA address.

Those devices that do not need a fixed IP or FQDN of any kind you do not need to define here, as they will just grab a random IPv4 and/or IPv6 address according to your DHCP ranges setting. Those devices that request a DHCP address can also report their device name to DNSmasq, and DNSmasq will register that name as a FQDN that can be used just like any other fixed entry you yourself added.

With this setup, all local FQDN lookups will stay within Opnsense, and will be resolvable via DNSmasq. Any other lookups will go out to the net via Unbound. You will only need to maintain 1 set of entries for you LAN devices via DNSmasq, and not have to use Unbound for overrides.
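An added worked example, not code from the thread or from OPNsense, that models the split the post above describes: dnsmasq turns DHCP leases into local A/PTR records, and Unbound needs one forward-zone for the forward domain and one for the in-addr.arpa zone to hand those queries to dnsmasq on its alternate port. It also shows why a lease whose client never sent a hostname (recorded as `*` in dnsmasq's leases file) answers NXDOMAIN, which is the symptom in the first post. The domain `lan.internal`, the network `192.168.1.0/24`, the dnsmasq address `192.168.1.1:53053` and the leases text are all assumptions chosen to match the post.

```python
"""Added example (not from the thread or OPNsense): model how dnsmasq turns DHCP
leases into local DNS records and which Unbound forward-zones route those names
to dnsmasq. Domain, network, port and the leases text below are assumptions."""

import ipaddress

# Constructed sample of a dnsmasq.leases file: expiry MAC IP hostname client-id.
# The second client sent no hostname, which dnsmasq records as "*".
SAMPLE_LEASES = """\
1710000000 aa:bb:cc:dd:ee:01 192.168.1.10 mypc 01:aa:bb:cc:dd:ee:01
1710000000 aa:bb:cc:dd:ee:02 192.168.1.11 * 01:aa:bb:cc:dd:ee:02
1710000000 aa:bb:cc:dd:ee:03 192.168.1.12 printer *
"""


def parse_leases(text):
    """Return a list of (ip, hostname-or-None) from dnsmasq.leases lines."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, host = fields[2], fields[3]
        leases.append((ip, None if host == "*" else host))
    return leases


def expected_records(leases, domain):
    """A and PTR records dnsmasq can answer with 'DHCP FQDN' and a default domain.
    A lease with no hostname gets no record, so querying it yields NXDOMAIN."""
    forward, reverse = {}, {}
    for ip, host in leases:
        if host is None:
            continue
        fqdn = f"{host}.{domain}"
        forward[fqdn] = ip
        reverse[ipaddress.ip_address(ip).reverse_pointer] = fqdn
    return forward, reverse


def reverse_zone_for(cidr):
    """Name of the in-addr.arpa zone for an IPv4 /8, /16 or /24 network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def unbound_forward_zones(domain, cidr, server, port):
    """unbound.conf stanzas equivalent to the two Query Forwarding GUI entries."""
    stanzas = []
    for name in (domain, reverse_zone_for(cidr)):
        stanzas.append(
            "forward-zone:\n"
            f'    name: "{name}"\n'
            f"    forward-addr: {server}@{port}\n"
        )
    return "".join(stanzas)


def qualify(name, search_domain):
    """What a client does with a short name given a DHCP-supplied search domain."""
    return name if "." in name else f"{name}.{search_domain}"


def resolves_via_unbound(qname, domain, cidr, forward, reverse):
    """Path a query takes at Unbound: local record via dnsmasq, NXDOMAIN, or upstream."""
    if qname == domain or qname.endswith("." + domain):
        return forward.get(qname, "NXDOMAIN")
    if qname.endswith("." + reverse_zone_for(cidr)):
        return reverse.get(qname, "NXDOMAIN")
    return "upstream"


if __name__ == "__main__":
    fwd, rev = expected_records(parse_leases(SAMPLE_LEASES), "lan.internal")
    print(unbound_forward_zones("lan.internal", "192.168.1.0/24", "192.168.1.1", 53053))
    for q in ("mypc", "12.1.168.192.in-addr.arpa", "nohost.lan.internal", "example.com"):
        q = qualify(q, "lan.internal")
        print(q, "->", resolves_via_unbound(q, "lan.internal", "192.168.1.0/24", fwd, rev))
```

The practical check this suggests: query dnsmasq directly on its port and Unbound on 53 for the same FQDN and the matching in-addr.arpa name; if the first answers and the second does not, the forward-zone entries are missing or wrong, and if neither answers, the lease carries no hostname or the DHCP FQDN/domain settings are not registering it.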