Default DNS servers obtained via ISC DHCP

Started by EricPerl, December 11, 2024, 09:53:44 PM

I had 1.1.1.1 & 8.8.8.8 set up in System > Settings > General > DNS Servers (override of ISP DNS obtained from WAN).
Then Unbound was set up to use the System nameservers in Services > Unbound > Query Forwarding (& DNS over TLS).

That seemed sufficient until I played with AGH.
My clients got the GW of each VLAN set up as their DNS server. All good.

When I added AdGuardHome in the mix, I moved Unbound to port 53530, enabled AGH on 53.
Somehow, my clients now get the System name servers as DNS servers.

I realize that I can override this in ISC DHCP (DNS Servers per interface).
But the info for this setting indicates this:
Quote
Leave blank to use the system default DNS servers: This interface IP address if a DNS service is enabled or the configured global DNS servers.
I guess it means that "This interface IP address if a DNS service is enabled" is not established by checking if some process listens on 53.
Does this only work if the built-in DNS servers are used as primary (and enabled on the interface in question)?

Possibly related.... I recently transitioned back from Kea DHCP to ISC, and was surprised when some DHCP clients started having issues due to being given no DNS servers. I also have AGH on port 53 and Unbound on a non-standard port. I have no DNS servers configured at System -> Settings -> General. In haste to get things working again, I manually added my firewall's address to the DNS servers in ISC DHCPv4 config, and then forgot to look into it further ;) Looking again now, I did *not* have DNS servers specified in my Kea config ("Auto collect option data" was in effect). There may be a bug here (or at least an inconsistency)...

In absence of entries in System -> Settings -> General (I've seen that setup mentioned somewhere else), I'm not sure where OPN itself gets DNS from (for updates to work for example).
Maybe from WAN DHCP if you're happy with using your ISP DNS?
I guess it's also possible it defaults to localhost. I'll give that a shot on my backup device at some point.

There's definitely an inconsistency because the AGH logs show requests from devices in other VLANs so these still get DNS via the GW of their VLANs.
I actually noticed the switch to the "configured global DNS servers" from my main PC because the OPN GUI was accessed by hostname and no longer resolved...


You do not need an upstream DNS - at all. Every recursive DNS server or "resolver" like e.g. Unbound is able to work it out all on its own by just having IP/Internet connectivity.

So AGH aside the default installation of OPNsense will just do that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: EricPerl on December 12, 2024, 10:29:28 PM
In absence of entries in System -> Settings -> General (I've seen that setup mentioned somewhere else), I'm not sure where OPN itself gets DNS from (for updates to work for example).
Maybe from WAN DHCP if you're happy with using your ISP DNS?
I guess it's also possible it defaults to localhost.

System -> Settings -> General -> Networking -> DNS Server Options:

"[ ] Do not use the local DNS service as a nameserver for this system
By default localhost (127.0.0.1) will be used as the first nameserver when e.g. Dnsmasq or Unbound is enabled, so system can use the local DNS service to perform lookups. Checking this box omits localhost from the list of DNS servers."


and the cryptically described:

"[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
If this option is set, DNS servers assigned by a DHCP/PPP server on WAN will be used for their own purposes (including the DNS services). However, they will not be assigned to DHCP clients. Since this option concerns all interfaces retrieving dynamic dns entries, you can exclude items from the list below."

Not sure what "for their own purposes" means - what purpose would a DNS server have other than as a DNS service? Also not sure what the last sentence means, as there is no list below. Anyway, with this option enabled, DNS servers obtained via WAN get added *after* 127.0.0.1 in /etc/resolv.conf


Ahh, I think I found the answer; Services -> Adguardhome -> General -> "Primary DNS" needs to be checked when AGH is on port 53 for it to be offered to DHCP clients. After checking that box, I also had to reapply my DHCPv4 config for my LAN interface for it to take effect.

December 13, 2024, 09:52:32 PM #6 Last Edit: December 13, 2024, 10:05:16 PM by EricPerl
Quote from: Patrick M. Hausen on December 12, 2024, 10:32:48 PM
You do not need an upstream DNS - at all. Every recursive DNS server or "resolver" like e.g. Unbound is able to work it out all on its own by just having IP/Internet connectivity.

So AGH aside the default installation of OPNsense will just do that.
Hmm, is there a discovery mechanism I don't know about (very possible)?
I was curious enough that I tested on my backup proxmox. I reset its OPN VM (clearly sitting behind my live OPN).
By default, "Allow DNS servers to be overridden by DHCP" is on. I knew about that one.
Also by default, Unbound has "use system nameservers" set to off (so the DHCP assigned servers are typically ignored. Interface diagnostics use it though).
Yet Unbound indeed resolves happily, using a wide variety of servers. Are those hardcoded for bootstrap purposes?

Quote from: dseven on December 13, 2024, 11:08:57 AM
Ahh, I think I found the answer; Services -> Adguardhome -> General -> "Primary DNS" needs to be checked when AGH is on port 53 for it to be offered to DHCP clients. After checking that box, I also had to reapply my DHCPv4 config for my LAN interface for it to take effect.
Ah, I had switched that on pretty quickly after I set up AGH but it's possible that some machines renewed their lease in the short window when I moved Unbound to 53530 and finished the basic AGH setup...

I cleared the DNS setting in my main VLAN. I'll notice pretty quickly if VLAN clients are pointed to OPN defaults again.
Then at some point, I'll move these settings in the Unbound config.

Quote from: EricPerl on December 13, 2024, 09:52:32 PM
Also by default, Unbound has "use system nameservers" set to off (so the DHCP assigned servers are typically ignored. Interface diagnostics use it though).
Yet Unbound indeed resolves happily, using a wide variety of servers. Are those hardcoded for bootstrap purposes?

If not configured to forward to upstream resolvers, unbound would start from the root servers and recursively resolve by itself. You can see the root servers in /var/unbound/root.hints. I believe there's a basic set hard-coded too (used if there's no root-hints file).
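To make the bootstrap step concrete, here is an added example (not code from OPNsense, Unbound or anyone in this thread) that parses a root.hints file in the zone-file syntax Unbound reads and returns the root server names with their glue addresses, which is all a recursive resolver needs to start from "." with no upstream configured. The sample hints content is constructed and uses documentation address ranges, not the real root server addresses.

```python
"""Parse a root.hints file (the format Unbound reads from /var/unbound/root.hints
when it is not forwarding) into the name -> address map a recursive resolver
uses to bootstrap resolution from the root. Added example, not project code."""
from collections import defaultdict

# Constructed sample in root.hints / zone-file syntax. Addresses are taken from
# documentation ranges (RFC 5737 / RFC 3849), not the real root servers.
SAMPLE_ROOT_HINTS = """\
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8:200::b
; End of file
"""


def parse_root_hints(text: str) -> dict[str, list[str]]:
    """Return {root server name: [addresses]} for every NS listed for '.'.

    Only names that appear in a '.' NS record are returned; A/AAAA glue for
    names the root does not delegate to is ignored.
    """
    ns_names: list[str] = []
    glue: dict[str, list[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"unexpected root.hints line: {raw!r}")
        owner, _ttl, rtype, rdata = fields
        owner, rdata = owner.lower(), rdata.lower()  # DNS names are case-insensitive
        if owner == "." and rtype == "NS":
            ns_names.append(rdata)
        elif rtype in ("A", "AAAA"):
            glue[owner].append(rdata)
    missing = [n for n in ns_names if n not in glue]
    if missing:
        # A root server with no glue cannot be reached without first
        # resolving its name, which defeats bootstrapping.
        raise ValueError(f"root servers without glue: {missing}")
    return {name: glue[name] for name in ns_names}


if __name__ == "__main__":
    for name, addrs in parse_root_hints(SAMPLE_ROOT_HINTS).items():
        print(name, addrs)
```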

Geez, of course... I knew this functionality existed as the first DNS building block. It didn't click that it was available right there in OPN (versus a plain forwarder + cache)... Thanks!