dnsmasq DNS/DHCP Oddities/Wishlist

Started by Drinyth, May 09, 2025, 04:10:16 PM

May 09, 2025, 04:10:16 PM Last Edit: May 10, 2025, 02:43:36 AM by Drinyth Reason: More testing with import/export
With dnsmasq suggested for small/medium installations moving forward, I decided to take a stab at converting my Unbound and ISC/KEA configuration over to just using dnsmasq. It wasn't without its problems, so I decided to document my findings here in hope that it will be helpful to others (and perhaps for potential improvements moving forward).

----------------------------------

DHCP register firewall rules
This is a setting that appears to be enabled by default, but whose equivalent I hadn't enabled in KEA (I don't see such an option for it under ISC). I figured that since the setting wasn't enabled in KEA, I would try to mimic this configuration in dnsmasq. This ended up causing all sorts of intermittent issues for me where some devices were able to register DHCP leases while other devices never appeared to reach the dnsmasq DHCP server at all (at least according to the logs). I do have some VLANs on my home network with rules prohibiting traffic to other VLANs. I suspect that these inter-VLAN blocks might have been the root cause, but it was still weird that some devices worked while others didn't in this configuration.

Interface
Adding onto the firewall issue above, the default configuration in the GUI has the "Interface" set to "All", which is a bit misleading. When leaving this at "All" and checking DHCP register firewall rules, these rules actually don't get written to all the available interfaces. Obviously, this also causes DHCP services to behave sporadically, since the firewall rules for proper operation never get added to their respective interfaces. I initially wanted it set to "All" because I wanted to be able to do lookups on localhost. Later I would find out that localhost is enabled regardless. Once I explicitly enabled all of my interfaces where I needed DHCP services, I then saw the appropriate firewall rules being created accordingly.

System -> Settings -> General -> DNS servers
In my configuration, I have AdGuard Home as my primary DNS server (on port 53) with it sending queries to dnsmasq (formerly Unbound) on port 8053 for lookups of static DHCP entries, and so that private DNS lookups resolve nicely. In this configuration, if I do not have DNS servers explicitly set in the system settings, I cannot get dnsmasq to perform DNS lookups. When trying to query dnsmasq on port 8053 directly, queries just time out when no DNS servers are defined, despite having my ISP's DNS servers in resolv.conf. I'm not sure why this is the case. Nothing in dnsmasq.conf has these DNS servers defined in it. It's quite odd.


EDIT: This has been fixed in the patch posted in the #2 comment below.

DHCP ranges
I have a few VLANs with only static IPs in them with another VLAN with some statics and some dynamic. If you try and define static IPs under the "Hosts" tab and you don't define that subnet in "DHCP ranges", dnsmasq DHCP will not work properly. Luckily, there is verbiage in the logs to reflect this. I just wanted to mention it in case someone ran into that issue.

Static IP Wishlist
As a nice-to-have, it would be nice if, for static IPs, the domain could be set globally someplace, or perhaps if it used the system domain when nothing was defined. I had to include the domain name for each of my static entries individually in order to get FQDN lookups to work for those entries. Similarly, it would be nice if the lease time for static IPs could be defined globally someplace. Again, I had to define them individually for each static IP entry. Luckily for both of the above, the export and import features from the GUI allowed me to do some quicker editing in a text file to make the changes.

Regarding import/export, it also appears that if an entry already exists in the configuration and you export the config, make a change to one of those entries and import the updates, the update doesn't actually take effect. Instead I had to export the config, then delete entries from the GUI, make changes to the exported configuration, and then do an import for it to take effect. I don't know what the proper solution is here and what should be authoritative (i.e. do we leave the GUI entry in place since it already exists, or should it get overwritten by whatever is in the imported config?). But I just wanted to throw that out there. Hopefully some of the above can be implemented in a future release?

EDIT: After further testing of import/export behavior, it appears that imports of existing entries do update their respective entry as I would expect.

----------------------------------

All that said, thank you to the developers for continuing to improve opnsense on a regular basis! With constant releases and new features, bugs are bound to creep up which end up causing you guys more work to fix them. As a user, I appreciate all your work that you put into these new releases and that you continue to drive forward with the feature set of opnsense!

For anyone that cares, the online guide spells most of this out in the examples section. At least three of your main points are explicitly covered, so I never ran into these issues when swapping over.

Quote from: Drinyth on May 09, 2025, 04:10:16 PM
System -> Settings -> General -> DNS servers
In my configuration, I have AdGuard Home as my primary DNS server (on port 53) with it sending queries to dnsmasq (formerly Unbound) on port 8053 for lookups of static DHCP entries, and so that private DNS lookups resolve nicely. In this configuration, if I do not have DNS servers explicitly set in the system settings, I cannot get dnsmasq to perform DNS lookups. When trying to query dnsmasq on port 8053 directly, queries just time out when no DNS servers are defined, despite having my ISP's DNS servers in resolv.conf. I'm not sure why this is the case. Nothing in dnsmasq.conf has these DNS servers defined in it. It's quite odd.

The following patch appears to have fixed this issue for me.

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

I've been playing with the new dnsmasq implementation and I have huge issues with DHCP clients! Some never get an IP, others take forever or are very slow to do so. Not sure if it's related to the DHCP register firewall rules option.
I've read the documentation a dozen times and followed it strictly and still have these issues.
DNS works more or less OK.

Quote from: bassopt on May 10, 2025, 10:34:34 PM
I've been playing with the new dnsmasq implementation and I have huge issues with DHCP clients! Some never get an IP, others take forever or are very slow to do so. Not sure if it's related to the DHCP register firewall rules option.
I've read the documentation a dozen times and followed it strictly and still have these issues.
DNS works more or less OK.

After you check the register firewall rules option, be sure to reload your firewall rules. I think I read someplace that it does not do this by default for you.

Quote from: Drinyth on May 11, 2025, 12:10:25 AM
Quote from: bassopt on May 10, 2025, 10:34:34 PM
I've been playing with the new dnsmasq implementation and I have huge issues with DHCP clients! Some never get an IP, others take forever or are very slow to do so. Not sure if it's related to the DHCP register firewall rules option.
I've read the documentation a dozen times and followed it strictly and still have these issues.
DNS works more or less OK.

After you check the register firewall rules option, be sure to reload your firewall rules. I think I read someplace that it does not do this by default for you.

Hmmm, I have rebooted pfsense many times. What do you mean, reload firewall rules? That doesn't make much sense, even less practical.
Is the DHCP register firewall rules option really necessary?
To be honest, the DNSMasq instructions are a bit confusing at the time.

Quote from: bassopt on May 11, 2025, 04:20:17 PM
Hmmm, I have rebooted pfsense many times. What do you mean, reload firewall rules? That doesn't make much sense, even less practical.
Is the DHCP register firewall rules option really necessary?
To be honest, the DNSMasq instructions are a bit confusing at the time.

If you have rebooted opnsense after making changes, your firewall rules will have reloaded as part of that reboot.

For my configuration (a basic home network with a bunch of VLANs), setting "DHCP register firewall rules" was necessary. It wasn't necessary when I ran KEA, but dnsmasq must behave differently somehow to require those rules to be there? Without those rules, DHCP services only worked intermittently: some devices were able to obtain an IP from the dnsmasq DHCP server, but others would not. After adding the firewall rules and reloading them, all those devices that would not connect previously started working.

Quote from: Drinyth on May 09, 2025, 04:10:16 PM
DHCP ranges
I have a few VLANs with only static IPs in them with another VLAN with some statics and some dynamic. If you try and define static IPs under the "Hosts" tab and you don't define that subnet in "DHCP ranges", dnsmasq DHCP will not work properly. Luckily, there is verbiage in the logs to reflect this. I just wanted to mention it in case someone ran into that issue.

It seems that I was running into this "issue" too.

Is this the correct way of configuring this:
DHCP range:
LAN 10.11.12.1, static (so no dynamic hosts are generated)
LAN 10.11.12.101-10.11.12.199 (for dynamic range)

Or what would the correct way of doing this be?
I haven't been able to find this exactly in the documentation, but I might somehow be overlooking it.

My understanding from a response on another thread is that the static start IP address should be the first address that you want to use for a static reservation. 10.11.12.1 would most likely be used by your router, so you'd use 10.11.12.2.
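The failure mode raised earlier in this thread (static "Hosts" entries whose subnet has no "DHCP ranges" entry, so dnsmasq never serves those leases) and the static/dynamic range layout discussed in the last two posts can both be checked offline against a raw dnsmasq configuration. The following is an added example and not code from OPNsense, dnsmasq or any poster in this thread. It assumes the dnsmasq.conf syntax for `dhcp-range` (start address, optional end address or the `static` keyword, optional netmask, optional lease time) and `dhcp-host` (MAC, name, address, optional lease time); the sample configuration, its addresses and MACs are constructed for the demonstration, and a /24 netmask is assumed wherever a range does not state one.

```python
import ipaddress
import re

# Assumption: netmask used for a dhcp-range line that gives none.
DEFAULT_NETMASK = "255.255.255.0"
_LEASE_RE = re.compile(r"^(infinite|\d+[smhdw]?)$")

# Constructed sample (not from the thread): one static-only subnet, one mixed
# subnet, and a reservation on a subnet that has no dhcp-range at all.
SAMPLE_CONF = """\
# static-only subnet: only dhcp-host entries get leases here
dhcp-range=10.11.12.2,static,255.255.255.0,12h
# mixed subnet: dynamic pool plus static reservations outside the pool
dhcp-range=10.11.13.101,10.11.13.199,255.255.255.0,12h
dhcp-host=aa:bb:cc:00:00:01,printer,10.11.12.20,infinite
dhcp-host=aa:bb:cc:00:00:02,nas,10.11.13.50
dhcp-host=aa:bb:cc:00:00:03,camera,10.11.14.10   # no dhcp-range covers this
"""


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def _option_values(conf_text, option):
    """Yield the comma-split value list of every '<option>=...' line, comments stripped."""
    prefix = option + "="
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(prefix):
            yield line[len(prefix):].split(",")


def parse_dhcp_ranges(conf_text):
    """Return [(IPv4Network, mode)] for each IPv4 dhcp-range line.

    'static' mode: the first address names the subnet (any address in it works,
    since the netmask decides). Dynamic mode: first two addresses are the pool
    bounds. IPv6 ranges are skipped; tag:/set: prefixes are ignored.
    """
    networks = []
    for tokens in _option_values(conf_text, "dhcp-range"):
        tokens = [t for t in tokens if not t.startswith(("tag:", "set:"))]
        ips = [t for t in tokens if _is_ipv4(t)]
        if not ips:
            continue
        mode = "static" if "static" in tokens else "dynamic"
        consumed = 1 if mode == "static" else 2  # addresses used by start/end
        netmask = ips[consumed] if len(ips) > consumed else DEFAULT_NETMASK
        net = ipaddress.IPv4Network(f"{ips[0]}/{netmask}", strict=False)
        networks.append((net, mode))
    return networks


def parse_dhcp_hosts(conf_text):
    """Return [(name, IPv4Address)] for each dhcp-host line that pins an IPv4 address."""
    hosts = []
    for tokens in _option_values(conf_text, "dhcp-host"):
        ip = next((t for t in tokens if _is_ipv4(t)), None)
        if ip is None:
            continue  # MAC-only or IPv6 entry; nothing to check here
        # The hostname is the token that is neither a MAC/id (contains ':'),
        # an address, nor a lease time.
        name = next((t for t in tokens
                     if ":" not in t and not _is_ipv4(t) and not _LEASE_RE.match(t)),
                    "?")
        hosts.append((name, ipaddress.IPv4Address(ip)))
    return hosts


def find_uncovered_hosts(conf_text):
    """Static reservations whose address lies on no dhcp-range subnet.

    dnsmasq will not answer DHCP for these, which is the symptom the thread
    describes; the fix is a dhcp-range line for that subnet (static mode if
    the subnet should hand out reservations only).
    """
    ranges = parse_dhcp_ranges(conf_text)
    return [(name, str(ip)) for name, ip in parse_dhcp_hosts(conf_text)
            if not any(ip in net for net, _ in ranges)]


if __name__ == "__main__":
    for net, mode in parse_dhcp_ranges(SAMPLE_CONF):
        print(f"range {net} ({mode})")
    for name, ip in find_uncovered_hosts(SAMPLE_CONF):
        print(f"WARNING: dhcp-host {name} at {ip} is on no dhcp-range subnet")
```

Run against a real configuration by passing the file contents to `find_uncovered_hosts`; in the sample only `camera` is reported, because 10.11.12.0/24 is declared as a static-only range and 10.11.13.0/24 gets its subnet from the dynamic pool's netmask, while nothing declares 10.11.14.0/24.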