25.1.6 - DNS/DHCP best practice

Started by gstyle, May 08, 2025, 03:51:39 PM

I use home.arpa for my local domain since that was purposely set aside for home networks.

Anyway, between the great documentation and this thread I was able to go full IPv4 and IPv6+RA with dnsmasq, and it has been working wonderfully.

Quote from: gspannu on May 21, 2025, 03:57:28 PM
Quote: Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?


You can use either of the two... both will work.

Mind you that there can be a minor downside to using "localdomain". If you want to run your own local CA - on OPNsense or anywhere else - and you also want to use a wildcard certificate for a variety of devices that for some reason cannot use a real FQDN and Letsencrypt, then ...

- *.home.arpa will work while
- *.localdomain will not work

with current browsers. There have to be at least two dots in there.

I prefer - at work just like at home - to use a subdomain of a real domain I own.

So if I own e.g. company.com, then for the internal network I use internal.company.com. I know this will never conflict with anybody else, I do not publish this domain anywhere outside on the Internet, therefore I will not have leaks of any kind ... perfect solution but for the slightly longer FQDNs.

Also *.internal.company.com works with certificates as well as with MS Active Directory. Using your official Internet domain company.com with AD leads to all sorts of unexpected constraints.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
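Added example, written for this page and not code from the thread or from OPNsense: the "at least two dots" rule Patrick describes, expressed as the wildcard hostname check a current browser applies when it validates a certificate issued by a local CA (RFC 6125 section 6.4.3 style: the wildcard must be the whole leftmost label, must be followed by at least two labels, and matches exactly one label). The hostnames are constructed for the demonstration; a private CA such as the one built into OPNsense will happily issue `*.localdomain`, it is the client that refuses to honour it.

```python
"""Wildcard hostname matching as browsers apply it to a local CA's certificate.

Added example, not code from the forum thread or from OPNsense. It encodes the
rule described in the post: a wildcard SAN needs at least two dots, so
"*.home.arpa" and "*.internal.company.com" are usable while "*.localdomain"
is not. The sample hostnames below are constructed for the demonstration.
"""


def _normalize(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def wildcard_pattern_allowed(pattern: str) -> bool:
    """Would a current browser honour this dNSName as a wildcard pattern?

    - exactly one '*', and it must be the entire leftmost label;
    - at least two non-empty labels must follow it, i.e. the pattern has at
      least two dots, so "*.localdomain" (one dot) is rejected like "*.com".
    """
    labels = _normalize(pattern)
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    return len(labels) >= 3 and all(labels[1:])


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Does `hostname` match a certificate name `pattern` (exact or wildcard)?"""
    host = _normalize(hostname)
    pat = _normalize(pattern)
    if "*" not in pattern:
        return host == pat
    if not wildcard_pattern_allowed(pattern):
        return False
    # The wildcard covers exactly one non-empty label; everything after it
    # must match label for label, so "printer.lab.internal.company.com" does
    # not match "*.internal.company.com".
    return (
        len(host) == len(pat)
        and host[0] != ""
        and "*" not in host[0]
        and host[1:] == pat[1:]
    )


# Constructed sample names for the naming choices discussed in the thread.
CASES = [
    ("opnsense.home.arpa", "*.home.arpa"),
    ("opnsense.localdomain", "*.localdomain"),
    ("nas.internal.company.com", "*.internal.company.com"),
    ("printer.lab.internal.company.com", "*.internal.company.com"),
    ("internal.company.com", "*.internal.company.com"),
    ("opnsense.localdomain", "opnsense.localdomain"),
]


def evaluate_cases() -> dict[tuple[str, str], bool]:
    """Run every constructed case through the browser-style matcher."""
    return {(h, p): hostname_matches(h, p) for h, p in CASES}


if __name__ == "__main__":
    for (host, pattern), ok in evaluate_cases().items():
        print(f"{host:36} vs {pattern:26} -> {'match' if ok else 'NO match'}")
```

Run it and the `*.localdomain` line is the only wildcard that fails for a plain one-level hostname; the `printer.lab.internal.company.com` line shows the other limit of wildcards, that one `*` never spans two labels, which is why a deeper internal hierarchy needs one wildcard certificate per level or an explicit SAN list.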

Quote from: Patrick M. Hausen on May 21, 2025, 09:57:22 PM

Thanks for the great tip about browsers possibly having an issue with .localdomain 👍

Quote from: gspannu on May 21, 2025, 07:35:09 PM
Anyone who uses OPNsense belongs here... let no one make you think otherwise!

Thank you, brother.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

I apologize if I've missed something in this thread, but I'm not sure how best to implement my current IPv6 DHCP setup with Kea or dnsmasq.

My current IPv6 setup is based on this guide: https://github.com/lilchancep/att-pfsense-ipv6

In short, my WAN interface is configured to run a script which requests IPv6 prefixes from AT&T to be delegated to each of my VLANs. Each VLAN interface uses the "Tracking" option for IPv6 to determine its delegated prefix. I believe selecting "Tracking" means that SLAAC is used to determine addresses for each device, but I may be wrong. Is there a way in Kea or dnsmasq to duplicate this functionality, or is it best that I sit tight until the dust settles on the changes that are being worked on?

If it works for you right now better wait for a while. No need to change anything.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on May 22, 2025, 08:28:34 PM
If it works for you right now better wait for a while. No need to change anything.

Will do, I appreciate the feedback.