dnsmasq and query forwarding

Started by tessus, May 25, 2025, 03:22:59 PM

I had some issues earlier with short name resolution, so going forward I'll probably follow the advice here to keep a 'unifi' alias in addition to the host entry, maybe even in Unbound.  Maybe I'll do that regardless of the DHCP and DNS services used.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE

Quote from: Monviech (Cedrik) on May 29, 2025, 12:15:01 PM
This means, KEA + Unbound with static leases could work for businesses if they want a different DHCP server + DNS server combination. (As it exists right now)
For home users, Dnsmasq could be the preferable choice, even as single DNS/DHCP server that just forwards to e.g., google or cloudflare or the ISP DNS servers.
The choices are there, everybody can take what they think is the better one.
In my home network with quite some vlans and homelab, I run dnsmasq dhcpv4+dhcpv6+RA and all DNS features since 3 months and have peace and quiet.
Sometimes it's just personal preference that clouds the correct answer. I am leaning a bit more towards dnsmasq though, since it makes more sense to me.


I am so glad the dev team took this decision. I expressed my wish to Franco in this 2023 post, and the answer didn't make me very happy. :)

I used dnsmasq for many years both in business environments and in my homelab (before the term homelab was created actually) because of its flexibility and reliability.

I migrated from KEA+Unbound to dnsmasq this evening, took me less than 1h to migrate all settings+data (reservations, aliases, etc.) and I must say that dnsmasq is much simpler and more efficient in terms of configuration. For example, the way you define a host and in one window you can configure a reservation, define multiple mac addresses for one ip, aliases, etc. is much easier to maintain.

I never liked unbound configuration approach, and I also had reliability issues with it: the unbound service restarted several times throughout the day, and I never really understood the cause. I also didn't like KEA much, even though it has been very reliable, but it was missing some features.

Like you said: to each their own. OPNsense now allows the user to choose the services and the architecture, and it doesn't force the user to use a specific service for whatever reason.

Great job devs, hope you don't change this approach. :)

Quote from: meyergru on May 28, 2025, 07:55:30 PM
I think the problem is with the DNSmasq / Unbound interaction: I have observed that when you ask DNSmasq for names it cannot resolve and which are not considered "local" (i.e. that DNSmasq does not think it is authoritative for), it returns REFUSED instead of the usual NXDOMAIN.

Alas, Unbound turns those answers into SERVFAIL and then thinks DNSmasq is broken. It then stops asking it for a short while, despite the custom forwarding that tells it to do so.

It all depends upon keeping DNSmasq from ever returning REFUSED answers. The problem here is that, e.g., Windows adds a DNS search domain to any DNS name it is asking for. So, if you ask for www.google.com, it may ask DNSmasq for www.google.com.internal. If that name is forwarded to DNSmasq, but not one of the "local" domains, the problem will occur.

@Monviech has changed the scheme for determining the "local" domains once again with his latest patch. It requires at least one DHCP host entry from each forwarded domain to be marked as "local" (a new flag introduced by the commit).

But still: that commit is also not yet part of any release and you have to apply both previous patches in order first, therefore I am not showing how to do it. Just keep your patience and hope it will work. I have switched back to ISC DHCP / Unbound for the time being as I was struck by the same problem.
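As an added illustration of the REFUSED-vs-NXDOMAIN distinction meyergru describes (this is not code from the thread or from OPNsense): a small Python checker that builds a query for a search-domain-suffixed name such as www.google.com.internal and reads the rcode out of the raw reply, so you can see what a forwarder actually answers before Unbound turns it into SERVFAIL. The `.internal` search domain, the server address and the helper names are assumptions; `refused_reply` is a constructed stand-in for a dnsmasq answer, so the parsing can be exercised offline.

```python
import socket
import struct

# DNS rcode values (RFC 1035); 5 = REFUSED is the answer that trips Unbound.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

# Constructed interpretation, following meyergru's description of the interaction.
MEANING = {
    "NXDOMAIN": "forwarder treats the zone as local; normal negative answer",
    "REFUSED": "forwarder does not consider the zone local; Unbound maps this to SERVFAIL and backs off",
}

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal recursion-desired DNS query for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def rcode_of(response: bytes) -> str:
    """Return the symbolic rcode carried in the flags word of a raw DNS response."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    code = flags & 0x000F
    return RCODES.get(code, f"RCODE{code}")

def refused_reply(query: bytes) -> bytes:
    """Constructed sample: echo the question section back with QR=1, RD=1, rcode=REFUSED."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]

def check_forwarder(server: str, name: str, timeout: float = 2.0, port: int = 53) -> str:
    """Live check: send one UDP query to `server` (assumed dnsmasq address) and classify the reply."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return rcode_of(data)

if __name__ == "__main__":
    # Offline demonstration with the constructed REFUSED reply; swap in check_forwarder()
    # against your dnsmasq listener to test the real thing.
    rc = rcode_of(refused_reply(build_query("www.google.com.internal")))
    print(rc, "-", MEANING.get(rc, "no special handling"))
```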


Could anyone please confirm whether the latest release 25.1.8_1 has resolved the issue described by meyergru?  I have reverted back to ISC + Unbound due to this issue and would like to confirm that it's fixed before I change the configuration again.

Thank you!