Kea + Unbound + Bind for local name resolution

[Monviech (Cedrik)]

@Allan

I feel like you ran into this here:
https://github.com/opnsense/plugins/pull/5102

Sounds like an external Bind server might be better, I don't know if this can be reasonably fixed in the plugin.
If your workarounds work, well, that's good though, nice job figuring this all out.

@cinergi

Keeping it simple in your setup sounds indeed like the best plan. The configuration we recommend is this:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Good choice :)

[nero355]

@cinergi

Keeping it simple in your setup sounds indeed like the best plan. The configuration we recommend is this:
https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Good choice :)

Now that you mention it...

Why is this :

So it's dnsmasq --> Unbound.

Not the default setup ?!

When using DNSmasqd for DHCP and DNS it would be a lot more easier for a lot of people if Unbound was not used as the Primary DNS Resolution and instead just for talking to the Root DNS Servers after DNSmasqd sends it a DNS Query made by a Client on a local network.

[Monviech (Cedrik)]

Most users also want to use Unbound statistics or blocklists by subnet and then it would only show Dnsmasq as its only client (127.0.0.1)

Unbound cannot use magic like dnsmasqs "add-subnet" or "add-mac" which extract the real IP address of the client when the request is forwarded by another dns server.

So having Unbound as main entry point has more benefits.

Also the project owner simply calls it "dnsmasq" https://thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

[allan]

I feel like you ran into this here:
https://github.com/opnsense/plugins/pull/5102

Sounds like an external Bind server might be better, I don't know if this can be reasonably fixed in the plugin.
If your workarounds work, well, that's good though, nice job figuring this all out.

Thank you! This is indeed what I am bumping into. I wonder if it is possible to write DDNS changes into a separate zone file. That way, the journal can monitor that file instead.

[tkreagan]

Hi all — I've been following this topic and wanted to share something I built that I think addresses exactly this problem.

**os-kea-ubnd-ddns** is an OPNsense plugin that bridges Kea DHCP → Unbound DNS directly, without Bind. It runs a lightweight RFC 2136 stub listener that receives DNS UPDATE packets from `kea-dhcp-ddns` and applies them to Unbound via `unbound-control` — so you get real-time hostname registration when a lease is issued - no zone files, no journal corruption, no `.jnl` cleanup.

**What it solves from this thread specifically:**

- No Bind required — Unbound stays the primary resolver, so blocklists and per-client analytics work normally
- No journal files or `rndc sync -clean` — Unbound `local_data` is ephemeral and gets rebuilt from Kea on restart
- IPv4 and IPv6 (A, AAAA, PTR) all handled — including dual-stack hosts where the same hostname has both an A and AAAA record
- The "RRset exists" race condition doesn't apply — the listener processes one UPDATE at a time and Unbound's local_data is not authoritative in the RFC 2136 sense

There's also a **Config Check** tab that reads your live Kea config and flags common mistakes (missing trailing dots on zone names, subnets with DDNS disabled, kea-dhcp-ddns listener state) — and a one-click **Configure All Subnets** button that pushes the correct DDNS settings to every subnet automatically.

Tested on OPNsense 26.1 with Kea DHCP4 and DHCP6. Current version is 0.96.

GitHub: https://github.com/tkreagan/os-kea-ubnd-ddns 
Pre-built package on the releases page — `pkg add os-kea-ubnd-ddns-0.96.pkg`, no package repo needed.

Happy to answer questions here but GitHub issues might be easier.