23.1.7_3 dhcp seems to no longer hand out dns and search domains

Started by securid, May 12, 2023, 01:39:50 PM

OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

Since the updates I installed this morning, clients that renew no longer receive settings other than an IP address, subnet mask and default gateway. No DNS servers or search domains seem to get passed on to clients.

I've noticed this behavior on mobile phones, macos clients, linux clients and windows.

I've seen some other issues recently mentioned on the forums, about dynamic dns, unbound restarting.

Perhaps we can add this to the pile of issues ;).

If there's a quick fix I'd love to hear it; for now I'm setting DNS manually.

Thanks.
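The symptom above is that leases come back with only an address, mask and gateway. The quickest way to confirm what the DHCP server is actually handing out is to decode the options field of a captured OFFER/ACK. The decoder below is an added example, not code from the thread or from OPNsense: it extracts option 6 (domain-name-servers), option 15 (domain-name) and option 119 (domain-search, RFC 3397, which uses RFC 1035 label compression). The two option blobs are constructed here for illustration; `GOOD_OFFER` is what a healthy lease looks like and `BAD_OFFER` reproduces the stripped-down lease the poster describes.

```python
"""Decode DNS-related DHCP options from an OFFER/ACK options field.

Added example for this thread, not OPNsense code. The sample option
bytes are constructed; 192.168.1.1 and the search domains are assumptions.
"""
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_DNS, OPT_DOMAIN_NAME, OPT_DOMAIN_SEARCH = 6, 15, 119


def opt(code: int, data: bytes) -> bytes:
    """Encode one TLV option (used only to build the constructed samples)."""
    return bytes([code, len(data)]) + data


def parse_options(blob: bytes) -> dict[int, bytes]:
    """Split a DHCP options field into {code: data}.

    Long options (119 in particular) may be split over several instances
    (RFC 3396), so repeated codes are concatenated in order.
    """
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


def decode_domain_search(data: bytes) -> list[str]:
    """Decode the RFC 1035 compressed label list carried by option 119."""
    names: list[str] = []
    pos = 0
    while pos < len(data):
        labels: list[str] = []
        p, jumped, seen = pos, False, set()
        while True:
            if p >= len(data):
                raise ValueError("name runs past end of option")
            length = data[p]
            if length == 0:                      # end of this name
                if not jumped:
                    pos = p + 1
                break
            if length & 0xC0 == 0xC0:            # compression pointer
                if p + 1 >= len(data):
                    raise ValueError("truncated pointer")
                ptr = ((length & 0x3F) << 8) | data[p + 1]
                if ptr in seen:
                    raise ValueError("pointer loop")
                seen.add(ptr)
                if not jumped:
                    pos = p + 2                  # resume after the pointer
                jumped, p = True, ptr
                continue
            labels.append(data[p + 1 : p + 1 + length].decode("ascii"))
            p += 1 + length
        names.append(".".join(labels))
    return names


def decode_dns_servers(data: bytes) -> list[str]:
    if len(data) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(data[i : i + 4])) for i in range(0, len(data), 4)]


def lease_dns_settings(blob: bytes) -> dict:
    """Return the DNS servers, domain and search list a client would get."""
    opts = parse_options(blob)
    return {
        "dns": decode_dns_servers(opts[OPT_DNS]) if OPT_DNS in opts else [],
        "domain": opts[OPT_DOMAIN_NAME].decode("ascii") if OPT_DOMAIN_NAME in opts else None,
        "search": decode_domain_search(opts[OPT_DOMAIN_SEARCH]) if OPT_DOMAIN_SEARCH in opts else [],
    }


# Constructed samples (assumed addresses). "lab.example" reuses "example"
# from "corp.example" via a pointer to offset 5 of the option data.
_SEARCH = b"\x04corp\x07example\x00" + b"\x03lab\xc0\x05"
_COMMON = opt(1, ipaddress.IPv4Address("255.255.255.0").packed) + opt(3, ipaddress.IPv4Address("192.168.1.1").packed)
GOOD_OFFER = _COMMON + opt(OPT_DNS, ipaddress.IPv4Address("192.168.1.1").packed) + opt(OPT_DOMAIN_NAME, b"lan") + opt(OPT_DOMAIN_SEARCH, _SEARCH) + bytes([OPT_END])
BAD_OFFER = _COMMON + bytes([OPT_END])        # mask and router only, as in the thread

if __name__ == "__main__":
    print("good:", lease_dns_settings(GOOD_OFFER))
    print("bad: ", lease_dns_settings(BAD_OFFER))
```

Feed `lease_dns_settings` the options bytes from a packet capture (everything after the magic cookie `63 82 53 63` in a DHCP packet); an empty `dns` and `search` on a lease is the condition described in the post, independent of what the client OS then shows.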

I'm not so sure anymore if this issue was due to the updates.

I rolled back to 23.1.6 and reverted to a config from a couple of days back. The issue persists.

I reverted another change I made in the Unifi controller, which didn't help (and it shouldn't have; it was unrelated).

I then entered the DNS IP address and search domains in DHCP in OPNsense (which I tried before after the updates) and slowly clients are coming back online.

I have now reverted all the clients manual changes I made to DNS.

I have no idea what is causing this, and it did start after the updates yesterday morning. Obviously OPNsense was the first thing I looked at to blame :) . When I looked into it, it looked like when clients renewed their lease they were losing DNS settings, as if OPNsense wasn't passing that along anymore.

Every client, including STBs, mobile devices and appliances, lost their DNS settings.

Settings are still in place even though they shouldn't have to be. I might remove them later today to see what happens.

Are you using AdGuard plugin? Possibly AdGuard running on port 53? Or something else out of the ordinary running on port 53 other than Dnsmasq/Unbound?


Cheers,
Franco

Yes, nextdns actually.

Unbound runs on 5353. Nextdns listens on 53 and has forwarders for my internal domains to localhost:5353. I've been using this setup for years now, first on pfsense and more recently on opnsense.


Quote from: franco on May 13, 2023, 09:37:05 AM
Are you using AdGuard plugin? Possibly AdGuard running on port 53? Or something else out of the ordinary running on port 53 other than Dnsmasq/Unbound?


Cheers,
Franco

I'd love to hear your thoughts as to you why you'd ask.

Even though DNS is working fine and I was able to confirm that my clients weren't picking up DNS and search domain info after a lease renewal, I guess it could be that something else has changed and my setup no longer works as I expect?

I actually prefer unbound as primary DNS resolver, but when I set up split DNS with unbound, the NextDNS cloud portal showed only a single device for all DNS queries (i.e., opnsense).

With the nextdns local service, it logs the client name (hostname) for each query which makes it really easy to troubleshoot why a webpage or redirect isn't working. With all queries coming from opnsense, there's no telling as there can be hundreds of queries per minute or even per second sometimes.

A quick search and you would have found https://forum.opnsense.org/index.php?topic=33661.0

Short version - you'll need to set manually until the DNS plugin you are using is updated to properly register/announce itself on port 53.



Who is building a plugin for NextDNS? Maybe I'm misreading the upstream report, but want to stress the point that we talk about a hard requirement of a plugin for OPNsense, not just fixing upstream software (it doesn't care and that's good).

FWIW, I would encourage authors of plugins to try and contribute to the official plugins repository so that way I could have changed it up front without any visible breakage. ;)


Cheers,
Franco

Quote from: franco on May 14, 2023, 09:31:37 PM
Who is building a plugin for NextDNS? Maybe I'm misreading the upstream report, but want to stress the point that we talk about a hard requirement of a plugin for OPNsense, not just fixing upstream software (it doesn't care and that's good).

FWIW, I would encourage authors of plugins to try and contribute to the official plugins repository so that way I could have changed it up front without any visible breakage. ;)


Cheers,
Franco

No one, I think. Nextdns-cli isn't actually a plugin; it's a small application (nextdns-cli) that can be installed by calling an installer script.

I made the report hoping the Nextdns-cli devs could have a look at it. I don't think they are aware OPNsense made this change.

Ok, my point is they do not need to be aware.

Though it would be practical if at least a service definition for nextdns would exist that could either extract the port from its configuration or just statically set the port being used so that OPNsense knows it can rely on port 53 when no other known DNS service is using it.


Cheers,
Franco
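The behaviour Franco describes is a dependency between the DHCP server's DNS announcement and what OPNsense knows is listening on port 53. The script below is an added example, not OPNsense's own code, and its decision rule is a simplified model of that explanation (an assumption): explicitly configured DHCP DNS servers always win; otherwise the firewall advertises its own LAN address only when a known resolver (Unbound or Dnsmasq) owns port 53; an unrecognised daemon on 53, such as nextdns-cli, results in no DNS being offered. It parses the output of `sockstat -4l`, the FreeBSD tool OPNsense ships; the sample output, the LAN address 192.168.1.1 and the PIDs are constructed to mirror the poster's setup.

```python
"""Model of the port-53 check this thread discusses.

Added example, not OPNsense code. The decision rule is an assumption
drawn from Franco's explanation; the sockstat output is constructed.
"""
import re

# Resolvers OPNsense has a service definition for (assumption for this model).
KNOWN_RESOLVERS = frozenset({"unbound", "dnsmasq"})

# Constructed `sockstat -4l` output: Unbound on 5353, nextdns on 53.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    4210  5  udp4   127.0.0.1:5353        *:*
unbound  unbound    4210  6  tcp4   127.0.0.1:5353        *:*
root     nextdns    4388  8  udp4   *:53                  *:*
root     nextdns    4388  9  tcp4   *:53                  *:*
root     dhcpd      4501  7  udp4   *:67                  *:*
"""


def listeners_on_port(sockstat_text: str, port: int) -> set[str]:
    """Return the COMMAND names bound to `port` in sockstat -l output."""
    names: set[str] = set()
    for line in sockstat_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        command, local = fields[1], fields[5]
        m = re.match(r"^(.*):(\d+)$", local)         # "*:53", "127.0.0.1:5353"
        if m and int(m.group(2)) == port:
            names.add(command)
    return names


def dhcp_dns_to_offer(configured_dns, lan_ip: str, sockstat_text: str,
                      known=KNOWN_RESOLVERS) -> list[str]:
    """DNS servers the DHCP server would hand out under the modelled rule."""
    if configured_dns:                               # manual entry in the DHCP range
        return list(configured_dns)
    if listeners_on_port(sockstat_text, 53) & known:  # a recognised resolver on :53
        return [lan_ip]
    return []                                        # unknown daemon on :53 -> nothing


if __name__ == "__main__":
    print("on :53  ->", listeners_on_port(SOCKSTAT_SAMPLE, 53))
    print("offered ->", dhcp_dns_to_offer([], "192.168.1.1", SOCKSTAT_SAMPLE))
    print("manual  ->", dhcp_dns_to_offer(["192.168.1.1"], "192.168.1.1", SOCKSTAT_SAMPLE))
```

Run `sockstat -4l -p 53` on the firewall itself to see the real listener; the two workarounds in the thread correspond to the two branches that return an address: entering the DNS server manually in the DHCP range, or having the daemon on port 53 be one OPNsense recognises.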