unbound cannot resolve dns entries from LAN ISC DHCP Lease when they are offline

[ralfonat]

heya,

I really love opnsense, but sometimes it can be quite confusing to find info.

I have my LAN interface setup to serve IPs via ISC DHCP and to register new leases with dns (unbound).

But whenever devices go offline, they seem to vanish from unbound. Is this per definition? Can I deactivate this? I want the dns entries to stay as long as the dhcp lease is still not expired.

Please help me to help myself:

Where can I verify that the entries are in fact removed from unbound, where can I see the current dns list?

If it is actually removed, where should I go look for these "unregister" messages in unbound?

Where can I change settings as to keep DNS?

Many thanks!

BTW: Using OPNsense 24.1.8-amd64.

If theres anything else I should post please advise. Thanks!

[meyergru]

I would guess that this happens only if ISC DHCP releases the lease. Unexpired leases are kept in /var/unbound/dhcpleases.conf, if you enable "Register ISC DHCP4 Leases".

This expiry should occur automatically when the DHCP lease expires or if it is explicitely released by a DHCPRELEASE. Windows can be configured to do this, I do not know what the default is.

If you want to keep those DNS names active, create a static DHCP mapping and enable "Register ISC DHCP Static Mappings" in Unbound (those can be found in /var/unbound/host_entries.conf).

[ralfonat]

hey meyergru,

thanks!

so opnsense /ui/dhcpv4/leases shows 29 entries

and
@opnpx:/var/unbound # cat dhcpleases.conf | sort | cut -d":" -f1 | uniq -c
  22 local-data-ptr
  22 local-data

so 7 missing. Is there a command to re-register them?

[meyergru]

That alone does not say that something is off: You can have DHCP leases with no hostname - I gues those would not be registered in DNS. IDK of a command to re-register.

[ralfonat]

thanks for your help. I thought this was maybe a hiccup, but this keeps happening. Every configuration I have that relies on a FQDN continually breaks...

So I made a small script to detect the missing items:

Code: [Select]

#!/usr/local/bin/bash

IP_HOSTNAMES=$(awk '/lease / {ip=$2} /client-hostname/ {print ip, $2}' /var/dhcpd/var/db/dhcpd.leases | tr -d '";')
COUNT=0

while IFS= read -r line; do
  HOST=$(echo $line | cut -f2 -d' ')
  grep $HOST /var/unbound/dhcpleases.conf >/dev/null || {
    echo "$HOST is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf"
  }
  COUNT=$(($COUNT+1))
done <<< "$IP_HOSTNAMES"

echo "---"
echo "$COUNT total records in dhcpd//dhcpd.leases"


this is the output:

Code: [Select]

./unbound_dhcp_check.sh
RS is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
LGwebOSTV is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
PX-i7 is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
LGwebOSTV is in dhcpd//dhcpd.leases but not found in unbound/dhcpleases.conf
---
24 total records in dhcpd//dhcpd.leases
Is there any simple way to find out whats wrong?

Do I have to make a script to patch unbound continually? I don't know a command to re-register dhcp leases into unbound...

Many thanks in advance for your help.

[doktornotor]

Not really sure what are you "fixing" here? The client can decide whether to DHCPRELEASE or not, e.g. on shutdown. Why should a client that explicitly relinquished its lease have a DNS entry created via DHCP? Make the leases static if you want the records to be persistent, as noted above. Or configure the clients to not do it.

https://datatracker.ietf.org/doc/html/rfc2131#section-3.2

Code: [Select]

4. The client may choose to relinquish its lease on a network
      address by sending a DHCPRELEASE message to the server.  The
      client identifies the lease to be released with its
      'client identifier', or 'chaddr' and network address in the
      DHCPRELEASE message.

      Note that in this case, where the client retains its network
      address locally, the client will not normally relinquish its
      lease during a graceful shutdown.  Only in the case where the
      client explicitly needs to relinquish its lease, e.g., the client
      is about to be moved to a different subnet, will the client send
      a DHCPRELEASE message.


[ralfonat]

my clients are not releasing anything. the leases are still there in opnsense. (see also script output) It seems non-sensical to me to give every single client a static lease.

I have never had to do this with any other dhcp server whether win or *nix.

Also to make this extra clear: the LGwebOSTV client is/was connected and active, still was not in unbound database...

My browser extension couldn't connect as the FQDN dns lookup failed..

[doktornotor]

It seems non-sensical to me to give every single client a static lease. I have never had to do this with any other dhcp server whether win or *nix.

Yeah, neither do we. We do it for clients that are supposed to be in DNS permanently and not change their IPs - which certainly is not every single piece of random equipment out there sending out its hostname that's supposed to be trusted by DNS. The whole "feature" is a hack, not something integrated in Unbound and ISC DHCP (unlike Windows AD, now that you've mentioned it)

Related: this "feature" is currently missing altogether in Kea DHCP... https://github.com/opnsense/core/issues/7475

[ralfonat]

Yeah, neither do we. We do it for clients that are supposed to be in DNS permanently and not change their IPs - which certainly is not every single piece of random equipment out there sending out its hostname that's supposed to be trusted by DNS. The whole "feature" is a hack, not something integrated in Unbound and ISC DHCP (unlike Windows AD, now that you've mentioned it)

Related: this "feature" is currently missing altogether in Kea DHCP... https://github.com/opnsense/core/issues/7475

Just so I understand correctly, who is 'we' in this context? OPNsense devs?

Anyways, just to reiterate, I do not care what IP address my clients have, I just want to be able to ping/connect/whatever them by their hostname. Shouldn't be a too radical thing to do?

I thought that if the feature to register those DHCP leases in DNS is enabled that it would magically just work.

So are you saying this is not a real feature and only works sometimes? Maybe it would be best to include that in the description.

Also if that is the case, again my question: can I patch it up with my script? I would only need to know how to send unbound registrations manually. Or do I append to the unbound/dhcpleases.conf and send a SIGHUP?

Maybe this is not something others find useful, but again I would love to have the feature simply work, even with a patch script in crontab rather than having to manually go and assign static leases just because I want to VNC to a PC via its hostname.

Thanks again for any help in advance.

[doktornotor]

I'm not a developer.

As said, that functionality does not exist in Unbound nor in ISC DHCP / Kea for that matter. For fixing your trouble, see /usr/local/opnsense/scripts/dhcp/unbound_watcher.py (and related scripts in that directory) and find out why it doesn't work for you. Daisy-chaining scripting hacks won't make it work better.

[ralfonat]

thanks for pointing out the script, I will try and fix it from here.