Unbound and new WAN IPv6 suffix

Started by JasMan, February 07, 2025, 05:18:52 PM

Hi,

I've configured static DHCPv6 leases for some of my IoT devices to be able to resolve the DNS name to their IPv6 address in my LAN.

When my provider gives me a new IPv6 suffix DHCPv6 distributes the new suffix to all clients correctly.
But Unbound does not update the DNS AAAA records with the new suffix. Unbound resolves the names to the previous IPv6 addresses until I restart Unbound.

I'm sure that this behaviour was already discussed in the past. But I can't find the discussion in the forum.

Have I missed a setting to force Unbound to reload when the WAN IP changes? Or what would be the best way to solve my little issue?

Jas
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose

February 07, 2025, 05:54:29 PM #1 Last Edit: February 07, 2025, 05:57:37 PM by meyergru
Essentially, you have two cases where you want IPv6 devices to be reachable by name:

1. From outside of your LAN. This means that with dynamic IPv6 prefixes, you will have to update some DNS entries via dynamic DNS. Also, these DNS names cannot be used in order to create firewall rules. Therefore, you need "Dynamic IPv6 Host" firewall aliases on top. Those are, BTW, easier to manage via SLAAC than by DHCPv6, and also not all devices even support DHCPv6, e.g. Android.
If ever possible, I would use a reverse proxy like Caddy, HAproxy or Nginx to make services available - in that case, they could use IPv4 addresses on the LAN as well.

2. From inside of your LAN(s). In such cases, you probably do not need any firewall rules. However, as you have seen, unbound must be restarted to reload the static reservations. If it is internal DNS, I would just use ULA addressing - and guess what, this will work alongside GUA addresses only with SLAAC, because DHCPv6 can only advertise one prefix. With ULA, you can also have static addresses within your LAN(s) and you do not have to worry about the changing prefix any more. I do not bother to do that, as all of my internal addressing is using IPv4 only.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Good contribution! I hadn't thought about the ULA addresses before. But indeed, this could solve my problem. I'll have to think about whether it fits my LAN.

Thank you very much!

There's a script in OPNsense called "unbound_watcher.py" which should update DNS records if a DHCP lease has changed.
But it seems that it monitors dynamic DHCP leases only and no static lease or IPv6 prefix changes.

To solve my "issue" I added a Unbound restart command to my monit script which monitors the WAN IP addresses of my appliance.
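As an added example of the approach described in the post above (this is not JasMan's monit script and not OPNsense's own code), the following POSIX shell script records the WAN /64 prefix in a state file and restarts Unbound only when that prefix actually changes, so the static DHCPv6 reservations start resolving to the new addresses without a manual restart. The WAN interface name `igc0`, the state file path under `/var/run` and `configctl unbound restart` as the restart command are assumptions, not taken from the thread.

```sh
#!/bin/sh
# Added example, not from the thread or from OPNsense: restart Unbound when the
# WAN IPv6 /64 prefix changes, so static DHCPv6 reservations resolve to the new
# prefix without waiting for a manual restart.
# Assumptions (not stated in the thread): WAN interface "igc0", state file under
# /var/run, and "configctl unbound restart" as the restart command.

WAN_IF="${WAN_IF:-igc0}"
STATE_FILE="${STATE_FILE:-/var/run/wan_ipv6_prefix}"
RESTART_CMD="${RESTART_CMD:-configctl unbound restart}"

# Print the /64 prefix (first four hextets, zero-expanded, leading zeros
# dropped) of an IPv6 address.  Handles "::" compression, a trailing
# "/prefixlen" and a "%zone" suffix, so two spellings of the same prefix
# compare equal.
ipv6_prefix64() {
    printf '%s\n' "$1" | awk '{
        a = tolower($0)
        sub(/%.*$/, "", a)                 # drop zone id (fe80::1%igc0)
        sub(/\/.*$/, "", a)                 # drop /prefixlen
        n = split(a, h, ":")               # "::" produces empty fields
        real = 0
        for (i = 1; i <= n; i++) if (h[i] != "") real++
        k = 0; gap = 0
        for (i = 1; i <= n && k < 8; i++) {
            if (h[i] != "") { full[++k] = h[i]; continue }
            if (gap) continue              # second empty field of the same "::"
            gap = 1
            for (j = 0; j < 8 - real && k < 8; j++) full[++k] = "0"
        }
        for (i = 1; i <= 4; i++) {
            sub(/^0+/, "", full[i])
            if (full[i] == "") full[i] = "0"
        }
        printf "%s:%s:%s:%s\n", full[1], full[2], full[3], full[4]
    }'
}

# First global-scope (2000::/3) IPv6 address on an interface.  FreeBSD ifconfig
# prints lines like "inet6 2001:db8::1 prefixlen 64 ...".
wan_ipv6() {
    ifconfig "$1" inet6 2>/dev/null | awk '$1 == "inet6" && $2 ~ /^[23]/ { print $2; exit }'
}

# Compare the current prefix with the one saved in the state file and update
# the file.  Returns 0 when the prefix changed (or nothing was saved yet),
# 1 when it is unchanged.  A new suffix under the same prefix is "unchanged".
prefix_changed() {   # $1 = current IPv6 address, $2 = state file
    cur=$(ipv6_prefix64 "$1")
    old=""
    [ -r "$2" ] && old=$(cat "$2")
    printf '%s\n' "$cur" > "$2"
    [ "$cur" != "$old" ]
}

# Entry point for monit or cron: read the WAN address, restart Unbound on change.
check_wan() {
    addr=$(wan_ipv6 "$WAN_IF")
    if [ -z "$addr" ]; then
        echo "no global IPv6 address on $WAN_IF" >&2
        return 2
    fi
    if prefix_changed "$addr" "$STATE_FILE"; then
        echo "WAN IPv6 prefix changed to $(cat "$STATE_FILE"); restarting Unbound"
        $RESTART_CMD
    fi
}

# Only act when invoked as "script.sh check"; running it without arguments
# just defines the functions.
[ "${1:-}" = "check" ] && check_wan
```

Run it as `script.sh check` from a monit `check program` stanza or from cron every few minutes. Because only the /64 prefix is compared, a poll that sees the same prefix with a different interface identifier does not restart Unbound, so clients keep their cached answers until the provider really hands out a new prefix.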

How can one define a static lease respecting prefix changes in OPNsense?

The answer is in the help text: "When using a dynamic WAN address, only enter the suffix part (i.e. ::1:2:3:4)."