26.1.6 - DNS/DHCP best practice

[Monviech (Cedrik)]

I read this thread and I still don't understand few things.


I use Unbound as DNS and don't want to change to Dnsmasq.

I'm all in favor to drop ISC DHCP and migrate to Kea but I need Router Advertisement support for IPV6.

What are my options ?

That is easy, you use:
- Services/Unbound DNS
- Services/Kea DHCPv4
- Services/Router Advertisements

[Patrick M. Hausen]

You don't need a DHCP server for RA. That is covered by the router advertisement service.

[franco]

See https://docs.opnsense.org/manual/dhcp.html

[bugacha]

I read this thread and I still don't understand few things.


I use Unbound as DNS and don't want to change to Dnsmasq.

I'm all in favor to drop ISC DHCP and migrate to Kea but I need Router Advertisement support for IPV6.

What are my options ?

That is easy, you use:
- Services/Unbound DNS
- Services/Kea DHCPv4
- Services/Router Advertisements

Apologies, I also use DHCPv6 and RA runs in Assisted mode today.

It's a standard setup, I get IPV6 prefix from ISP and I use DHCPv6 to assign IPs from one of the subnets.

[Monviech (Cedrik)]

Here is an updated technical overview of IPv6 in OPNsense:

https://docs.opnsense.org/manual/ipv6.html

[Unspec]

Wait, so for Dnsmasq DHCP, are we not supposed to rely on radvd anymore and instead need to use the Dnsqmasq RA function?

[Monviech (Cedrik)]

No, you can mix and match these services however you want.

You can also mix dnsmasq dhcpv6 with radvd.

[Unspec]

No, you can mix and match these services however you want.

You can also mix dnsmasq dhcpv6 with radvd.

Yep, figured that out after some testing.

Unbound lookups for local hostnames is pretty broken for DHCP reservations though (https://github.com/opnsense/core/issues/8612). dnsmasq is definitely not ready for the limelight yet, at least not in opnsense.

[Monviech (Cedrik)]

I would not say its broken, I would say now that it is released there are more testers that find out all the edge cases that can still be improved.

Thanks for reporting something :)

[Unspec]

I would not say its broken, I would say now that it is released there are more testers that find out all the edge cases that can still be improved.

Thanks for reporting something :)

Seems like a different way of saying it's broken :)

Overall, since switching, my DNS queries for local services have been extremely flakey - it almost feels like dnsmasq is crumpling under pressure or something with unbound blasting it lookup requests.

I have cache for dnsmasq disabled since it seems unnecessary (it's all local lookups anyhow), don't know if that's what killing dnsmasq. In theory it shouldn't be since unbound has its own cache, but given how strange things are with dnsmasq, who knows.

[Monviech (Cedrik)]

You should try to find out where your dns queries get stuck.

I think Unbound does not cache queries it forwards to other DNS servers, and Dnsmasq should not need to cache its own DNS entries because they are static.

I'm just a bit surprised because I run dnsmasq fully features like in the docs since 2 months now and did not experience anything strange. Though I also do not query local services quite as much as you might do. So saying its broken is kinda not true.

Maybe our setups are quite different.

[julsssark]

I've been happy with KEA but I am looking forward to trying out dnsmasq with IPv4. I read the OPNsense dnsmasq docs and the examples are really helpful. However, it is not clear how to setup a subnet that has only DHCP reservations and no dynamic addresses. I assume I set up a subnet and create Hosts entries for the reservations. I setup the subnet with mode=static but starting address is a required field. What should the starting address be? I tried to enter the subnet in CIDR format but it wants an actual address.

[gstyle]

One question regarding DHCPv6 and RA.

In my LAN interface I track my WAN interface for IPv6 and just define a prefix for my 56-subnet I get from my provider.
If I then do not select the manual configuration (Allow manual adjustment of DHCPv6 and Router Advertisements).

What are then the defaults for DHCPv6 and RA?
My challenge is that, when the "manual configuration" is not ticked, I do not even see the Service->RA or the Service->ISC-DHCPv6 settings showing up.

[Monviech (Cedrik)]

I've been happy with KEA but I am looking forward to trying out dnsmasq with IPv4. I read the OPNsense dnsmasq docs and the examples are really helpful. However, it is not clear how to setup a subnet that has only DHCP reservations and no dynamic addresses. I assume I set up a subnet and create Hosts entries for the reservations. I setup the subnet with mode=static but starting address is a required field. What should the starting address be? I tried to enter the subnet in CIDR format but it wants an actual address.

The starting address can be anything from which point on you want to supply addresses. It cannot be a range or a subnet.

E.g. if your network is 192.168.1.0/24 and you want to supply addresses from 192.168.1.100 on, that is your starting address for the static pool.

[Monviech (Cedrik)]

One question regarding DHCPv6 and RA.

In my LAN interface I track my WAN interface for IPv6 and just define a prefix for my 56-subnet I get from my provider.
If I then do not select the manual configuration (Allow manual adjustment of DHCPv6 and Router Advertisements).

What are then the defaults for DHCPv6 and RA?
My challenge is that, when the "manual configuration" is not ticked, I do not even see the Service->RA or the Service->ISC-DHCPv6 settings showing up.

I have set up RA like this with dnsmasq:

Interfaces: LAN
IPv6 Configuration: Track Interface

Services -> Router Advertisements -> LAN
Router Advertisements - Disabled

Then in Dnsmasq it is just like this:

https://docs.opnsense.org/manual/dnsmasq.html#dhcpv6-and-router-advertisements