25.1.6 - DNS/DHCP best practice

Started by gstyle, May 08, 2025, 03:51:39 PM

The dnsmasq upstream documentation states the expected setup size without issues is 1000 clients, and with some tweaks a bit higher because they are conservative.

Though I would choose KEA if it's a big school with lots of clients.
Hardware:
DEC740

KEA + HA.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Still Kea is missing most of the IANA DHCP options at this time - at least in the GUI. There are some that are needed, like WPAD or vendor option 43 for Unifi. Also, some others for VoIP. You cannot "add" them via add-on config files, like with ISC DHCP, but only create your own, "full" manual configuration.

ISC DHCP and DNSmasq offer those in OpnSense, via the GUI.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: kasper93 on May 12, 2025, 02:54:32 AM
Quote from: Unspec on May 09, 2025, 09:31:49 PM
I believe it's unbound because when running a nslookup on my windows machine to a host that is in unbound's overrides, it times out twice before finally succeeding, suggesting unbound is choking on...something because it's a local lookup to unbound.

I'm seeing the same thing. I think the current documentation is incomplete in the way of setting up this unbound to dnsmasq forward. And in fact I don't even see how it's supposed to work in practice. Symptoms are like @Unspec described, timeouts and generally instability; it sometimes works, other times does not. It queries unbound multiple times, also with host.lan.internal.lan.internal.

If you think about it, unless I'm missing something it is lucky it even manages to return anything sometimes, breaking recursion.

If dnsmasq DNS is set on an alternative port, it will forward queries back to unbound, which is the main DNS server. Unbound then sees that this query should be forwarded (back) to dnsmasq, which asks unbound again... and we get infinite recursion. I hope I missed something in the configuration, because as it stands now it hardly can work like that.

I'm still confused about this one. Can someone explain how an infinite recursion of DNS resolution between unbound and dnsmasq should be prevented?

By doing it like so:

1. Unbound is your main DNS resolver. It either resolves internet DNS by itself, working as a resolving DNS, or you configure it to use an upstream server, like 8.8.8.8 via normal DNS or DNS-over-TLS. You also tell it to "Do not forward private reverse lookups". The important part is that you instruct it to forward specific domains, namely your private domains, to 127.0.0.1:53053. This includes the reverse domains, say "168.192.in-addr.arpa".

2. You configure DNSmasq to run on port 53053 and set it up to resolve your internal domains; it will use the system name servers as upstream servers. These do not even have to use 127.0.0.1 (Unbound).

Thus, regular queries go to Unbound first and are either forwarded to DNSmasq (if they match forwarded domains) or resolved by Unbound.
Because the forwarded, local domains can be resolved by DNSmasq, you will either get an IP or an NXDOMAIN. And since DNSmasq is only ever asked for internal domains (by Unbound only), its upstream server will never get used, even if it is Unbound by accident.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
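To make the forwarding logic concrete, here is an added model (not OPNsense's, Unbound's or dnsmasq's code) of the two daemons as described above: Unbound forwards the private zones to dnsmasq on 53053, dnsmasq answers them from its own data and never forwards them, so its upstream is never reached even when that upstream is Unbound. With `local_zones=()` it also reproduces the loop kasper93 described when dnsmasq is not authoritative for the forwarded domains. The lease table, zone names and the 203.0.113.10 address are constructed.

```python
from dataclasses import dataclass

MAX_HOPS = 8  # constructed guard: a forwarding loop fails loudly instead of hanging

def in_zone(qname: str, zone: str) -> bool:
    """True if qname equals zone or lies beneath it (case-insensitive)."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)

@dataclass
class Dnsmasq:
    """dnsmasq on port 53053: local=/zone/ entries plus the system resolver as upstream."""
    local_zones: list
    records: dict            # constructed: names learned from DHCP leases / hosts
    upstream: object = None  # set to the Unbound instance below ("by accident")
    def resolve(self, qname: str, hops: int = 0) -> str:
        if hops > MAX_HOPS:
            raise RecursionError(qname)
        if qname in self.records:
            return self.records[qname]
        if any(in_zone(qname, z) for z in self.local_zones):
            return "NXDOMAIN"  # local=/zone/: answer authoritatively, never forward
        return self.upstream.resolve(qname, hops + 1)  # anything else goes upstream

@dataclass
class Unbound:
    """Unbound on port 53: forward-zone stanzas for private domains, recursion for the rest."""
    forward_zones: dict      # zone -> Dnsmasq
    internet: dict           # constructed stand-in for recursive resolution
    def resolve(self, qname: str, hops: int = 0) -> str:
        if hops > MAX_HOPS:
            raise RecursionError(qname)
        for zone, target in self.forward_zones.items():
            if in_zone(qname, zone):
                return target.resolve(qname, hops + 1)
        return self.internet.get(qname, "NXDOMAIN")

def lookup(qname: str, local_zones=("lan.internal", "168.192.in-addr.arpa")) -> str:
    """Wire both daemons as described and resolve one name; local_zones=() models
    dnsmasq not being authoritative for the domains Unbound forwards to it."""
    leases = {"printer.lan.internal": "192.168.1.20",
              "20.1.168.192.in-addr.arpa": "printer.lan.internal"}
    dm = Dnsmasq(list(local_zones), leases)
    ub = Unbound({"lan.internal": dm, "168.192.in-addr.arpa": dm},
                 {"example.com": "203.0.113.10"})  # constructed TEST-NET-3 address
    dm.upstream = ub
    try:
        return ub.resolve(qname)
    except RecursionError:
        return "LOOP"
```

A name that dnsmasq knows still resolves in the misconfigured case, which is why the broken setup "sometimes works"; only unknown names under the forwarded zones bounce between the two daemons.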

Quote from: meyergru on May 20, 2025, 02:13:13 PM
By doing it like so:

1. Unbound is your main DNS resolver. It either resolves internet DNS by itself, working as a resolving DNS, or you configure it to use an upstream server, like 8.8.8.8 via normal DNS or DNS-over-TLS. You also tell it to "Do not forward private reverse lookups". The important part is that you instruct it to forward specific domains, namely your private domains, to 127.0.0.1:53053. This includes the reverse domains, say "168.192.in-addr.arpa".

2. You configure DNSmasq to run on port 53053 and set it up to resolve your internal domains; it will use the system name servers as upstream servers. These do not even have to use 127.0.0.1 (Unbound).

Thus, regular queries go to Unbound first and are either forwarded to DNSmasq (if they match forwarded domains) or resolved by Unbound.
Because the forwarded, local domains can be resolved by DNSmasq, you will either get an IP or an NXDOMAIN. And since DNSmasq is only ever asked for internal domains (by Unbound only), its upstream server will never get used, even if it is Unbound by accident.

I've been watching this thinking how I'll be going when the time comes. So far I'm settled on continuing how I am i.e. ISC + Unbound (no IPv6).
This succinct overview is very helpful, should make it to the docs. Thanks @meyergru for such a good explanation.

Great explanation, many thanks @meyergru.

One thing I can't find for Unbound is:

Quote from: meyergru on May 20, 2025, 02:13:13 PM
You also tell it to "Do not forward private reverse lookups".

Please tell me where this setting is.

Sorry, I meant on DNSmasqs "general" tab.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 21, 2025, 11:52:41 AM #83 Last Edit: May 22, 2025, 12:03:11 PM by Ground_0 Reason: details
Quote from: meyergru on May 20, 2025, 02:13:13 PM
By doing it like so:

This includes the reverse domains, say "168.192.in-addr.arpa".
Here's a stupid question (from a not-so-smart-person).
This is one point that the documentation is not completely clear about. I realize that in-addr.arpa is a domain associated with reverse lookups, but are you (and the documentation) offering it as a theoretical example, or should one actually enter it verbatim according to the docs?
For instance, the docs suggest using 1.168.192.in-addr.arpa as well as lan.internal.
I have been using the name of my actual local domain in these fields.
So are in-addr.arpa and/or lan.internal actually recognized by OPNsense as "the local, internal network"?
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

OpnSense does not "recognize" those in that they do anything special with them, Deciso just follows the standards in their recommendations.
The DNS software underlying OpnSense will do so as well. So, if you follow these recommendations, it will most probably work.

The .arpa TLD explicitly has in-addr.arpa defined for the purpose of reverse lookups (just google it). Thus, this is a standard. However, which sub-domain you delegate is mainly dependent on what RFC1918 subnets you use. You can also delegate to 168.192.in-addr.arpa if you use multiple /24 subnets or 2.168.192.in-addr.arpa if you use only 192.168.2.0/24.

The ".internal" TLD is a DNS TLD that has been recommended by IANA, but is not yet approved, so you can use it for your own VLAN subdomains. Formerly, .home.arpa was often used for such purposes.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 21, 2025, 02:02:54 PM #85 Last Edit: May 21, 2025, 02:06:45 PM by Ground_0
Quote from: meyergru on May 21, 2025, 12:44:57 PM
OpnSense does not "recognize" those in that they do anything special with them, Deciso just follows the standards in their recommendations.
The DNS software underlying OpnSense will do so as well. So, if you follow these recommendations, it will most probably work.

The .arpa TLD explicitly has in-addr.arpa defined for the purpose of reverse lookups (just google it). Thus, this is a standard. However, which sub-domain you delegate is mainly dependent on what RFC1918 subnets you use. You can also delegate to 168.192.in-addr.arpa if you use multiple /24 subnets or 2.168.192.in-addr.arpa if you use only 192.168.2.0/24.
Thank you, this is very clear to me now.
Quote
The ".internal" TLD is a DNS TLD that has been recommended by IANA, but is not yet approved, so you can use it for your own VLAN subdomains. Formerly, .home.arpa was often used for such purposes.

Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

You can use any domain you like, even .com, if you accept that this masks "real" .com domains.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote
Ok, I find myself confused about this, again.
If I have no VLANs and I am simply using the OPNsense default ".localdomain" for my LAN, would you recommend I be using .localdomain or lan.internal?
You can use either of the two... both will work.

May 21, 2025, 05:10:04 PM #88 Last Edit: May 21, 2025, 05:19:42 PM by Ground_0
Thank you meyergru and gspannu for the straightforward answers, they help immensely for my style of connecting the dots.
And, thank you for your patience; I do realize I don't really belong here and I appreciate your kind assistance.
Although I can gather facts and knowledge, I freely admit that I lack the level of intelligence for a deep insight into networking.
Trying not to be a help vampire.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Quote from: Ground_0 on May 21, 2025, 05:10:04 PM
Thank you meyergru and gspannu for the straightforward answers, they help immensely for my style of connecting the dots.
And, thank you for your patience; I do realize I don't really belong here and I appreciate your kind assistance.
Although I can gather facts and knowledge, I freely admit that I lack the level of intelligence for a deep insight into networking.
Trying not to be a help vampire.

Anyone who uses OPNsense belongs here... let no one make you think otherwise!