25.1.6 - DNS/DHCP best practice

[gstyle]

Hi everybody,

honestly I am now a bit confused and need some advice.

In the past I was using unbound for DNS and ISC DHPC for DHCP.
I defined private IPV4 subnets in ISC-DHCP for my vlans.

For IPV6 i set DHCPv6 in my WAN interface (PPPOE - Deutsche Telekom) and in my LAN interfaces just tracked the WAN and set a prefix id.

Some time then, I switched to KEA for DHCPv4 (as it was supposed to be the new standard). Created my subnets there, set fixed IPs etc.

Now with Kea IPv6 and also everything in DNSMASQ: Which is the preferred setup?

Is it only DNSMASQ instead of ISC + KEA + UNBOUND?

[franco]

The goal for 25.7: Dnsmasq DHCP/RA for small and medium deployments and Kea/Router Advertisements (radvd) for bigger deployments (requiring seamless HA support).

The docs are in the works, but we also need a bit more code glue for 25.7 and 26.1 to make the most of these transitions.

But TLDR: nothing changes for users. Anyone can use what they want. Even ISC for the forseeable future (2-5 years).


Cheers,
Franco

[yeraycito]

Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers. Some time ago, Kea DHCP was included in Opnsense because, as they said, ISC DHCP was abandoned and Kea was its replacement. However, that inclusion was partial and is resolved today by including Kea DHCPv6, which would complete the migration. But it turns out that now Kea DHCP is also not valid, and in the near future, Dnsmasq DHCP will be used by default. The bottom line is that users no longer know what to expect on an issue that isn't even that complicated.

[franco]

> Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers.

That's unfair and untrue.  ISC discontinued DHCPD and left everyone with Kea, but it's not as good as DHCPD still is.  Period.


Cheers,
Franco

[Monviech (Cedrik)]

The docs are up to date with suggestions and setup examples:

https://docs.opnsense.org/manual/dhcp.html

https://docs.opnsense.org/manual/dnsmasq.html

[gstyle]

OK, so this would mean before changing my setup waiting for 25.7. correct?

So if I understand right, then DNS would be still Unbound on port 53 and DNSMASQ on another port to answer queries for local hostnames?

And regarding ISC: I can dissable ISC for IPv4. But how does this work for IPv6? Can only view the leases there but find no further options.

[Monviech (Cedrik)]

You can still run your current setup for a while there is no immediate need to change it.

It's correct that you would run dnsmasq and Unbound at the same time on different ports. That's whats described in the setup example in the documentation.

[gstyle]

OK thanks.
And just one (I think now rather stupid question).
I was always thinking, I am running a DHCPv6 server on my Opnsense.
But after a short ChatGPT consultation, I think I understood now that without the manual IPv6 configuration of the interface, I am only using router advertisement and the clients are using SLAAC to generate their IP. Is this correct?
This would explain why I cannot deactivate it and the only menu option below ISC DHCPv6 are the "Leases".

If I understood this right, I can ignore DHCPv6 in my current setup....?

[Monviech (Cedrik)]

In the most basic IPv6 setup you only need Router Advertisements, these will allow your clients to generate a SLAAC address, the default gateway, and you can also get a DNS server option.

DHCPv6 is when you want to hand specific addresses and options to the clients that RA cannot do.

So for you probably only RA is important.

[gspannu]

> Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers.

That's unfair and untrue.  ISC discontinued DHCPD and left everyone with Kea, but it's not as good as DHCPD still is.  Period.


Cheers,
Franco

100% agree with Franco.

The comment "Unclear and contradictory ideas in the management of DHCP in Opnsense by the developers" is not justified and rude to the development team.

The dev team tries very hard to support both personal users & large users - and each has different requirements.

ISC discontinued DHCPD; and a good choice at that time was Kea.
However, Kea is not very well suited for smaller users; and neither did Kea really develop into a full fledged dnsmasq alternative.

What we have today is a plethora of choices:
- ISC (as is)
- dnsmasq (with dhcpd now!)
- Kea (with IPv6 now!)

Unbound continues to work as is.

What could be better? Everyone has a choice ! Use whatever you fancy and whatever works best for your use case/ environment.

The fact that dnsmasq will be the default in 25.7 is really a non-issue. Everything that existed is still being supported.

Thank you @franco, @monviech(cedrik), @patrick and all contributors for this wonderful software and your hard work.

[wootonius]

In the most basic IPv6 setup you only need Router Advertisements, these will allow your clients to generate a SLAAC address, the default gateway, and you can also get a DNS server option.

DHCPv6 is when you want to hand specific addresses and options to the clients that RA cannot do.

So for you probably only RA is important.

That makes sense, I'm guessing it would work for AT&T Prefix delegation scenarios like this https://github.com/lilchancep/att-pfsense-ipv6, right?

[franco]

Prefix delegation downstream is only possible with ISC DHCPD or Kea. Dnsmasq does not have the support.  Your router could still consume a PD with Dnsmasq DHCP but cannot pass a prefix on. That one of the reasons why we believe Dnsmasq works well for small and medium setups, but an alternative with Kea makes sense in these cases. It depends on the requirements in the end.

Cheers,
Franco

[Patrick M. Hausen]

In that case I will have to look into at least a limited pre-defined set of vendor options for Kea ...

[julsssark]

@gspannu I'd upvote your post if I could :)

[bugacha]

I read this thread and I still don't understand few things.


I use Unbound as DNS and don't want to change to Dnsmasq.

I'm all in favor to drop ISC DHCP and migrate to Kea but I need Router Advertisement support for IPV6.

What are my options ?