25.1.6 - DNS/DHCP best practice

Transmog-rifier · May 16, 2025, 11:42:59 AM

Is it possilble to use ISC and DNSMASQ at the same time, to facilitate a migration one VLAN interface at a time?

My setup is simple with
3no [VLAN] > ISC > Unbound
1no [VLAN] > ISC > AdGuardHome > Unbound
2no WireGuard > ISC > Unbound

Would be nice to move each VLAN individually

Monviech (Cedrik) · May 16, 2025, 01:07:21 PM

You have to check with
sockstat -l
if dhcpd binds to just specific or all interfaces.

In dnsmasq you can set strict interface binding in the advanced general options.

TeeJayD · May 17, 2025, 05:44:06 AM

I'm using Unbound as DNS server so i can sort of use it as an adblocker, and for DHCP, i migrated to KEA
Works fine here.

Ground_0 · May 17, 2025, 02:28:20 PM

Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts on the local domain by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

TeeJayD · May 17, 2025, 05:51:17 PM

Quote from: Ground_0 on May 17, 2025, 02:28:20 PMFollowing the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Unbound is not going anywhere as far as i know, so why not migrate to Kea for DHCP ?

Drinyth · May 17, 2025, 09:30:14 PM

Quote from: Ground_0 on May 17, 2025, 02:28:20 PMFollowing the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Do you have any servers defined in "System -> Settings -> General -> DNS servers" ? I noticed that I had a similar issue if I didn't have server explicitly defined there.

For me, this ended up being resolved by applying the patch at:

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

After applying the patch, I did not need explicit DNS servers defined and I no longer had any timeouts doing lookups through dnsmasq.

Ground_0 · May 18, 2025, 01:32:00 AM

Quote from: TeeJayD on May 17, 2025, 05:51:17 PM
Quote from: Ground_0 on May 17, 2025, 02:28:20 PMFollowing the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.
Unbound is not going anywhere as far as i know, so why not migrate to Kea for DHCP ?

Mainly because Kea does not register the DNS names of leases, which is one aspect of ISC DHCP that made for such a seamless UX when combined with Unbound.

Ground_0 · May 18, 2025, 01:39:22 AM

Quote from: Drinyth on May 17, 2025, 09:30:14 PM
Quote from: Ground_0 on May 17, 2025, 02:28:20 PMFollowing the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Do you have any servers defined in "System -> Settings -> General -> DNS servers" ? I noticed that I had a similar issue if I didn't have server explicitly defined there.

For me, this ended up being resolved by applying the patch at:

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

After applying the patch, I did not need explicit DNS servers defined and I no longer had any timeouts doing lookups through dnsmasq.

I do have servers defined there, but they are ignored, as I have Unbound pointing to servers using DoT. Just to clarify, I have no problem with name resolution on the internet, it's just slow on the local domain.

25.1.6 - DNS/DHCP best practice

Transmog-rifier

May 16, 2025, 11:42:59 AM #60

Monviech (Cedrik)

May 16, 2025, 01:07:21 PM #61

TeeJayD

May 17, 2025, 05:44:06 AM #62

Ground_0

May 17, 2025, 02:28:20 PM #63 Last Edit: May 18, 2025, 01:41:08 AM by Ground_0

TeeJayD

May 17, 2025, 05:51:17 PM #64

Drinyth

May 17, 2025, 09:30:14 PM #65

Ground_0

May 18, 2025, 01:32:00 AM #66

Ground_0

May 18, 2025, 01:39:22 AM #67 Last Edit: May 18, 2025, 02:02:04 AM by Ground_0