25.1.6 - DNS/DHCP best practice

Started by gstyle, May 08, 2025, 03:51:39 PM

Is it possible to use ISC and DNSMASQ at the same time, to facilitate a migration one VLAN interface at a time?

My setup is simple with
3no [VLAN] > ISC > Unbound
1no [VLAN] > ISC > AdGuardHome > Unbound
2no WireGuard > ISC > Unbound

Would be nice to move each VLAN individually

You have to check with
sockstat -l
if dhcpd binds to just specific or all interfaces.

In dnsmasq you can set strict interface binding in the advanced general options.
Hardware:
DEC740
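Added example (my own, not code from the thread or from OPNsense): a small shell helper that takes sockstat -l output, lists the addresses the DHCP and DNS daemons are bound to, and flags the situation the reply above tells you to check for, a DHCP server bound to every interface while a second DHCP server is running. The sockstat table inside it is constructed; the function names, the daemon list and the 192.168.x addresses are my assumptions, and the real check on the firewall is sockstat -l piped into dhcp_bind_check.

```shell
#!/bin/sh
# Added example, not from the thread: read `sockstat -l` output and report
# which addresses the DHCP and DNS daemons are bound to, then flag the case
# the reply above warns about, a DHCP server bound to the wildcard address
# (*:67, every interface) while a second DHCP server is also running.
# SAMPLE_SOCKSTAT is a constructed table in sockstat's column layout; on the
# firewall itself feed the live output:  sockstat -l | dhcp_bind_check

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dhcpd    dhcpd      1234  7  udp4   *:67                  *:*
dnsmasq  dnsmasq    3456  4  udp4   192.168.20.1:67       *:*
dnsmasq  dnsmasq    3456  6  udp4   192.168.20.1:53053    *:*
unbound  unbound    2345  5  udp4   127.0.0.1:53          *:*
unbound  unbound    2345  8  udp4   192.168.1.1:53        *:*'

# stdin: sockstat -l output.  stdout: "COMMAND PROTO ADDRESS PORT" per
# listening socket of the daemons we care about.  The address is everything
# before the last colon, so IPv6 literals such as fe80::1%vlan10:547 survive.
daemon_binds() {
    awk 'NR > 1 && $2 ~ /^(dhcpd|dnsmasq|unbound|kea-dhcp4)$/ {
        n = split($6, part, ":")
        port = part[n]
        addr = substr($6, 1, length($6) - length(port) - 1)
        print $2, $5, addr, port
    }'
}

# stdin: sockstat -l output.  Exit 1 with a message when two or more DHCP
# daemons listen on port 67 and at least one of them holds the wildcard
# address, i.e. it would still answer on the VLAN you meant to migrate.
dhcp_bind_check() {
    daemon_binds | awk '
        $4 == 67 { seen[$1] = 1; if ($3 == "*") wild = wild " " $1 }
        END {
            n = 0
            for (d in seen) n++
            if (n > 1 && wild != "") {
                print "check: wildcard DHCP bind by" wild " while " n " DHCP daemons share port 67"
                exit 1
            }
            print "ok: " n " DHCP daemon(s) on port 67, no wildcard overlap"
        }'
}

# Demo run on the constructed sample when invoked as:  sh this.sh --demo
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | daemon_binds
    printf '%s\n' "$SAMPLE_SOCKSTAT" | dhcp_bind_check
fi
```

With the constructed sample the check exits non-zero because dhcpd still holds *:67 next to dnsmasq; once dhcpd is either stopped or bound only to the VLANs it still serves, the same pipeline reports ok.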

I'm using Unbound as DNS server so I can sort of use it as an adblocker, and for DHCP, I migrated to KEA.
Works fine here.

May 17, 2025, 02:28:20 PM #63 Last Edit: May 18, 2025, 01:41:08 AM by Ground_0
Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts on the local domain by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*

Quote from: Ground_0 on May 17, 2025, 02:28:20 PM
Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.
Unbound is not going anywhere as far as I know, so why not migrate to Kea for DHCP?

Quote from: Ground_0 on May 17, 2025, 02:28:20 PM
Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Do you have any servers defined in "System -> Settings -> General -> DNS servers"? I noticed that I had a similar issue if I didn't have a server explicitly defined there.

For me, this ended up being resolved by applying the patch at:

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

After applying the patch, I did not need explicit DNS servers defined and I no longer had any timeouts doing lookups through dnsmasq.

Quote from: TeeJayD on May 17, 2025, 05:51:17 PM
Quote from: Ground_0 on May 17, 2025, 02:28:20 PM
Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.
Unbound is not going anywhere as far as I know, so why not migrate to Kea for DHCP?

Mainly because Kea does not register the DNS names of leases, which is one aspect of ISC DHCP that made for such a seamless UX when combined with Unbound.

May 18, 2025, 01:39:22 AM #67 Last Edit: May 18, 2025, 02:02:04 AM by Ground_0
Quote from: Drinyth on May 17, 2025, 09:30:14 PM
Quote from: Ground_0 on May 17, 2025, 02:28:20 PM
Following the DHCPv4 with DNS registration example in the documentation, I have migrated from ISC IPv4 to DNSmasq on a test system.
I have unbound on port 53 pointing to DNSmasq on 53053 for local name resolution, as instructed.
It does work, however, resolving and pinging hosts by hostname lags for a long time.
The ping time from one host to another is in the .250 ms range, but it sits there for about 10 seconds thinking about it before spitting out the results.
Opening a browser and navigating to cockpit using machine-hostname.localdomain:9090 is equally as laggy.
Anyone else experiencing this sort of behavior?
For now, ISC with Unbound is working perfectly for me on the main router, so I suppose I will keep it that way for a while.
However, if Unbound pointing to DNSmasq for local domain name resolution is the future, I hope to figure it out.

Do you have any servers defined in "System -> Settings -> General -> DNS servers"? I noticed that I had a similar issue if I didn't have a server explicitly defined there.

For me, this ended up being resolved by applying the patch at:

https://github.com/opnsense/core/issues/8614#issuecomment-2866675332

After applying the patch, I did not need explicit DNS servers defined and I no longer had any timeouts doing lookups through dnsmasq.

I do have servers defined there, but they are ignored, as I have Unbound pointing to servers using DoT. Just to clarify, I have no problem with name resolution on the internet, it's just slow on the local domain.

May 19, 2025, 11:37:39 AM #68 Last Edit: May 19, 2025, 11:39:31 AM by OPNenthu
I just completed migration from ISC DHCPv4 + Unbound to Dnsmasq + Unbound (as per the example in the OPNsense Guide).  Unbound is the default resolver for external domains and internal ones get forwarded to Dnsmasq.

In my case I am seeing consistent timeouts on both internal and external resolutions.  They do work, but only after a few seconds.

C:\>nslookup firewall.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    firewall.h1.home.arpa
Addresses:  2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0  (*redacted)
          192.168.1.1

C:\>nslookup opnsense.org
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    opnsense.org
Addresses:  2001:1af8:2050:a001:1::1
          89.149.225.137

Unbound is using a public DoT resolver (dns.quad9.net).

I see that some patches are floating around on GitHub and I think an OPNsense update is due soon, so will try again.

I'm very confused about why the external resolutions are showing this, since those shouldn't be hitting Dnsmasq at all and Unbound itself was working fine prior to migration.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE i226-v
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE i210
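An added example, not from this thread, for triaging output like the above: a shell function that reads a Windows nslookup transcript and prints one summary line per query with the number of 2-second timeouts, the number of addresses returned, whether the server answered "Server failed", and whether the name is under the internal domain (h1.home.arpa here) that Unbound forwards to dnsmasq, so a slow external name is not blamed on that forward. The transcript inside it is the output posted in this thread; the function name and the internal-domain argument are my choices.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a Windows nslookup transcript
# per query, the way you would when triaging the lag reported above: how many
# 2-second timeouts preceded the answer, how many addresses came back, whether
# the server returned SERVFAIL ("Server failed"), and whether the name falls
# under the internal domain Unbound forwards to dnsmasq.
# TRANSCRIPT is the output posted in this thread, embedded as sample input.

TRANSCRIPT=$(cat <<'EOF'
C:\>nslookup firewall.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    firewall.h1.home.arpa
Addresses:  2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0  (*redacted)
          192.168.1.1

C:\>nslookup opnsense.org
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    opnsense.org
Addresses:  2001:1af8:2050:a001:1::1
          89.149.225.137

C:\>nslookup firewall.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

*** UnKnown can't find firewall.h1.home.arpa: Server failed
EOF
)

# $1 = internal domain (what Unbound forwards to dnsmasq); stdin = transcript.
# One line per query: NAME internal|external timeouts=N answers=N servfail=0|1
nslookup_summary() {
    awk -v dom="$1" '
        function flush() {
            if (name == "") return
            kind = (name ~ ("\\." dom "$") || name == dom) ? "internal" : "external"
            printf "%s %s timeouts=%d answers=%d servfail=%d\n", name, kind, to, ans, fail
        }
        /^C:\\>nslookup /        { flush(); name = $2; to = 0; ans = 0; fail = 0; server = 0; next }
        /^Server:/               { server = 1; next }   # the Address: line that follows is the resolver, not an answer
        /^Address(es)?:/         { if (server) { server = 0 } else { ans++ }; next }
        /^ +[0-9A-Fa-f.:]+ *$/   { ans++; next }        # indented continuation address lines
        /DNS request timed out/  { to++; next }
        /Server failed/          { fail = 1 }
        END                      { flush() }'
}

# Demo run on the embedded transcript when invoked as:  sh this.sh --demo
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$TRANSCRIPT" | nslookup_summary h1.home.arpa
fi
```

On the transcript above this prints two timeouts for both the internal and the external name, which is the detail worth noticing: opnsense.org never goes through the dnsmasq forward, so a delay on it points at Unbound or its upstream rather than at the internal forward.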

Looks like a release already dropped before I wrote that.

Updated to 25.1.7 and flushed DNS caches in OPNsense.  Also flushed Windows cache and did ipconfig release/renew.

Now external domains resolve normally, but internal ones not at all.

C:\>nslookup firewall.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

*** UnKnown can't find firewall.h1.home.arpa: Server failed

C:\>nslookup opnsense.org
Server:  UnKnown
Address:  192.168.30.1

Non-authoritative answer:
Name:    opnsense.org
Addresses:  2001:1af8:2050:a001:1::1
          89.149.225.137

I tried several and this is repeatable. 

Double-checking my configs...

May 19, 2025, 12:15:43 PM #70 Last Edit: May 19, 2025, 12:20:18 PM by OPNenthu
Spoke too soon - there are intermittent timeouts still on external:

C:\>nslookup starbucks.com
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    starbucks.com
Address:  23.50.66.53


EDIT: the internal ones started working again, after several minutes.  No changes on my part.  Looks like there is something timing-related going on (?)

C:\>nslookup firewall.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    firewall.h1.home.arpa
Address:  192.168.1.1

I moved my issues/observations to a separate thread. https://forum.opnsense.org/index.php?topic=47278.0

Thanks!

Ok, I am slightly confused: in certain comments people say they use dnsmasq for internal resolution and unbound for external.

Just to be clear, does this mean I can use dnsmasq for internal address resolution (including reverse lookups)? Because another comment mentioned that reverse lookups would have to be forwarded to Unbound or maybe it meant a setting in Unbound has to be set. Either way, Unbound seems to be required.

As mentioned before, I currently use Unbound only for internal address resolution.

So what is it? Can dnsmasq (when used as an ISC DHCP v4 and Unbound replacement) resolve local addresses including reverse lookups?

DNS requests come into Unbound. Unbound can then forward internal DNS and internal reverse lookups to DNSmasq. The docs were updated to show that two forwards are needed from Unbound (1 for DNS and 1 for reverse lookups). I have it configured this way and it is working fine.
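To make the two-forward setup described in the reply above concrete, here is an added example of my own, not from the thread and not the configuration OPNsense itself generates: a shell helper that prints the equivalent unbound.conf and dnsmasq.conf fragments for a given local domain, IPv4 prefix and dnsmasq port (53053, as used in this thread). The function names are mine, home.arpa and 192.168.1.0/24 in the demo are constructed values, and the nodefault lines rest on the assumption that the Unbound in use ships home.arpa and the RFC 1918 reverse zones as built-in static local zones, which current Unbound releases do.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense docs: generate the two
# Unbound forwards the reply above describes (local domain plus its reverse
# zone, both to dnsmasq on 127.0.0.1 port 53053) in plain unbound.conf
# syntax, and the matching dnsmasq.conf lines.  OPNsense writes both files
# from its GUI; this is the hand-written equivalent, useful for comparing
# against what the GUI produced.  home.arpa / 192.168.1.0/24 are constructed.

# in-addr.arpa name for a /8, /16 or /24 prefix, e.g.
#   reverse_zone 192.168.1.0/24  ->  1.168.192.in-addr.arpa
reverse_zone() {
    net=${1%/*}
    bits=${1#*/}
    case "$bits" in
        8)  octets=1 ;;
        16) octets=2 ;;
        24) octets=3 ;;
        *)  echo "reverse_zone: only /8, /16 and /24 prefixes are handled" >&2; return 1 ;;
    esac
    echo "$net" | awk -F. -v n="$octets" '{
        s = ""
        for (i = n; i >= 1; i--) s = s $i "."
        print s "in-addr.arpa"
    }'
}

# Unbound's built-in static reverse zone that covers an RFC 1918 address
# (assumption: the default local-zone list of current Unbound), or nothing.
rfc1918_default_zone() {
    case "$1" in
        10.*)                                  echo "10.in-addr.arpa" ;;
        192.168.*)                             echo "168.192.in-addr.arpa" ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "${1#172.}" | awk -F. '{ print $1 ".172.in-addr.arpa" }' ;;
    esac
}

# unbound.conf fragment: forward <domain> and the reverse zone of <cidr>
# to dnsmasq on 127.0.0.1@<port>.
unbound_forwards() {
    domain=$1
    cidr=$2
    port=${3:-53053}
    rev=$(reverse_zone "$cidr") || return 1
    # nodefault must name the built-in zone (e.g. 168.192.in-addr.arpa), not
    # the /24 under it, or Unbound keeps answering NXDOMAIN from the static zone
    nodefault_rev=$(rfc1918_default_zone "${cidr%/*}")
    nodefault_rev=${nodefault_rev:-$rev}
    cat <<EOF
server:
    # Unbound will not send queries to 127.0.0.1 unless this is switched off
    do-not-query-localhost: no
    # stop Unbound serving these names itself from its default local zones;
    # for a name that is not a default zone the line has no effect
    local-zone: "$domain." nodefault
    local-zone: "$nodefault_rev." nodefault

forward-zone:
    name: "$domain."
    forward-addr: 127.0.0.1@$port

forward-zone:
    name: "$rev."
    forward-addr: 127.0.0.1@$port
EOF
}

# dnsmasq.conf fragment: answer the same domain on the alternate port.
dnsmasq_local() {
    domain=$1
    port=${2:-53053}
    cat <<EOF
# listen on the port Unbound forwards to; 53 stays with Unbound
port=$port
# answer $domain from DHCP leases and /etc/hosts, never forward it upstream
local=/$domain/
domain=$domain
expand-hosts
# register leases as fully qualified names so forward and reverse lookups match
dhcp-fqdn
EOF
}

# Demo when invoked as:  sh this.sh --demo
if [ "${1-}" = "--demo" ]; then
    unbound_forwards home.arpa 192.168.1.0/24
    echo
    dnsmasq_local home.arpa
fi
```

The point to take away from the generated text is the second forward-zone: without it, PTR lookups for lease addresses stay with Unbound and never reach dnsmasq, which is exactly the "reverse lookups have to be forwarded" remark from the earlier comment.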

Quote
Dnsmasq DHCP/RA for small and medium deployments

What is the definition of small and medium?

What should I use for 2000 Wi-Fi devices in a school?