Unbound to DNSMasq

Started by spetrillo, May 12, 2025, 05:09:09 PM

Hello all,

I need some clarity. In reading the notes from the 25.1.6 update, it seems to give me the impression that DNSmasq is beginning to take over from Unbound. I run Unbound as my DNS server, and use ISC DHCP for DHCP purposes. If the move is to Kea DHCP, does that mean I need to move from Unbound to DNSMasq for DNS purposes? Like I said, I am trying to gain some clarity here.

Thanks,
Steve

May 12, 2025, 05:21:39 PM #1 Last Edit: May 12, 2025, 05:25:17 PM by meyergru
I would rather say that DNSmasq is taking over from ISC DHCP. @Monviech wrote that with ISC DHCP phasing out and with Kea DHCP not being up to par yet, there needed to be an alternative.

While DNSmasq can do all three of DNS, DHCP and router advertisements in one tool, it cannot do recursive DNS or DoT/DoH - it needs an upstream DNS resolver. So the proposed approach is to have Unbound for that, if you need it. I do not, so I started to use it now for all it supports.

I have even used some scripts to facilitate the migration from local Unbound DNS aliases and ISC DHCP reservations.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

The goal for 25.7 default installation we're moving to:

Unbound as DNS (same as before)
Dnsmasq as DHCPv4 (away from ISC and ignoring Kea)
ISC for DHCPv6 (same as before)
Router Advertisements "radvd" as RA (same as before)

As you can see, we're changing one variable here for 25.7. DNS isn't a concern either. It's all DHCP/RA that is going to change further as ISC moves to plugins in 26.1.


Cheers,
Franco

Still no support for registering DHCP leases from anything other than ISC DHCP? At least the verbiage in Unbound and dnsmasq settings both suggest that they will only register leases from ISC.

Quote from: milkywaygoodfellas on May 12, 2025, 07:02:19 PM
Still no support for registering DHCP leases from anything other than ISC DHCP?
Dnsmasq can handle hostname registration. Unbound is the primary resolver and forwards internal zone requests to Dnsmasq. This is covered in the documentation and walks you through the setup. I recommend someone create a sticky with a link to this doc since there are a lot of questions and discussions right now.
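
The split described in the reply above (Unbound as the primary resolver, internal zone requests forwarded to Dnsmasq), written out as raw configuration. This is an added example, not part of the original post or of the OPNsense documentation; the zone name `lan.internal`, the 192.168.1.0/24 range and port 53053 are assumptions.

```conf
# ---- unbound.conf fragment (constructed example) ----
server:
    # Unbound will not send queries to 127.0.0.0/8 unless this is disabled.
    do-not-query-localhost: no
    # The internal zone has no DNSSEC chain of trust; exempt only these
    # names so validation stays on for everything else.
    domain-insecure: "lan.internal"
    domain-insecure: "1.168.192.in-addr.arpa"
    # Rebind protection: strip RFC 1918 answers from public names,
    # but allow them for the internal zone.
    private-address: 192.168.0.0/16
    private-domain: "lan.internal"
    # Drop the built-in empty zone so reverse lookups reach the forwarder.
    local-zone: "168.192.in-addr.arpa." nodefault

# Forward lookups for the internal zone go to dnsmasq (assumed port 53053).
forward-zone:
    name: "lan.internal"
    forward-addr: 127.0.0.1@53053

# Reverse lookups for the DHCP range go to dnsmasq as well.
forward-zone:
    name: "1.168.192.in-addr.arpa"
    forward-addr: 127.0.0.1@53053

# ---- dnsmasq.conf fragment (constructed example) ----
# Listen for DNS on a non-standard port so Unbound keeps port 53.
port=53053
# Domain appended to DHCP hostnames; leases become <host>.lan.internal.
domain=lan.internal
# Answer this zone from local data only, never forward it.
local=/lan.internal/
# Do not read upstream servers from resolv.conf; dnsmasq serves
# only what it knows from leases and static hosts.
no-resolv
# DHCPv4 pool whose leases are registered in DNS.
dhcp-range=192.168.1.100,192.168.1.200,12h
```

Clients keep using Unbound on port 53 as their only resolver; the Dnsmasq listener is reached only through the two forward zones.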

May 12, 2025, 08:51:17 PM #5 Last Edit: May 12, 2025, 08:54:29 PM by milkywaygoodfellas
Quote from: allan on May 12, 2025, 08:37:42 PM
Quote from: milkywaygoodfellas on May 12, 2025, 07:02:19 PM
Still no support for registering DHCP leases from anything other than ISC DHCP?
Dnsmasq can handle hostname registration. Unbound is the primary resolver and forwards internal zone requests to Dnsmasq. This is covered in the documentation and walks you through the setup. I recommend someone create a sticky with a link to this doc since there are a lot of questions and discussions right now.
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.

You can lead a horse to water, but you cannot make it drink.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on May 12, 2025, 09:00:11 PM
You can lead a horse to water, but you cannot make it drink.
Really? The official response is telling people to just use two DNSs and deal with the bugs and performance issues that people are reporting with the Unbound/dnsmasq setup?

Sheesh, you guys are losing it.

You can simply use whatever works for your personal setup, even Unbound + ISC as long as it works.

It's not my responsibility to tell you what to do, I can only tell you which possibilities exist.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on May 12, 2025, 09:08:41 PM
You can simply use whatever works for your personal setup, even Unbound + ISC as long as it works.

It's not my responsibility to tell you what to do, I can only tell you which possibilities exist.
Didn't ask and don't care about your responsibility, I only asked about support for registering hostnames from Kea or dnsmasq DHCP in Unbound.

At least the members here try to be helpful, even if the official staff chooses to cop a holier-than-thou attitude.

Quote from: milkywaygoodfellas on May 12, 2025, 08:51:17 PM
I'm not going to run two DNS services just to be able to resolve internal host names. This whole deprecation of ISC has been a mess. ISC+Unbound is exceedingly simple and functional, Kea and dnsmasq are both half-baked.
The devs are caught in the middle with the ISC deprecation. Running EOL software is not an option in certain environments and Kea does not offer the same options. This gives users two paths with supported options depending on what their priority is. ISC is still there if EOL is fine. These additional choices bring extra support complexity so I think the devs would prefer not adding dnsmasq. Personally, I would prefer not running 2 DNS servers as well but hostname registration is important to me.

The state with KEA dynamic hostname registrations is some effort from the community which shows the complexity of the issue.

https://github.com/opnsense/core/issues/7475
Hardware:
DEC740

May 12, 2025, 09:46:02 PM #12 Last Edit: May 12, 2025, 09:50:34 PM by meyergru
At this time, ISC DHCP plus Unbound is still viable, so if anyone deems other (new) combinations of services to be too unstable as of yet: stay with something that still works fine. If you used the business version, which is more matured and lags behind the community version, you would automatically be at this point, anyway. So, if you expect production-ready quality - please buy it!

Other than that, who would really use DNSmasq DHCP, but expect Unbound DNS to be supported registering DNSmasq leases, when DNSmasq supports this out-of-the-box?

As I noted, DNSmasq alone can handle DHCP, (local) DNS and RA, and also non-recursive DNS. If you really need recursive DNS or want DoH on top, you are free to choose Unbound (as is the current recommendation) or, if you do not like that (as myself), go along with something like DNSCrypt-Proxy. I just tried that and it also works just fine.

Like @Monviech said: It is just anybody's choice on what to use, IDK why there seems so much undeserved fuss made about it.

I, at least, appreciate the effort to have those services integrated more closely - but I do not expect it to be perfect from the get-go.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on May 12, 2025, 09:46:02 PM
At this time, ISC DHCP plus Unbound is still viable, so if anyone deems other (new) combinations of services to be too unstable as of yet: stay with something that still works fine. If you used the business version, which is more matured and lags behind the community version, you would automatically be at this point, anyway. So, if you expect production-ready quality - please buy it!

Other than that, who would really use DNSmasq DHCP, but expect Unbound DNS to be supported registering DNSmasq leases, when DNSmasq supports this out-of-the-box?

As I noted, DNSmasq alone can handle DHCP, (local) DNS and RA, and also non-recursive DNS. If you really need recursive DNS or want DoH on top, you are free to choose Unbound (as is the current recommendation) or, if you do not like that (as myself), go along with something like DNSCrypt-Proxy. I just tried that and it also works just fine.

Like @Monviech said: It is just anybody's choice on what to use, IDK why there seems so much undeserved fuss made about it.

I, at least, appreciate the effort to have those services integrated more closely - but I do not expect it to be perfect from the get-go.


Very well said, @meyergru

I too do not understand what the fuss is all about at the moment. There are choices available; and the best part is if one does not change anything and just upgrades - everything works anyway and the existing setups remain as they were.

Do not understand the amount of comments being made about dnsmasq. It is just being improved without any detriment to either ISC/Kea at the moment.