Dnsmasq+Unbound observations in 25.1.7

Started by OPNenthu, May 19, 2025, 07:13:28 PM

May 19, 2025, 07:13:28 PM Last Edit: May 19, 2025, 07:39:54 PM by OPNenthu
Hi all,

I followed the section DHCPv4 with DNS registration in the guide as closely as I could, so that Unbound is the default resolver for clients and forwards to Dnsmasq for internal domains.  For external domains Unbound forwards to Quad9 over TLS (unchanged from my previous setup with ISC).

These are the issues I am seeing so far with the latest update today.  If any of this is deemed valid here I can submit scoped issue(s) in GitHub.

For all of these examples, I only have IPv4 configurations in Dnsmasq.  Presently I am still using Services->Router Advertisements for IPv6 RAs.

My system default domain in System->Settings->General is "h1.home.arpa" (to distinguish from a remote site "h2.home.arpa").  I am using this domain for my LAN.

For each of the VLANs where clients connect, I defined a respective ".internal" domain in Dnsmasq per the examples in the guide.


In Unbound I configured the forwarding as follows:

[screenshot attachment]

Unbound is configured on all interfaces ('All (recommended)' in GUI options) at port 53.

Dnsmasq is on all explicit interfaces (LAN, GUEST, etc.) at port 53053 with "Strict Interface Binding" disabled.

root@firewall:~ # sockstat -l | grep :53
unbound  unbound     4479 5   udp6   *:53                  *:*
unbound  unbound     4479 6   tcp6   *:53                  *:*
unbound  unbound     4479 7   udp4   *:53                  *:*
unbound  unbound     4479 8   tcp4   *:53                  *:*
unbound  unbound     4479 9   udp6   *:53                  *:*
unbound  unbound     4479 10  tcp6   *:53                  *:*
unbound  unbound     4479 11  udp4   *:53                  *:*
unbound  unbound     4479 12  tcp4   *:53                  *:*
unbound  unbound     4479 13  udp6   *:53                  *:*
unbound  unbound     4479 14  tcp6   *:53                  *:*
unbound  unbound     4479 15  udp4   *:53                  *:*
unbound  unbound     4479 16  tcp4   *:53                  *:*
unbound  unbound     4479 17  udp6   *:53                  *:*
unbound  unbound     4479 18  tcp6   *:53                  *:*
unbound  unbound     4479 19  udp4   *:53                  *:*
unbound  unbound     4479 20  tcp4   *:53                  *:*
nobody   dnsmasq    19536 13  udp4   *:53053               *:*
nobody   dnsmasq    19536 14  tcp4   *:53053               *:*
nobody   dnsmasq    19536 15  udp6   *:53053               *:*
nobody   dnsmasq    19536 16  tcp6   *:53053               *:*
root     mdns-repea 50866 3   udp4   *:5353                *:*
root     mdns-repea 50866 4   udp4   192.168.20.1:5353     *:*
root     mdns-repea 50866 6   udp4   192.168.30.1:5353     *:*
root     mdns-repea 50866 7   udp4   192.168.40.1:5353     *:*

I do not have any system default DNS servers in System->Settings->General and I am not allowing DNS overrides from WAN.


Observation #1: Incorrect DNS options in DHCP offer

Per the guide, these DHCP options do not need to be explicitly defined and are defaulted as follows:

Quote:
router[3] -> IPv4 address of the receiving interface
dns-server[6] -> IPv4 address of the receiving interface
domain-search[119] -> Domain set in DHCP range

This is the DHCP offer as captured in Wireshark to my client on the HOME network, which has a static reservation (192.168.30.2):

Dynamic Host Configuration Protocol (Offer)
    Message type: Boot Reply (2)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x20ab4ae0
    Seconds elapsed: 0
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
    Client IP address: 0.0.0.0
    Your (client) IP address: 192.168.30.2
    Next server IP address: 192.168.30.1
    Relay agent IP address: 0.0.0.0
    Client MAC address: ASUSTekCOMPU_xx:xx:xx (24:4b:fe:xx:xx:xx)   (*redacted)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Offer)
    Option: (54) DHCP Server Identifier (192.168.30.1)
    Option: (51) IP Address Lease Time
    Option: (58) Renewal Time Value
    Option: (59) Rebinding Time Value
    Option: (1) Subnet Mask (255.255.255.0)
    Option: (28) Broadcast Address (192.168.30.255)
    Option: (3) Router
        Length: 4
        Router: 192.168.30.1
    Option: (15) Domain Name
        Length: 12
        Domain Name: h1.home.arpa
    Option: (6) Domain Name Server
        Length: 4
        Domain Name Server: 192.168.30.1
    Option: (255) End

- 'router[3]' is correct
- 'dns-server[6]' is correct
- 'domain-search[119]' is missing
- 'domain-name[15]' is incorrect (should be 'home.internal')


Observation #2: Frequent DNS timeouts / slow resolution

Whether or not the internal host being resolved is static (for example, 'firewall' is in /etc/hosts), the requests are experiencing a lot of timeouts and resolution takes several seconds.

C:\>nslookup firewall
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.30.1

Non-authoritative answer:
Name:    firewall.h1.home.arpa
Addresses:  2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
          192.168.1.1

C:\>nslookup firewall.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    firewall.h1.home.arpa
Addresses:  2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
          192.168.1.1

The same is happening for external requests, which previously had no issue:

C:\>nslookup opnsense.org
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    opnsense.org
Addresses:  2001:1af8:2050:a001:1::1
          89.149.225.137

Observation #3: Intermittent resolution failures

Sometimes there is no response, even for statically defined hosts in Dnsmasq:

C:\>nslookup unifi
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
*** UnKnown can't find unifi: Server failed

Ditto for fully qualified queries:

C:\>nslookup unifi.h1.home.arpa
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out



Observation #4: Static addresses not registered

My Proxmox node (pve) has a static IP which I also defined as a static reservation in Dnsmasq for tracking purposes. My UniFi controller (running on Proxmox) is also static on the host and has a static reservation.  Neither of these is reflected in the Dnsmasq leases table, although both are running and responding.

A Gitea instance also running on Proxmox, but with a dynamic lease, is shown in the table.

A static reservation for my desktop PC is also shown in the table.

In general, it appears that static reservations are only shown for hosts which receive their IPs from DHCP but are omitted for hosts which have static IPs set on the host itself even if a static entry is present in Dnsmasq.


 
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x2.5GbE i226-v
Site 2 |  J4125 | 8GB | 256GB | 4x1GbE i225-v

For issues #2 and #3, do I need to define additional search domains explicitly in DHCP options?

In Unbound enable query request and response logging, in dnsmasq enable the same in advanced general options.

Do nslookups and check what the servers ask each other and what their responses are.
Hardware:
DEC740

Option 15 is correct for the default domain suffix. Option 119 is for multiple domain suffixes. So I have to adjust that in the docs, I referred to the wrong option.
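To make the difference between the two options concrete (the captured offer above carries option 15 only, and the correction just made is that option 119 is the one that carries a list of suffixes), here is an added example that builds and decodes both. It is not OPNsense or Dnsmasq code; the option blobs are constructed from the values in the captured offer, and option 119 is encoded the way RFC 3397 specifies, with RFC 1035 compression pointers relative to the option data.

```python
"""DHCPv4 option 15 (Domain Name) versus option 119 (Domain Search, RFC 3397).
Added example, not OPNsense or Dnsmasq code; the option blobs are constructed."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DOMAIN_NAME, OPT_DOMAIN_SEARCH, OPT_END = 15, 119, 255


def parse_options(blob: bytes) -> dict:
    """Parse cookie + code/len/value into {code: bytes}; repeated codes are concatenated (RFC 3396)."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == 0:  # pad option, single byte
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def decode_domain_search(data: bytes) -> list:
    """Decode option 119: wire-format names; pointer offsets are relative to the option data."""
    names, pos = [], 0
    while pos < len(data):
        labels, cur, jumped = [], pos, False
        while True:
            if cur >= len(data):
                raise ValueError("name runs past end of option data")
            length = data[cur]
            if length == 0:  # root label ends this name
                cur += 1
                break
            if length & 0xC0 == 0xC0:  # two-byte compression pointer
                target = ((length & 0x3F) << 8) | data[cur + 1] if cur + 1 < len(data) else cur
                if target >= cur:  # must point backwards, which also rules out loops
                    raise ValueError("bad compression pointer")
                if not jumped:
                    pos = cur + 2  # the next name starts right after the pointer
                cur, jumped = target, True
                continue
            if length & 0xC0 or cur + 1 + length > len(data):
                raise ValueError("reserved label type or truncated label")
            labels.append(data[cur + 1:cur + 1 + length].decode("ascii"))
            cur += 1 + length
        if not jumped:
            pos = cur
        names.append(".".join(labels))
    return names


def encode_domain_search(domains: list) -> bytes:
    """Encode option 119, pointing back at any suffix already emitted
    (e.g. 'lan.h1.home.arpa' reuses the labels of 'h1.home.arpa')."""
    out, seen = bytearray(), {}
    for domain in domains:
        labels = tuple(domain.rstrip(".").split("."))
        for idx in range(len(labels)):
            if labels[idx:] in seen:
                out += struct.pack("!H", 0xC000 | seen[labels[idx:]])
                break
            seen[labels[idx:]] = len(out)
            out += bytes([len(labels[idx])]) + labels[idx].encode("ascii")
        else:
            out += b"\x00"
    return bytes(out)


def build_options(fields: list) -> bytes:
    """Serialise (code, value) pairs (each value < 256 bytes) into an options field."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in fields:
        out += bytes([code, len(value)]) + value
    return bytes(out + bytes([OPT_END]))


def summarise(blob: bytes) -> dict:
    """Option 15 is the client's connection-specific suffix, option 119 its search list."""
    opts = parse_options(blob)
    return {
        "domain_name": opts.get(OPT_DOMAIN_NAME, b"").decode("ascii") or None,
        "domain_search": decode_domain_search(opts.get(OPT_DOMAIN_SEARCH, b"")),
    }


# Constructed: the captured offer carried option 15 only; the second also carries 119.
AS_CAPTURED = build_options([(OPT_DOMAIN_NAME, b"h1.home.arpa")])
WITH_SEARCH = build_options([
    (OPT_DOMAIN_NAME, b"home.internal"),
    (OPT_DOMAIN_SEARCH, encode_domain_search(["home.internal", "h1.home.arpa"])),
])
```

summarise(AS_CAPTURED) yields an empty search list, matching the client behaviour seen in the thread, while summarise(WITH_SEARCH) shows both suffixes.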

Here's a lookup on 'opnsense.org' from the client at 192.168.30.2.

Result:

C:\>nslookup opnsense.org
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    opnsense.org
Addresses:  2001:1af8:2050:a001:1::1
          89.149.225.137

Unbound side:

2025-05-19T13:53:48-04:00    Informational    unbound    [5329:3] info: 127.0.0.1 opnsense.org.h1.home.arpa. AAAA IN   
2025-05-19T13:53:48-04:00    Informational    unbound    [5329:3] info: 127.0.0.1 opnsense.org.h1.home.arpa. AAAA IN   
2025-05-19T13:53:42-04:00    Informational    unbound    [5329:3] info: 127.0.0.1 opnsense.org.h1.home.arpa. AAAA IN   
2025-05-19T13:53:42-04:00    Informational    unbound    [5329:3] info: 127.0.0.1 opnsense.org.h1.home.arpa. AAAA IN   
2025-05-19T13:53:42-04:00    Informational    unbound    [5329:0] info: 127.0.0.1 opnsense.org.h1.home.arpa. A IN   
2025-05-19T13:53:42-04:00    Informational    unbound    [5329:0] info: 127.0.0.1 opnsense.org.h1.home.arpa. A IN   
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:2] info: 192.168.30.2 opnsense.org. AAAA IN NOERROR 0.081485 0 58   
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:2] info: 192.168.30.2 opnsense.org. AAAA IN   
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 192.168.30.2 opnsense.org. A IN NOERROR 0.321781 0 46   
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 192.168.30.2 opnsense.org. A IN   
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 127.0.0.1 1.30.168.192.in-addr.arpa. PTR IN   
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 127.0.0.1 1.30.168.192.in-addr.arpa. PTR IN   
2025-05-19T13:53:39-04:00    Informational    unbound    [5329:0] info: 127.0.0.1 opnsense.org.h1.home.arpa. A IN   
2025-05-19T13:53:39-04:00    Informational    unbound    [5329:0] info: 127.0.0.1 opnsense.org.h1.home.arpa. A IN   
2025-05-19T13:53:38-04:00    Informational    unbound    [5329:3] info: 127.0.0.1 opnsense.org.h1.home.arpa. AAAA IN   
2025-05-19T13:53:38-04:00    Informational    unbound    [5329:0] info: 192.168.30.2 opnsense.org.h1.home.arpa. AAAA IN   
2025-05-19T13:53:37-04:00    Informational    unbound    [5329:1] info: 127.0.0.1 1.30.168.192.in-addr.arpa. PTR IN   
2025-05-19T13:53:37-04:00    Informational    unbound    [5329:1] info: 127.0.0.1 1.30.168.192.in-addr.arpa. PTR IN   
2025-05-19T13:53:36-04:00    Informational    unbound    [5329:0] info: 127.0.0.1 opnsense.org.h1.home.arpa. A IN   
2025-05-19T13:53:36-04:00    Informational    unbound    [5329:3] info: 192.168.30.2 opnsense.org.h1.home.arpa. A IN   

Dnsmasq side:

2025-05-19T13:53:51-04:00 Informational dnsmasq 32 127.0.0.1/17159 DHCP 192.168.40.3 is chromecast-br.h1.home.arpa
2025-05-19T13:53:51-04:00 Informational dnsmasq 32 127.0.0.1/17159 query[PTR] 3.40.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:51-04:00 Informational dnsmasq 31 127.0.0.1/28211 DHCP 192.168.30.2 is blackbox.h1.home.arpa
2025-05-19T13:53:51-04:00 Informational dnsmasq 31 127.0.0.1/28211 query[PTR] 2.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:48-04:00 Informational dnsmasq 30 127.0.0.1/46952 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:48-04:00 Informational dnsmasq 30 127.0.0.1/46952 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:48-04:00 Informational dnsmasq 29 127.0.0.1/39373 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:48-04:00 Informational dnsmasq 29 127.0.0.1/39373 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 28 127.0.0.1/24915 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 28 127.0.0.1/24915 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 27 127.0.0.1/44700 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 27 127.0.0.1/44700 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 26 127.0.0.1/61536 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 26 127.0.0.1/61536 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 25 127.0.0.1/27840 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 25 127.0.0.1/27840 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:40-04:00 Informational dnsmasq 24 127.0.0.1/12293 forwarded 1.30.168.192.in-addr.arpa to 127.0.0.1
2025-05-19T13:53:40-04:00 Informational dnsmasq 24 127.0.0.1/12293 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:40-04:00 Informational dnsmasq 23 127.0.0.1/48131 forwarded 1.30.168.192.in-addr.arpa to 127.0.0.1
2025-05-19T13:53:40-04:00 Informational dnsmasq 23 127.0.0.1/48131 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:39-04:00 Informational dnsmasq 22 127.0.0.1/37728 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:39-04:00 Informational dnsmasq 21 127.0.0.1/45135 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:39-04:00 Informational dnsmasq 20 127.0.0.1/26717 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:39-04:00 Informational dnsmasq 20 127.0.0.1/26717 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:39-04:00 Informational dnsmasq 19 127.0.0.1/14309 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:39-04:00 Informational dnsmasq 19 127.0.0.1/14309 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:38-04:00 Informational dnsmasq 18 127.0.0.1/29080 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:38-04:00 Informational dnsmasq 17 127.0.0.1/12969 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:38-04:00 Informational dnsmasq 17 127.0.0.1/12969 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:37-04:00 Informational dnsmasq 16 127.0.0.1/54709 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:37-04:00 Informational dnsmasq 15 127.0.0.1/43769 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:37-04:00 Informational dnsmasq 14 127.0.0.1/26508 forwarded 1.30.168.192.in-addr.arpa to 127.0.0.1
2025-05-19T13:53:37-04:00 Informational dnsmasq 14 127.0.0.1/26508 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:37-04:00 Informational dnsmasq 13 127.0.0.1/46047 forwarded 1.30.168.192.in-addr.arpa to 127.0.0.1
2025-05-19T13:53:37-04:00 Informational dnsmasq 13 127.0.0.1/46047 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:36-04:00 Informational dnsmasq 12 127.0.0.1/51277 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:36-04:00 Informational dnsmasq 11 127.0.0.1/16835 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:36-04:00 Informational dnsmasq 10 127.0.0.1/18449 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:36-04:00 Informational dnsmasq 9 127.0.0.1/17611 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:36-04:00 Informational dnsmasq 9 127.0.0.1/17611 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:35-04:00 Informational dnsmasq 8 127.0.0.1/55149 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:35-04:00 Informational dnsmasq 7 127.0.0.1/52966 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:34-04:00 Informational dnsmasq 6 127.0.0.1/61290 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:34-04:00 Informational dnsmasq 5 127.0.0.1/64544 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:34-04:00 Informational dnsmasq 4 127.0.0.1/4460 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:53:34-04:00 Informational dnsmasq 3 127.0.0.1/53395 forwarded 1.30.168.192.in-addr.arpa to 127.0.0.1
2025-05-19T13:53:34-04:00 Informational dnsmasq 3 127.0.0.1/53395 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:51:27-04:00 Informational dnsmasq 2 127.0.0.1/23723 reply error is SERVFAIL
2025-05-19T13:51:27-04:00 Informational dnsmasq 2 127.0.0.1/23723 forwarded omv.h1.home.arpa to 127.0.0.1

May 19, 2025, 08:20:30 PM #5 Last Edit: May 19, 2025, 08:23:10 PM by OPNenthu
Quote from: Monviech (Cedrik) on May 19, 2025, 07:29:56 PM
Option 15 is correct for the default domain suffix. Option 119 is for multiple domain suffixes. So I have to adjust that in the docs, I referred to the wrong option.

Shouldn't the default domain in that example be 'home.internal' rather than 'h1.home.arpa' as that is what I defined for the DHCP range?  Or is that option referring to the system default domain, regardless of the DHCP range?

Do the subnets each need to have multiple domain suffixes in order to query each other?  Or does Dnsmasq handle that?

Apologies, I'm still learning about DNS, but this is a good test case for the presumption that Dnsmasq should be simple to configure relative to ISC/Kea with Unbound :-P

I do not understand why opnsense.org is forwarded to Dnsmasq.

Somehow Unbound thinks it's an internal domain first and forwards it to the query forwarding configured for h1.home.arpa, before finally noticing after multiple responses from dnsmasq that it's not there, and then recursively resolving it.

At first glance it looks like an Unbound issue now. It should recursively resolve FQDNs that do not fall into configured query forwarding domains right away, or so is my assumption.
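The pattern described in the reply above can be made visible by correlating the two logs posted earlier per queried name: which process saw the name, whether it arrived at Unbound from a LAN client or from 127.0.0.1, and whether Dnsmasq answered it or logged it as forwarded to its upstream. This is an added example, not OPNsense code; the log lines are copied from the thread, and the internal-zone list and the upstream address (127.0.0.1, where Unbound listens per the first post) are assumptions taken from the setup described there.

```python
"""Correlate the Unbound and Dnsmasq query logs posted above, per name.
Added example, not OPNsense code.  Log lines are copied from the thread; the
internal-zone list and Dnsmasq's upstream address are assumptions taken from
the setup in the first post."""
import re
from collections import defaultdict

INTERNAL_ZONES = ("h1.home.arpa", "home.internal", "iot.internal")  # assumed
UNBOUND_ADDR = "127.0.0.1"  # Dnsmasq forwards to Unbound on localhost:53 (assumed)

UNBOUND_RE = re.compile(
    r"unbound\s+\[\d+:\d+\] info: (?P<src>\S+) (?P<name>\S+?)\.? (?P<qtype>\S+) IN"
    r"(?: (?P<rcode>\S+) (?P<secs>[\d.]+) \d+ \d+)?\s*$")
DNSMASQ_RE = re.compile(
    r"dnsmasq \d+ \S+ (?:query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<src>\S+)"
    r"|forwarded (?P<fname>\S+) to (?P<to>\S+)|reply error is (?P<err>\w+))")


def in_internal_zone(name: str) -> bool:
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def new_stats() -> dict:
    return {"client_q": 0, "loopback_q": 0, "dnsmasq_q": 0, "dnsmasq_fwd": 0,
            "answered": [], "loop_suspect": False}


def correlate(unbound_lines, dnsmasq_lines):
    """Return ({name: stats}, servfail_count).  client_q: Unbound queries from LAN
    clients; loopback_q: queries reaching Unbound from 127.0.0.1; dnsmasq_q/_fwd:
    Dnsmasq queries and forwards; answered: Unbound responses as (rcode, seconds);
    loop_suspect: an internal-zone name Dnsmasq forwarded back to the Unbound address."""
    stats = defaultdict(new_stats)
    for line in unbound_lines:
        m = UNBOUND_RE.search(line)
        if not m:
            continue
        s = stats[m["name"].lower()]
        if m["rcode"]:
            s["answered"].append((m["rcode"], float(m["secs"])))
        elif m["src"] == UNBOUND_ADDR:
            s["loopback_q"] += 1
        else:
            s["client_q"] += 1
    servfails = 0
    for line in dnsmasq_lines:
        m = DNSMASQ_RE.search(line)
        if not m:
            continue  # DHCP lease notices and other non-query lines
        if m["err"]:
            servfails += 1
        elif m["qname"]:
            stats[m["qname"].lower()]["dnsmasq_q"] += 1
        else:
            s = stats[m["fname"].lower()]
            s["dnsmasq_fwd"] += 1
            if m["to"] == UNBOUND_ADDR and in_internal_zone(m["fname"]):
                s["loop_suspect"] = True
    return dict(stats), servfails


def loop_suspects(stats: dict) -> list:
    """Internal-zone names Dnsmasq sent back to Unbound, most-forwarded first."""
    return sorted((n for n, s in stats.items() if s["loop_suspect"]),
                  key=lambda n: (-stats[n]["dnsmasq_fwd"], n))


UNBOUND_LOG = """\
2025-05-19T13:53:48-04:00    Informational    unbound    [5329:3] info: 127.0.0.1 opnsense.org.h1.home.arpa. AAAA IN
2025-05-19T13:53:42-04:00    Informational    unbound    [5329:0] info: 127.0.0.1 opnsense.org.h1.home.arpa. A IN
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:2] info: 192.168.30.2 opnsense.org. AAAA IN NOERROR 0.081485 0 58
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:2] info: 192.168.30.2 opnsense.org. AAAA IN
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 192.168.30.2 opnsense.org. A IN NOERROR 0.321781 0 46
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 192.168.30.2 opnsense.org. A IN
2025-05-19T13:53:40-04:00    Informational    unbound    [5329:1] info: 127.0.0.1 1.30.168.192.in-addr.arpa. PTR IN
2025-05-19T13:53:38-04:00    Informational    unbound    [5329:0] info: 192.168.30.2 opnsense.org.h1.home.arpa. AAAA IN
2025-05-19T13:53:36-04:00    Informational    unbound    [5329:3] info: 192.168.30.2 opnsense.org.h1.home.arpa. A IN
""".splitlines()
DNSMASQ_LOG = """\
2025-05-19T13:53:51-04:00 Informational dnsmasq 32 127.0.0.1/17159 DHCP 192.168.40.3 is chromecast-br.h1.home.arpa
2025-05-19T13:53:48-04:00 Informational dnsmasq 30 127.0.0.1/46952 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:48-04:00 Informational dnsmasq 30 127.0.0.1/46952 query[AAAA] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 26 127.0.0.1/61536 forwarded opnsense.org.h1.home.arpa to 127.0.0.1
2025-05-19T13:53:42-04:00 Informational dnsmasq 26 127.0.0.1/61536 query[A] opnsense.org.h1.home.arpa from 127.0.0.1
2025-05-19T13:53:40-04:00 Informational dnsmasq 24 127.0.0.1/12293 forwarded 1.30.168.192.in-addr.arpa to 127.0.0.1
2025-05-19T13:53:40-04:00 Informational dnsmasq 24 127.0.0.1/12293 query[PTR] 1.30.168.192.in-addr.arpa from 127.0.0.1
2025-05-19T13:51:27-04:00 Informational dnsmasq 2 127.0.0.1/23723 reply error is SERVFAIL
2025-05-19T13:51:27-04:00 Informational dnsmasq 2 127.0.0.1/23723 forwarded omv.h1.home.arpa to 127.0.0.1
""".splitlines()

if __name__ == "__main__":
    stats, servfails = correlate(UNBOUND_LOG, DNSMASQ_LOG)
    for name in loop_suspects(stats):
        print(name, stats[name])
    print("SERVFAIL replies:", servfails)
```

Run against the full logs from the post above, the names flagged by loop_suspects are the ones for which the client was still waiting when nslookup reported its timeouts.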

Although it doesn't help with the DNS resolution issue, there is something strange going on with static reservations.

My desktop PC has 2 NICs (one of them is kept disabled).  Until now I was using the first NIC with a static reservation in Dnsmasq.  In this case, the DNS suffix was always coming as "h1.home.arpa" even though that client is not part of that DHCP range:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : h1.home.arpa
   Description . . . . . . . . . . . : Intel(R) Ethernet Controller (2) I225-V
   Physical Address. . . . . . . . . : 24-xx-xx-xx-xx-CD
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:xx:xxxx:xxxx:xxxx:xxxx:xxx:f69(Preferred)
   IPv6 Address. . . . . . . . . . . : fdf8:fb25:3a87:1030:xxxx:xxxx:xxxx:3a21(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:xx:xxxx:xxxx:9cb5:6288:f91:c4c6(Preferred)
   Temporary IPv6 Address. . . . . . : fdf8:fb25:3a87:1030:9cb5:6288:f91:c4c6(Preferred)
   Link-local IPv6 Address . . . . . : fe80::52cc:xxxx:xxxx:c813%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 19, 2025 3:58:47 PM
   Lease Expires . . . . . . . . . . : Tuesday, May 20, 2025 3:58:44 PM
   Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:39a0%11
                                       192.168.30.1
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-CD
   DNS Servers . . . . . . . . . . . : 192.168.30.1
                                       2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       h1.home.arpa

Switching over to the second NIC, this time I get a DHCP dynamic lease in the same range (192.168.30.x), but now the DNS suffix comes as "home.internal" (as configured in the pool):

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : home.internal
   Description . . . . . . . . . . . : Realtek PCIe 2.5GbE Family Controller
   Physical Address. . . . . . . . . : 78-xx-xx-xx-xx-55
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:xx:xxxx:xxxx:xxx:xxxx:2631:c6ff(Preferred)
   IPv6 Address. . . . . . . . . . . : fdf8:fb25:3a87:1030:xxxx:xxxx:xxxx:e66b(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:xx:xxxx:xxxx:1de4:e57c:4ae3:f9dd(Preferred)
   Temporary IPv6 Address. . . . . . : fdf8:fb25:3a87:1030:1de4:e57c:4ae3:f9dd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::ec8a:xxxx:xxxx:454c%8(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.30.164(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, May 19, 2025 4:02:00 PM
   Lease Expires . . . . . . . . . . : Tuesday, May 20, 2025 4:01:59 PM
   Default Gateway . . . . . . . . . : fe80::xxxx:xxxx:xxxx:39a0%8
                                       192.168.30.1
   DHCP Server . . . . . . . . . . . : 192.168.30.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : 00-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-xx-CD
   DNS Servers . . . . . . . . . . . : 192.168.30.1
                                       2601:xx:xxxx:xxxx:xxxx:xxxx:xxxx:39a0
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       h1.home.arpa

Why should static leases not get the same DNS suffix as the DHCP range configured?

May 19, 2025, 10:24:57 PM #8 Last Edit: May 19, 2025, 10:28:03 PM by Taunt9930
Quote from: OPNenthu on May 19, 2025, 10:19:06 PM
Although it doesn't help with the DNS resolution issue, there is something strange going on with static reservations.

[...]

Why should static leases not get the same DNS suffix as the DHCP range configured?


Does the static address sit within a configured DHCP range (set as mode static) in DNSMASQ for that interface? E.g. an additional range for your reservations?

Per the Docs:

"DHCP reservations
A DHCP reservation will always assign the same IPv4 and IPv6 addresses to a client.

For an IPv4 reservation, a DHCPv4 range should exist. If this DHCPv4 range should only serve reservations, set it to static"

May 19, 2025, 10:30:08 PM #9 Last Edit: May 19, 2025, 10:35:25 PM by julsssark
For issue #4, Proxmox doesn't use DHCP by default and it is not recommended (see link). Unless you've changed it manually, it is a fixed address that is set within Proxmox. I also have a static reservation set in DNSmasq for that IP so I don't forget that it is assigned, but since Proxmox isn't using DHCP, you won't see a lease. You'd only see a lease if DHCP handed out the IP address (either a static or dynamic address).

For Unifi, I have my controller set to receive its address via a static DHCP reservation and the lease is showing up correctly.

Quote from: Taunt9930 on May 19, 2025, 10:24:57 PM
Does the static address sit within a configured DHCP range (set as mode static) in DNSMASQ for that interface? E.g. an additional range for your reservations?

Per the Docs:

"DHCP reservations
A DHCP reservation will always assign the same IPv4 and IPv6 addresses to a client.

For an IPv4 reservation, a DHCPv4 range should exist. If this DHCPv4 range should only serve reservations, set it to static"

Interesting.  No, I only have the dynamic pool defined (192.168.30.100 - 192.168.30.199).

So I need to create a second pool then, 192.168.30.2 - 192.168.30.99, and set it static? 

Will try it out.  That's definitely one difference from ISC...

Quote from: julsssark on May 19, 2025, 10:30:08 PM
[...] since Proxmox isn't using DHCP, you won't see a lease. You'd only see a lease if DHCP handed out the IP address (either a static or dynamic address).

For Unifi, I have my controller set to receive its address via a static DHCP reservation and the lease is showing up correctly.

My Proxmox management interface is static (192.168.60.2) and I added it in Dnsmasq also, for traceability.

The UniFi controller is also static within Proxmox (192.168.1.16; I'm using a VLAN trunk) and it too is added in Dnsmasq.


Both of these would show up in the ISC leases, IIRC, even though they are static in Proxmox.  I think this is a new behavior but I'll have to confirm.

Gitea is the only non-static service in Proxmox (it's using DHCP) and that one shows up in the leases table no problem.

It's been a while since I used ISC, but I would not expect an address to show up as a lease if the DHCP service did not hand the address out.

There's a "Lease Type" column in the ISC leases table.  It would label it as "static" but the line item would still be there, along with a client status (green/connected or red/disconnected).

I did not follow all of this, but at least with static reservations, there is a new DNS problem with 25.1.7:

https://github.com/opnsense/core/issues/8694
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 19, 2025, 11:33:50 PM #14 Last Edit: May 19, 2025, 11:38:35 PM by OPNenthu
Quote from: meyergru on May 19, 2025, 11:07:13 PM
I did not follow all of this, but at least with static reservations, there is a new DNS problem with 25.1.7:

https://github.com/opnsense/core/issues/8694


This is one of the things I'm observing also, except I am not using aliases.  It seems any static reservation by MAC & IP is failing to resolve.

C:\>nslookup unifi.h1.home.arpa
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
*** UnKnown can't find unifi.h1.home.arpa: Server failed

By all accounts, this ^ should work.

However, dynamic leases resolve (eventually, once I get past the timeouts):

C:\>nslookup OnePlus-6T.iot.internal
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    OnePlus-6T.iot.internal
Address:  192.168.40.165