Dnsmasq+Unbound observations in 25.1.7

Started by OPNenthu, May 19, 2025, 07:13:28 PM

May 19, 2025, 11:37:18 PM #15 Last Edit: May 19, 2025, 11:39:58 PM by meyergru
I just updated the ticket title accordingly. We have discovered that in the meantime as well:

No static reservations work unless their DHCP registrations are active. This is because of a bugfix for IPv6 reservations with dynamic prefixes, which obviously cannot work before the actual IPv6 is known. This fix breaks all static IPv6 and IPv4 reservations that expect the DNS resolution regardless of how the client obtains its address.

My preferred fix for this would be to write the reservations like before, leaving out only the affected "partial" IPv6s. However, a fix may take until 25.7 as of now.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on May 19, 2025, 11:37:18 PM
I just updated the ticket title accordingly. We have discovered that in the meantime as well:

No static reservations work unless their DHCP registrations are active. This is because of a bugfix for IPv6 reservations with dynamic prefixes, which obviously cannot work before the actual IPv6 is known. This fix breaks all static IPv6 and IPv4 reservations that expect the DNS resolution regardless of how the client obtains its address.

My preferred fix for this would be to write the reservations like before, leaving out only the affected "partial" IPv6s. However, a fix may take until 25.7 as of now.

When you say the fix may take until 25.7, does this mean all local DNS resolution is broken until then for all static leases?

I migrated to DNSMasq+Unbound over the weekend and everything was running great. I upgraded to 25.1.7 earlier today and now all local resolution of static reservations is broken. Dynamic reservations work just fine. I have confirmed I am set up like the docs suggest; the queries just never resolve at the DNSMasq level for static leases.

I put up the issue to the link here just to save you from finding out by yourself the hard way that this is broken with 25.1.7.

It is not my decision or business when it will be fixed (I just happen to be in the same boat). Look at the linked ticket. Maybe Deciso will decide to put out a hotfix or patch earlier, but the target milestone is 25.7 as of the time of my writing.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Just to put it into perspective: the issue is less than 24 hours old and we already discussed some potential ways to tackle this, but finding the right fix takes some weighing of options and discussion, which takes time.

You can always go back to 25.1.6 for a while longer.
Hardware:
DEC740

Correct. Reverting just works.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 20, 2025, 12:30:52 PM #20 Last Edit: May 20, 2025, 04:09:13 PM by meyergru
As does using "opnsense-patch e69b02c" and reapplying the DNSmasq host reservations, at least for that specific issue.

As @Monviech pointed out, there is a hotfix out already, so please use that and reapply DNSmasq configuration.

Thanks to @Monviech for solving it that fast!
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Just want to say thank you to everyone involved for tracking this down and fixing it!

I had this problem when upgrading to 25.1.7 and immediately rolled back to my old KEA/Unbound configuration since that was working as intended. I applied patch e69b02c above and everything is working again.

Quote from: meyergru on May 20, 2025, 12:30:52 PM
As does using "opnsense-patch e69b02c" and reapplying the DNSmasq host reservations, at least for that specific issue.

Stupid question time. How do you apply that patch?

Just search for updates, it is already hotfixed now.

You might have to press "Apply" in dnsmasq one time after the update.
Hardware:
DEC740

Nice work!  Just updated to 25.1.7_2 and now I am able to query static reservations.

Qualified names work:

C:\>nslookup unifi.h1.home.arpa
Server:  UnKnown
Address:  192.168.30.1

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    unifi.h1.home.arpa
Address:  192.168.1.16

Plain names don't work initially, but after several tries they do:

C:\>nslookup unifi
Server:  UnKnown
Address:  192.168.30.1

*** UnKnown can't find unifi: Server failed


C:\>nslookup unifi
Server:  UnKnown
Address:  192.168.30.1

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    unifi.h1.home.arpa
Address:  192.168.1.16

Obviously my Unbound is still broken / having trouble with internal forwards.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x2.5GbE i226-v
Site 2 |  J4125 | 8GB | 256GB | 4x1GbE i225-v

I'm seeing exactly the same symptoms; DNS timeouts for internal and external addresses.

I do have a slightly different configuration though in that I use Adguard Home running on OPNsense for all DNS queries (port 53). This is then passed on to Unbound running on port 65353 as an upstream DNS server with Private Reverse DNS Server configured to point to Dnsmasq. I've followed the instructions exactly including Dnsmasq running on port 53053 and created the necessary query forwards for all internal domains and reverse lookups.

However, nslookup gives timeouts for every query - even for the same query.

One thing I have noticed though is that the timeouts only happen on Windows devices. I can run nslookup on a Macbook and on Linux and don't see any timeouts, just an instant response.

May 20, 2025, 04:59:00 PM #26 Last Edit: May 20, 2025, 05:16:49 PM by Monviech (Cedrik)
@OP

Let's go at this in a structured way; first, let's compare Unbound configurations. Here is mine, where I do not have any timeouts; maybe we can find a difference. Please post yours. Do not omit anything, do not anonymize anything. If you can't post it, please PM it to me.

I do not see any slow responses with Windows (Surface Pro 5 with Windows 11), macOS (MacBook Pro) or Linux (Debian 12).

UNBOUND:

<unboundplus version="1.0.12">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats/>
        <active_interface/>
        <dnssec>0</dnssec>
        <dns64>0</dns64>
        <dns64prefix/>
        <noarecords>0</noarecords>
        <regdhcp>0</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>0</regdhcpstatic>
        <noreglladdr6>0</noreglladdr6>
        <noregrecords>0</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>1</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity>0</hideidentity>
        <hideversion>0</hideversion>
        <prefetch>1</prefetch>
        <prefetchkey>0</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <aggressivensec>1</aggressivensec>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>1</logqueries>
        <logreplies>1</logreplies>
        <logtagqueryreply>1</logtagqueryreply>
        <logservfail>0</logservfail>
        <loglocalactions>0</loglocalactions>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <discardtimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing>0</infrakeepprobing>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>allow</default_action>
      </acls>
      <dnsbl>
        <enabled>1</enabled>
        <safesearch>0</safesearch>
        <type>sb</type>
        <lists/>
        <whitelists/>
        <blocklists/>
        <wildcards/>
        <address/>
        <nxdomain>1</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled>0</enabled>
      </forwarding>
      <dots>
        <dot uuid="7917a181-1ba1-4ec1-aa57-7463b4b5a325">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>ad.pischem.com</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
        <dot uuid="0fc28394-2da5-470c-b9d8-9d51979878b9">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>gast.pischem.com</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
        <dot uuid="2dc5bc5c-a57b-475b-98a8-84d0d10b9bb2">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>16.172.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
      </dots>
      <hosts/>
      <aliases/>
    </unboundplus>

DNSMASQ:

<dnsmasq version="1.0.5">
    <enable>1</enable>
    <regdhcp>0</regdhcp>
    <regdhcpstatic>0</regdhcpstatic>
    <dhcpfirst>0</dhcpfirst>
    <strict_order>0</strict_order>
    <domain_needed>1</domain_needed>
    <no_private_reverse>0</no_private_reverse>
    <log_queries>1</log_queries>
    <no_hosts>0</no_hosts>
    <strictbind>0</strictbind>
    <dnssec>0</dnssec>
    <regdhcpdomain/>
    <interface>opt1,opt2</interface>
    <port>53053</port>
    <dns_forward_max/>
    <cache_size/>
    <local_ttl/>
    <add_mac/>
    <add_subnet>0</add_subnet>
    <strip_subnet>0</strip_subnet>
    <dhcp>
      <no_interface/>
      <fqdn>1</fqdn>
      <domain/>
      <lease_max/>
      <authoritative>1</authoritative>
      <default_fw_rules>1</default_fw_rules>
      <reply_delay/>
      <enable_ra>1</enable_ra>
      <nosync>0</nosync>
    </dhcp>
    <no_ident>1</no_ident>
    <hosts uuid="474a0dca-beef-4e56-908a-e8ab086640fa">
      <host>pc02</host>
      <domain/>
      <ip>172.16.0.140</ip>
      <client_id/>
      <hwaddr>f0:6e:0b:c1:24:4c</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr/>
      <comments/>
      <aliases/>
    </hosts>
    <dhcp_tags uuid="63db3d8f-e6a8-45ed-b4a5-832a3fcc9160">
      <tag>test</tag>
    </dhcp_tags>
    <dhcp_ranges uuid="3e1125ad-42c6-4e87-a1f1-c3199111b878">
      <interface>opt1</interface>
      <set_tag/>
      <start_addr>172.16.0.100</start_addr>
      <end_addr>172.16.0.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>ad.pischem.com</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="779c0310-fc06-4051-a445-5bb2cad7c9f6">
      <interface>opt2</interface>
      <set_tag/>
      <start_addr>172.16.1.100</start_addr>
      <end_addr>172.16.1.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>gast.pischem.com</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="84184b4c-2145-4052-8991-56088a7dfaa0">
      <interface>opt1</interface>
      <set_tag/>
      <start_addr>::100</start_addr>
      <end_addr>::999</end_addr>
      <constructor>opt1</constructor>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain/>
      <nosync>0</nosync>
      <ra_mode>slaac,ra-names</ra_mode>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="6c525437-5e47-473f-a226-d86d15c5960d">
      <interface>opt2</interface>
      <set_tag/>
      <start_addr>::</start_addr>
      <end_addr/>
      <constructor>opt2</constructor>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain/>
      <nosync>0</nosync>
      <ra_mode>ra-names,ra-stateless</ra_mode>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_options uuid="84858973-99b7-48e0-b969-c3cfcf1ac031">
      <type>set</type>
      <option/>
      <option6>23</option6>
      <interface>opt1</interface>
      <tag/>
      <set_tag/>
      <value>[::]</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="0f7518aa-dcdd-45df-a15e-9ed010422654">
      <type>set</type>
      <option/>
      <option6>23</option6>
      <interface>opt2</interface>
      <tag/>
      <set_tag/>
      <value>[::]</value>
      <force>0</force>
      <description/>
    </dhcp_options>
</dnsmasq>

I am using the exact setup as described here (it was recently updated): https://docs.opnsense.org/manual/dnsmasq.html#dhcpv4-with-dns-registration

Only difference is that I own a domain and use that as my internal one.
Hardware:
DEC740

@Monviech, thanks.  The full Unbound config is pasted below.  I'll PM you my Dnsmasq config because it contains MACs, but I'll also paste a redacted version here.

Unbound:

    <unboundplus version="1.0.12">
      <general>
        <enabled>1</enabled>
        <port>53</port>
        <stats>1</stats>
        <active_interface/>
        <dnssec>1</dnssec>
        <dns64>0</dns64>
        <dns64prefix/>
        <noarecords>0</noarecords>
        <regdhcp>0</regdhcp>
        <regdhcpdomain/>
        <regdhcpstatic>0</regdhcpstatic>
        <noreglladdr6>1</noreglladdr6>
        <noregrecords>1</noregrecords>
        <txtsupport>0</txtsupport>
        <cacheflush>1</cacheflush>
        <local_zone_type>transparent</local_zone_type>
        <outgoing_interface/>
        <enable_wpad>0</enable_wpad>
      </general>
      <advanced>
        <hideidentity>1</hideidentity>
        <hideversion>1</hideversion>
        <prefetch>0</prefetch>
        <prefetchkey>1</prefetchkey>
        <dnssecstripped>0</dnssecstripped>
        <aggressivensec>0</aggressivensec>
        <serveexpired>0</serveexpired>
        <serveexpiredreplyttl/>
        <serveexpiredttl/>
        <serveexpiredttlreset>0</serveexpiredttlreset>
        <serveexpiredclienttimeout/>
        <qnameminstrict>0</qnameminstrict>
        <extendedstatistics>0</extendedstatistics>
        <logqueries>1</logqueries>
        <logreplies>1</logreplies>
        <logtagqueryreply>0</logtagqueryreply>
        <logservfail>0</logservfail>
        <loglocalactions>0</loglocalactions>
        <logverbosity>1</logverbosity>
        <valloglevel>0</valloglevel>
        <privatedomain/>
        <privateaddress>0.0.0.0/8,10.0.0.0/8,100.64.0.0/10,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,233.252.0.0/24,::1/128,2001:db8::/32,fc00::/8,fd00::/8,fe80::/10</privateaddress>
        <insecuredomain/>
        <msgcachesize/>
        <rrsetcachesize/>
        <outgoingnumtcp/>
        <incomingnumtcp/>
        <numqueriesperthread/>
        <outgoingrange/>
        <jostletimeout/>
        <discardtimeout/>
        <cachemaxttl/>
        <cachemaxnegativettl/>
        <cacheminttl/>
        <infrahostttl/>
        <infrakeepprobing>0</infrakeepprobing>
        <infracachenumhosts/>
        <unwantedreplythreshold/>
      </advanced>
      <acls>
        <default_action>allow</default_action>
      </acls>
      <dnsbl>
        <enabled>1</enabled>
        <safesearch>0</safesearch>
        <type>ag,sb</type>
        <lists/>
        <whitelists/>
        <blocklists>trace.svc.ui.com</blocklists>
        <wildcards/>
        <address/>
        <nxdomain>1</nxdomain>
      </dnsbl>
      <forwarding>
        <enabled/>
      </forwarding>
      <dots>
        <dot uuid="c98be808-4cd7-473d-9cb5-bc0d40bab267">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>9.9.9.9</server>
          <port>853</port>
          <verify>dns.quad9.net</verify>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
        <dot uuid="b84bb19f-0d53-4ec3-989a-012284f8035e">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>149.112.112.112</server>
          <port>853</port>
          <verify>dns.quad9.net</verify>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
        <dot uuid="b38fc5d6-a348-4758-b6c1-81523afd1160">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>2620:fe::fe</server>
          <port>853</port>
          <verify>dns.quad9.net</verify>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
        <dot uuid="8d4320ea-0a34-430a-96ad-d3c93a71d6b7">
          <enabled>1</enabled>
          <type>dot</type>
          <domain/>
          <server>2620:fe::9</server>
          <port>853</port>
          <verify>dns.quad9.net</verify>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description/>
        </dot>
        <dot uuid="0fb43272-d79b-4473-9b63-b1b803eb017c">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>h1.home.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq lookup (A) for LAN</description>
        </dot>
        <dot uuid="9391bbdb-2135-4480-a9c7-0248a1125a0a">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>1.168.192.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq reverse lookup (PTR) for LAN</description>
        </dot>
        <dot uuid="a47d7759-d555-47bf-a2ad-88a03f292e72">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>guest.internal</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq lookup (A) for GUEST</description>
        </dot>
        <dot uuid="a13a9eaa-78b5-41a8-a678-a1b5f6f242de">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>20.168.192.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq reverse lookup (PTR) for GUEST</description>
        </dot>
        <dot uuid="cf891bd5-53cb-4e0c-a755-8e92ff03e4ec">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>home.internal</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq lookup (A) for HOME</description>
        </dot>
        <dot uuid="6e6834a6-2136-413e-9a25-de7f44695526">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>30.168.192.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq reverse lookup (PTR) for HOME</description>
        </dot>
        <dot uuid="940a25f0-22ca-4b23-a90d-824613220185">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>iot.internal</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq lookup (A) for IOT</description>
        </dot>
        <dot uuid="093e0408-209c-4659-ae5b-b9ba80b6a181">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>40.168.192.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq reverse lookup (PTR) for IOT</description>
        </dot>
        <dot uuid="e02893f4-5823-4f6f-aa04-3731d8f8ba1c">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>vpn.internal</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq lookup (A) for VPN</description>
        </dot>
        <dot uuid="a19e7326-baa1-4050-aac7-e0c27bd5700b">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>50.168.192.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq reverse lookup (PTR) for VPN</description>
        </dot>
        <dot uuid="5c2aae7e-57a5-4cce-8077-832425ac4406">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>lab.internal</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq lookup (A) for LAB</description>
        </dot>
        <dot uuid="4700bebf-1fe0-421d-a712-23d973634adc">
          <enabled>1</enabled>
          <type>forward</type>
          <domain>60.168.192.in-addr.arpa</domain>
          <server>127.0.0.1</server>
          <port>53053</port>
          <verify/>
          <forward_tcp_upstream>0</forward_tcp_upstream>
          <forward_first>0</forward_first>
          <description>Dnsmasq reverse lookup (PTR) for LAB</description>
        </dot>
      </dots>
      <hosts>
        <host uuid="772b3900-8559-4f54-9231-773362eda505">
          <enabled>1</enabled>
          <hostname>firewall</hostname>
          <domain>h2.home.arpa</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <ttl/>
          <server>192.168.130.1</server>
          <description>OPNsense @ h2 site</description>
        </host>
        <host uuid="b26a8d34-d59a-49e1-9e3b-0195ffa21e13">
          <enabled>1</enabled>
          <hostname>unifi</hostname>
          <domain>h2.home.arpa</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <ttl/>
          <server>192.168.130.2</server>
          <description>UniFi Network @ h2 site</description>
        </host>
        <host uuid="b7432305-e3f0-4500-a860-aa675935e97b">
          <enabled>1</enabled>
          <hostname>epirus</hostname>
          <domain>h2.home.arpa</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <ttl/>
          <server>192.168.130.3</server>
          <description>Bedroom PC @ h2 site</description>
        </host>
        <host uuid="9898e09f-7902-49d6-8c46-51d7224d677c">
          <enabled>1</enabled>
          <hostname>demati</hostname>
          <domain>h2.home.arpa</domain>
          <rr>A</rr>
          <mxprio/>
          <mx/>
          <ttl/>
          <server>192.168.130.4</server>
          <description>Synology DS224+ @ h2 site</description>
        </host>
      </hosts>
      <aliases/>
    </unboundplus>


Dnsmasq (MACs redacted):

<dnsmasq version="1.0.5">
    <enable>1</enable>
    <regdhcp>0</regdhcp>
    <regdhcpstatic>0</regdhcpstatic>
    <dhcpfirst>0</dhcpfirst>
    <strict_order>0</strict_order>
    <domain_needed>0</domain_needed>
    <no_private_reverse>1</no_private_reverse>
    <log_queries>1</log_queries>
    <no_hosts>0</no_hosts>
    <strictbind>0</strictbind>
    <dnssec>0</dnssec>
    <regdhcpdomain/>
    <interface>opt2,opt3,opt4,opt1,lan,opt5</interface>
    <port>53053</port>
    <dns_forward_max/>
    <cache_size/>
    <local_ttl/>
    <add_mac/>
    <add_subnet>0</add_subnet>
    <strip_subnet>0</strip_subnet>
    <dhcp>
      <no_interface/>
      <fqdn>1</fqdn>
      <domain/>
      <lease_max/>
      <authoritative>0</authoritative>
      <default_fw_rules>1</default_fw_rules>
      <reply_delay/>
      <enable_ra>0</enable_ra>
      <nosync>0</nosync>
    </dhcp>
    <no_ident>1</no_ident>
    <hosts uuid="47645bc7-e777-40ee-91ce-5e59f0c3def9">
      <host>sw1</host>
      <domain>h1.home.arpa</domain>
      <ip>192.168.1.6</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>USW-Pro-Max-16-PoE</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="42e20b17-96ee-485c-a6f8-a294e9d805cc">
      <host>ap1</host>
      <domain>h1.home.arpa</domain>
      <ip>192.168.1.11</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>U7 Lite 2nd Floor</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="9d830c51-58e5-409c-9491-337047bd23d1">
      <host>unifi</host>
      <domain>h1.home.arpa</domain>
      <ip>192.168.1.16</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>UniFi Network Application</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="415529a5-6805-4a84-8300-9f46dc0ae9ae">
      <host>tinybox</host>
      <domain>h1.home.arpa</domain>
      <ip>192.168.1.17</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>NUT server / RPi 3B+</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="e28acf68-839f-4ccc-a554-e4a0f140e247">
      <host>BLACKBOX</host>
      <domain>home.internal</domain>
      <ip>192.168.30.2</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>Desktop PC</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="fc8e9408-1cda-44bc-b690-f9f544d09e24">
      <host>omv</host>
      <domain>home.internal</domain>
      <ip>192.168.30.8</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>OpenMediaVault</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="82cdefab-0215-4324-a279-66c0712f4f90">
      <host>hp6088aa</host>
      <domain>iot.internal</domain>
      <ip>192.168.40.2</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>HP Photosmart 7525</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="712bd0c6-8ba6-4615-9b6a-b36ea0e678b8">
      <host>chromecast-br</host>
      <domain>iot.internal</domain>
      <ip>192.168.40.3</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>Bedroom Chromecast</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="1f966d3b-3c07-488d-b12a-6dd27e86918f">
      <host>chromecast-lr</host>
      <domain>iot.internal</domain>
      <ip>192.168.40.4</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>Living Room Chromecast</descr>
      <comments/>
      <aliases/>
    </hosts>
    <hosts uuid="ec1df31a-6b69-4c12-99ed-6d7c8f1e0358">
      <host>pve</host>
      <domain>lab.internal</domain>
      <ip>192.168.60.2</ip>
      <client_id/>
      <hwaddr>xx:xx:xx:xx:xx:xx</hwaddr>
      <lease_time/>
      <ignore>0</ignore>
      <set_tag/>
      <descr>Proxmox VE</descr>
      <comments/>
      <aliases/>
    </hosts>
    <dhcp_ranges uuid="5c0e81f5-b10b-4cb2-836f-f7501b3be776">
      <interface>lan</interface>
      <set_tag/>
      <start_addr>192.168.1.100</start_addr>
      <end_addr>192.168.1.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>h1.home.arpa</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="1f9156cc-3f3d-4d7b-a9f8-8cb57b959456">
      <interface>opt2</interface>
      <set_tag/>
      <start_addr>192.168.20.100</start_addr>
      <end_addr>192.168.20.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>guest.internal</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="8026572d-7028-499d-87d3-dd839667af64">
      <interface>opt3</interface>
      <set_tag/>
      <start_addr>192.168.30.100</start_addr>
      <end_addr>192.168.30.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>home.internal</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="690266e3-481e-41f1-a30f-bf1b68d7217f">
      <interface>opt4</interface>
      <set_tag/>
      <start_addr>192.168.40.100</start_addr>
      <end_addr>192.168.40.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>iot.internal</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="f1e1f6a9-5b3a-4f88-a760-58d07af51897">
      <interface>opt5</interface>
      <set_tag/>
      <start_addr>192.168.50.100</start_addr>
      <end_addr>192.168.50.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>vpn.internal</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_ranges uuid="8035e2df-4f21-4b63-a4ea-8d72404a2993">
      <interface>opt1</interface>
      <set_tag/>
      <start_addr>192.168.60.100</start_addr>
      <end_addr>192.168.60.199</end_addr>
      <constructor/>
      <mode/>
      <prefix_len/>
      <lease_time/>
      <domain>lab.internal</domain>
      <nosync>0</nosync>
      <ra_mode/>
      <ra_priority/>
      <ra_mtu/>
      <ra_interval/>
      <ra_router_lifetime/>
      <description/>
    </dhcp_ranges>
    <dhcp_options uuid="1b7d3a55-7c1f-46d4-9e77-a46659ec6401">
      <type>set</type>
      <option>42</option>
      <option6/>
      <interface>lan</interface>
      <tag/>
      <set_tag/>
      <value>192.168.1.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="e4aede3d-80de-4086-8420-b48f32574ae6">
      <type>set</type>
      <option>6</option>
      <option6/>
      <interface>opt2</interface>
      <tag/>
      <set_tag/>
      <value>1.1.1.1,1.0.0.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="b0793cb9-63ee-4e31-8209-6650cf05996e">
      <type>set</type>
      <option>42</option>
      <option6/>
      <interface>opt2</interface>
      <tag/>
      <set_tag/>
      <value>192.168.20.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="8937f768-6e35-4fe1-85dd-81818bcf84fe">
      <type>set</type>
      <option>42</option>
      <option6/>
      <interface>opt3</interface>
      <tag/>
      <set_tag/>
      <value>192.168.30.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="82f23a0b-3e23-4cdf-97cf-84411ba0d769">
      <type>set</type>
      <option>42</option>
      <option6/>
      <interface>opt4</interface>
      <tag/>
      <set_tag/>
      <value>192.168.40.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="52f318f0-ed93-49e1-b4ee-ade96582958a">
      <type>set</type>
      <option>42</option>
      <option6/>
      <interface>opt5</interface>
      <tag/>
      <set_tag/>
      <value>192.168.50.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="f31b62fb-76b5-45a7-94d2-94617261ff4b">
      <type>set</type>
      <option>42</option>
      <option6/>
      <interface>opt1</interface>
      <tag/>
      <set_tag/>
      <value>192.168.60.1</value>
      <force>0</force>
      <description/>
    </dhcp_options>
    <dhcp_options uuid="675d2222-af1c-4894-a9fc-3d4504a1521f">
      <type>set</type>
      <option>43</option>
      <option6/>
      <interface>lan</interface>
      <tag/>
      <set_tag/>
      <value>01:04:c0:a8:01:10</value>
      <force>0</force>
      <description>UniFi controller</description>
    </dhcp_options>
  </dnsmasq>
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x2.5GbE i226-v
Site 2 |  J4125 | 8GB | 256GB | 4x1GbE i225-v
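Monviech's suggestion above is to compare the two Unbound configurations leaf by leaf; with config blobs this long, eyeballing them misses things. The following script is an added example (not OPNsense code and not something anyone in the thread posted) that flattens two OPNsense-style XML fragments into path/value pairs and lists only the leaves that differ. The two embedded fragments are constructed, trimmed excerpts shaped like the `<unboundplus>` blocks posted above (the uuid values are placeholders); to use it on real configs, read the full XML from files instead.

```python
"""Leaf-by-leaf diff of two OPNsense config XML fragments.
Added example, not OPNsense code; the embedded fragments are constructed,
trimmed excerpts shaped like the <unboundplus> blocks in this thread."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the shape of the reference (no-timeout) config.
REFERENCE_XML = """
<unboundplus version="1.0.12">
  <general>
    <enabled>1</enabled>
    <port>53</port>
    <stats/>
    <dnssec>0</dnssec>
    <noreglladdr6>0</noreglladdr6>
    <noregrecords>0</noregrecords>
  </general>
  <advanced>
    <prefetch>1</prefetch>
    <prefetchkey>0</prefetchkey>
    <aggressivensec>1</aggressivensec>
  </advanced>
  <dots>
    <dot uuid="placeholder-uuid-1">
      <type>forward</type>
      <domain>ad.pischem.com</domain>
      <server>127.0.0.1</server>
      <port>53053</port>
    </dot>
  </dots>
</unboundplus>
"""

# Constructed excerpt in the shape of the config that shows timeouts.
MINE_XML = """
<unboundplus version="1.0.12">
  <general>
    <enabled>1</enabled>
    <port>53</port>
    <stats>1</stats>
    <dnssec>1</dnssec>
    <noreglladdr6>1</noreglladdr6>
    <noregrecords>1</noregrecords>
  </general>
  <advanced>
    <prefetch>0</prefetch>
    <prefetchkey>1</prefetchkey>
    <aggressivensec>0</aggressivensec>
  </advanced>
  <dots>
    <dot uuid="placeholder-uuid-2">
      <type>dot</type>
      <domain/>
      <server>9.9.9.9</server>
      <port>853</port>
      <verify>dns.quad9.net</verify>
    </dot>
    <dot uuid="placeholder-uuid-3">
      <type>forward</type>
      <domain>h1.home.arpa</domain>
      <server>127.0.0.1</server>
      <port>53053</port>
    </dot>
  </dots>
</unboundplus>
"""


def flatten(xml_text: str) -> Dict[str, str]:
    """Map every leaf element to its text, keyed by a slash-separated path."""
    root = ET.fromstring(xml_text.strip())
    leaves: Dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        seen: Dict[str, int] = {}
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            # OPNsense list entries (dot, host, ...) carry a uuid attribute;
            # index those positionally so repeated siblings keep distinct keys.
            seg = f"{child.tag}[{seen[child.tag]}]" if "uuid" in child.attrib else child.tag
            key = f"{path}/{seg}"
            if len(child):
                walk(child, key)
            else:
                leaves[key] = (child.text or "").strip()

    walk(root, root.tag)
    return leaves


def diff_configs(a_xml: str, b_xml: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {path: (value_in_a, value_in_b)} for every leaf that differs;
    a leaf missing from one side shows up as None on that side."""
    a, b = flatten(a_xml), flatten(b_xml)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def report(diff: Dict[str, Tuple[Optional[str], Optional[str]]]) -> List[str]:
    """One printable line per differing leaf."""
    return [f"{k}: {a!r} -> {b!r}" for k, (a, b) in diff.items()]


if __name__ == "__main__":
    for line in report(diff_configs(REFERENCE_XML, MINE_XML)):
        print(line)
```

Entries with a uuid attribute are compared by position, so two configs whose forward lists are ordered differently will show whole-entry differences; sort or filter those paths if that noise gets in the way. What the script does surface directly are the scalar toggles (here `dnssec`, `prefetch`, `noregrecords` and friends) that are easy to overlook in a thousand-line paste.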

Thanks I will import these tomorrow and see if I can replicate the issues.

If somebody else wants to try too, go ahead.
Hardware:
DEC740

Quote from: RutgerDiehard on May 20, 2025, 04:50:01 PM
One thing I have noticed though is that the timeouts only happen on Windows devices. I can run nslookup on a Macbook and on Linux and don't see any timeouts, just an instant response.

I just tried from a Raspberry Pi and I'm seeing the same kind of failures, although I can't rule out configuration issues on my end yet (TBD).

What I can say though is that 'dig' fails instantly with 'NXDOMAIN' whereas 'nslookup' (on both Linux and Windows) gives several timeouts before finally returning 'SERVFAIL'.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x2.5GbE i226-v
Site 2 |  J4125 | 8GB | 256GB | 4x1GbE i225-v
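The nslookup transcripts earlier in the thread and the last post above show why the tool is a poor instrument for this: it mixes timeouts, SERVFAIL and a final answer into one screen, and on Windows it silently appends the connection's DNS suffix (a query for `unifi` comes back as `unifi.h1.home.arpa`). The following probe is an added example (standard library only, not OPNsense code and not posted by anyone in the thread): it sends one UDP query with the name exactly as given and labels the outcome as ANSWER, NODATA, NXDOMAIN, SERVFAIL or TIMEOUT, which makes "dig says NXDOMAIN, nslookup times out" a directly observable difference. The resolver address and the names on the command line are assumptions; `make_response` builds a constructed reply so the classification can be checked offline.

```python
"""Minimal DNS probe that separates the outcomes nslookup blurs together:
ANSWER, NODATA, NXDOMAIN, SERVFAIL, TIMEOUT. Added example, standard library
only; resolver address and query names are supplied on the command line."""
import random
import socket
import struct
import sys
from typing import Optional

# RCODE values from the DNS header (RFC 1035 section 4.1.1)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode one recursive (RD=1) question for `name`; qtype 1 = A record."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; the RCODE is the low nibble of the flags."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"), "answers": an}


def classify(resp: Optional[bytes], txid: int) -> str:
    """Turn a raw reply (or None when nothing came back) into one outcome label."""
    if resp is None:
        return "TIMEOUT"
    if len(resp) < 12:
        return "MALFORMED"
    h = parse_header(resp)
    if h["txid"] != txid or not h["qr"]:
        return "MISMATCH"  # reply to a different query, or not a reply at all
    if h["rcode"] == 0:
        return "ANSWER" if h["answers"] > 0 else "NODATA"
    return h["rcode_name"]


def make_response(txid: int, rcode: int, answers: int = 0) -> bytes:
    """Constructed reply header (QR=1, RD=1, RA=1) used for offline checks only."""
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, answers, 0, 0)


def probe(name: str, server: str, port: int = 53, timeout: float = 2.0) -> str:
    """Send one UDP query exactly as given (no search-suffix appending)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            resp = None
        except OSError as exc:  # e.g. ICMP port unreachable surfaced by the kernel
            return f"ERROR:{exc.errno}"
    return classify(resp, txid)


if __name__ == "__main__":
    # usage: python dnsprobe.py <resolver-ip> name [name ...]
    resolver, names = sys.argv[1], sys.argv[2:]
    for qname in names:
        print(f"{qname:30} {probe(qname, resolver)}")
```

Run it once against Unbound on port 53 and once directly against Dnsmasq on port 53053 (pass `port=53053` to `probe`) for the same name, qualified and bare; the pair of labels tells you which hop produces the SERVFAIL or the silence, which the nslookup output above cannot.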