dnsmasq and query forwarding

Started by tessus, May 25, 2025, 03:22:59 PM

I'm running 25.1.7_4 and looked at the settings for Dnsmasq DNS & DHCP. My current Unbound DNS does not do query forwarding and I currently do not want to do that with dnsmasq either.

However, if I wanted to do so, how would I specify the upstream DNS servers? There is nothing to set in the options.
Also, there is no way to enable/disable query forwarding, so what does dnsmasq do? I don't see, whether it is active or not. Is it enabled or not? This all is very confusing.

These are the only options one can set for query forwarding (screenshot attachment not reproduced here).

DNSmasq always forwards, because it does not support recursion. I assume it uses the servers set in System > Settings > General, but I am not 100% sure. About the first sentence I am. Not forwarding is simply not an option. Only Unbound and BIND can do that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You can only selectively limit what DNSmasq forwards, i.e. private reverse lookups and with an upcoming patch (3b8e4a6, I think it is not yet in 25.1.7_4), also for the domains that have been used in DHCP ranges. Everything else will be asked from upstream servers.

As Patrick said, these are the ones from the system settings plus 127.0.0.1 as upstream servers, which could be Unbound, if you follow the recommendations in the docs. If you remove all system nameservers, then only 127.0.0.1 will be used.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

May 26, 2025, 06:26:01 PM #3 Last Edit: May 26, 2025, 06:31:25 PM by tessus
Thanks for the replies.

Unfortunately this logic makes it impossible for me to replace unbound/isc with dnsmasq. Imagine my opnsense system specifies my pihole as the upstream DNS. Then my pihole (which is set and used by all my clients) asks via conditional forwarding dnsmasq on opnsense for internal address resolution. If anything goes wrong here, and we all know that can happen and has happened in the past (due to bugs, misconfig, and whatnot), there's an infinite query loop.

As mentioned before, I need dnsmasq (as my current unbound) for internal address resolution only. If I cannot configure dnsmasq to do just that, I cannot use it.

This also means that I cannot migrate from ISC to dnsmasq (DHCP only), because I still need dnsmasq to do local address resolution. dnsmasq DHCP does not register the leases with Unbound but with dnsmasq only. So I still need Unbound which then asks dnsmasq, which then could still ask my pihole - there's the infinite loop again. The same is true, if I were to use 127.0.0.1 in an Unbound/dnsmasq or dnsmasq-only scenario.

I know that dns resolvers have a bunch of settings to mitigate such loops, but when I currently go through the stack and its options, nothing seems to apply.

It should be easy to add a GUI option to tell dnsmasq not to forward queries at all. I know that it is possible to configure dnsmasq not to forward queries. opnsense just needs to create an option for that.



It has been added but its not in a release yet.

You can patch it in from the opnsense shell with:

opnsense-patch https://github.com/opnsense/core/commit/220dbc7931e11c71587734ed9c1731abdf9eaff8
opnsense-patch https://github.com/opnsense/core/commit/3b8e4a6ab6f74c24eca3b34d8ae0370a4ce494b8
(make sure you are on 25.1.7_4)
Read the links for descriptions of what is added.
Hardware:
DEC740

Quote from: tessus on May 26, 2025, 06:26:01 PM:
It should be easy to add a GUI option to tell dnsmasq not to forward queries at all. I know that it is possible to configure dnsmasq not to forward queries. opnsense just needs to create an option for that.

"Not at all" is somewhat relative:

The two patches @Monviech mentioned ought to make sure that there will be no default upstream requests and also none for the DHCP range domain names. I have some host definitions with domain names that are not within my DHCP ranges (I use them for remote VPN IPs). When such domain names get appended by Windows via the DNS search list, then there will still be requests for something like "www.google.com.internal-vpn", which still get forwarded by DNSmasq to upstream servers, if they are configured.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

You could just drop all domains into a custom override file, dnsmasq has a custom import folder.

Check how adblocking works:

https://github.com/hagezi/dns-blocklists/blob/main/dnsmasq/anti.piracy.txt

You can just throw that into the import folder and it will "block" all of these local domains. Same as if you need some custom ones yourself, just create a file like this.
Hardware:
DEC740

May 26, 2025, 08:30:50 PM #7 Last Edit: May 26, 2025, 08:33:39 PM by meyergru
I know that, but I would have liked a GUI input with a plain list of domains to add with local=/domain/ definitions without any need to have either external (i.e. Unbound forward domains) or "internal" (i.e. DHCP range domains, like you implemented it) dependency - following your and Franco's approach to keep it to the tool itself and not integrate multiple tools to solve a specific application need.

You could still add that on top.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
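A concrete drop-in of the kind described in the two posts above (a file in the dnsmasq import folder containing local=/domain/ lines), as an added example that is not code from this thread or from the OPNsense project. It assumes the import directory on OPNsense is /usr/local/etc/dnsmasq.conf.d (verify on your installation), assumes the "Do not forward private reverse lookups" checkbox corresponds to dnsmasq's bogus-priv option, and uses the made-up zone names lan and internal-vpn:

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: generate a dnsmasq
# drop-in that keeps internal zones local. dnsmasq treats local=/zone/ as
# server=/zone/ with no upstream address: names under that zone are answered
# from hosts/DHCP data only and are never forwarded, so an unknown name such
# as www.google.com.internal-vpn gets NXDOMAIN instead of a trip upstream.
# That closes the Pi-hole -> dnsmasq -> Pi-hole loop for those zones.

# Assumed location of the OPNsense dnsmasq import folder; verify on your box.
CONF_DIR="${CONF_DIR:-/usr/local/etc/dnsmasq.conf.d}"

# Print one local=/<zone>/ line per argument, then bogus-priv, which answers
# reverse lookups for RFC 1918 ranges from local data only (assumed to be the
# option behind "Do not forward private reverse lookups").
gen_local_only_conf() {
    printf '# local-only zones: answered from hosts/DHCP, never forwarded\n'
    for zone in "$@"; do
        zone="${zone#.}"                 # accept ".lan" as well as "lan"
        [ -n "$zone" ] || continue       # skip empty arguments
        printf 'local=/%s/\n' "$zone"
    done
    printf 'bogus-priv\n'
}

# Write the drop-in and syntax-check only that directory. conf-file=/dev/null
# keeps dnsmasq from also reading its default main config during the test;
# dnsmasq --test exits non-zero on a syntax error.
write_local_only_conf() {
    gen_local_only_conf "$@" > "$CONF_DIR/local-only.conf" || return 1
    if command -v dnsmasq >/dev/null 2>&1; then
        dnsmasq --test --conf-file=/dev/null --conf-dir="$CONF_DIR" || return 1
    fi
    return 0
}

# Example call (uncomment on the firewall); restart dnsmasq from the GUI
# afterwards so the new file is picked up:
# write_local_only_conf lan internal-vpn
```

Because local=/zone/ matches the zone and every name below it, the Windows search-list case from the previous post (a public name with the internal suffix appended) stays inside dnsmasq as well.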

If you just want a HostnameField in the (advanced) general settings you can open an issue on github. Should be simple to add. Though we first need to discuss it like all additions.
Hardware:
DEC740


Should the two patches @Monviech mentioned also correct reverse lookups? In my case, following the configuration (Dnsmasq and Unbound) in the doc, reverse lookups are still failing (forwards are now working though).
N5105  4GB | 250GB | 2x2.5GbE i226-v

May 27, 2025, 02:46:56 PM #11 Last Edit: May 27, 2025, 02:49:47 PM by meyergru
Did you do a custom forward in Unbound for "...168.192.in-addr.arpa" (or whatever you use) to DNSmasq? This is shown in the configuration examples.

Also, you will have to check "Do not forward private reverse lookups" in DNSmasq.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Yes, I have Dnsmasq DNS do not forward reverse + system dns servers (no dns servers are configured at system level) and Unbound custom forwards configured for each of my subnets.

What i have also observed is that the forward and reverse lookups work initially after service restarts or firewall reboot only for a short time, then I start receiving NXDOMAIN.

Pending your response, I'm thinking I may need to redo my configs from scratch to make sure I haven't misconfigured something, since I have been trying to get this working over the past week (static and dynamic leases are working as expected, it's just name resolution that is not).
N5105  4GB | 250GB | 2x2.5GbE i226-v

There is a lot going on between Unbound and DNSmasq with DNS names and forwarding and with FQDN vs. plain names, because at times they play ping-pong if configured incorrectly. I had all kinds of strange things going on when that happened.

If you want to check that out, you can track this down to whether DNSmasq or Unbound is the culprit by using:

# nslookup
> set port=53053
> server 127.0.0.1

and only then start entering DNS names. By doing this, you ask DNSmasq directly. Unbound can only work with what it gets from DNSmasq for delegated domains. Also try out what happens, when you ask for names that do not exist. If DNSmasq returns REFUSED instead of NXDOMAIN, Unbound will deliver a SERVFAIL. That in turn may lead to timeouts, if system nameservers are configured.

Also, you can look at /var/etc/dnsmasq-hosts to see if your DHCP host entries are there, including all their aliases.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
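The same check as the nslookup session above, scripted so the RCODE is read off directly and mapped to what Unbound will do with it, as an added example that is not code from this thread or from OPNsense. It assumes dnsmasq listens on 127.0.0.1 port 53053 (the side-by-side layout from the docs), that either drill (ldns, shipped with FreeBSD) or dig is available, and that "host.lan" is a made-up name:

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: query dnsmasq directly
# on its own port and classify the RCODE. Unbound only forwards to dnsmasq for
# the delegated zones, so a wrong RCODE here is what later shows up as
# SERVFAIL or timeouts on the Unbound side.

DNSMASQ_ADDR="${DNSMASQ_ADDR:-127.0.0.1}"   # assumed address
DNSMASQ_PORT="${DNSMASQ_PORT:-53053}"       # assumed port from the docs setup

# Pull the RCODE out of the resolver tool's header line. drill prints
# "rcode: NXDOMAIN", dig prints "status: NXDOMAIN". Prints UNKNOWN when no
# header is present at all (timeout, nothing listening on the port).
rcode_of_output() {
    hdr="$(printf '%s\n' "$1" | grep -- '->>HEADER<<-' | head -n 1)"
    code="$(printf '%s\n' "$hdr" | sed -n 's/.*rcode: \([A-Z]*\).*/\1/p')"
    [ -n "$code" ] || code="$(printf '%s\n' "$hdr" | sed -n 's/.*status: \([A-Z]*\).*/\1/p')"
    printf '%s\n' "${code:-UNKNOWN}"
}

# Map the RCODE to its meaning for an Unbound forward zone pointing at dnsmasq.
explain_rcode() {
    case "$1" in
        NOERROR)  echo "answered: dnsmasq knows the name (check the returned record)" ;;
        NXDOMAIN) echo "clean negative answer: zone is local and the name is unknown; Unbound passes NXDOMAIN through" ;;
        REFUSED)  echo "refused: zone is not local and dnsmasq has no upstream for it; Unbound turns this into SERVFAIL" ;;
        SERVFAIL) echo "dnsmasq itself failed: upstream unreachable or a forwarding loop" ;;
        *)        echo "no usable answer: check the port and that dnsmasq is running" ;;
    esac
}

# Ask dnsmasq (not Unbound) for one name and print name, RCODE and meaning.
ask_dnsmasq() {
    if command -v drill >/dev/null 2>&1; then
        out="$(drill -p "$DNSMASQ_PORT" "$1" @"$DNSMASQ_ADDR" 2>&1)"
    elif command -v dig >/dev/null 2>&1; then
        out="$(dig @"$DNSMASQ_ADDR" -p "$DNSMASQ_PORT" "$1" 2>&1)"
    else
        echo "neither drill nor dig found" >&2
        return 2
    fi
    code="$(rcode_of_output "$out")"
    printf '%s -> %s: %s\n' "$1" "$code" "$(explain_rcode "$code")"
}

# Example calls (uncomment on the firewall): one name that should exist and
# one that must not, to see NXDOMAIN rather than REFUSED for the local zone.
# ask_dnsmasq host.lan
# ask_dnsmasq does-not-exist.lan
```

Run it for an existing host, a non-existent name in the same zone, and a reverse name such as 1.1.168.192.in-addr.arpa; if the non-existent name comes back REFUSED rather than NXDOMAIN, the zone is not marked local in dnsmasq and Unbound will answer SERVFAIL for it.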

Quote from: meyergru on May 26, 2025, 08:57:22 PM:
Done.

Nice one, thank you, @Monviech: Your solution here is even better and it works, too (I just tried). I also updated the helper scripts to reflect the CSV structure change that goes along with it (hoping to see this change in an upcoming release).
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+