Unbound: dynamic hostname mapping/KEA & ISC cannot be enabled back

Started by hakuna, Today at 11:15:16 AM

Before: Client > OPNSense ISC > PiHole (mDNS) + Unbound Recursive DNS > out
Goal: Client > OPNSense (DHCP, Unbound Recursive DNS, mDNS ) > PiHole > out

How is it going:

DHCP

  • KEA is being named as the replacement for ISC, but it does not support "Register DHCP mappings"
  • Dnsmasq does support "Register DHCP mappings", but it is under the ISC/KEA DHCP section, for when it is set as DNS, not as DHCP server (????)
  • Online sources and the documentation point to ISC as the only one supporting dynamic hostname mapping
https://docs.opnsense.org/manual/unbound.html
  • Since I disabled ISC to try KEA and dnsmasq, I cannot enable it back, ISC DHCPv4 is literally empty
  • I am stuck with KEA which doesn't work for what I need and neither does dnsmasq

DNS

  • Surfing the internet is insanely faster thanks to OPNSense running it instead of PiHole (tiny VM)
  • "Flush DNS Cache during reload" is disabled, but reloading Unbound cleans the cache and we are back to dial-up speed every single time(????)
  • ping "s6.home.arpa" no longer works, I must move Unbound back to PiHole and manually set the local DNS there
  • Official documentation does not mention Unbound runs as recursive DNS by default

I am in the process of setting up dual-stack so it makes more sense to move things to OPNSense.
But dynamic hostname mapping does not work, let alone a manual one.
ISC is gone, the only one that supports dynamic hostname mapping (I guess) can no longer be enabled on 26.1.1, it is gone.

I am stuck with IP only unless I move things back to Pi-Hole.

To get ISC back install the plugin. Kea does support registration of static mappings in Unbound. Or go DNSmasq for DHCP and DNS.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on Today at 11:20:28 AM
To get ISC back install the plugin. Kea does support registration of static mappings in Unbound. Or go DNSmasq for DHCP and DNS.

I had to:

  • Disable Dnsmasq
  • Enable Kea
  • ISC options are back
  • Disable Kea
  • Enable ISC back

This cannot be right at all.

OPNSense documentation mentions that Kea does not support registration mapping; it does not even have the option.
Dnsmasq for DHCP + DNS does not give me Recursive DNS.

Kea does register static mappings as documented:

Quote
Currently it is not possible to register hostnames dynamically between KEA and Unbound, only static reservations will be synchronized on an Unbound service restart.

https://docs.opnsense.org/manual/kea.html

If you must have registration of dynamic mappings, your only choice is DNSmasq. For recursion you can either

- use Unbound as the client facing recursive server and forward the local domain to DNSmasq
- use DNSmasq as the client facing not recursive server and forward to unbound as upstream for recursion

I'd say which one to pick is a matter of taste.

But since I absolutely dislike DNSmasq and never register dynamic leases, anyway, I am happy with Kea and Unbound.

YMMV
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
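The first of the two layouts above (Unbound client facing and recursive, with only the local domain handed to DNSmasq) written out as an unbound.conf fragment. This is an added example, not a configuration from this thread or from OPNsense's generated config; it assumes DNSmasq has been moved off port 53 and listens on 127.0.0.1 port 5353 (a constructed value), that the local domain is home.arpa and the LAN is 192.168.1.0/24 as used elsewhere in the thread, and it uses only stock Unbound directives.

```conf
# Added example: Unbound stays the client-facing recursive resolver,
# only home.arpa and its reverse zone are forwarded to DNSmasq.

server:
    # home.arpa and the RFC 1918 reverse zones are built-in "static"
    # local zones in Unbound; without "nodefault" the forward-zone
    # below would never be consulted and queries would get NXDOMAIN.
    local-zone: "home.arpa." nodefault
    local-zone: "1.168.192.in-addr.arpa." nodefault

    # Allow RFC 1918 answers in this domain even if private-address
    # filtering (rebind protection) is enabled for everything else.
    private-domain: "home.arpa."

    # Do not try to DNSSEC-validate data coming from the unsigned
    # local zone served by DNSmasq.
    domain-insecure: "home.arpa."
    domain-insecure: "1.168.192.in-addr.arpa."

# Forward the local domain to DNSmasq (assumed on 127.0.0.1 port 5353).
forward-zone:
    name: "home.arpa."
    forward-addr: 127.0.0.1@5353

forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@5353
```

On the DNSmasq side the matching pieces are `port=5353`, `local=/home.arpa/` so it answers authoritatively for the domain and never tries an upstream, and `domain=home.arpa` so lease hostnames are registered under it. Everything not in home.arpa or the reverse zone is resolved recursively by Unbound exactly as before, so the cache and recursion behaviour discussed earlier in the thread are unchanged.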

Quote from: Patrick M. Hausen on Today at 11:34:49 AM
But since I absolutely dislike DNSmasq and never register dynamic leases, anyway, I am happy with Kea and Unbound.

YMMV

Got everything working dynamically:

  • ISC DHCPv4 does its thing
  • Unbound does its things: Recursive and "Register ISC DHCP4 Leases" and "Register DHCP Static Mappings"
  • PiHole was the missing bit: Condition Forward: true,192.168.1.0/24,192.168.1.1,home.arpa

My tablet got a dynamic 192.168.1.82, I can now "dig s6.home.arpa" and get the response back.
I can also go to the browser and hit https://firewall01.home.arpa, that goes to OPNSense as it should.

I will leave as it is until Kea supports dynamic mapping or until OPNSense completely removes ISC.

Finally, I have been fighting this since 5PM, it is 10PM now lmao

Thank you so much :)


EDIT: If anybody knows please let me know how to report bugs: Unbound does not respect: Flush DNS Cache during reload
Reloading the service is purging the cache every time.

Open an issue on Github: https://github.com/opnsense/core/issues
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


For future reference, this is an intended behaviour and the ticket was closed in 2021: https://github.com/opnsense/core/commit/4a1bc9f8b5e65651e85385ce0fc6969cd30b2c13

Unbound by design flushes the cache and reloads the config on reload; there is an option to avoid that, but.

Quote from: hakuna on Today at 12:07:08 PM
EDIT: If anybody knows please let me know how to report bugs: Unbound does not respect: Flush DNS Cache during reload
Reloading the service is purging the cache every time.

Even if you remove the check mark?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I think it's working as described, but it doesn't work on reboots (by initial design).

We discussed it here https://github.com/opnsense/core/issues/9774

Cheers,
Franco

Quote from: hakuna on Today at 11:15:16 AM
Surfing the internet is insane faster thanks to OPNSense running it instead of PiHoles (tiny VM)

I don't know what you are doing wrong, but my setup:
- OPNsense KEA DHCP Server.
- Pi-Hole + Unbound that queries the Root DNS Servers as the DNS IP Address for the Clients.

Never lets me down! :)

When it comes to DNS Resolving speed there were multiple benchmarks that showed very little differences in the hardware used and even compared to DNS Servers that due to their larger "Client Pool" have a lot of addresses cached were not that faster than Pi-Hole + Unbound running on a simple Raspberry Pi 3B/3B+/4B at the time.

Quote
ping "s6.home.arpa" no longer works, I must move Unbound back to PiHole and manually set the local DNS there.

In my case everything is set up as follows:
- Static DHCP IP Mappings based on MAC Address for ALL CLIENTS.
- Local DNS Records in Pi-Hole for all of them.

Works like a charm! :)

Quote
I am in the process of setting up dual-stack so it makes more sense to move things to OPNSense.

Dual-Stack in combination with Pi-Hole should not be an issue at all: What is your main issue at the moment?

Quote from: Patrick M. Hausen on Today at 11:34:49 AM
I absolutely dislike DNSmasq
Why ?!

Especially "boosted" by the Pi-Hole Team as their FTLDNS it's really nice to work with in general :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on Today at 03:25:38 PM
Why ?!

It's missing a sound architecture and does too many things in a single tool. Like systemd.

DHCP, DNS and RA are three completely separate services and I like to treat them as such. Kea, Unbound, radvd.

Also it's "alien" to the FreeBSD ecosystem. Why import a Linux centred single person project when there is standard software for the task. Similarly I do not understand why "we" import radvd. rtadvd has been a part of FreeBSD ever since IPv6 was introduced. I would pick that. Kea is the successor to ISC DHCPd. By ISC. Just use it.

If I were to decide I would use BIND instead of Unbound and implement proper dynamic updates via RFC 2137. Also provide in the UI only

- DHCP
- DNS
- RA

without even mentioning the products. Choice is not good in this firewall context. Choice means wasted effort on the development side.


Quote from: nero355 on Today at 03:25:38 PM
Especially "boosted" by the Pi-Hole Team as their FTLDNS it's really nice to work with in general :)

Pihole is again Linux centred and you need a separate system. I run AdGuard Home on my OPNsense for filtering.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on Today at 03:36:40 PM
It's missing a sound architecture and does too many things in a single tool. Like systemd.
Not a fan of SystemD either, but it is what it is and some things are even kind of cool to use so that "softens the blow" a bit...

Quote
Also it's "alien" to the FreeBSD ecosystem. Why import a Linux centred single person project when there is standard software for the task.
From what I have heard/read so far Simon Kelly is often supported by many other developers so it's not really a single person project.
And he is also not the "Lead Developer of OpenBSD" kind of guy if you know what I mean, so any input someone has is actually being looked at and communicated about :)

Quote
Also provide in the UI only

- DHCP
- DNS
- RA

without even mentioning the products. Choice is not good in this firewall context. Choice means wasted effort on the development side.
And probably a lot of Support workhours too so I fully agree with you on that one!

Quote from: nero355 on Today at 03:25:38 PM
Pi-Hole is again Linux centred and you need a separate system. I run AdGuard Home on my OPNsense for filtering.
I feel like AdGuard is a total Pi-Hole ripoff and do not like pretty much everything about it.

Having my DNS separated from OPNsense is not a big deal for me either.

And the guys that develop Pi-Hole are really cool to talk with too! :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on Today at 03:55:15 PM
I feel like AdGuard is a total Pi-Hole ripoff and do not like pretty much everything about it.

I love the UI. I love that it's written in Golang. I love that there is an official FreeBSD port (because the FreeBSD ports framework has good tooling for Go applications). I love the paid (but cheap) mobile iOS app. Performance and reliability - no complaints whatsoever.

Me do me - you do you 🙂
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)