Tried moving from Dnsmasq to KEA - DNS issues

Started by pseudonym3k, Today at 01:56:43 AM

Home user here with a nearly default install of OPNsense.

Simple home network of one WAN, one LAN, one Wireless AP.

My ISP does not provide IPv6 and I don't have any IPv6 or DHCPv6 configuration anywhere that I am aware of.

Unbound is disabled.

Four DNS servers in System->Settings->General. NO boxes marked under Networking.

Dnsmasq has been working well for some time. I could stay with it, but I want delete lease support, so in another post it was suggested I consider using KEA as delete lease is/will be supported there.

The KEA DHCPv4 setup is simple: LAN, changed default lease to 3600 (for testing), one subnet 192.168.1.1/24 (OPNsense LAN is 192.168.1.1), one DHCP pool range (192.168.1.230-192.168.1.250), UNmark match client ID so I can use MAC address, and added all devices with reserved IPs. They're all lower than that pool range and the same as in Dnsmasq. I tried with and without marking the box for Auto Collect Option Data, no difference. It looks correct, populated to 192.168.1.1 for Routers (gateway), DNS, and NTP.

I disable Dnsmasq and enable KEA. All clients immediately cease to find any sites by DNS name. Internet access is still good. I can ping, tracert, etc. any site by IPv4 address, just not by DNS names.

I disable KEA and enable Dnsmasq and all sites are immediately found by DNS name again.

At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases. So I released and renewed my windows laptop lease (which is reserved) and KEA showed the lease correctly to the same IP. But the laptop still couldn't reach any sites by DNS name. After enabling Dnsmasq again, the laptop could find all sites by DNS without me having to do anything further.

(I have tried different browsers on the laptop, and also different PCs, both wireless and wired. It is the same, DNS names working immediately with Dnsmasq, stop working immediately with KEA.)

Other than INFO messages, only these two WARNING messages in KEA logs are repeating every half hour:

   DHCP4_RESERVATIONS_LOOKUP_FIRST_ENABLED Multi-threading is enabled and host reservations lookup is always performed first.
   DHCPSRV_MT_DISABLED_QUEUE_CONTROL disabling dhcp queue control when multi-threading is enabled.

Firewall live log looks the same whether Dnsmasq or KEA is enabled. It shows DNS queries to port 53 as pass on both LAN (Default allow LAN to any rule) and WAN (let out anything from firewall host itself (force gw)). For LAN the DNS server is 192.168.1.1 (OPNsense) and WAN is one of the four in my system settings list.

It almost seems like all is working except the DNS "answer" is somehow not getting back to the client when KEA is enabled?

I've been searching the 'net and the only issues I've been able to find with KEA and DNS have been solved and connected to AdGuardHome, Unbound, PiHole, IPv6... and I'm not using any of those.

Thank you for your help.

Today at 04:02:38 AM #1 Last Edit: Today at 04:12:40 AM by OPNenthu
Quote from: pseudonym3k on Today at 01:56:43 AM: Unbound is disabled.

Quote from: pseudonym3k on Today at 01:56:43 AM: At first I thought perhaps DNS wasn't being served because KEA hadn't yet picked up any leases.

DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.

Dnsmasq is a combined DHCP+DNS solution, but Kea is strictly DHCP. You need to bring your own DNS (same as with the old ISC) and this is where Unbound comes in.

A Kea user might be able to confirm this (I don't know if these only work with ISC) but I think you'll need to enable at least one setting in Unbound:

- Register ISC DHCP4 Leases
- Register DHCP Static Mappings (optional)

https://docs.opnsense.org/manual/unbound.html

Or, you can enter the static ones manually in Unbound as 'Overrides.'
N5105 | 8/250GB | 4xi226-V | Community

https://www.youtube.com/watch?v=XI9NG068TwI
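A quick way to see the failure OPNenthu describes from the client side, as an added example that is not from the thread or from OPNsense: send one raw DNS query to the resolver address DHCP handed out and classify what comes back. A "refused" result means nothing is listening on port 53 at that address, which is exactly what clients get when Kea advertises 192.168.1.1 and no resolver runs there. The default target (192.168.1.1) is taken from the thread; the hostname is a placeholder.

```python
import random
import socket
import struct


def build_query(name, qid=None):
    """Build a minimal DNS query: one A question, recursion desired."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(packet, expected_id):
    """Return (rcode, answer_count) if packet is a response to our query, else None."""
    if len(packet) < 12:
        return None
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if rid != expected_id or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return flags & 0x000F, ancount


def probe_resolver(server, name="example.com", timeout=2.0):
    """Classify what a client sees when it asks `server` (the address DHCP
    handed out) for `name`: 'answer', 'refused', 'timeout', 'garbage', or
    'rcode=N' when the server replied but could not resolve the name."""
    qid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))  # connected UDP so ICMP port-unreachable is reported
        try:
            s.send(packet)
            data = s.recv(512)
        except (ConnectionRefusedError, ConnectionResetError):  # Linux / Windows
            return "refused"  # nothing listens on :53 (Kea alone, no resolver)
        except socket.timeout:
            return "timeout"  # dropped silently, e.g. by a firewall rule
    parsed = parse_response(data, qid)
    if parsed is None:
        return "garbage"
    rcode, answers = parsed
    return "answer" if rcode == 0 and answers > 0 else f"rcode={rcode}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # OPNsense LAN address from the thread
    print(target, "->", probe_resolver(target))
```

Run it from a client while Kea is active and again while Dnsmasq is active; the first should report "refused" and the second "answer".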

By "DNS name", do you mean local hostname? And you are using ping to test? Running "ipconfig /all", have you confirmed the client is using the local ip of the router for DNS?

I use Unbound and Kea only. To guarantee local hostname resolution (IPv4 and 6), I add a reservation for only the machines I need to resolve. Then, I just restart the Unbound service once and it works.

"Register ISC DHCP4 Leases" is disabled, as well as the ISC service. Attached are the Unbound settings.

Quote from: OPNenthu on Today at 04:02:38 AM: DNS is not being served when you disable Dnsmasq because there is no DNS built into Kea.
That's a deal breaker for me then, for unknown reason Unbound isn't stable in my config and that's why it's disabled. (Have whole thread here about it.) I'll stay with Dnsmasq. Thank you, had no idea.

I didn't realize what it was for until now, but it looks like Kea recently got DDNS support: https://docs.opnsense.org/manual/kea.html#ddns-agent

In case you ever want to retry with Unbound, it looks like the gap between Kea and the old ISC is starting to close.

Quote from: pseudonym3k on Today at 03:37:04 PM: That's a deal breaker for me then, for unknown reason Unbound isn't stable in my config and that's why it's disabled. (Have whole thread here about it.)
Just fix this bug:
Quote: Unbound, PiHole... and I'm not using any of those.
By using this: https://docs.pi-hole.net/guides/dns/unbound/

;)

A life without Pi-Hole combined with Unbound on my network is not worth living at all!!! :P

Quote: Thank you, had no idea.
It's all a matter of reading https://docs.opnsense.org/manual/dhcp.html before making any huge changes to your OPNsense.
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on Today at 07:54:23 PM: It's all a matter of reading
Your comment is not nice and not necessary in a helpful context. Please be kind.

FWIW I do read the docs, and I absolutely don't understand everything there. There's a lot that doesn't apply to me, and it's possible I won't understand there's something there that does. I thought this forum exists to provide help when needed and so I asked and got my answer.

I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.

You need a DHCP (well, most of the time) server and a DNS server for your network to work. Essentially these are two separate services that at first have nothing in common.

DHCP tells client systems about their network environment. How to number themselves, how to reach the Internet, what DNS servers to use.
DNS tells a client an IP address for a name. At least that's the primary use.

- DHCP can be run locally or not at all (configure everything manually).
- If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
- DNS can be run locally or not at all.
- If not at all you can point your clients to e.g. 8.8.8.8 or 1.1.1.1 via DHCP and "Internet" will work without any problems.
- If run locally you can use Unbound, DNSmasq or BIND (plugin) for that job.
- DNSmasq for both DHCP and DNS is tightly integrated but some (including me) don't like the architecture and still prefer Kea for DHCP.
- If you use Kea for DHCP you can go with no local DNS at all (8.8.8.8) or use Unbound or ... use DNSmasq for DNS only while using Kea for DHCP.
- Or use BIND. Or use ADGuard Home while forwarding to an upstream DoT service, which some (few) users here on the forum seem to do.
- Or ...

Admittedly we network professionals sometimes take that knowledge for granted, but making sense out of that puzzle is still up to you. Bring a separate DNS filtering solution like PiHole (on a separate device) or AdGuard Home (on OPNsense) into the mix and complexity increases again.

So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.

Canonical well established alternatives are:

- Kea & Unbound
- DNSmasq for both

Start from one of those, then consider a filtering plugin, upstream encryption or not, etc. But only after you have the fundamentals well understood and working.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks. At a high level I understand the practical functions of each- as they apply to my practical use of the internet.

I do realize I grabbed OPNsense, an appliance meant for large enterprises, as my choice for a small, no make that tiny, home network. I did that because I'm disgusted with the direction consumer routers have gone, taking all control of what comes in and goes out. I ran DD-WRT for years (and Dnsmasq) and am quite comfortable with how it functions for me, without knowing specific components or what does what. (Including a delete lease option which I'm aware can't be ported to OPNsense, which prompted the entire suggestion for me to consider KEA.)

I had trouble with Unbound and disabled it, moved my DNS servers into System Settings, and voila, it's all good. I thought that was enough no matter what I used for DHCP. Quite honestly, at almost 85 years old, I'm not likely to get much more knowledgeable, nor am I really interested. If it's no longer allowed to post here for help because of that, then I'll find something else.

Please, I was honestly trying to help.

So if you run Kea, and do not run Unbound, and do not have any DNS settings, then probably ...

- your OPNsense gets DNS servers from your ISP
- Kea is handing out those to clients

Which is fine. Internet will work, much in the same way as with a consumer router. Only local DNS resolution of client names and IP addresses won't, because obviously (I hope) your ISP DNS server does not know about their customers' internal clients.

So your decision is if you can live with that situation or if you absolutely need local name resolution. Local service discovery can be achieved by mDNS which many devices support out of the box, anyway. Like finding your printer from your desktop/laptop machine etc.

If you need local resolution, reconsider adding Unbound but do not use block lists in Unbound. Large block lists are a frequent cause of Unbound hangs/crashes and there are better suited dedicated filtering solutions for that. If you just enable Unbound according to the docs and distribute your OPNsense IP address as a DNS server to clients via Kea, everything should definitely "just work". I use this setup in multiple corporate locations; there is nothing inherently unstable about Unbound. The odd name is geek humor: "Unbound" is a replacement for the "BIND" nameserver. "BIND" again is an acronym: "Berkeley Internet Name Domain" server.

BTW: I am turning 58 in May. Still a young man from your point of view but definitely not a twenty-something with high testosterone levels and quick fingers at the keyboard. We are really all trying to help. Sometimes we might call for a quick reality check. No bad intentions.

Today at 09:59:45 PM #10 Last Edit: Today at 10:05:54 PM by pseudonym3k
I *do* have my DNS servers in System->Settings->General. See 5th line of my OP. And it didn't work. It appears all DNS queries are headed out through OPNsense as they had been, but nothing was grabbing the reply. At least, that's how it appears from my observation. I have no way of knowing what is actually happening.

I appreciate the help, but honestly I asked a question, I got the (I presume) right answer. Not sure why the bashing is continuing. Because I was honest and said "I had no idea" I guess.

Quote from: pseudonym3k on Today at 09:59:45 PM: I *do* have my DNS servers in System->Settings->General. See 5th line of my OP.

Kea by default gives clients the OPNsense IP address in the respective network as their DNS server. If you do not run a DNS service, you need to instead send the same servers you configured in "General" to your clients.

Open the subnet configuration in Kea, activate the advanced settings, set DNS servers.

There used to be a lot of "magic" defaults in OPNsense which frequently worked and sometimes backfired. So IIRC with ISC the DHCP server would have given the clients the addresses from "General" if nothing more specific was explicitly configured.

Professionals like myself frequently complained about intransparent "magic" scattered over different parts of the UI. The development team seems to agree so with the more modern successors to ISC there is less of that.

HTH,
Patrick

Quote from: Patrick M. Hausen on Today at 10:10:18 PM: Kea by default gives clients the OPNsense IP address in the respective network as their DNS server. If you do not run a DNS service, you need to instead send the same servers you configured in "General" to your clients. Open the subnet configuration in Kea, activate the advanced settings, set DNS servers.
I have OPNsense handling all DNS (and NTP, FWIW) for all of my clients. I do want them to get 192.168.1.1 for DNS server and not do their own thing.

It's really not necessary for me to move to KEA. It was a suggestion in another thread so I could have the supported delete lease button. I have a script to do that in Dnsmasq. Yes it's not the recommended approach but so far I haven't seen any side effects in my little house. It's just a bit more effort to SSH in and run the script compared to having a nice delete button that does it the correct way.

Quote from: pseudonym3k on Today at 10:28:28 PM: I have OPNsense handling all DNS (and NTP, FWIW) for all of my clients. I do want them to get 192.168.1.1 for DNS server and not do their own thing.

In that case if you want to run Kea for DHCP you really should combine it with Unbound for DNS. Or stick to DNSmasq for DHCP and DNS.

Today at 11:37:38 PM #14 Last Edit: Today at 11:39:52 PM by nero355
Quote from: pseudonym3k on Today at 09:24:40 PM:
Quote from: nero355 on Today at 07:54:23 PM: It's all a matter of reading
Your comment is not nice and not necessary in a helpful context. Please be kind.
When you cut it off like that then yes, but the whole sentence is simply to steer you to the right place with the right information, because this:
Quote: I found videos for setting up KEA with one LAN and one subnet, a few minutes and simple. And while some of them also showed how to set up Unbound to work with KEA, none that I watched stated it (or another DNS solution) was a requirement with KEA.
is the whole problem these days: YouTubers who think they know everything telling people half the story because they also don't understand what they are doing exactly!

And when something goes wrong no one turns to them: they turn to the forums!
And when they do turn to them, then they often get no reply at all...

But the main reason I posted that is because it's simply the truth:
Read.
Read a lot.
Read multiple times even if you have to!

Before I did my first FreeBSD install somewhere in 2004/2005/2006 the FreeBSD Handbook became my best friend after reading all of it three times and then certain sections again after installing FreeBSD :)

Quote from: Patrick M. Hausen on Today at 09:39:20 PM: - If run locally you can use Kea, ISC (deprecated, but still working) or DNSmasq for that job.
I would mention those three in a different order:
Quote: - If run locally you can use ISC (deprecated, but still working) or KEA or DNSmasq for that job.
To avoid people thinking KEA is deprecated too, like someone did a while ago here on the forum :)

Quote: So familiarise yourself with the fundamental protocols ("jobs") and subsystems on OPNsense and try to pick the best solution.
That's the most important part IMHO for anyone starting out with any kind of software :)