Get around DNS restart and still have client register?
-
@gertjan said in Get around DNS restart and still have client register?:
It's actually not bad at all as an implementation.
It actually is the worst possible way of doing it: https://redmine.pfsense.org/issues/5413
-
@thiasaef said in Get around DNS restart and still have client register?:
@gertjan said in Get around DNS restart and still have client register?:
It's actually not bad at all as an implementation.
It actually is the worst possible way of doing it: https://redmine.pfsense.org/issues/5413
That "worse" implementation can be undone.
There :
and done.
Doing what the redmine proposes :
Should be changed to something like this:
$unbound_cmd .= "unbound-control local_data {$host['fqdn']} {$type} {$host['ipaddr']}";
is a no go because command line parameters are only read during startup.
Ok, Netgate could rewrite (fork) unbound. But unbound is as big as bind, it's still a big project.
A far better method could be : use unbound-control (very comparable with the rndc tool from bind) : it can change in memory 'cache' items on the fly, during unbound execution.
Or, as I said earlier : adding a python extension (like pfBlockerNG-devel did) that consults the DHCP leases list every 60 seconds or so, extract new leases, remove expired leases.
It surprises me that it hasn't been done yet.
Btw : unbound was written with a stand alone device in mind, that needs a resolver, as forwarding is something of the past. A resolver also opens the DNSSEC door.
unbound was never meant to be used (my impression) on a router firewall that also has a DHCP server, with the DHCP clients on the LANs lease info put into the local DNS system.
Every decent router firewall has (should have) such a functionality.
-
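The lease-sync approach described above (push DHCP leases into the running Unbound with unbound-control instead of restarting it), as an added example that is not code from pfSense, Unbound or anyone in this thread: it parses a constructed ISC dhcpd.leases excerpt and emits the local_data / local_data_remove commands needed to reconcile the resolver with the current leases, dropping client-supplied hostnames that are not a plain DNS label. The domain suffix lan.example and the hostname check are assumptions.

```python
import re
DOMAIN = "lan.example"  # assumption: local domain suffix appended to lease hostnames
SAFE_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62})$")  # one RFC 1123 label only

# Constructed ISC dhcpd.leases excerpt (IPv4 only; dhcpd writes fixed-width UTC timestamps).
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  ends 1 2024/01/01 22:00:00;
  binding state active;
  client-hostname "printer";
}
lease 192.168.1.51 {
  ends 1 2024/01/01 11:00:00;
  binding state free;
  client-hostname "laptop";
}
lease 192.168.1.52 {
  ends 1 2024/01/01 22:00:00;
  binding state active;
  client-hostname "bad;name";
}
"""
LEASE_RE = re.compile(r"lease (\d{1,3}(?:\.\d{1,3}){3}) \{(.*?)\}", re.S)  # dotted quad only
FIELD = {k: re.compile(p) for k, p in {
    "host": r'client-hostname "([^"]*)"',
    "state": r"binding state (\w+);",
    "ends": r"ends \d (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2});",  # 'ends never' will not match
}.items()}

def active_leases(text, now):
    """Return {fqdn: ip} for active, unexpired leases whose hostname is safe to use.
    `now` is a "YYYY/MM/DD HH:MM:SS" UTC string; the fixed width makes string ordering correct."""
    found = {}
    for ip, body in LEASE_RE.findall(text):
        f = {k: rx.search(body) for k, rx in FIELD.items()}
        if all(f.values()) and f["state"].group(1) == "active" and f["ends"].group(1) > now:
            host = f["host"].group(1)
            if SAFE_HOST.match(host):  # client-supplied names are untrusted: drop anything odd
                found[f"{host}.{DOMAIN}."] = ip
    return found

def sync_commands(previous, current):
    """unbound-control commands that move the running resolver from previous to current."""
    cmds = [f"unbound-control local_data_remove {n}" for n in sorted(previous) if n not in current]
    for fqdn, ip in sorted(current.items()):
        if previous.get(fqdn) != ip:  # new lease, or the address changed
            if fqdn in previous:
                cmds.append(f"unbound-control local_data_remove {fqdn}")
            cmds.append(f'unbound-control local_data "{fqdn} A {ip}"')
    return cmds
```

A periodic job would keep the previous mapping between runs and execute only the emitted commands, so Unbound's cache and running state are never touched for unchanged leases.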
@gertjan said in Get around DNS restart and still have client register?:
A far better method could be : use unbound-control
You do realize that the Redmine Ticket suggests exactly that?
-
I circle back to the original problem here. Interrupt free DNS.
I went for this route:
- Pi-Hole in a VM in DietPi
- Forwarders in Pi-Hole for my local domains pointing to pfSense
- Changed DHCP option to point at the Pi-Hole
Got local name resolution for registered devices and a rather pretty GUI to check what's been going down in the name resolution swamp.
The subject on Unbound restarts seems a
potato
-
@iorx said in Get around DNS restart and still have client register?:
I circle back to the original problem here. Interrupt free DNS.
I went for this route:
- Pi-Hole in a VM in DietPi
Nice workaround
I use Pi-Hole too on a Debian VM (instead of pfBlockerNG)
Do you use the PI-Hole as DHCP server now, instead of pfSense or ??
- Forwarders in Pi-Hole for my local domains pointing to pfSense
Why ???
What local domains do you need to have resolved on the pfSense, if everything uses the PI-Hole ?
- Changed DHCP option to point at the Pi-Hole
I suppose you mean the DHCP DNS option, handed out to clients ?
Got local name resolution for registered devices and a rather pretty GUI to check what's been going down in the name resolution swamp.
The subject on Unbound restarts seems a
potato
Do you have multivlan (IP-Net) DHCP scopes on the pihole or ?
/Bingo
-
@bingo600 said in Get around DNS restart and still have client register?:
@iorx said in Get around DNS restart and still have client register?:
I circle back to the original problem here. Interrupt free DNS.
I went for this route:
- Pi-Hole in a VM in DietPi
Nice workaround
I use Pi-Hole too on a Debian VM (instead of pfBlockerNG)
Do you use the PI-Hole as DHCP server now, instead of pfSense or ??
No, pfSense is still DHCP server.
- Forwarders in Pi-Hole for my local domains pointing to pfSense
Why ???
Got a couple of VLANs. work, kids, iot and guest. These domains are forwarded to pfSense to find hosts there.
Also got like 5 VPN-tunnels and overrides in pfSense Unbound to query DNS server on the other side of those.
What local domains do you need to have resolved on the pfSense, if everything uses the PI-Hole ?
You're probably right here. pfSense it self doesn't need to resolve hostnames in all subnets/tunnels. Haven't decided yet if I'm going to populate PiHole with overrides or keep them in pfSense.
- Changed DHCP option to point at the Pi-Hole
I suppose you mean the DHCP DNS option, handed out to clients ?
Correct! Bad wording here.
Got local name resolution for registered devices and a rather pretty GUI to check what's been going down in the name resolution swamp.
The subject on Unbound restarts seems a
potato
Do you have multivlan (IP-Net) DHCP scopes on the pihole or ?
Yes to VLANs. No to DHCP in Pi-hole, haven't checked out that feature yet. Pretty new to Pi-hole, looks interesting, will investigate.
/Bingo
Brgs, iorx
-
My solution is similar to @bingo600
DHCP server is on pfsense. Handles LAN IOT and Guest networks
Bind9 is on my internal linux server.
I use the dynamic dns updates section of the DHCP server to update the Bind9 server using the rndc-key. Use a host override in unbound to point my local networks to the internal Bind9 server.
I use pfblocker and for me this gives internal name resolution on all the pfblocker reports.
-
@dlfergurd Simple enough workarounds, but completely hopeless/stupid that this is necessary, for a feature that has worked in standard products for almost 20 years now.
Worse still - it has no priority to get fixed in pfSense….
-
https://redmine.pfsense.org/issues/5413
But did I read this thread correctly? To me it looks like a solution has been delivered there, tested and committed?
-
@iorx said in Get around DNS restart and still have client register?:
https://redmine.pfsense.org/issues/5413
But did I read this thread correctly? To me it looks like a solution has been delivered there, tested and committed?
Yeah, I thought that as well until I read the thread carefully - including inspecting the dates on posts.
The proposed code based on the high level code has never been adopted beyond a proposal. The proposed fix thread then stopped once that happened (more than a year ago).
The reason we misread the thread is because someone suggests you just disable DHCP registrations, and another poster confirms that fix works well. But he's not talking about the code, he's talking about the workaround to disable DHCP registrations.
So it's still a dead end…..