OPNSense's 26.1 release bumps radvd to include PREF64 support, which I've been anxiously expecting.

It also moves isc-dhcp to a plugin, pointing towards either Kea or dnsmasq.

So, that's the push I needed to finally move to Kea.

But, Kea in OPNSense doesn't have DHCP lease DNS registration tied in. Kea does support that with RFC 2136 registration, but it's not available directly in the OPNSense config.

So, the net effect is that Hugo is now completely revamping the home network DHCP and DNS setup, moving it from the OPNSense gateway to the couple of little mini PCs with Adguard + unbound + Knot for DNS, with HA Kea for DHCPv4.

And then I'll finish the OPNSense upgrade 😂

Oh hey; where did this yak and shears come from?

Kea is up with active/standby HA, and pools and options moved;

leases imported to keep a few things consistent across the move;

ISC dhcpd disabled and dhcrelay configured on OPNSense;

DHCP scopes handing out the new Adguard endpoints for DNS;

Kea is registering forward & reverse DNS with Knot;

unbound is configured with stubs pointing at Knot for the relevant zones;

Once we've got a critical mass of some DNS internal records registered to knot from DHCP renewals, I'll cut over AdGuard to point to unbound, to basically let things flow through the new paths.

Getting there!
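The piece of the setup above that OPNSense has no knob for is the Kea DHCP-DDNS (D2) daemon and the matching "dhcp-ddns" settings in kea-dhcp4. The script below is an added example, not Hugo's configuration and not code from Kea or OPNSense: it generates both JSON fragments from a zone name, the DHCPv4 subnets and the Knot address, deriving the in-addr.arpa reverse zones from the subnets and mimicking D2's longest-suffix matching so you can check which reverse zone a given lease would land in. The zone `home.example.`, the Knot address `192.0.2.53`, the TSIG key name `kea-ddns` and the secret are placeholders; Knot needs a key with the same name, algorithm and secret and an ACL granting `update` on each zone, and unbound's stub-zone for the same zones is configured separately.

```python
"""Generate Kea DHCP-DDNS (D2) and kea-dhcp4 'dhcp-ddns' settings for RFC 2136
registration against Knot. Added example; all addresses, names and the secret
are placeholders (assumptions), not values from the thread."""
import ipaddress
import json


def reverse_zone_for(cidr: str) -> str:
    """Return the in-addr.arpa zone that contains an IPv4 subnet.

    D2 matches reverse-ddns domains by name suffix, so zones are rounded down
    to an octet boundary: a /25 is served by its enclosing /24 zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only in this example")
    keep = net.prefixlen // 8  # whole octets that are fixed by the prefix
    if keep == 0:
        raise ValueError("prefixes shorter than /8 have no in-addr.arpa zone")
    octets = str(net.network_address).split(".")
    return ".".join(reversed(octets[:keep])) + ".in-addr.arpa."


def d2_config(zone, subnets, dns_server, tsig_secret, key_name="kea-ddns"):
    """Build the kea-dhcp-ddns.conf document (the 'DhcpDdns' object)."""
    server = {"ip-address": dns_server, "port": 53}
    reverse_zones = sorted({reverse_zone_for(s) for s in subnets})
    domain = lambda name: {"name": name, "key-name": key_name,
                           "dns-servers": [server]}
    return {"DhcpDdns": {
        # D2 listens on loopback; kea-dhcp4 sends NameChangeRequests here.
        "ip-address": "127.0.0.1",
        "port": 53001,
        "dns-server-timeout": 1000,
        "ncr-protocol": "UDP",
        "ncr-format": "JSON",
        # Placeholder secret: generate a real one with `keymgr -t kea-ddns`.
        "tsig-keys": [{"name": key_name, "algorithm": "HMAC-SHA256",
                       "secret": tsig_secret}],
        "forward-ddns": {"ddns-domains": [domain(zone)]},
        "reverse-ddns": {"ddns-domains": [domain(z) for z in reverse_zones]},
    }}


def dhcp4_ddns_settings(zone):
    """Global kea-dhcp4 settings that turn on updates and name qualification."""
    return {
        "dhcp-ddns": {"enable-updates": True, "server-ip": "127.0.0.1",
                      "server-port": 53001, "ncr-protocol": "UDP",
                      "ncr-format": "JSON"},
        "ddns-send-updates": True,
        "ddns-override-client-update": False,
        # Clients that send no hostname get a generated one, e.g. dhcp-192-0-2-77.
        "ddns-replace-client-name": "when-not-present",
        "ddns-generated-prefix": "dhcp",
        "ddns-qualifying-suffix": zone.rstrip("."),
        # Sanitise client-supplied hostnames before they reach the zone.
        "hostname-char-set": "[^A-Za-z0-9.-]",
        "hostname-char-replacement": "",
    }


def reverse_name(ip: str) -> str:
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def reverse_domain_match(d2, ip):
    """Mimic D2's longest-suffix match: which reverse zone gets this lease's PTR?"""
    name = reverse_name(ip)
    best = None
    for dom in d2["DhcpDdns"]["reverse-ddns"]["ddns-domains"]:
        if name.endswith("." + dom["name"]) and (best is None or
                                                 len(dom["name"]) > len(best)):
            best = dom["name"]
    return best


if __name__ == "__main__":
    cfg = d2_config("home.example.", ["192.0.2.0/24", "192.0.2.128/25",
                                      "10.10.0.0/16"], "192.0.2.53", "c2VjcmV0")
    print(json.dumps(cfg, indent=2))
    print(json.dumps(dhcp4_ddns_settings("home.example."), indent=2))
    print(reverse_domain_match(cfg, "192.0.2.77"))
```

The dhcp4 fragment is merged into the top level of the `Dhcp4` object; D2 itself runs from the generated `DhcpDdns` document. Because `192.0.2.0/24` and `192.0.2.128/25` collapse to the same reverse zone, the generator emits two reverse domains, not three, which is what you want when overlapping scopes are served from one Knot zone.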

@hugo Kinda surprised they're deprecating ISC without this feature tbh. It's been blocking me from moving to Kea too. ISTR there was another thing too. It might have just been that it wasn't possible to run Kea on some interfaces and ISC on others simultaneously. I probably have room on the home assistant k8s box to run DNS, I guess (which is alongside the opnsense VM). I don't really have any other 'reliable' machines to put it on. I don't really *want* to though. This is like table stakes basic stuff.

Accept a dependency on my public internet DNS and put it there maybe? Hmm.

@hugo Turns out I don't know my own infra. I am already running pdns-auth for k8s ExternalDNS. And already using RFC2136 from ISC DHCP. lol.

Unfortunately, while Kea fully supports this, there's not even a knob to enable the kea-dhcp-ddns daemon in OPNSense (and accepting manual configuration). The only way to use it would be to manually edit the service template to enable the daemon and use manual config. But that won't survive upgrades, so eh... I want to keep all critical network infra inside OPNSense.

I will stick to legacy ISC for now.

@ktims yea, exactly that.

It's a bit funny that they don't have support for Kea ddns.

I've been moving some key services off to a couple of mini PCs over the last while, so that's a workable enough plan for my environment. But it would be nice if OPNSense supported RFC 2136 ddns for Kea. Perhaps it's something they'll roadmap for the future.

@hugo Someone did a pretty well fleshed out PR for full config generation support. But interest from the core devs in accepting it is lukewarm at best.
Kea: Add DHCP-DDNS Support by ruifung · Pull Request #9401 · opnsense/core (GitHub): "This PR adds full support for enabling and configuring the Kea DHCP-DDNS server. This will enable Kea to perform Dynamic DNS updates over RFC2136 for both IPv4 and IPv6. Are there any docs changes ..."