Ability to disable search domain entirely for specific DHCPv6 and/or DHCPv4 servers
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
My FR is related to the problem that comes from having Kubernetes pods inherit the DNS settings from hosts that get a search-domain set, as it will result in unwanted behavior due to the default ndots of 5.
Describe the solution you like
I would like the ability to not set search domain at all in specific DHCP server settings for both v6 and v4. I think that when disabled, the correct behavior would be to not send search domains at all.
Describe alternatives you considered
I have considered to just reconfigure the hosts to not accept DNS from DHCP, but that's not the right choice to me.
Additional context
This was specifically painful before Alpine 3.18 due to musl-related DNS stub resolver thing.
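How a DHCP-supplied search domain interacts with `ndots:5`, as an added example that is not part of the original issue or of OPNsense's code: it parses a resolv.conf and lists the names the stub resolver tries for one lookup, in the order given by resolv.conf(5). The resolv.conf content, the `lan.example` domain and the function names are constructed for illustration.

```python
# Constructed sample: a pod's /etc/resolv.conf on a node whose DHCP lease
# carried the (hypothetical) search domain "lan.example".
SAMPLE_RESOLV_CONF = """\
nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local lan.example
options ndots:5
"""


def parse_resolv_conf(text):
    """Return (search_list, ndots) as described in resolv.conf(5)."""
    search, ndots = [], 1  # ndots defaults to 1 when no option is present
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue
        if fields[0] == "search":
            search = fields[1:]  # the last search/domain line wins
        elif fields[0] == "domain":
            search = fields[1:2]
        elif fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidate_queries(name, search, ndots):
    """Fully qualified names the resolver may try, in order (it stops at the first answer)."""
    if name.endswith("."):
        return [name]  # already absolute: the search list is not applied
    suffixed = [f"{name}.{d.strip('.')}." for d in search if d.strip(".")]
    if name.count(".") >= ndots:
        return [name + "."] + suffixed  # enough dots: try as-is first
    return suffixed + [name + "."]  # too few dots: search list first


def non_cluster_suffixed(name, resolv_conf, cluster_domain="cluster.local"):
    """Candidates that carry a search suffix from outside the cluster domain."""
    search, ndots = parse_resolv_conf(resolv_conf)
    absolute = name.rstrip(".") + "."
    return [q for q in candidate_queries(name, search, ndots)
            if q != absolute and not q.endswith("." + cluster_domain + ".")]


if __name__ == "__main__":
    for q in candidate_queries("api.example.com", *parse_resolv_conf(SAMPLE_RESOLV_CONF)):
        print(q)
    print("outside cluster:", non_cluster_suffixed("api.example.com", SAMPLE_RESOLV_CONF))
```

With the `lan.example` entry absent from the search line, `non_cluster_suffixed` returns an empty list for the same name.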
You will need to be a little more clear up front because DHCPv4 help text and code indicate it works as you expect:
https://github.com/opnsense/core/blob/02b6085023f9fa0a4b072d09da3c239bcf9bb985/src/www/services_dhcp_edit.php#L420
https://github.com/opnsense/core/blob/02b6085023f9fa0a4b072d09da3c239bcf9bb985/src/etc/inc/plugins.inc.d/dhcpd.inc#L739-L741
Don't mind looking into it but I also don't want to spend time verifying otherwise.
Cheers, Franco
> Don't mind looking into it but I also don't want to spend time verifying otherwise.
The verification at https://github.com/opnsense/core/blob/02b6085023f9fa0a4b072d09da3c239bcf9bb985/src/www/services_dhcp.php#L235L237 says different, as it will not accept `.` for domain, and I don't want domain nor search to be populated to nodes' /etc/resolv.conf.
I've looked at domainsearchlist, you seem to be looking at domain. Again it would help to be clear.
> I've looked at domainsearchlist, you seem to be looking at domain. Again it would help to be clear.
I think both need to be able to have a dot only, aka disable sending domain AND search domain. They however seem to go hand-in-hand, but the only thing I checked was that domain will not accept a dot.
domainsearchlist will also yield the same validation error as domain, "A valid domain search list must be specified.", when set to a single dot.
Can you look at https://github.com/opnsense/core/issues/6529 and maybe see if you can implement it. It would be quicker just to look at proposed changes. I don't have a lot of time at the moment due to 23.10 being released next week.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
Now that I'm back on the opnsense train, I have a need to fix this particular problem. :)
Nice. I’m back next week. Please ping me at the end of the week if I forget to merge your changes after a test drive and rechecking documentation.
I tried this out with `opnsense-patch -V -a samip5 -r opnsense-core 797347c001bd3713d6ff7b7c1000b0033e1faf3d` and it seems my changes were not enough, but my newer commit https://github.com/samip5/opnsense-core/commit/4bc96b912dfdaad75db3135083b00183d628b1d9 was.
@fichtner ping, wasn't sure which end of week you meant.