core icon indicating copy to clipboard operation
core copied to clipboard

Published 20 hours ago verified publisher icon opnsense

unbound: Add support for native IPv6 prefix tracking in host overrides

Open n-thumann opened this issue 3 years ago • 5 comments

This PR add support for native tracking of dynamic IPv6 prefixes in Unbound host overrides. It allows one to be using SLAAC provide the clients with a network prefix, let them auto-configure on their own and only add the client's IID and the interface to track to Unbound.

It is similar to Unbounds DHCP Static Mapping, but without requiring DHCPv6. Personally, I don't run DHCPv6 in my network and hence cannot use the static mappings and would also like to avoid cross-dependencies between DHCPv6 and Unbound.

With this patch applied you can optionally add an interface to track to an AAAA record: Screenshot of Editing host override

The table also shows the interface, LAN in this example, because it's configured as a Track Interface of WAN. Screenshot of host overrides

The host overrides as seen above result in the following host_entries.conf (see last two lines):

root@OPNsense:~ # cat /var/unbound/host_entries.conf
[... snip ...]
local-data-ptr: "2003:[redacted]:5076:9bff:fe04:e801 OPNsense.localdomain"
local-data: "OPNsense.localdomain AAAA 2003:[redacted]:5076:9bff:fe04:e801"
local-data: "OPNsense AAAA 2003:[redacted]:5076:9bff:fe04:e801"
local-data: "OPNsense.localdomain AAAA fe80::5076:9bff:fe04:e801"
local-data: "OPNsense AAAA fe80::5076:9bff:fe04:e801"
local-data-ptr: "1.1.1.1 some-a-host.domain"
local-data: "some-a-host.domain IN A 1.1.1.1"
local-data-ptr: "2606:4700:4700::1111 some-aaaa-host.domain"
local-data: "some-aaaa-host.domain IN AAAA 2606:4700:4700::1111"
local-data-ptr: "2003:[redacted]::1337 tracked-prefix-host.domain"
local-data: "tracked-prefix-host.domain IN AAAA 2003:[redacted]::1337"

n-thumann avatar Feb 13 '22 21:02 n-thumann

To be honest, I'm not really a fan of trying to glue more interface address dependancies in the unbound code as it's usually quite flaky and prone to errors.

If we have an option to cleanly feed this to unbound without the need of a restart (loosely coupled), it might be different, but at the moment I don't think we should try to merge this. @swhite2 is doing some more work around Unbound, parking this with him for now to see if we can come up with a design change at some point for these dynamic types.

AdSchellevis avatar Feb 14 '22 07:02 AdSchellevis

If we have an option to cleanly feed this to unbound without the need of a restart (loosely coupled), it might be different, but at the moment I don't think we should try to merge this. @swhite2 is doing some more work around Unbound, parking this with him for now to see if we can come up with a design change at some point for these dynamic types.

Agreed. This especially pertains to a requirement for dynamic types in the mvc model.

swhite2 avatar Feb 14 '22 11:02 swhite2

Thanks for your feedback!

To be honest, I'm not really a fan of trying to glue more interface address dependancies in the unbound code as it's usually quite flaky and prone to errors.

For that reason I used the same logic as in https://github.com/opnsense/core/blob/0b453ea98dc21d5c8f7ab2946e4867b5cd4528ba/src/etc/inc/plugins.inc.d/unbound.inc#L474, because if it works at that point, we can probably assume that it works in this patch as well.

If we have an option to cleanly feed this to unbound without the need of a restart (loosely coupled), it might be different [...]

I definitely agree that this should be the ultimate goal! But given the fact that the problem in general has been around for quite some time (e.g. https://github.com/opnsense/core/issues/2544#issuecomment-405078997 or https://github.com/opnsense/core/issues/3657#issuecomment-560150755), this may be a good solution in the meantime. Also, it doesn't require any additional restarts of Unbound, because it's already being restarted when the upstream prefix changes to update its own DNS record.

n-thumann avatar Feb 14 '22 22:02 n-thumann

The problem with adding more similar problems that are already in there makes it eventually harder to fix the real problem (which is the entanglement of the service). I do agree that similar constructs do exist within the same module, but that doesn't mean we should increase the maintenance problem which someone will have to fix at some point in time.

As @fichtner already noted, it's also not certain we are trying to fix the right thing here. (I only looked at the technical implications so far)

AdSchellevis avatar Feb 15 '22 07:02 AdSchellevis

BTW: If you need prefix-aware DNS-hosts you could just use dnsmasq. It has native support for this (see --dynamic-host feature). It's just lacking a GUI option in OPNsense right now so maybe it would be wiser to put more energy into the dnsmasq UI for this particular use-case.

froogl avatar Mar 12 '22 20:03 froogl

Hi,

what is a good and easy workaround, as a replacement for this PR? So how do I create a host override with a Dynamic Prefix in Unbound?

I face the same problem that I have a new prefix every day.

TheOfficialMrBlah avatar Dec 27 '22 20:12 TheOfficialMrBlah

closing, currently not a core priority and doesn't fit unbound's architecture very well.

AdSchellevis avatar Jun 28 '23 07:06 AdSchellevis