
Unbound Host overrides not honored for DHCP registered IPs

Open speedmann opened this issue 3 years ago • 4 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

I have multiple VLANs with different Domain names configured in the DHCP Server. It looks like this:

VLAN 10: 192.168.110.0/24 with DHCP Domain clients.example.com
VLAN 20: 192.168.120.0/24 with DHCP Domain servers.example.com

Unbound is configured to register those DHCP leases (which works perfectly fine).

I then create a Host override for service.example.com pointing to one of the IP addresses registered as a DHCP lease. Local DNS resolution fails and keeps looking up the real DNS entries (in this case, NXDOMAIN).

If Register DHCP leases is disabled, the override works as expected.

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert)

Unfortunately, I do not know if this ever worked any differently; I just started using OPNsense a few days ago.

To Reproduce

Steps to reproduce the behavior:

  1. Go to DHCPv4 Settings
  2. Set custom Domain name
  3. Go to Unbound Settings
  4. Enable Register DHCP leases
  5. Add host override pointing to a DHCP IP
  6. Try resolving that override
  7. Fails to resolve
  8. Disable Register DHCP leases
  9. Try resolving again
  10. Resolves

ALTERNATIVE:

  1. Go to DHCPv4 Settings
  2. Set custom Domain name
  3. Go to Unbound Settings
  4. Enable Register DHCP leases
  5. Add host override pointing to a non DHCP Lease IP
  6. Try resolving that override
  7. Resolves
  8. Add host override pointing to a DHCP Lease IP
  9. Try resolving again
  10. Doesn't resolve

Expected behavior

Host overrides pointing to any IP (including DHCP leases) should resolve properly.

Describe alternatives you considered

Probably a solution would be not using the Register DHCP leases option, but that sounds like a labour-intensive workaround for bigger networks where name resolution is required...

Relevant log files: resolver/latest.log when adding the override for a DHCP lease IP:

<165>1 2022-06-05T02:52:52+02:00 OPNsense.infra.example.com unbound 60368 - [meta sequenceId="53"] dhcpd entry changed service.example.com @ 192.168.120.145.
<165>1 2022-06-05T02:52:52+02:00 OPNsense.infra.example.com unbound 60368 - [meta sequenceId="54"] dhcpd entry changed proxy.server.example.com @ 192.168.120.145.

This does not happen when using an "unused"/non-DHCP IP.

Environment

OPNsense 22.1.8_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1o  3 May 2022

speedmann avatar Jun 05 '22 00:06 speedmann

I expect the "Register DHCP leases" option will override existing entries when pointing to the same address; the lease watcher responsible for tracking leases has no knowledge about anything else.

If that is the current behaviour, I expect it's doing what it's supposed to be doing. So if 192.168.120.145 is statically set to myhost.mydomain.tld and the lease handler registers service.example.com for the same ip, it will likely remove the first registration.

AdSchellevis avatar Jun 05 '22 09:06 AdSchellevis

If it would remove the registered DHCP lease, that would be annoying, but acceptable. Currently it's the other way around: the DHCP lease stays registered and the Host override does not work. Let me try with another example:

DHCP Lease, No Host override:

❯ dig proxy.server.example.com

; <<>> DiG 9.10.6 <<>> proxy.server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65015
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;proxy.server.example.com.	IN	A

;; ANSWER SECTION:
proxy.server.example.com. 3600	IN	A	192.168.120.145

;; Query time: 2 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:49:42 CEST 2022
;; MSG SIZE  rcvd: 68
❯ dig service.example.com

; <<>> DiG 9.10.6 <<>> service.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53851
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;service.example.com.		IN	A

;; AUTHORITY SECTION:
example.com.		3561	IN	SOA	ns.icann.org. noc.dns.icann.org. 2022040442 7200 3600 1209600 3600

;; Query time: 3 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:50:13 CEST 2022
;; MSG SIZE  rcvd: 104

DHCP Lease, Host override to unused IP:

❯ dig proxy.server.example.com

; <<>> DiG 9.10.6 <<>> proxy.server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57916
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;proxy.server.example.com.	IN	A

;; ANSWER SECTION:
proxy.server.example.com. 3600	IN	A	192.168.120.145

;; Query time: 3 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:51:11 CEST 2022
;; MSG SIZE  rcvd: 68
❯ dig service.example.com

; <<>> DiG 9.10.6 <<>> service.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3074
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;service.example.com.		IN	A

;; ANSWER SECTION:
service.example.com.	3600	IN	A	10.10.66.10

;; Query time: 2 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:51:30 CEST 2022
;; MSG SIZE  rcvd: 64

DHCP Lease, Host override to the "used" ip:

❯ dig proxy.server.example.com

; <<>> DiG 9.10.6 <<>> proxy.server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10080
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;proxy.server.example.com.	IN	A

;; ANSWER SECTION:
proxy.server.example.com. 3600	IN	A	192.168.120.145

;; Query time: 3 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:52:27 CEST 2022
;; MSG SIZE  rcvd: 68
❯ dig service.example.com

; <<>> DiG 9.10.6 <<>> service.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59233
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;service.example.com.		IN	A

;; AUTHORITY SECTION:
example.com.		3600	IN	SOA	ns.icann.org. noc.dns.icann.org. 2022040442 7200 3600 1209600 3600

;; Query time: 529 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:52:39 CEST 2022
;; MSG SIZE  rcvd: 104

"Register DHCP Leases off" and Host override to a used IP:

❯ dig proxy.server.swapoff.de

; <<>> DiG 9.10.6 <<>> proxy.server.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59630
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;proxy.server.example.com.	IN	A

;; AUTHORITY SECTION:
swapoff.de.		3600	IN	SOA	ns1.example.com. hostmaster.example.com. 2022060401 10800 3600 604800 3600

;; Query time: 67 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:59:55 CEST 2022
;; MSG SIZE  rcvd: 115
❯ dig service.example.com

; <<>> DiG 9.10.6 <<>> service.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25930
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;service.example.com.		IN	A

;; ANSWER SECTION:
service.example.com.	3600	IN	A	192.168.120.145

;; Query time: 3 msec
;; SERVER: 192.168.110.1#53(192.168.110.1)
;; WHEN: Sun Jun 05 11:59:59 CEST 2022
;; MSG SIZE  rcvd: 64

So if you have an IP address registered as a DHCP lease, currently it seems to be impossible to use this IP address as the target of a Host override.

I hope we can agree that this should not be the desired behaviour. If for all means necessary, the host override should also override the DHCP lease registration and not the other way around.

speedmann avatar Jun 05 '22 09:06 speedmann

So if you have an IP address registered as a DHCP lease, currently it seems to be impossible to use this IP address as the target of a Host override.

That is indeed the case, the "register dhcp leases" option takes ownership of the address in question.

I hope we can agree that this should not be the desired behaviour. If for all means necessary, the host override should also override the DHCP lease registration and not the other way around.

Although functionally possible, it is probably not super easy to implement, as the dhcpd worker (https://github.com/opnsense/core/blob/master/src/opnsense/scripts/dns/unbound_dhcpd.py) has no knowledge about anything other than the leases it receives (and Unbound's own administration).

Let's mark this ticket a feature request, in case someone wants to write a PR as proposal.

AdSchellevis avatar Jun 05 '22 12:06 AdSchellevis
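The ownership behaviour described above, as an added illustrative model (not code from OPNsense's unbound_dhcpd.py): a registry that keys entries by address lets the lease watcher's re-registration displace the static override for the same IP, while a registry that keeps overrides and leases as separate name-keyed records, with overrides taking precedence, keeps both names resolvable. Host names and addresses are the constructed sample data from this thread.

```python
# Added example: a simplified model of the conflict, not the project's own logic.
# Sample names/addresses are constructed from the report above.

class AddressKeyedRegistry:
    """One name per address: whoever writes an address last owns it."""
    def __init__(self):
        self.by_addr = {}          # ip -> hostname

    def register(self, hostname, ip):
        self.by_addr[ip] = hostname   # silently evicts any previous name for ip

    def resolve(self, hostname):
        for ip, name in self.by_addr.items():
            if name == hostname:
                return ip
        return None                # no record: behaves like NXDOMAIN


class NameKeyedRegistry:
    """Names are independent records; static overrides win over lease entries."""
    def __init__(self):
        self.overrides = {}        # hostname -> ip, set by the administrator
        self.leases = {}           # hostname -> ip, set by the lease watcher

    def add_override(self, hostname, ip):
        self.overrides[hostname] = ip

    def lease_event(self, hostname, ip):
        # The watcher only knows hostname + address and never touches overrides.
        self.leases[hostname] = ip

    def resolve(self, hostname):
        return self.overrides.get(hostname, self.leases.get(hostname))


def reproduce_issue():
    """Lease registered, override added, then the watcher re-registers the lease."""
    reg = AddressKeyedRegistry()
    reg.register("proxy.server.example.com", "192.168.120.145")   # DHCP lease
    reg.register("service.example.com", "192.168.120.145")        # host override
    reg.register("proxy.server.example.com", "192.168.120.145")   # watcher runs again
    return reg.resolve("service.example.com"), reg.resolve("proxy.server.example.com")


def with_override_precedence():
    """Same event sequence against the name-keyed model."""
    reg = NameKeyedRegistry()
    reg.lease_event("proxy.server.example.com", "192.168.120.145")
    reg.add_override("service.example.com", "192.168.120.145")
    reg.lease_event("proxy.server.example.com", "192.168.120.145")
    return reg.resolve("service.example.com"), reg.resolve("proxy.server.example.com")
```

In the address-keyed model the override is lost (the first tuple element is None, matching the NXDOMAIN in the dig output), while the name-keyed model returns the same address for both names.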

Can someone additionally check this one? I've got these two, and the behaviour doesn't look the same:

static entry for 10.21.31.82 (name worker), override unifi.ccintra.domain (internal domain)
static entry for 10.21.31.185 (name checkmk), override checkmk.example.com (public domain)

The upper one, with the internal domain, is working; the one with the override for the public domain is not.

katamadone avatar Jul 22 '22 06:07 katamadone

Hi,

I do not understand why this is considered a feature. Now, if servers are registered with DHCP, there cannot be any alternative names for the same server.

I try to keep the hardware name and the service name separate. Registering names with DHCP is nice, but it should not block overrides from working.

stuba avatar Nov 06 '22 18:11 stuba

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Dec 02 '22 00:12 OPNsense-bot

Hi,

I do not understand why this is considered a feature. Now, if servers are registered with DHCP, there cannot be any alternative names for the same server.

I try to keep the hardware name and the service name separate. Registering names with DHCP is nice, but it should not block overrides from working.

I'd second that. We use that even in the business version. We do have clients/servers spawned automatically upon need, and with predefined CNAMEs so the user has a chance to have rememberable names.

katamadone avatar Dec 02 '22 08:12 katamadone

@katamadone if the registrations are easy to filter out (e.g. cnames are being removed for the same domain unintentionally), it might make sense to open a ticket describing the scenario in more detail. This ticket seems to be about a preference (which one comes first), which unfortunately is not easy to support and doesn't have a high priority on our end at the moment. The process to register dhcp leases has no knowledge about the rest of the environment and can only act upon what it receives (hostname+ address).

AdSchellevis avatar Dec 02 '22 09:12 AdSchellevis