Yeah I didn’t even check if it was available or not it just seemed like such an obvious feature. Apparently it’s been requested by Meraki for a while and they have been working on it.
Had to juggle around some nonstandard ports, since each site needed its own, but nbd. Although I suppose if you’re Cisco, decisions like that need to be well considered if they’re not left up to the user.
This week has made me not want to ever be a network engineer
My dumbass thought networking would be fun when I first got into IT
You always enjoy networking until it crashes and randomly does not work and then you want to burn it all in a fire.
We had a 100G switch die in our lab a few weeks ago; it was painful for a while.
Did this today…
Does anyone know how to get Dnsmasq to use the DHCP domain for resolving hosts instead of the system domain? It works that way in EdgeOS and I’d like to get it working like that here as well.
Example is:
Public domain is company.tld. Gateway is configured as whatever.company.tld.
I have DHCP running on VLAN3, with domain admin.company.tld.
computer1 gets a lease. I want host computer1.admin.company.tld to be the fqdn for computer1, but instead, dnsmasq is using the system domain, so it’s computer1.company.tld without the subdomain.
I know it’s a setting somewhere but I forget what it is and it’s difficult to Google.
Is it difficult to open the man page and search for keywords?
What keyword would I search?
I mean, yeah I’ll look at the man page later, but just wondering if anyone knew off the top of their head.
DHCP, domain, search
This relevant?
If the address range is given as ip-address/network-size, then a
additional flag “local” may be supplied which has the effect of
adding --local declarations for forward and reverse DNS queries.
Eg. --domain=thekelleys.org.uk,192.168.0.0/24,local is
identical to --domain=thekelleys.org.uk,192.168.0.0/24
--local=/thekelleys.org.uk/ --local=/0.168.192.in-addr.arpa/ The
network size must be 8, 16 or 24 for this to be legal.
-S, --local,
--server=[/[<domain>]/[domain/]][<ipaddr>[#<port>][@<source-ip>|<interface>[#<port>]]]
Specify IP address of upstream servers directly. Setting this
flag does not suppress reading of /etc/resolv.conf, use --no-
resolv to do that. If one or more optional domains are given,
Also permitted is a -S flag which gives a domain but no IP
address; this tells dnsmasq that a domain is local and it may
answer queries from /etc/hosts or DHCP but should never forward
queries on that domain to any upstream servers. --local is a
synonym for --server to make configuration files clearer in this
case.
Tons of useful info, I should probably study this document again myself
It might be expand-hosts without setting domain= explicitly.
So the issue is that only static reservations behave the way I want. Transient leases expand according to the system’s domain and not the domain delivered by DHCP.
So the DHCP server is telling hosts they are in the company.tld instead of the admin.company.tld domain? Does setting --domain=admin.company.tld accomplish what you’re after?
The resolver doesn’t tell hosts what requests to make, so the hosts must be making the wrong requests in the first place. And that would be based on the configuration they are given by the DHCP server.
I think it has to do with this:
--host-record=<name>[,<name>....],[<IPv4-address>],[<IPv6-address>][,<TTL>]
Add A, AAAA and PTR records to the DNS. This adds one or more names to the DNS with associated IPv4 (A) and IPv6 (AAAA) records. A name may appear in more than one --host-record and therefore be assigned more than one address. Only the first address creates a PTR record linking the address to the name. This is the same rule as is used reading hosts-files. --host-record options are considered to be read before host-files, so a name appearing there inhibits PTR-record creation if it appears in hosts-file also. Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect
Relevant part:
Unlike hosts-files, names are not expanded, even when --expand-hosts is in effect
Unfortunately, OPNsense does not appear to provide any direct access to the dnsmasq server. There is a dnsmasq.conf in /usr/local/etc but it’s just a copy of the sample file with every option commented out. There is a text field to add additional options, but it says that it will be deprecated…
Anyway, I have set the domain for each vlan, and that is what works with the static reservations. I can set the domain in the general config, but then all vlans would have the same domain which is not what I want. Each vlan has its own subdomain.
I was incorrect earlier when I mentioned that EdgeOS behaves differently. My memory was just of static reservations. I think this is an issue with dnsmasq. It just appears to handle resolving leases differently from static reservations for whatever reason.
The command line flags correspond to the config file options iirc.
I would check what queries are actually being sent over the wire because it seems most likely to me that it has nothing to do with the DNS server, rather the DHCP server is misconfigured and handing out the wrong domains to hosts. If you need to configure different domains for different vlans, then you can specify domain=admin.company.tld,10.0.0.0/24 to apply this to the address range on a specific vlan.
The hosts are picking up the correct domains. Querying the expanded fqdn from another system is where the issue is. Static reservations expand as intended, but pool leases do not. I believe this is by design as described under --host-record.
It’s just unfortunate as I’d prefer to let certain things have dynamic IP assignments while being able to access them via fqdn based on their subnet.
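The pieces discussed above (a per-range domain= for each VLAN, the ",local" flag from the quoted man page, expand-hosts, the --host-record non-expansion caveat, and checking what is actually asked on the wire) fit together in one dnsmasq.conf fragment. This is an added example, not configuration from the thread, from OPNsense, or from the dnsmasq project; the 10.0.3.0/24 subnet, the lease pool, and the host names are constructed assumptions.

```conf
# Added example dnsmasq.conf fragment (constructed; not from the thread or OPNsense).
# Assumptions: VLAN3 is 10.0.3.0/24, the system domain is company.tld,
# and every host name and address below is made up.

# System-wide domain: with no address range, any lease that matches
# nothing more specific is expanded as <host>.company.tld.
domain=company.tld

# Per-VLAN domain: applies only to leases in this range. The trailing
# ",local" is shorthand for --local=/admin.company.tld/ plus the matching
# 3.0.10.in-addr.arpa declaration, so forward and reverse queries for the
# subdomain are answered from leases/hosts here and never forwarded upstream.
domain=admin.company.tld,10.0.3.0/24,local

# DHCP pool for VLAN3; the addresses fall inside the range given above.
dhcp-range=10.0.3.100,10.0.3.200,12h

# DHCP-derived names already get the matching domain appended; expand-hosts
# does the same for simple (dot-less) names read from /etc/hosts.
expand-hosts

# Names given via --host-record are NOT expanded, even with expand-hosts,
# so a fixed entry must carry the full fqdn itself.
host-record=printer1.admin.company.tld,10.0.3.10

# Log every query and lease transaction so the names clients actually ask
# for can be read from the log before deciding whether DHCP or DNS is at fault.
log-queries
log-dhcp
```

With this in place, a query for a short name from another VLAN shows up in the log exactly as the client sent it, which is the quickest way to tell a client appending the wrong search domain apart from dnsmasq expanding a lease under the wrong domain.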
I have several extra.
Cleaned the pool today
xeon-freebsd ➜ ~ zpool list -v
NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT
system 168G 11.2G 157G - - 3% 6% 1.00x ONLINE -
mirror 168G 11.2G 157G - - 3% 6%
gpt/system-S21NNSBFC33884B - - - - - - -
gpt/system-S21NNSAG106810R - - - - - - -
tank 21.8T 9.35T 12.4T - - 12% 42% 1.00x ONLINE -
mirror 2.72T 1.79T 947G - - 18% 65%
gpt/red-2659 - - - - - - -
gpt/red-0D0U - - - - - - -
mirror 2.72T 1.81T 926G - - 20% 66%
gpt/red-7230 - - - - - - -
gpt/red-7VJN - - - - - - -
mirror 2.72T 1.83T 911G - - 21% 67%
gpt/red-2405 - - - - - - -
gpt/red-8459 - - - - - - -
mirror 2.72T 1.31T 1.41T - - 15% 48%
gpt/red-TEK2 - - - - - - -
gpt/red-7F2N - - - - - - -
mirror 2.72T 1.24T 1.48T - - 14% 45%
gpt/red-023L - - - - - - -
gpt/red-WPAU - - - - - - -
mirror 2.72T 1.23T 1.49T - - 12% 45%
gpt/red-SUF9 - - - - - - -
gpt/red-633N - - - - - - -
mirror 2.72T 68.4G 2.65T - - 0% 2%
gpt/red-SCUT - - - - - - -
gpt/red-C78K - - - - - - -
mirror 2.72T 67.4G 2.65T - - 0% 2%
gpt/red-1T8J - - - - - - -
gpt/red-5AYR - - - - - - -
spare - - - - - -
gpt/red-9PEN - - - - - - -
gpt/red-P782 - - - - - - -
I still have some system datasets on tank that need to move to a recursive boot environment on the system pool, then I can finally export tank and reimport it with the correct name, “storage”
I’ve taken to naming the system pool “system” and the storage pool “storage” rather than the conventional zroot and tank. Call me a rebel…
Success
xeon-freebsd ➜ ~ zpool list
NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT
storage 21.8T 9.32T 12.4T - - 11% 42% 1.00x ONLINE -
system 168G 47.0G 121G - - 3% 27% 1.00x ONLINE -
I still have some ‘tank’s that need to turn into ‘pool1’
Solid journalism