Core: Old DHCP addresses are not removed in Unbound configuration

Created on 27 Sep 2019 · 14Comments · Source: opnsense/core

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

[X] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
[X] I have searched the existing issues and I'm convinced that mine is new.

Describe the bug

In OPNSense 19.7 (and 19.1), If a client renews it's DHCP lease, and is given a different address, all addresses remain active in Unbound if client registration has been enabled. This breaks name resolution, as only one of the IP addresses corresponds correctly to the client.

To Reproduce
Steps to reproduce the behavior:

Enable "Register DHCP leases" in the dhcp config.
Wait for a client to renew and get a different IP address. In my case, it's pretty quick to reproduce by restarting lxc containers bridged into the LAN.
Run dig @<opnsense IP or hostname> <hostname of client>.
Note multiple entries in the response.

Expected behavior
I expected only the most recently assigned IP address to be resolved.

Additional context
I believe that the problem may be in the cached DHCP leases and not in unbound, as https://github.com/opnsense/core/blob/ad7d6df09c65eed207d4e02a47a20821c40d7a9a/src/opnsense/scripts/dns/unbound_dhcpd.py#L107 opens the configuration in write and not append mode.

Environment

OPNsense 19.7.

bug

Source

deviantintegral

All 14 comments

Also to add register dhcp leases takes a long time to register on Unbound, you need to restart the DNS service to update the dhcp leases on Unbound DNS.

rudiservo on 9 Jan 2020

@deviantintegral @rudiservo can you try https://github.com/opnsense/core/commit/96396f782e90c7ce9debf0f8e719598c33d21306 ?

Use the following to install, next restart unbound.

opnsense-patch 96396f7

AdSchellevis on 24 Feb 2020

@AdSchellevis giving you a heads up tomorrow if that's ok

rudiservo on 24 Feb 2020

👍1

Good afternoon, it didn’t help me. Unbound has stopped issuing any information to clients registered in DHCP.
For any request to local hosts I get:
Non-existent domain

DRON4eg on 25 Feb 2020

oops, missed a line in my commit https://github.com/opnsense/core/commit/f3adf835efce14a4148c5d1e563b57b08ef3606f should fix it (you can just opnsense-patch this on top)

You can check if it's running after a restart using ps fax | grep unbound_dhcpd.py, which should list a python3 process

AdSchellevis on 25 Feb 2020

It seems to work, but there was a glitch on the DNS request does not give ip instructions without a domain...
But I think this is a local system problem. :D

root@gw:~ # ps fax | grep unbound_dhcpd.py 16966 - Ss 0:00.62 /usr/local/bin/python3 /usr/local/opnsense/scripts/dns/unbound_dhcpd.py --domain ****** (python3.7) 49000 0 S+ 0:00.00 grep unbound_dhcpd.py

DRON4eg on 25 Feb 2020

The content should be the same as it was indeed, the glitch might be related to something else. You could inspect the unbound log to see if there's any notion of an issue in it (or dropping addresses which you don't expect, the new version adds more logging)

AdSchellevis on 25 Feb 2020

👍1

As I already wrote, the individual problem of my system :(
Thank you for the patch (it solved the problem of DNS and DHCP communication) and for trying to help not related to this issue.

DRON4eg on 25 Feb 2020

👍1

Yes, this looks to be working for me. I've not run into this recently as the lxc networking issues I had before were due to a faulty network driver, and I've since swapped NICs. But, manually changing the MAC address and renewing shows the new IP in the resolver. Thanks!

deviantintegral on 25 Feb 2020

@DRON4eg @deviantintegral thanks for confirming, let's consider this issue closed then.

AdSchellevis on 25 Feb 2020

@AdSchellevis After switching to OPNsense 20.1.2, the problem resumed, the patch you made was not included in the rezl?

DRON4eg on 13 Mar 2020

if I remember right, not yet, maybe in the next.

AdSchellevis on 13 Mar 2020

@AdSchellevis if you believe the changelog on github it should be enabled ((