DHCP off - should managed DNS still work?

Maybe it’s a silly question, so bear with a newbie

So I think I have observed the following:
With this setting, the DNS gets updated:

config:
  bridge.external_interfaces: enxa0cec8eb764c
  dns.domain: space.lab
  dns.mode: managed
  dns.search: space.lab
  dns.zone.forward: space.lab
  dns.zone.reverse.ipv4: space.lab
  ipv4.address: 10.0.1.201/24
  ipv4.dhcp: "true"
  ipv4.dhcp.expiry: 1h
  ipv4.dhcp.gateway: 10.0.1.1
  ipv4.dhcp.ranges: 10.0.1.150-10.0.1.250
  ipv4.firewall: "false"
  ipv4.nat: "false"
description: ""
name: lxcbr0
type: bridge
used_by:
- /1.0/profiles/dns-box
- /1.0/profiles/space.lab
- /1.0/instances/dns-box
- /1.0/instances/foo
- /1.0/instances/foo3
- /1.0/instances/unknown1
managed: true
status: Created
locations:
- none

(This is confirmed by running dig from the container “dns-box”)

However, the DNS records don’t get updated if I turn DHCP to “false” and instead use my local DHCP server.

I reckon this is probably expected behaviour, but why though? Or could I get DNS to do it’s thing somehow even though I’m not using the lxd DHCP server?

Yeah, the DNS records are effectively learned and maintained by dnsmasq, then LXD parses the dnsmasq lease files to get all the relevant records and expose that through the new network zones feature.

Ah, I see, thanks!

For the last hours I’ve been amazed at how bad my iptables skills are, until I stumbled upon the line “DHCP uses packet filters and these tie into the IP stack before the firewall.”

If I wanted to instead go with this:

dns.mode: dynamic

Then what would be a good place to start reading?

Edit: not sure about that statement above tbh - somehow, my UDP packets seem to arrive just fine when I test with netcat. Ebtables however solved it for me - now the DHCP broadcast is contained.