Good morning, recent pfSense user here busy configuring OPNSense 25.7.2 to meet my needs. One of these needs is to map a hostname 'mqtt' to a specific server 'glencoe'. In other words I have configured a number of IoT hosts to publish messages to a host named 'mqtt' and in my case, the actual host is 'glencoe'. (I set this up when I was moving the MQTT broker between hosts and didn't want to have to edit settings on each host that publishes.) In Dnsmasq -> Leases I've set the Lease Type for 'glencoe' to static.
I'm using Dnsmasq + Unbound for DHCP and DNS. I've gone to the Unbound -> Overrides page and in Hosts made the following settings:
- Host - glencoe
- Domain - localdomain
- Type - A (IPV4 address)
- TTL = 300
- IP address - 10.20.8.221
In the Aliases section
- Host Override glencoe.localdomain (automatically populated)
- host - mqtt
- Domain - localdomain
When I click "Apply" I see the log message
2025-09-04T12:15:30-05:00 | Warning | unbound | PTR record already exists for mqtt.localdomain(10.20.8.221)
I'm sure that hints at what I've mis-configured but I'm equally sure I don't understand what it means. Any suggestions for what I've got wrong are most welcome.
Thanks!
Edit: Just to note, after making these changes, queries to 'mqtt' are not resolved.
That's just a warning. A reverse entry already exists for IP address 10.20.8.221 and it's probably glencoe.localdomain. So Unbound cannot add another PTR record. That's just informational.
IMHO OPNsense should not try to create PTR records for host aliases. Doesn't make sense. An IP address always has exactly one PTR entry.
Thanks for the reply.
Any suggestion for fixing the unbound alias issue?
best,
Edit: I've worked around this by renaming the host in https://opnsense/ui/dnsmasq/settings#hosts to 'mqtt'. I would like that to be temporary if possible.
There is no issue. The warning can be ignored. I have dozens of aliases in Unbound and they all work.
Apologies for not being clear. I cannot see how to direct traffic for the alias 'mqtt' to the host 'glencoe'.
I have temporarily fixed that to manage the MQTT issue by renaming that host (in Dnsmasq) as 'mqtt' but that breaks everything else that looks for 'glencoe' (such as backups and monitoring.)
best,
If mqtt is a DNS alias for glencoe then "ping mqtt" and "ping glencoe" will both result in the same IP address. So any connection e.g. by a browser will end on the same system. There is no "directing of traffic" in DNS. Same IP address, same target host.
Quote: If mqtt is a DNS alias for glencoe then "ping mqtt" and "ping glencoe" will both result in the same IP address.
Yes, exactly what I want. I have not been able to achieve that with the settings listed in the first post.
best,
But what *do* you get instead?
Check /var/unbound/host_entries.conf
You might want to change that "localdomain" to something with at least one dot in it like "mydomain.lan". I am not sure it is the cause of your problem but it will lead to problems with certificates should you want to use them later. Any hostname should have at least two dots in it. Like e.g. "glencoe.mydomain.lan".
Thanks for sticking with me on this. I will look into that and get back to you in a bit.
Quote: You might want to change that "localdomain" to something with at least one dot in it like "mydomain.lan".
Just this morning I noticed that OPNSense web pages show me logged in as "root@OPNsense.internal". That has me wondering if I have a conflict between "localdomain" and "internal". I guess I need to look up where that is set and determine what I need to use for the domain on my home LAN. Thanks for bringing that up. And as a long time Linux user, I think I should not be using "root" for my day to day login.
best,
Here are the contents of /var/unbound/host_entries.conf
hbarta@OPNsense:~ $ cat /var/unbound/host_entries.conf
local-zone: "internal" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data: "localhost.internal A 127.0.0.1"
local-data-ptr: "::1 localhost"
local-data: "localhost AAAA ::1"
local-data: "localhost.internal AAAA ::1"
local-data: "OPNsense.internal A 10.20.0.1"
local-data: "OPNsense A 10.20.0.1"
local-data-ptr: "10.10.0.1 OPNsense.internal"
local-data: "OPNsense.internal A 10.10.0.1"
local-data: "OPNsense A 10.10.0.1"
local-data-ptr: "2601:249:1a7f:7b2e:e251:d8ff:fe19:1495 OPNsense.internal"
local-data: "OPNsense.internal AAAA 2601:249:1a7f:7b2e:e251:d8ff:fe19:1495"
local-data: "OPNsense AAAA 2601:249:1a7f:7b2e:e251:d8ff:fe19:1495"
local-data-ptr: "10.20.13.10 xxxx.localdomain"
local-data: "xxxx.localdomain IN A 10.20.13.10"
hbarta@OPNsense:~ $ ping -c1 10.20.13.10
PING 10.20.13.10 (10.20.13.10): 56 data bytes
64 bytes from 10.20.13.10: icmp_seq=0 ttl=64 time=0.299 ms
--- 10.20.13.10 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.299/0.299/0.299/0.000 ms
hbarta@OPNsense:~ $ ping -c1 xxxx.localdomain
ping: cannot resolve xxxx.localdomain: Name does not resolve
hbarta@OPNsense:~ $ ping -c1 xxxx
ping: cannot resolve xxxx: Name does not resolve
hbarta@OPNsense:~ $
Note that at present I want the name 'xxxx' to resolve to 10.20.13.10 (which is the host 'glencoe'). I'm doing something else with 'mqtt' at the moment to keep my home automation working.
Settings for https://10.10.0.1/ui/unbound/overrides are now: enabled:checked, Host:xxxx, Domain:localdomain, Type:A, IP address:10.20.13.10.
best,
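The two things this thread turns on are visible in the host_entries.conf dump above: unbound local-data lines give a name its A/AAAA records (an alias is simply a second name with the same address, as the earlier reply says), and local-data-ptr lines give an IP its single PTR, so a second PTR for the same IP is what the "PTR record already exists" warning refers to. The small checker below, an added example that is not OPNsense or unbound code, parses text in that file's format, reports which names have no record at all (the 'xxxx.localdomain' situation), confirms that an alias and its canonical name answer with the same address, and lists IPs that were handed more than one PTR. The embedded sample is constructed for the example; its names and addresses are not from a real box.

```python
import re
from collections import defaultdict

# Constructed sample in the format of /var/unbound/host_entries.conf as shown
# in this thread. Names and addresses are made up for the example; they are
# not taken from a real OPNsense box.
SAMPLE_CONF = """\
local-zone: "localdomain" transparent
local-data-ptr: "127.0.0.1 localhost"
local-data: "localhost A 127.0.0.1"
local-data-ptr: "10.20.8.221 glencoe.localdomain"
local-data: "glencoe.localdomain IN A 10.20.8.221"
local-data: "glencoe A 10.20.8.221"
local-data: "mqtt.localdomain IN A 10.20.8.221"
local-data: "mqtt A 10.20.8.221"
local-data-ptr: "10.20.8.221 mqtt.localdomain"
"""

LOCAL_DATA = re.compile(r'^local-data:\s*"([^"]+)"')
LOCAL_PTR = re.compile(r'^local-data-ptr:\s*"(\S+)\s+(\S+)"')


def parse_host_entries(text):
    """Parse unbound local-data / local-data-ptr lines.

    Returns (forward, reverse):
      forward: lowercase owner name -> set of (RRTYPE, rdata)
      reverse: IP address -> list of names given a PTR, in file order
    """
    forward = defaultdict(set)
    reverse = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCAL_DATA.match(line)
        if m:
            fields = m.group(1).split()
            name = fields[0].rstrip('.').lower()
            # Drop an optional class ("IN") and an optional numeric TTL so that
            # "name A ip", "name IN A ip" and "name 300 IN A ip" all parse.
            rest = [f for f in fields[1:] if f.upper() != 'IN' and not f.isdigit()]
            rrtype, rdata = rest[0].upper(), ' '.join(rest[1:])
            forward[name].add((rrtype, rdata))
            continue
        m = LOCAL_PTR.match(line)
        if m:
            ip, name = m.group(1), m.group(2).rstrip('.').lower()
            reverse[ip].append(name)
    return forward, reverse


def resolve(forward, name, rrtype='A'):
    """Addresses the local data answers for name/rrtype (empty list if none)."""
    return sorted(rdata for t, rdata in forward.get(name.lower(), ()) if t == rrtype)


def duplicate_ptrs(reverse):
    """IPs handed more than one PTR. Only the first is usable; each later one
    is what the 'PTR record already exists' warning is about."""
    return {ip: names for ip, names in reverse.items() if len(names) > 1}


def alias_matches(forward, alias, canonical, rrtype='A'):
    """True when alias and canonical name answer with the same, non-empty
    address set, i.e. both names lead to the same host."""
    a = resolve(forward, alias, rrtype)
    c = resolve(forward, canonical, rrtype)
    return bool(c) and a == c


def missing_names(forward, names, rrtype='A'):
    """Names from the list that have no record of that type in the local data."""
    return [n for n in names if not resolve(forward, n, rrtype)]


if __name__ == '__main__':
    fwd, rev = parse_host_entries(SAMPLE_CONF)
    print('mqtt    ->', resolve(fwd, 'mqtt.localdomain'))
    print('glencoe ->', resolve(fwd, 'glencoe.localdomain'))
    print('alias ok:', alias_matches(fwd, 'mqtt', 'glencoe'))
    print('duplicate PTRs:', duplicate_ptrs(rev))
    print('not in local data:', missing_names(fwd, ['xxxx.localdomain']))
```

To run it against a live box, pass the real file contents to parse_host_entries (for example `parse_host_entries(open('/var/unbound/host_entries.conf').read())`). A name that is absent from the file means the override never reached unbound's local data, so the apply/reload step is where to look; a name that is present in the file while "ping" still reports "Name does not resolve" means the client is asking something other than this local data (a different resolver, a different listening port, or a different domain suffix), which is a separate problem from the PTR warning.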
The DNS overrides for DHCP reservations over the subnet defaults currently do not work, at least for Kea, see this (https://github.com/opnsense/core/issues/9207).
I just accomplished this by going to the host reservation in DNSMASQ, and under the DNS section of the host setup putting in a CNAME Record of MQTT.PSHARKAUBURN.LAN. So now my DHCP reservation of SERVER (SERVER.PSHARKAUBURN.LAN) has an automatic CNAME entry of 'MQTT.PSHARKAUBURN.LAN' pointed to it.
I didn't do anything in unbound to make this work regarding the SERVER -> MQTT stuff. I HAD previously done the setup related to using DNSMASQ + UNBOUND together, where UNBOUND is forwarding DNS lookups for PSHARKAUBURN.LAN -> 127.0.0.1:53053 which is what port I put DNSMASQ DNS listening on.
Pic Attached
Quote from psharkauburn on September 14, 2025, 07:52:42 PM: I just accomplished this by going to the host reservation in DNSMASQ, and under the DNS section of the host setup putting in a CNAME Record ...
Yes, that does what I want - thanks!
I guess I missed the Dnsmasq override feature when making static assignments.
Quote from meyergru on September 14, 2025, 05:17:42 PM: The DNS overrides for DHCP reservations over the subnet defaults currently do not work, at least for Kea, see this (https://github.com/opnsense/core/issues/9207).
I guess it does not work for Dnsmasq+Unbound either (or I misunderstand what the override feature in Unbound is intended to do.)
I do not know enough about this to determine if this is a bug or if my expectation or configuration are wrong. But I'm happy to have found a solution.
best,