OPNsense Forum

English Forums => 26.1, 26,4 Series => Topic started by: besalope on June 18, 2026, 08:41:29 PM

Title: DNSMasq - Am I missing something?
Post by: besalope on June 18, 2026, 08:41:29 PM
I do not have an overly complex network setup.  I run two local subnets:  Home and Work.

Home
- Uses a pihole DNS server running on a separate Proxmox LXC
- Several less-trusted devices are pointed to a non-existent gateway to prevent external access in addition to firewall rules for multi-tiered restrictions.
- Sometimes setting a DNS blackhole for Quest VR devices that still need local network access

Work
- Uses 1.1.1.3 as DNS server

In using the ISC DHCP v4 configurations (and equivalent) for the past 4 years, I have not had issues with this setup.  However, I started to look into DNSMasq due to the intended migration and for the life of me cannot identify how to set up separate DNS servers per subnet (or client), much less a gateway blackhole.

Am I missing something?  Or are we taking a decade's step back in configuration control by moving to DNSMasq?

I also checked OpenWRT and have seen similar configuration issues, so this is not an OPNsense implementation limitation but rather DNSMasq limitations.
Title: Re: DNSMasq - Am I missing something?
Post by: Monviech (Cedrik) on June 18, 2026, 08:44:15 PM
Create a tag in dnsmasq, attach it to a host reservation, set the same tag on a DHCP option with the DNS server you desire.

Full flexibility.

Using tags is explained here:
https://docs.opnsense.org/manual/dnsmasq.html#dhcp-tags
Title: Re: DNSMasq - Am I missing something?
Post by: dseven on June 18, 2026, 08:53:25 PM
Beat me to it... but I was going to point out that tags can be set at the DHCP range scope too...

Oh, and terminology kind of matters here - you'd want to *match* (not set) the tag when creating the option.
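
The two replies above, written out as a raw dnsmasq configuration for the setup in the first post. This is an added example, not part of the thread and not OPNsense's generated config; every address, MAC and tag name (home, work, nogw, nodns) is a constructed placeholder, and only 1.1.1.3 comes from the original post.

```conf
# Constructed example: addresses, MACs and tag names are placeholders.

# --- Home subnet ---------------------------------------------------
# The range SETS the tag "home" on every client served from this subnet.
dhcp-range=set:home,192.168.10.100,192.168.10.200,255.255.255.0,12h

# Options MATCH tags. Several tag: entries on one line must all match,
# and tag:!name matches only when that tag is NOT set, so the hosts
# singled out below do not receive the normal gateway/resolver.
dhcp-option=tag:home,tag:!nogw,option:router,192.168.10.1
dhcp-option=tag:home,tag:!nodns,option:dns-server,192.168.10.2   # Pi-hole LXC

# Less-trusted device: the host reservation sets "nogw", and the
# matching option hands out an unused address as default gateway.
dhcp-host=02:00:00:00:00:10,set:nogw,192.168.10.50
dhcp-option=tag:nogw,option:router,192.168.10.254

# Headset that keeps LAN access but gets a resolver address where
# nothing is listening (DNS blackhole).
dhcp-host=02:00:00:00:00:20,set:nodns,192.168.10.60
dhcp-option=tag:nodns,option:dns-server,192.168.10.253

# --- Work subnet ---------------------------------------------------
dhcp-range=set:work,192.168.20.100,192.168.20.200,255.255.255.0,12h
dhcp-option=tag:work,option:router,192.168.20.1
dhcp-option=tag:work,option:dns-server,1.1.1.3
```

DHCP options are only advice to the client: a device with a statically configured gateway or resolver ignores them, so the firewall rules mentioned in the first post remain the actual enforcement.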
Title: Re: DNSMasq - Am I missing something?
Post by: besalope on June 18, 2026, 11:25:08 PM
I do appreciate the attempts at help.

Thank you for the attempt at "tag" explanation, I'm going with the alternative of locking the ISC DHCP 4 package and hoping this DNSMasq crap blows over within the next couple years before an upgrade fails that requires bare metal reinstall.

None of the "tag" based designations are intuitive.
Title: Re: DNSMasq - Am I missing something?
Post by: nero355 on June 19, 2026, 12:06:02 AM
Quote from: besalope on June 18, 2026, 11:25:08 PM
hoping this DNSMasq crap blows over within the next couple years before an upgrade fails that requires bare metal reinstall.

Pi-Hole FTLDNS = DNSmasqd + Additional Features added by the Pi-Hole Developers ;)

And it's AWESOME!!!

I think you don't need the "tag based stuff" at all and can configure anything you want by adding stuff to the config files, just like you can when using Pi-Hole as your DHCP Server, so take a look at: https://linux.die.net/man/8/dnsmasq