Messages - ItsHarper

#1
FQDN is definitely better than nothing, though it doesn't help with grouping devices.

Quote from: franco on June 13, 2025, 06:57:29 AM
This has always been misnamed and maybe that can be addressed by renaming the Dnsmasq field.

But then again maybe firewall alias support is coming to Dnsmasq... https://github.com/opnsense/core/pull/8791 making this even more complicated. ;)


Cheers,
Franco

Was that PR made in response to this feature request, or was this already about to happen? Either way, that's exciting!

Unfortunately, the limitation of IP addresses staying in the alias forever would kill the usefulness of this feature for me. To me, the whole point of doing it this way is so that I can create groups of devices, and change rules for the whole group at once, without having to worry about things like changing IP addresses.

If I get rid of a particular device, and another one that shouldn't be in the group gets assigned the old one's IP address, rules that shouldn't be applied will be. To me, that's just a ticking time bomb.

Interestingly, dnsmasq's add_to_ipset() function has a parameter to make it remove entries rather than add them, but it's always set to 0. I wonder how much work it would be to make it auto-remove expired entries.
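
The stale-entry risk described in the post above can be checked from outside Dnsmasq by comparing alias contents with the lease file. This is an added example, not part of the original post and not OPNsense or Dnsmasq code; the alias mapping (IP to the MAC that was intended to be in the group), the sample data and the function names are assumptions made for illustration.

```python
# Constructed sample in dnsmasq lease-file layout:
# <expiry epoch> <MAC> <IPv4> <hostname> <client-id>; expiry 0 means no expiry.
SAMPLE_LEASES = """\
1750000000 aa:bb:cc:00:00:01 192.168.1.20 tv *
1750003600 aa:bb:cc:00:00:09 192.168.1.21 guest-phone *
1749990000 aa:bb:cc:00:00:03 192.168.1.22 printer *
"""

# Constructed alias contents: IP -> MAC of the device the entry was added for.
# Recording the MAC alongside the IP is an assumption of this example.
SAMPLE_ALIAS = {
    "192.168.1.20": "aa:bb:cc:00:00:01",
    "192.168.1.21": "aa:bb:cc:00:00:02",
    "192.168.1.22": "aa:bb:cc:00:00:03",
    "192.168.1.30": "aa:bb:cc:00:00:04",
}
NOW = 1749995000  # constructed "current time" so the result is reproducible


def parse_leases(text):
    """Return {ip: (expiry, mac, hostname)} for IPv4 lease lines only."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the DHCPv6 "duid" line and DHCPv6 leases.
        if (len(parts) < 4 or not parts[0].isdigit()
                or ":" not in parts[1] or "." not in parts[2]):
            continue
        leases[parts[2]] = (int(parts[0]), parts[1].lower(), parts[3])
    return leases


def stale_entries(alias, leases, now):
    """Return {ip: reason} for alias entries that no longer match a live lease."""
    stale = {}
    for ip, expected_mac in alias.items():
        lease = leases.get(ip)
        if lease is None:
            stale[ip] = "no lease"
        elif lease[0] != 0 and lease[0] <= now:
            stale[ip] = "lease expired"
        elif lease[1] != expected_mac.lower():
            # The case from the post: another device now holds the old address.
            stale[ip] = "address reassigned to " + lease[1]
    return stale
```
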
#2
I was looking into how https://github.com/opnsense/core/pull/8791 works on the Dnsmasq side, and it looks to me like the latest (unreleased) Dnsmasq code will no longer build on FreeBSD (starting with commit 98189ff988).

I'm sure this was unintentional, but I wanted to make sure you guys were aware. I sent an email to the Dnsmasq mailing list about this: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2025q2/018194.html
#3
At first, I didn't realize that Dnsmasq and the firewall config had separate "alias" concepts. I wasted a decent amount of time trying to figure out why my NAT rule that referenced a particular alias wasn't working when I assigned that alias to a host in Dnsmasq.

I think the help text for assigning aliases in Dnsmasq should clarify what exactly an alias is in this context, and that it's separate from firewall aliases.

What I would really like to see is the feature that I thought existed. I want to be able to add devices to a firewall Hosts alias from the same place that I configure everything else about the device.

That would be significantly more than just a convenience feature. Especially as it can provide both DHCP and DNS, Dnsmasq should be able to be the Source of Truth about each physical device's hostname and IP address. If I want to change a device's IP address, I should not have to update all of its firewall rules or alias assignments manually.

Right now, if I want to create a firewall rule for a particular device, I have to either reference it by IP address or manually create a Hosts alias that references the IP address. With this feature, I could create an alias for the device that would automatically follow whatever IP address Dnsmasq is giving the device.

Ultimately, it would be ideal if there was some kind of universal alias feature (maybe with a different name) that could be used not only for firewall rules, but also Unbound access lists and anywhere else where you'd need to refer to a particular IP address.

Overall, Dnsmasq has been great, thanks for all of your hard work.