Dnsmasq not responding to some DNS queries

Started by Lu, Today at 04:40:38 AM

I have a printer that makes DNS queries like any other device, mainly to reach machines on the LAN, but also to 3rd party services on the Internet. From what I can tell, Dnsmasq on OPNsense flat-out refuses to answer its DNS queries. I've done packet captures on the OPNsense device to compare requests from my own machine with those of the printer, and I don't know why they go unanswered. It waits and asks again with the search domain appended, defensive-programming-style. I don't see anything blocking them when I watch the live view of the firewall while triggering queries from the printer.

Does anyone have any ideas about the cause, or what else I can do to diagnose it?

As a band-aid solution, I've had to configure it to use static IP addresses instead of names to get basic functionality, but that isn't sustainable.

Today at 10:56:30 AM #1 Last Edit: Today at 10:59:23 AM by meyergru
You could try to use Unbound to see if Dnsmasq really is the culprit. Also, you can look at the firewall logs to see if the default catch-all rule blocks the request.

Just as a reminder:

a. You need specific, manual rules that allow DNS requests (UDP port 53) to your firewall. There are only some services covered by automatic rules, like DHCP, but not DNS or NTP.
b. There is an initial, manual rule "allow any->any" for the first LAN interface only, that gets automatically created during first install.

Thus, if your devices are on different VLANs, this may already be an explanation (see b.). Or maybe you deleted the initial "allow any" rule.
For good measure, I always create an "allow DNS on this firewall" as a floating rule.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
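One way to do the log check meyergru suggests, as an added example that is not from this thread: a small Python script that scans exported OPNsense filterlog lines for UDP/53 requests to the firewall's own address that hit a block rule. The sample log lines and rule labels are constructed, and the field layout is my assumption about the pf filterlog CSV format; compare it against your own log before relying on it.

```python
# Added example: find DNS requests to the firewall that a block rule dropped.
import csv
from io import StringIO

# Assumed filterlog layout (pf filterlog, IPv4): common header fields followed
# by the IPv4-specific fields. Verify against a real line from your own log.
COMMON = ["rulenr", "subrulenr", "anchor", "label", "iface", "reason",
          "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto", "protoname",
        "length", "src", "dst", "srcport", "dstport", "datalen"]

# Constructed sample log lines; LABEL-* values are placeholders, not real rule ids.
SAMPLE_LOG = """\
Jan 01 10:00:01 fw filterlog[1234]: 65,,,LABEL-DEFAULT-DENY,vlan0.20,match,block,in,4,0x0,,64,0,0,none,17,udp,61,192.168.20.50,192.168.20.1,51234,53,41
Jan 01 10:00:02 fw filterlog[1234]: 12,,,LABEL-ALLOW-DNS,igb1,match,pass,in,4,0x0,,64,0,0,none,17,udp,61,192.168.1.10,192.168.1.1,40000,53,41
Jan 01 10:00:03 fw filterlog[1234]: 65,,,LABEL-DEFAULT-DENY,vlan0.20,match,block,in,4,0x0,,64,0,0,none,6,tcp,60,192.168.20.50,203.0.113.5,52000,443,0
"""


def parse_filterlog(line):
    """Return a dict of fields for one IPv4 filterlog line, or None if not one."""
    if "filterlog" not in line:
        return None
    payload = line.split("filterlog", 1)[1].split(": ", 1)[1]
    row = next(csv.reader(StringIO(payload)))
    if len(row) < len(COMMON) + len(IPV4) or row[8] != "4":
        return None  # only IPv4 lines are handled here
    return dict(zip(COMMON + IPV4, row))


def blocked_dns_to_firewall(log_text, firewall_ips):
    """Return (iface, src, rulenr) for blocked UDP/53 packets addressed to the firewall."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if (rec["action"] == "block" and rec["protoname"] == "udp"
                and rec["dstport"] == "53" and rec["dst"] in firewall_ips):
            hits.append((rec["iface"], rec["src"], rec["rulenr"]))
    return hits


if __name__ == "__main__":
    # The firewall's interface addresses are constructed for this sample.
    for iface, src, rule in blocked_dns_to_firewall(SAMPLE_LOG, {"192.168.20.1", "192.168.1.1"}):
        print(f"DNS from {src} on {iface} dropped by rule {rule}: add a pass rule for UDP/53 on that interface")
```

In the constructed sample, the printer on the second VLAN is the only client whose DNS request hits the block rule, which is exactly the "different VLAN, no explicit DNS rule" case described above.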