DNSMasq - Am I missing something?

Started by besalope, June 18, 2026, 08:41:29 PM

I do not have an overly complex network setup.  I run two local subnets:  Home and Work.

Home
- Uses a pihole DNS server running on a separate Proxmox LXC
- Several less-trusted devices are pointed to a non-existent gateway to prevent external access, in addition to firewall rules for multi-tiered restrictions.
- Sometimes setting a DNS blackhole for Quest VR devices that still need local network access

Work
- Uses 1.1.1.3 as DNS server

In using the ISC DHCP v4 configurations (and equivalent) for the past 4 years, I have not had issues with this setup.  However, I started to look into DNSMasq due to the intended migration and for the life of me cannot identify how to set up separate DNS servers per subnet (or client), much less a gateway blackhole.

Am I missing something?  Or are we taking a decades-long step back in configuration control by moving to DNSMasq?

I also checked OpenWRT and have seen similar configuration issues, so this is not an Opnsense implementation limitation but rather a DNSMasq limitation.

Create a tag in dnsmasq, attach it to a host reservation, set the same tag on a DHCP option with the dns server you desire.

Full flexibility.

Using tags is explained here:
https://docs.opnsense.org/manual/dnsmasq.html#dhcp-tags
Hardware:
DEC740

Beat me to it... but I was going to point out that tags can be set at the DHCP range scope too...

Oh, and terminology kind of matters here - you'd want to *match* (not set) the tag when creating the option.

I do appreciate the attempts at help.

Thank you for the attempt at the "tag" explanation. I'm going with the alternative of locking the ISC DHCP 4 package and hoping this DNSMasq crap blows over within the next couple of years, before an upgrade fails that requires a bare metal reinstall.

None of the "tag" based designations are intuitive.

Quote from: besalope on June 18, 2026, 11:25:08 PM
hoping this DNSMasq crap blows over with the next couple years before an upgrade fails that requires bare metal reinstall.
Pi-Hole FTLDNS = DNSmasqd + Additional Features added by the Pi-Hole Developers ;)

And it's AWESOME!!!

I think you don't need the "tag based stuff" at all and can configure anything you want by adding stuff to the config files, just like you can when using Pi-Hole as your DHCP Server, so take a look at: https://linux.die.net/man/8/dnsmasq
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: besalope on June 18, 2026, 11:25:08 PM
I'm going with the alternative of locking the ISC DHCP 4 package and hoping this DNSMasq crap blows over

Not sure what you mean by "blows over", but ISC DHCP is dead, and it's not coming back. If you want a supported solution going forward, your choices are dnsmasq or Kea.

Quote from: besalope on June 18, 2026, 11:25:08 PM
None of the "tag" based designations are intuitive.

I haven't fully tested this, but I think you should be able to do something along these lines (replace 0.0.0.1 with whatever "blackhole" means to you, but note that 0.0.0.0 has special meaning (this host) in dnsmasq)...

Create tags: blackhole_dns, blackhole_gw

Create options:

        Interface: Home
        Type: Set
        Option: dns-server [6]
        Value: 192.168.1.10      # PiHole

        Interface: Work
        Type: Set
        Option: dns-server [6]
        Value: 1.1.1.3

        Interface: Any
        Type: Set
        Option: router [3]
        Tag: blackhole_gw
        Value: 0.0.0.1

        Interface: Any
        Type: Set
        Option: dns-server [6]
        Tag: blackhole_dns
        Value: 0.0.0.1


Create hosts:

        Host: less_trusted_thing_1
        Hardware addresses: ...
        Tag [set]: blackhole_gw

        Host: quest_vr_thing_1
        Hardware addresses: ...
        Tag [set]: blackhole_dns

Quote from: dseven on Today at 11:24:29 AM

THANK YOU dseven!  That set of examples helped connect the dots for me this morning and it appears to be working now.

Today at 03:32:48 PM #7 Last Edit: Today at 03:42:56 PM by besalope
Posting this in case anyone else needs the reference in the future when trying to wrap their heads around how DNSMasq handles static assignments vs dynamic ranges within a subnet.

Hosts:
  • .1-.89: Clients Static Reservation, use Pihole
  • .90-.99: Clients Static Reservation, use Cloudflare.  DNS-CloudFlare tag needs to be set on Host.
  • .100-.150: Clients Dynamic, use Pihole
  • .200-.253: Infrastructure/Proxmox Static Reservation, use Pihole


I found that while you can configure multiple static ranges on a subnet, the definition with the lowest Start Address will always override the others, since we cannot define an End Address.  This means you cannot have a split DNS assignment within a subnet that is managed only by setting the Tag on the DHCP Range; any variance from the lowest Start Address Range definition MUST be set on the actual Host configuration itself.  The same thing applies to the Blackhole Gateway/DNS: you can logically define a "range", but it must be applied on the Host configuration.

Works:
DHCP Range: LAN-Static-Pihole
  • Range Start: 192.168.157.1
  • Mode: Static
  • Domain Type: Range
  • Tag: DNS-Pihole

DHCP Range: LAN-Dynamic
  • Range Start: 192.168.157.100
  • Range End: 192.168.157.150
  • Mode: Nothing
  • Domain Type: Range
  • Tag: DNS-Pihole



Does not work:
DHCP Range: LAN-Static-Pihole
  • Range Start: 192.168.157.1
  • Mode: Static
  • Domain Type: Range
  • Tag: DNS-Pihole

DHCP Range: LAN-Static-CloudFlare - This is ignored
  • Range Start: 192.168.157.90
  • Mode: Static
  • Domain Type: Range
  • Tag: DNS-CloudFlare

DHCP Range: LAN-Static-Infrastructure - This is ignored
  • Range Start: 192.168.157.200
  • Mode: Static
  • Domain Type: Range
  • Tag: DNS-Pihole


DHCP Range: LAN-Dynamic
  • Range Start: 192.168.157.100
  • Range End: 192.168.157.150
  • Mode: Nothing
  • Domain Type: Range
  • Tag: DNS-Pihole
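For anyone who wants to see what the OPNsense form fields above turn into, here is the same scheme as a raw dnsmasq.conf fragment. It is an added example written for this thread, not configuration generated by OPNsense or posted by dseven or besalope, and it covers both dseven's tag/option/host layout and besalope's finding that per-client DNS or gateway overrides have to live on the host reservation rather than on a second overlapping range. Subnets, addresses, tag names and the MAC addresses are constructed placeholders.

```ini
# Added example, not from the thread: raw dnsmasq equivalent of the
# tag/option/host scheme discussed above. All addresses, interface names,
# tag names and MAC addresses are constructed for illustration.

# A tag is only a label. "set:" attaches it to a client; "tag:" on an
# option MATCHES it (which is the set-vs-match distinction raised above).

# Per-subnet ranges. Every client served from a range inherits that
# range's tag. One static range plus one dynamic range per subnet mirrors
# the "Works" layout in the last post.
dhcp-range=set:home,192.168.1.0,static
dhcp-range=set:home,192.168.1.100,192.168.1.150,12h
dhcp-range=set:work,192.168.2.100,192.168.2.150,12h

# Default DNS (option 6) and router (option 3) per subnet.
# "tag:!name" negates a tag, so the subnet default is withheld from any
# client that carries an override tag. That avoids two matching
# dns-server lines for the same client and makes the outcome unambiguous.
dhcp-option=tag:home,tag:!blackhole_dns,tag:!dns_cloudflare,option:dns-server,192.168.1.10
dhcp-option=tag:work,tag:!blackhole_dns,option:dns-server,1.1.1.3
dhcp-option=tag:home,tag:!blackhole_gw,option:router,192.168.1.1
dhcp-option=tag:work,tag:!blackhole_gw,option:router,192.168.2.1

# "Blackhole" values. 0.0.0.0 means "this host" (the dnsmasq server
# itself), so it is NOT a blackhole; an address nothing answers on is
# needed. 0.0.0.1 follows dseven's example; substitute whatever unreachable
# address fits the network.
dhcp-option=tag:blackhole_gw,option:router,0.0.0.1
dhcp-option=tag:blackhole_dns,option:dns-server,0.0.0.1

# Per-host overrides. The override tag is set on the reservation itself,
# which is the point from the last post: a second static range starting
# at .90 or .200 is ignored, but a set: on the dhcp-host always applies.
dhcp-host=02:00:00:00:00:01,192.168.1.20,less_trusted_thing_1,set:blackhole_gw
dhcp-host=02:00:00:00:00:02,192.168.1.21,quest_vr_thing_1,set:blackhole_dns

# The .90-.99 "use Cloudflare" clients from the last post, done the same way.
dhcp-host=02:00:00:00:00:03,192.168.1.90,cf_client_1,set:dns_cloudflare
dhcp-option=tag:dns_cloudflare,option:dns-server,1.1.1.1

# Log the tags and options chosen for every lease so the effective result
# per client can be checked instead of guessed.
log-dhcp
```

With `log-dhcp` enabled, each DHCPOFFER/DHCPACK in the log lists the tags attached to that client ("tags: home, blackhole_gw, known, ...") followed by the options actually sent, which is the quickest way to confirm that a black-holed or Cloudflare client is not also receiving the subnet default. The negated tags on the default lines are what make that guarantee hold; without them, two dns-server lines would match the same client and you would be relying on dnsmasq's internal option ordering rather than on your configuration.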