Dnsmasq DNS

Dnsmasq is a lightweight, easy to configure, DNS forwarder, which can be used to answer to dns queries from your network.

Similar functionality is also provided by “Unbound DNS”, our standard enabled forward/resolver service.

In some cases people prefer to use dnsmasq or combine it with our default enabled resolver (Unbound).


Since OPNsense 17.7 Unbound has been our standard DNS service, the main reason for Dnsmasq being shipped in our product is for compatibility. Although there are some use-cases that require Dnsmasq specifically, most users better opt for Unbound.

General settings

Most settings are pretty straightforward here when the service is enabled, it should just start forwarding dns requests when received from the network.


Enable our DNS Forwarder

Listen Port

The port used for responding to DNS queries, when empty the standard (53) will be used.

Network Interfaces

The interfaces to listen on, when using dynamic interfaces it’s not recommended to bind to addresses from these interfaces. [All] is the standard, in which case you can limit access using the firewall.

Bind Mode / strict binding

When network interfaces are provided, only bind to the interfaces containing the IP addresses selected above, rather than binding to all interfaces and discarding queries to other addresses. This option does not work with IPv6. If set, Dnsmasq will not bind to IPv6 addresses.


Validate DNS replies and cache DNSSEC data.

Register ISC DHCP4 Leases

Register dhcp leases in Dnsmasq, so that their hostnames can be resolved. (IPv4 only)

DHCP Domain Override

When set use the domain name specified here instead of the system domain for registering addresses.

Register ISC DHCP Static Mappings

Register static dhcp addresses as well.

Query DNS servers sequentially

If this option is set, Dnsmasq will query the DNS servers sequentially in the order specified (System: General Setup: DNS Servers), rather than all at once in parallel.

Require domain

If this option is set, Dnsmasq will not forward A or AAAA queries for plain names, without dots or domain parts, to upstream name servers. If the name is not known from /etc/hosts or DHCP then a “not found” answer is returned.

Do not forward private reverse lookups

If this option is set, Dnsmasq will not forward reverse DNS lookups (PTR) for private addresses (RFC 1918) to upstream name servers. Any entries in the Domain Overrides section forwarding private “n.n.n.in-addr.arpa” names to a specific server are still forwarded. If the IP to name is not known from /etc/hosts, DHCP or a specific domain override then a “not found” answer is immediately returned.

Log Queries

Send the results of dns queries to the log.

Host overrides

Here you define static hostnames, which allow you to reply a specific address when being asked, per entry the following options are available.


The hostname to register


The domain name to use

IP address

IP address of the host, can be an IPv4 (A record) or an IPv6 address (AAAA record)


Descriptive text for this host


Register alternative host + domain names for the same IP address

Domain Overrides

If a specific domain should be answered by a different DNS server, you can configure it here.


The domain name to use

IP address

IP address of the authoritative DNS server for this domain


Port number of the target dns server, leave blank for default (53)

Source IP

Source IP address for queries to the DNS server for the override domain. Leave blank unless your DNS server is accessed through a VPN tunnel.


Descriptive text for this entry

Advanced settings

To configure options that are not available in the gui one can add custom configuration files on the firewall itself. Files can be added in /usr/local/etc/dnsmasq.conf.d/, these should use as extension .conf (e.g. custom-options.conf). When more files are placed inside the directory, all will be included in alphabetical order.


It is the sole responsibility of the administrator which places a file in the extension directory to ensure that the configuration is valid.


This method replaces the Custom options settings in the Dnsmasq configuration, which was removed in version 21.1.