- Set dnsmasq as your opnsense DNS server. (Or, if you really want to continue using Unbound, you can set Query Forwarding in Unbound to forward lookups for specific wildcard domains to dnsmasq internally.)
- In Firewall > Aliases, create an empty alias such as `hosts_from_dns`. Set the type to External (Advanced) with both IPv4 and IPv6.
- Add a custom config file for dnsmasq in `/usr/local/etc/dnsmasq.conf.d/dnsmasq-ipset.conf`:
```
# Add the response for certain A/AAAA lookups to an opnsense alias
ipset=/facebook.com/instagram.com/cdninstagram.com/fbcdn.net/googlevideo.com/hosts_from_dns
# Uncomment these if Unbound is still your primary DNS server; otherwise you'll have a loop
#no-resolv
#server=8.8.8.8
```
- Restart dnsmasq.
Run a test DNS query, then check the contents of the new table (Firewall > Diagnostics > Aliases > hosts_from_dns) to see it populate. You can use this alias (hosts_from_dns) in firewall rules.
(Despite the config option being named “ipset”, dnsmasq will use BSD pf tables or nftables depending on the OS.)
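To see which lookups actually end up in the alias table, here is an added example (not part of the original post, and not dnsmasq's own code) that parses the `ipset=` line from the config above and simulates table population the way dnsmasq matches names: a query matches a configured domain when it equals that domain or is a subdomain of it, and only A/AAAA answers are added. The config text, the query names and the addresses are constructed sample data; the function and variable names are this example's own.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed copy of the dnsmasq-ipset.conf from the post, used as sample input.
SAMPLE_CONF = """
# Add the response for certain A/AAAA lookups to an opnsense alias
ipset=/facebook.com/instagram.com/cdninstagram.com/fbcdn.net/googlevideo.com/hosts_from_dns
#no-resolv
#server=8.8.8.8
"""

Rule = Tuple[List[str], List[str]]  # (domains, set/alias names)


def parse_ipset_lines(conf: str) -> List[Rule]:
    """Parse dnsmasq 'ipset=/dom1/dom2/.../set1,set2' lines.

    Blank lines and '#' comments are skipped; other options are ignored.
    """
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("ipset="):
            continue
        body = line[len("ipset="):]
        if not body.startswith("/"):
            raise ValueError(f"malformed ipset line: {raw!r}")
        parts = body.split("/")
        # parts[0] is the empty string before the leading '/', the last part
        # is the comma-separated list of set (alias) names.
        domains = [d.lower().strip(".") for d in parts[1:-1] if d]
        sets = [s for s in parts[-1].split(",") if s]
        if not domains or not sets:
            raise ValueError(f"ipset line needs domains and a set name: {raw!r}")
        rules.append((domains, sets))
    return rules


def matching_sets(qname: str, rules: List[Rule]) -> Set[str]:
    """Return the set names a query name maps to.

    Matching is label-wise: 'www.facebook.com' matches 'facebook.com', while
    'notfacebook.com' and 'facebook.com.example.net' do not.
    """
    name = qname.lower().rstrip(".")
    hit: Set[str] = set()
    for domains, sets in rules:
        for dom in domains:
            if name == dom or name.endswith("." + dom):
                hit.update(sets)
    return hit


def populate_tables(answers: List[Tuple[str, str, str]],
                    rules: List[Rule]) -> Dict[str, Set[str]]:
    """Simulate table population from (qname, rrtype, rdata) answer records.

    Only A and AAAA records carry addresses; anything else (CNAME, TXT, ...)
    is skipped. Addresses are validated before being added.
    """
    tables: Dict[str, Set[str]] = {}
    for qname, rrtype, rdata in answers:
        if rrtype not in ("A", "AAAA"):
            continue
        addr = str(ipaddress.ip_address(rdata))
        for s in matching_sets(qname, rules):
            tables.setdefault(s, set()).add(addr)
    return tables


# Constructed sample answers (documentation-range addresses, not real hosts).
SAMPLE_ANSWERS = [
    ("www.facebook.com", "A", "203.0.113.10"),            # subdomain match
    ("scontent.cdninstagram.com", "AAAA", "2001:db8::1"), # IPv6 goes in too
    ("www.facebook.com", "CNAME", "edge.facebook.com"),   # not an address
    ("facebook.com.example.net", "A", "198.51.100.5"),    # no label match
    ("notfacebook.com", "A", "198.51.100.6"),             # no label match
]

if __name__ == "__main__":
    rules = parse_ipset_lines(SAMPLE_CONF)
    for alias, addrs in populate_tables(SAMPLE_ANSWERS, rules).items():
        print(alias, sorted(addrs))
```

On the firewall itself the same check is `pfctl -t hosts_from_dns -T show` after a test lookup, which lists the pf table backing the alias; the simulation above is only for reasoning about which names the `ipset=` line will and will not capture before you commit the config.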
Edit: Updated steps to clarify that the type should be “External (Advanced)” and commented out the Unbound loop mitigation by default. Removed the mitigation for the Aliases Resolver Interval.