Welcome to the community!
The only thing I'll add is you could possibly get around this issue through DNS. But a lot of things need to be in place to make it work right and when you throw IPv6 into the mix (required by Matter) it becomes a major PITA.
But it's going to depend on the capabilities of your router and whether it has a DNS server built in like Unbound and that service can connect to your DHCP server. In that scenario, when a client registers for an IP address, the hostname and IP address are also registered with the DNS server and you'd then use the DNS name instead of the IP address in your Things.
If your router doesn't support that, you could go down the route @Pedro_Liberal describes and move the DHCP and DNS off your ISP provided gateway to something else. I personally use opnSense. pfSense is also popular. But these are really heavy weight with lots of capability but lots of complexity as a result. It would look something like:
Internet <--> ISP Gateway <--> opnSense <--> Wired connections <--> WiFi set to AP mode
But you could also set up PiHole or AdGuardHome as your local DNS server. I know for a fact that AdGuardHome has a built in DHCP server and suspect PiHole has the same. In this scenario you'd turn off your DHCP on your current router and let AdGuardHome/PiHole take on that role. These already have the DNS linked to DHCP leases so they will already know which IPs go with which hostnames.
The latter has the advantage that you can then implement network level ad/tracker/malicious blocking and parental controls (if you need that).
I personally run a combo of the two with opnSense providing DHCP and local DNS and AdGuardHome providing ad blocking. Dnsmasq registers IPv4 leases with Unbound. Unbound provides a second tier DNS lookup. This is where I configure 8.8.8.8, 1.1.1.1, etc. AdGuardHome uses Unbound as its upstream DNS server. So a DNS lookup from a client looks like:
nslookup google.com -> AdGuardHome (not on blocked list) -> Unbound (not local) -> 1.1.1.1 (returns IP address)
nslookup argus.koshak.lan -> AdGuardHome (not on blocked list) -> Unbound (local) -> Dnsmasq (returns IP address)
nslookup baddomain.com -> AdGuardHome (on blocked list, returns not found)
I'm still working with this to make it work with IPv6 (Dnsmasq doesn't support assigning IPv6 addresses to MAC so it's hard to identify clients). But the overall settings I use with opnSense are (I'm only posting the DNS related stuff, there is more required to set these up):
DNSMASQ
- enabled
- DNS port 53053 (don't use 5353 which has another purpose, don't use 53)
- do not forward to system defined DNS
- DHCP default domain (I use koshak.lan but set this up before .local became official)
- Register ISC Domain Mappings and Register static mappings (this is what @mstormi was talking about with assigning the mapping between MAC and address on the DHCP server)
- You can do those static IPv4 mappings under the 'hosts' tab

UNBOUND DNS
- enabled
- DNS port 5253 (don't use 5353, don't use 53)
- Register ISC Domain Mappings and Register static mappings
- Query Forwarding (this queries DNSMASQ for local addresses)
  - domain 'lan' (as in 'koshak.lan', use whatever is the last part of your chosen domain), host 127.0.0.1, port 53053
- DNS over TLS (your preferred DNS servers)

AdGuardHome DNS
- Upstream DNS servers: 127.0.0.1:5253
- Private DNS Lookup Servers: 127.0.0.1:53053
- Use private reverse DNS servers enabled
- Enable reverse resolving of client's IP address
DHCP will serve out the IP address of the router with port 53 as the DNS server. So all DHCP clients will use 192.168.1.1:53 (or whatever your IP ranges are) which is where AdGuardHome is running.
AdGuardHome will first check to see if the domain is on the disallow list (there are tons of maintained lists of ad servers, trackers, malware, etc that can be automatically downloaded by AdGuardHome). If it passes the filters, it will query 127.0.0.1:5253 which is the UNBOUND server.
If the domain name ends in .lan UNBOUND will forward the query to 127.0.0.1:53053 to resolve local addresses. Note that DHCP will assign all its leases to your default domain so if the DNS lookup is just a host name, your default local domain will be assumed.
If the domain name is anything else, UNBOUND will send the requests to your configured internet DNS servers (e.g. 1.1.1.1).
In AdGuardHome it is convenient to see hostnames instead of just IP addresses to identify clients. This is what those reverse lookups provide. If AdGuard does a reverse lookup using a BOGON (i.e. internal IP addresses which do not exist on the Internet, such as 192.168.1.23) it will query 127.0.0.1:53053 which is DNSMASQ, our DHCP server. Otherwise, it will send the query to UNBOUND which will forward it to the internet DNS servers.
Now this all kind of breaks down for IPv6 because clients do not usually register their hostname when they get an IPv6 lease, don't always use a leased IPv6 address, and often change their address. I'm currently working through addressing that problem by forcing all DNS lookups to go through IPv4 so clients can be correctly tracked but haven't finished that (it's one of the things that has taken away my OH support time recently, the boy turned 13, and I need to beef up my parental controls game).
Note, to do parental controls through AdGuardHome, you would set up the most strict controls by default. Then on a client by client basis you can relax those controls. However, that requires the reverse lookups to work, hence the IPv6 problems.
You should be able to do all of this with PiHole too. I use AdGuardHome because there's a plugin for opnSense and it has a way to block services (e.g. I can put a checkbox next to 'Facebook' and it will block all access to Facebook without needing to maintain it in the filter lists). PiHole didn't have that last time I looked at it.
With this configuration, I've removed all my overrides in AdGuard mapping my hostnames to their IP addresses (which is how I used to handle it). Eventually I might remove the static IP addresses from DNSMASQ too and let DHCP and DNS work the way they were always supposed to. However, that will explode the number of DNS queries (depending on the binding OH will make 100-200k DNS requests a day) which can make it hard to track what's going on with the DNS queries I really care about.
I know this is way more than needed, but it's what I've been working on these past few weeks so it's all fresh. Maybe when I get the IPv6 stuff working I'll post a full tutorial. I know a lot of folks use opnSense on the forum. And the general approach should apply to other systems like tangled, pfSense, etc.
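The three-tier lookup path described in the post (AdGuardHome -> Unbound -> Dnsmasq or upstream, plus the reverse lookups for private addresses), as an added Python model that is not part of the original post or of any of those projects. It uses the ports from the post; the block-list entry, the lease and the hostname-to-address mapping are constructed for the example.

```python
import ipaddress

# Listener addresses from the post's opnSense layout; the lease and the
# block-list entry below are constructed for this example.
ADGUARD  = "192.168.1.1:53"     # what DHCP hands out as the DNS server
UNBOUND  = "127.0.0.1:5253"
DNSMASQ  = "127.0.0.1:53053"
UPSTREAM = "1.1.1.1 (DoT)"      # Unbound's DNS-over-TLS forwarder

LOCAL_TLD   = "lan"                                  # Unbound query-forwarding domain
DHCP_DOMAIN = "koshak.lan"                           # dnsmasq default domain
BLOCKLIST   = {"baddomain.com"}                      # constructed AdGuardHome filter entry
LEASES      = {"argus.koshak.lan": "192.168.1.23"}   # constructed dnsmasq lease

def ptr_address(qname):
    """Turn a reverse-lookup name (in-addr.arpa / ip6.arpa) into an ip_address, else None."""
    if qname.endswith(".in-addr.arpa"):
        octets = qname[:-len(".in-addr.arpa")].split(".")[::-1]
        candidate = ".".join(octets)
    elif qname.endswith(".ip6.arpa"):
        nibbles = qname[:-len(".ip6.arpa")].split(".")[::-1]
        candidate = ":".join("".join(nibbles[i:i + 4]) for i in range(0, 32, 4))
    else:
        return None
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None

def route(qname):
    """Return the hops a query takes, mirroring the nslookup traces in the post."""
    qname = qname.rstrip(".").lower()
    if "." not in qname:                       # bare hostname: DHCP search domain applies
        qname = f"{qname}.{DHCP_DOMAIN}"
    hops = [("AdGuardHome", ADGUARD)]
    if any(qname == b or qname.endswith("." + b) for b in BLOCKLIST):
        return hops + [("blocked", "NXDOMAIN")]          # AdGuardHome filter hit
    addr = ptr_address(qname)
    if addr is not None and addr.is_private:   # reverse lookup of a bogon -> private DNS
        name = next((h for h, ip in LEASES.items() if ip == str(addr)), "NXDOMAIN")
        return hops + [("Dnsmasq", DNSMASQ), ("answer", name)]
    hops.append(("Unbound", UNBOUND))
    if qname.endswith("." + LOCAL_TLD):        # Unbound query forwarding for "lan"
        return hops + [("Dnsmasq", DNSMASQ), ("answer", LEASES.get(qname, "NXDOMAIN"))]
    return hops + [("upstream", UPSTREAM)]     # everything else goes to the internet
```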