DNSMasq add-on


Yesterday I setup Remote Acces for Home Assistant by using Duckdns.org everything went just perfect. I can access HA if I type in the Duckdns.org link.
Because I couldn’t acces H.A. locally anymore I installed the add-on DNS Masq but for some reason I got stuck here.
I’m using the following config, but if I type in the local IP address in my local network with or without port 8123 I receive the message that the Page cannot be displayed.
Or do I need to make additional settings in my Router?

forwards: []
  - host: xxx.duckdns.org
1 Like

You will need to set your home assistant host as the primary DNS server for your network.
In general, if there is already a DNS server entry already there for your ISP, I’d also suggest putting it as the sole entry of the defaults section of your config, at least until you have home assistant access working normally and can confirm that the rest of your web access is working normally

Hi Freelancer,

Many thanks for your reply, but I’m afraid I don’t know what you exactly mean.
You, mention that I need to set my Home Assistant as the Primary DNS Server.

  • Where do I set this up in my Router or in the Config file from DNSMasq? or Both?

If I look at my router Settings I see there are no additional DNS servers setup in my DHCP server configuration.
Running the Ipconfig /all from the command prompt I see that the DNS server from my ISP provider are being used.
Next If I place the IP-Address of my H.A. in the DNS settings of my Router and also fill in this IP-Address in the DNSMasq Config file under Defaults then I still can make no connection on it’s local IP-Address.

Unfortunately the documentation from DNSMasq is also not quite clear for me.

Sorry, I should have been more specific :blush:
You want your router to be telling all the devices on your network to ask your Home Assistant computer for DNS information. Usually you set this in the same config page on your router as things like the router’s own IP address, Subnet Mask, Search Domains and so on.
Most routers will either have a field for “Primary DNS” and “Secondary DNS”, or there will be a multi line text field for DNS that lets you set multiple servers either comma separated or one per line.

You want Home Assistant’s IP as the first (or primary) one, and your ISP’s DNS server’s IP address as the second. That way if your Home Assistant is down for any reason, yours devices can still get to the internet.

This seems odd to me. Do you mean there is only one DNS server from your ISP, but only one (so no secondaries)?

So you don’t want to put Home Assistant’s IP address in defaults, you want your ISP’s DNS server/s. Defaults is where DNSmasq goes looking if there isn’t a item in the host section for the domain it has been asked for. If it’s own IP is there, then it will ask itself in a loop for the answer, realise it doesn’t have the answer, go to its defaults list and ask the first IP in there for the answer. Which would be itself. And around and around it goes. There is probably logic in the program to stop it endlessly looping in this situation, but you can see why you wouldn’t want Home Assistant’s IP there.

So just your ISP’s DNS IP in the defaults section for now.
The bit you have in your hosts section above is fine, as long as that is your Home Assistant’s IP

You aren’t alone here. I’ve been using DNSmasq for years outside Home Assistant and it still finds ways to surprise me :joy:

When this all works, you still will need to use the duckdns URL to connect to Home Assistant, as your SSL certificate that secures the connection will only produce a valid connection if you start it with the domain name in the certificate.
When you are on your home network, however, when you connect to that domain name, you will be connecting directly to your Home Assistant, not going out to the internet and back again as you are without this DNS setup.

You can verify this using a DNS lookup utility. If you’re on a Mac for example, or Linux with the dns-utils package installed, you should be able to enter

nslookup xxx.duckdns.org

in a terminal, and it should return your Home Assistant IP address.

Not sure what utility to use on Windows for this, sorry!

1 Like

Hi Freelancer,

Many thanks for your extensive reply.

Within my router there was no Primary or Secondary DNS IP-Address mentioned,
After placing the local IP-Address of my Home Assistant as Primary DNS server and the DNS of my provider as Secondary DNS Server.
I can now use the local IP-address from my Home Assistant for accessing H.A. within my LAN.
I need to use the following link HTTPS: //:8123
But I always receive a message that the website is not secure and HTTPS is crossed out!?!?
If I’m using the xxx.duckdns.org link than I don’t receive this message.

Next if I use nslookup xxx.duckdns.org from the Windows command prompt than the name of the Server is unknown but the local IP-addres of my Home Assistant is found.

So I think something is wrong with the validity of the certifcate

If you access home assistant at, it is normal to get certificate errors, because the SSL certificate is only for https://xxx.duckdns.org
This is expected, as SSL certificates with HTTPS are designed to work with domain names, not IP addresses

It sounds like your nslookup results are saying the local DNS is working, but could you copy-paste the text of the command? (Or a screenshot)

Basically with this working, when you type in https://xxx.duckdns.org, your browser asks your router what IP address is associated with that domain name. The router asks the dns server, which replies with “”.
Your browser then connects to “” and sales for the site “xxx.duckdns.org” over HTTPS.
Home assistant then sends the encrypted website info with the public key for your SSL certificate. Your browser then uses that key to decrypt the website info. If the domain name in the public key is different than the website it asked for, however, then it looks like someone has intercepted your request and replaced the site with some this else.
Which is why you get a https error when you type the IP address in the web browser. The public key works to decrypt the data, but it doesn’t match the website name you asked for.

So long as nslookup’s results are your local IP address, then this is all working perfectly, and you don’t need it access home assistant via the IP address anymore

Ok, thank you for explaining that makes sense.
Here’s the screenshot :slight_smile:


Huh, that’s not quite right… would you mind running netsh interface ip show config and posting the output? It seems like nslookup knows where the dns server IP address is, but can’t connect…
Oh, the DNSmasq add on is currently running, right?

Correct the DNSmasq is currently on.
here’s the output after running the netsh command.

C:\Users\Arievs>netsh interface ip show config

Configuration for interface "LAN-verbinding* 2"
    DHCP enabled:                         Yes
    InterfaceMetric:                      25
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "LAN-verbinding* 3"
    DHCP enabled:                         Yes
    InterfaceMetric:                      25
    DNS servers configured through DHCP:  None
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "Wi-Fi"
    DHCP enabled:                         Yes
    IP Address:                 
    Subnet Prefix:               (mask
    Default Gateway:            
    Gateway Metric:                       0
    InterfaceMetric:                      35
    DNS servers configured through DHCP:
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled:                         No
    IP Address:                 
    Subnet Prefix:               (mask
    InterfaceMetric:                      75
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
    Statically Configured WINS Servers:   None

Ok, so that is all fine, so your windows computer and router are both configured right…

On your home assistant system, if you can access a terminal, can you run netstat -lntu And see if there is a entry for port 53?

(If you are using the terminal & ssh addon, you’ll need to turn off protection mode for this. Remember to turn it back on afterwards)

I only see it mentioned for TCP6 and UDP6

Hi all,

I think for some reasons something is still not quite working ok, I think it has something to do with my DNS but I’m not sure.
As I mentioned earlier I can access my H.A, if I am using the duckdns.org link and I also can access it internally with it’s local IP-address.
But it seems that every other day my H.A, is not accesible when I’am using the duckdsn.org link.
In the loggings I see that my WAN IP-address is banned!
At first I thought it was caused by entering the password wrongly (Threshold is set on 3 times)
This morning I had the same phenomenon but now the log tells me it happened in the middle of the night?

So after deleting the IP-Bans.yaml from the Config Directory and restart H.A. it is accesible again, but probably not for long.

Could it be that a device internally in my network is causing this?