@futurebird what I thought was maybe kinda easy (playing in my homelab after the firewall fire) is assigning an intranet domain name in pf/opnsense and then configuring unbound to save/serve local devices as <hostname>.<intranet>... Since it's local DNS server it doesn't have to be a purchased TLD for the intranet part