Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense in resolver mode and PIhole

    Scheduled Pinned Locked Moved
    DHCP and DNS
    2
    3
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      DuleNZ
      last edited by

      Hello,

      I have configured pfsense DHCP to serve ip of Pihole, running on raspberry pi in my network, as a dns server.

      I have enabled dns resolver mode in pfsense

      In the Pihole I have added ip of the pfsense in the other dns server field.

      The idea is that clients on the network will contact Pihole for dns and that request will be then forwarded to unbound running on the pfsense box. result will be passed back
      to Pihole which will block all the ads and then send back ip to the client machine that issued the request in the first place

      I could have configured pihole to forward the dns request to unbound runing on the same raspberry pi (but on a diferent port than 53) but since we already have unbound in
      pfsense why not use it.

      The question now is if there is anything wrong with this approach? It does seem to work, but since I am not an expert in this, I could be creating problems that I am not aware of.

      Thank you

      1 Reply Last reply Reply Quote 0
      • D
        darcey
        last edited by darcey

        I am no expert but I took exactly your approach.
        I hand out pihole IP to desktop, phones and the like. Other 'trusted' hosts get the pfsense IP for DNS. Pihole's upstream DNS is set to pfsense (unbound). Guest network is permitted unfettered access to which ever external DNS host/protocol they wish.

        I then block access to external DNS, be it UDP/53, DoT or DoH (using pfblocker lists for the latter) for everything other than the firewall host.

        This seems to work well and any additional latency, if it exists, is not an issue for me. I prefer this arrangement over running, say, pfblocker's DNSBL. It seems more lightweight. I do use pfBlocker for IP blocking and blocklist management.

        1 Reply Last reply Reply Quote 1
        • D
          darcey
          last edited by darcey

          Just to add the DNS landscape is changing rapidly and it is becoming more difficult to maintain control over how your network's hosts are able to resolve names. See this thread!

          1 Reply Last reply Reply Quote 1
          • First post
            Last post