Netgate Discussion Forum
    pfSense in resolver mode and Pi-hole

    DHCP and DNS
    DuleNZ:

      Hello,

      I have configured pfSense DHCP to serve the IP of Pi-hole, running on a Raspberry Pi in my network, as the DNS server.

      I have enabled DNS resolver mode in pfSense.

      In Pi-hole I have added the IP of pfSense in the other DNS server field.

      The idea is that clients on the network will contact Pi-hole for DNS and that request will then be forwarded to unbound running on the pfSense box. The result will be passed back
      to Pi-hole, which will block all the ads and then send the IP back to the client machine that issued the request in the first place.

      I could have configured Pi-hole to forward the DNS request to unbound running on the same Raspberry Pi (but on a different port than 53), but since we already have unbound in
      pfSense, why not use it.

      The question now is if there is anything wrong with this approach? It does seem to work, but since I am not an expert in this, I could be creating problems that I am not aware of.

      Thank you

      darcey:

        I am no expert but I took exactly your approach.
        I hand out the Pi-hole IP to desktops, phones and the like. Other 'trusted' hosts get the pfSense IP for DNS. Pi-hole's upstream DNS is set to pfSense (unbound). The guest network is permitted unfettered access to whichever external DNS host/protocol they wish.

        I then block access to external DNS, be it UDP/53, DoT or DoH (using pfblocker lists for the latter) for everything other than the firewall host.

        This seems to work well and any additional latency, if it exists, is not an issue for me. I prefer this arrangement over running, say, pfblocker's DNSBL. It seems more lightweight. I do use pfBlocker for IP blocking and blocklist management.

        darcey:
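        The policy darcey describes (clients resolve through Pi-hole, Pi-hole forwards to unbound on pfSense, and external DNS over UDP/53, DoT or DoH is blocked for everything except the firewall host, with the guest network exempt) is easiest to verify by auditing firewall flow records for DNS that skips the chain. The script below is an added example, not code from the thread or from pfSense/Pi-hole; every address, the log format and the DoH resolver list are constructed assumptions that stand in for a real network and for a pfBlockerNG-style DoH feed.

```python
"""Audit constructed flow records for DNS traffic that bypasses the Pi-hole -> unbound (pfSense) chain."""
import ipaddress
from dataclasses import dataclass

# --- Constructed network values (assumptions for this example, not from the thread) ---
PFSENSE = ipaddress.ip_address("192.168.1.1")   # firewall host, runs unbound
PIHOLE = ipaddress.ip_address("192.168.1.2")    # Raspberry Pi running Pi-hole
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.50.0/24") # guest network: external DNS permitted
INTERNAL = [LAN, GUEST]
# Stand-in for a DoH resolver IP list such as the pfBlockerNG feeds mentioned above (constructed)
DOH_RESOLVERS = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("203.0.113.11")}


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'key=value' flow record, e.g. 'src=192.168.1.20 dst=192.168.1.2 proto=udp dport=53'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                kv["proto"].lower(), int(kv["dport"]))


def is_dns(flow: Flow) -> bool:
    """Plain DNS on 53, DoT on TCP/853, or DoH (TCP/443) to a known DoH resolver address."""
    if flow.dport == 53:
        return True
    if flow.dport == 853 and flow.proto == "tcp":
        return True
    return flow.dport == 443 and flow.proto == "tcp" and flow.dst in DOH_RESOLVERS


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL)


def classify(flow: Flow) -> str:
    """Return 'not-dns', 'internal', 'allowed' or 'bypass' according to the policy in the post."""
    if not is_dns(flow):
        return "not-dns"
    if is_internal(flow.dst):
        return "internal"        # Pi-hole, or Pi-hole/trusted hosts talking to unbound on pfSense
    if flow.src == PFSENSE:
        return "allowed"         # only the firewall host may reach external DNS
    if flow.src in GUEST:
        return "allowed"         # guest network is left unfettered
    return "bypass"              # a LAN host resolving outside the Pi-hole/unbound chain


def audit(lines):
    """Return (src, dst, dport) for every flow that bypasses the chain."""
    return [(str(f.src), str(f.dst), f.dport)
            for f in map(parse_flow, lines) if classify(f) == "bypass"]


# Constructed sample flow log (documentation-range addresses, not real hosts)
SAMPLE_LOG = [
    "src=192.168.1.20 dst=192.168.1.2 proto=udp dport=53",     # client -> Pi-hole: fine
    "src=192.168.1.2 dst=192.168.1.1 proto=udp dport=53",      # Pi-hole -> unbound on pfSense: fine
    "src=192.168.1.10 dst=192.168.1.1 proto=udp dport=53",     # trusted host -> pfSense directly: fine
    "src=192.168.1.1 dst=198.51.100.9 proto=udp dport=53",     # firewall host -> upstream: allowed
    "src=192.168.50.5 dst=198.51.100.9 proto=udp dport=53",    # guest -> external DNS: allowed
    "src=192.168.1.21 dst=198.51.100.9 proto=udp dport=53",    # LAN host -> external UDP/53: bypass
    "src=192.168.1.22 dst=203.0.113.10 proto=tcp dport=853",   # LAN host -> DoT: bypass
    "src=192.168.1.23 dst=203.0.113.10 proto=tcp dport=443",   # LAN host -> DoH resolver: bypass
    "src=192.168.1.24 dst=203.0.113.50 proto=tcp dport=443",   # ordinary HTTPS: not DNS
]

if __name__ == "__main__":
    for src, dst, dport in audit(SAMPLE_LOG):
        print(f"DNS bypass: {src} -> {dst}:{dport}")
```

        Feed it real flow or firewall-log records in the same key=value shape and every `bypass` hit is a host that either ignored the DHCP-assigned resolver or is using DoT/DoH; a clean run on a LAN that is supposed to be locked down confirms the block rules are actually doing their job.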

          Just to add, the DNS landscape is changing rapidly and it is becoming more difficult to maintain control over how your network's hosts are able to resolve names. See this thread!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.