Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?
-
@Raffi_ That was actually the first setup that I ran and I moved on to this :)
-
@abesh And we're still talking about brown or red entries? I saw all brown on your screen shot.
And to be clear, you had the same exact issue with that original setup which prompted you to try something else or were you trying to address something else? In my experience there might be a couple of devices which do not use pi-hole. How many exactly are you noticing?
-
@Raffi_ Yeah, let me wait and observe a bit.
-
@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
Pihole thinks it is coming from pfSense and not the device itself.
@Raffi_ said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
Have you tried my original suggestion of allowing pfsense to run unbound and then point pi-hole to it?
I don't expect, that this makes any difference on the pihole seeing requests coming from pfSense.(?)
@abesh
If you want to see the origin client IPs, you have put the pihole into a separated network segment on a different interface, so that you can get rid of the masquerading rule. -
@viragomann That makes a lot of sense. Thank you :)
-
@viragomann Would I get anything else other than local domain name resolution for forwarded queries if I move the pihole to a different subnet ? If not I would just like to keep it as is :)
-
@abesh
There is no benefit else, I can think of at the moment. -
@viragomann Thank you so much !!!
-
@abesh said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
How do I configure pfSense so that it also send the device hostnames when forwarding the request ?
It will never send the hostname. I was not able to figure out how to send the requesting IP. I do not think it is possible because pfSense is "proxying" the request. Even hosts requesting from wrong DNS servers on different subnets show up as pfSense.
DoH is mostly blocked with pfBlocker and DoT is blocked by blocking 853. Not perfect. -
@AndyRH Apparently possible in OPNSense so should also be possible in pfSense. I need to go through this post in detail when I have a bit of time : https://forum.opnsense.org/index.php?topic=34907.0
-
@abesh not exactly sure what your seeing and what you expect..
If I redirect dns queries to my pihole I see who did the query.
My pc i9-win.home.arpa is 192.168.9.100
This works when your pihole is on a different network than your client.. If the client is on the same network as your pihole your most likely going to run into issues with answer coming from different IP than where the client sent the traffic. Unless you forward to loopback and have unbound query the pihole, this will look like it came from pfsense IP vs the client.
You might be able to use
send-client-subnet:
In your unbound config.. But not sure if that has been enabled in the unbound on pfsense.. I would have to do some testing.
Your best option if you want to forward direct to pihole, and see what source IP asked for something, is put your pihole on a different vlan than your clients.
-
Likely not relevant, but I use Pihole as the LAN DNS and forward to pfSense where it also hits pfBlocker and Unbound (Resolver).
-
@provels that is the better way to do it if you ask me.. That is what I do as well.. Clients ask pihole, pihole asks unbound on pfsense, unbound resolves.
-
@johnpoz Not to trash pfB, but I love the simplicity, efficiency, and ease of management of Pihole, especially when I see numbers like this from a minuscule VM.
-
@provels yeah not meaning to trash pfb either, I use it for my aliases and its great, but been using pihole long time, and yeah the eye candy is nice, etc. etc..
-
I agree with you guys, pi-hole pointing to pfsense unbound is my preferred setup too and what I suggested.
I'm so glad my friend got me to try out a pi-hole setup. Once you do, there is really no going back to pfblocker. They both are great tools, but the limitation of having to enter individual IP address for bypassing is a pretty big deal breaker on pfblocker. I used to be able to define a range or subnets which can bypass it via the custom resolver options, but that doesn't seems to work anymore. I'm sure I'm missing something but the fact that I had a hard time trying to find what I'm missing is enough to say pi-hole is the clear winner in that respect. I also love that I can turn it off for x amount of time for testing purposes. The visuals are for sure nice too.
-
@Raffi_ said in Redirected all DNS to pihole using pfSense. Pihole still showing some hosts as not using the DNS ?:
They both are great tools, but the limitation of having to enter individual IP address for bypassing is a pretty big deal breaker on pfblocker. I used to be able to define a range or subnets which can bypass it[ . . . ]
If LAN hosts are bypassing local network policy entirely, one might not be thinking about and/or doing it right. I can't think of a single use case where granular domain/address (including subnet) control isn't preferable to simply bypassing DNSBL/IP filtering altogether—which is definitely well-within pfB's capabilites. That one hasn't personally figured out how to configure one or the other the way they desire says nothing about the objective limitations of either software, except maybe user-friendliness.
Pi-hole is the clear winner in whatever aspect/s you've determined to be the case for you personally.
-
What about DoT or DoH ?
-
@JonathanLee If you're responding to me, both can be mitigated to the extent possible wih port filtering (DoT), NAT (DoH and DoT), and block lists (DoH and DoT).
And that has nothing to do with Pi-hole versus pfB. No DNS forwarder or resolver on its own can do anything about either.
-
@cyberconsultants I have a huge list I use to block them
