DNS and pi-hole
-
Why would pfsense point to pihole??
If you want your network to use pihole - then have your clients ask pihole. Pihole then should in turn forward to pfsense so you can use the resolver and resolve all your local hosts. Or are you going to just forward off your pihole to the public internet? And use pihole for dhcp and let it be able to resolve all your local devices?
If so then pfsense should just point to pihole and not itself and pihole should forward to where ever you want.
I use pihole, all my clients point to it 192.168.3.10, it then forwards to pfsense that uses the resolver so I can look up local devices via pfsense dns, and can resolve anything outside. Pihole just doesn't hand that to clients if any of the records are in the black lists. And you get the pretty graphs ;) And listing of what clients are asking for and how much.
-
My question is now, will the fastest DNS response be used by pfSense or is the order of the list respected?
Or just use the pfSense package - pfBlockerNG w/DNSBL (utilizing Unbound Resolver) and no need to offload this to another network device.
https://forum.pfsense.org/index.php?topic=102470.0
-
I don't want to manually set the IP of pi-hole as DNS for every client, this is why I use pfSense (as gateway) for it.
I don't need the graph per client, I just want the ads to be blocked ;)
pi-hole has "Upstream DNS Servers" set which resolves the requests.
I can disable the option "DNS Forwarder" and will get the following (without 127.0.0.1) if it's easier to understand.
DNS server(s) on pfSense
- 192.168.1.10 (pi-hole)
- 8.8.8.8 (Google public DNS)
- 8.8.4.4 (Google public DNS)
(Upstream) DNS server(s) on pi-hole
- 8.8.8.8 (Google public DNS)
- 8.8.4.4 (Google public DNS)
I just want every client to use the DNS set from pfSense 192.168.1.10 and if it's not down for some reason to use the Google public DNS, as simple as that ;)
-
Or just use the pfSense package - pfBlockerNG w/DNSBL (utilizing Unbound Resolver) and no need to offload this to another network device.
Are the blocking lists of pi-hole compatible with pfBlockerNG?
-
May be I need some setup using "DNS Query Forwarding" and the activated option
"Query DNS servers sequentially"
If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.
It seems this describes best what I want to achieve :)
-
Or just use the pfSense package - pfBlockerNG w/DNSBL (utilizing Unbound Resolver) and no need to offload this to another network device.
Are the blocking lists of pi-hole compatible with pfBlockerNG?
Yes and more.
-
Are the blocking lists of pi-hole compatible with pfBlockerNG?
Yes and more.
Well, is there some good tutorial to get pfBlockerNG running the same as pi-hole? As it seems not as easy to setup as pi-hole ;)
Do I need to add the lists manually on the DNSBL Feed or on the DNSBL EasyList?
-
The package is more than just an AD blocker. ;)
See the following:
https://forum.pfsense.org/index.php?topic=102470.30
More help available in the pfBlockerNG forum.
-
The package is more than just an AD blocker. ;)
See the following:
https://forum.pfsense.org/index.php?topic=102470.30
More help available in the pfBlockerNG forum.
Thx, I will give it a try.
Yes, it's too overloaded for an AD blocker only and I hope it won't fill my RAM ;)
-
I settled on a two layer approach for the time being at least. All clients use pi-hole for DNS, pihole uses pfSense and pfSense has google and my ISP's DNS set. I've had the pi-hole for a bit longer than pfSense so I've got some customization done already.
As I find time I'm gonna get pfBlockerNG to start taking over the DNS duties of the pi-hole. But for now it's working nicely letting pi-hole be a first line of filtering which is where I was before I got the pfSense system up and running.
-
While it's quite possible that pfblocker can do what pihole does - pihole provides you a simple easy interface to watch how many queries your network as a whole is doing, who the top asker is. What is being asked for the most be it something that is allowed or something that is blocked.
"I don't want to manually set set the IP of pi-hole as DNS for every client"
Who said you would do that? That would be handed out by your dhcp server, be it pfsense, your pihole box or some other dhcp server. I would agree you would normally never set dns manually on your clients.
If you don't want the graphs and information that pihole provides - then sure duplicate it out of pfblocker. The nice thing of pihole is that it is specifically designed to block ads - and they do all the work on which lists to use to block said ads, etc.
Not saying you can not do it with pfblocker - not saying you can not do it with just unbound. I have a cron that loads in stuff to not resolve into unbound for clients of unbound.. There are always multiple ways to skin the cat. But the OP asked about using pihole with pfsense.
In that case then best bet is to have all your clients ask pihole for dns. Then either forward to dns if you want a resolver, or you want pfsense to handle your local records. Or just have pihole forward to something else upstream as a resolver or forwarder. dns.watch has been added to pihole as of recently and is an open resolver that anyone can use vs just a forwarder.
-
I hop on this topic as I followed this guide (https://coygeek.com/docs/pihole-pfsense-redirect-netgate/) to block ads with pi-hole, but also want to use the pfsense DNS resolver.
On the pi-hole side everything works great. I am just unsure how to set up the DNS resolver in pfsense.
For the time being I had it in resolver mode.
After watching some YouTube videos about privacy concerns, I want to use DNS resolver in forwarding mode and send my queries encrypted to Quad9. I followed the guide above and applied the firewall rule as described.
Pfsense, Firewall, NAT, Port Forwarding Tab, Select Add (Up-arrow)
- Interface: LAN
- Protocol: TCP/UDP
- Source: Any
- Source port: Any
- Destination Address: Select Invert Match, Select LAN Address
- Destination port: DNS (port 53)
- Redirect Target IP: 192.168.2.2 (Pihole IP)
- Redirect Target port: DNS (port 53)
- Description: Redirect rogue devices back to pihole
Pfsense, Firewall, Rules, LAN tab
- Drag the newly created rule "Redirect rogue devices back to pihole" to the top of the list. It must be above the default rule "Allows all traffic on LAN network".
- Save
In general setup I set Quad9's DNS-Servers.
In the DNS resolver options I set the network Interfaces from ALL to the the one Pi-hole is connected.
Outgoing interface is WAN.
After checking my DNS with www.dnsleaktest.com, I was surprised that I see the DNS-Server from my ISP.
This raises some questions:
- what am I doing wrong?
- should I even worry about Quad 9 and just use resolver mode?
thanks for your thoughts....
-
@Freitag not sure what you have ended up with, but sounds like a loop.
If you want to use the resolver in forwarding mode, be it over dot or not - then set unbound up to forward to where you want to forward.
Have pihole forward to pfsense(unbound).
You should have a rule that allows pihole to talk to unbound before any redirection.
Also when you redirect, the redirection should be to loopback (127.0.0.1) on pfsense. Unless where you're redirecting is on another network, you can run into the client not liking that it gets an answer from somewhere other than where it thought it was sending to..
I have gone over this many times.. But here it is again. If I have a client on network A, and it thinks it's sending to say quad9, and it gets an answer from something else on network A, it will not like it..
Here I just dug up old thread and post..
https://forum.netgate.com/post/920206
Who do you want to forward to quad9, unbound (pfsense) or the pihole?
If you want to forward to say quad9, and also leverage pihole, and unbound for filtering.. And you also want to redirect say someone asking googledns or some other dns. Keeping in mind that if the client is trying to use dot or doh, redirection should fail, because the dns client should be validating that it's a valid cert for where he believes he is forwarding.
Setup unbound to forward to who you want. Setup pihole to forward to unbound (pfsense)..
Rules.
Allow pihole to talk to pfsense IP on dns port (53)..
Redirect dns traffic to pihole IP.
Keeping in mind that pihole needs to be on a different network, or you would have to use the outbound nat thing in the above linked post.
When pihole asks pfsense(unbound) unbound will forward to where you want to forward. If a client tries to talk to say googledns over 53 it will get redirected to pihole, using the outbound nat pihole will think it's pfsense IP asking.. It will then forward to pfsense which will forward it.
Trying to redirect dot or doh is prob not going to work.. Unless you have setup to redirect to listen for both dot and doh.. But even if you do - if the client is sane, it would not accept any answers from a redirection of these because the cert would not be correct. One of the security features of dot or doh is validation of who you're talking to, so the client should be validating this.
Your clients should be pointing to the pihole for dns. Any queries that get redirected from pfsense to your pihole will not show the actual clients IP..
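An added example, not code from any poster in this thread: a toy first-match model of the port-forward rule from the quoted guide, showing why a pi-hole that sits on the same interface as the redirect and forwards to a public resolver ends up being redirected to itself, and why a different network or an exemption in front of the redirect avoids that. The pfSense LAN address, the client address and the exemption rule are assumptions for illustration.

```python
"""Toy first-match model of the "Redirect rogue devices back to pihole" port
forward. Addresses other than the pi-hole IP from the guide are constructed."""
from dataclasses import dataclass
from typing import List, Optional

PFSENSE_LAN = "192.168.2.1"   # assumed LAN address of pfSense
PIHOLE = "192.168.2.2"        # pi-hole IP as given in the quoted guide


@dataclass
class Packet:
    iface: str      # interface the packet arrives on
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    iface: str
    dport: int
    dst: Optional[str] = None     # None = any destination
    invert_dst: bool = False      # the guide's "Invert Match" on the destination
    src: Optional[str] = None     # None = any source
    target: Optional[str] = None  # None = leave the packet alone (no redirect)


def redirect_target(pkt: Packet, rules: List[Rule]) -> str:
    """Where the packet is actually delivered; the first matching rule wins."""
    for r in rules:
        if r.iface != pkt.iface or r.dport != pkt.dport:
            continue
        if r.src is not None and r.src != pkt.src:
            continue
        # With invert_dst the rule matches every destination EXCEPT r.dst
        if r.dst is not None and (r.dst == pkt.dst) == r.invert_dst:
            continue
        return pkt.dst if r.target is None else r.target
    return pkt.dst


def forwards_to_self(resolver: str, iface: str, upstream: str, rules: List[Rule]) -> bool:
    """True when the resolver's own upstream query is bounced back to it (a DNS loop)."""
    return redirect_target(Packet(iface, resolver, upstream, 53), rules) == resolver


# The guide's rule: on LAN, port 53 traffic not aimed at pfSense itself goes to pi-hole
GUIDE_RULES = [Rule("LAN", 53, dst=PFSENSE_LAN, invert_dst=True, target=PIHOLE)]
# Assumed variant: an exemption for the pi-hole's own queries placed before the redirect
EXEMPT_RULES = [Rule("LAN", 53, src=PIHOLE), *GUIDE_RULES]

if __name__ == "__main__":
    print(redirect_target(Packet("LAN", "192.168.2.50", "8.8.8.8", 53), GUIDE_RULES))
    print(forwards_to_self(PIHOLE, "LAN", "8.8.8.8", GUIDE_RULES))    # loop
    print(forwards_to_self(PIHOLE, "OPT1", "8.8.8.8", GUIDE_RULES))   # other network
    print(forwards_to_self(PIHOLE, "LAN", "8.8.8.8", EXEMPT_RULES))   # exemption first
```

The loop only appears when the pi-hole forwards past pfSense to a public address; a pi-hole forwarding to the pfSense LAN address is spared by the Invert Match.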
-
thanks a lot @johnpoz for your input and the old thread. I will continue my research there.
I guess I get somewhere in a loop and will review all settings and rules.
I did set unbound to forward to Quad9 and pihole is set to forward to unbound.
Pi-hole has its own network, so I guess it is not the problem maker.
What I also need to look into, is the redirection to loopback you mentioned.
Not sure I get that right.
Cheers