"Proper" Config For DNS pfSense and PI Hole
-
You are correct that IoT devices can utilise Pi-hole, too. However, I have an internet radio and a Samsung TV.
The radio alone was doing 80,000+ DNS queries a day. This was messing up Pi-hole stats for me.
The Samsung TV was very chatty, too.
I also run unbound in forwarder mode with Cloudflare. I use SSL/TLS for outgoing requests on port 853 to stop my ISP intercepting TLS.
This has been working very well so far.
-
80,000 DNS queries per day from just one device does seem like an awful lot - that's almost 1 per second over a 24-hour period. Are they all legitimate lookups, or is the radio trying to talk to e.g. a tracking or ad server and just getting blocked (i.e. it's just trying over and over to contact the server)?
I think in general it makes sense to route DNS traffic from IoT devices through Pi-hole, at least initially, to get a sense of the type of lookups that are being done. Once one is aware of the type of DNS traffic and it looks legitimate, then the routing through Pi-hole could be turned off, I suppose, if there are issues with skewing of statistics, etc. I do concur with the OP's observations that IoT and Smart Home devices are exceptionally chatty.
-
@gcu_greyarea said in "Proper" Config For DNS pfSense and PI Hole:
Also, if you use unbound you won't need to specify DNS servers in pfSense.
Thanks for pointing that out, I removed them from my configuration and edited the top post.
-
@tman222 said in "Proper" Config For DNS pfSense and PI Hole:
I see you have added Cloudflare's DNS servers but don't have "DNS Query Forwarding" enabled. Are you planning on resolving your own DNS resolver or forwarding all your DNS queries to Cloudflare?
Regarding Pi-hole and IoT, I would actually recommend passing IoT DNS traffic through Pi-hole as well. While it's true that there is no benefit in terms of ad blocking for these devices, Pi-hole is useful for more than just ad-blocking - it can become a general DNS filter on your network (e.g. similar to pfBlockerNG). Unless you trust all your IoT and Smart Home devices, it might be interesting to monitor what hosts they are trying to talk to and how often.
-
Makes sense, I removed the Cloudflare DNS from my configuration and edited the top post. Thanks!
-
I followed this advice and learned indeed how much DNS activity some devices create that I was not aware of. I have a Fingbox that is the #3 creator of DNS traffic in the entire network. A great amount of it seems to be reverse lookups of my internal IP addresses. This seems reasonable.
-
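The two questions raised above (whether a chatty device's 80,000 queries a day are legitimate or the same blocked lookup retried over and over, and what hosts IoT devices are trying to talk to) can be answered from Pi-hole's query log rather than from the dashboard totals. The script below is an added example and is not code from this thread or from the Pi-hole project; it parses a constructed sample in the dnsmasq log format Pi-hole writes (the `query[TYPE] domain from client` and `gravity blocked domain is ...` line shapes are assumed), attributes each blocked reply to the client that asked, and reports per client the total, the blocked share, the most repeated names, and an extrapolated queries-per-day rate.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in Pi-hole's dnsmasq-style pihole.log format (not a real capture).
# Assumed line shapes: "query[TYPE] <domain> from <client>" and
# "gravity blocked <domain> is 0.0.0.0". Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  5 10:00:00 dnsmasq[1234]: query[A] time.example.org from 192.168.20.10
Jan  5 10:00:00 dnsmasq[1234]: reply time.example.org is 203.0.113.5
Jan  5 10:00:01 dnsmasq[1234]: query[A] metrics.example-iot.net from 192.168.20.10
Jan  5 10:00:01 dnsmasq[1234]: gravity blocked metrics.example-iot.net is 0.0.0.0
Jan  5 10:00:02 dnsmasq[1234]: query[A] metrics.example-iot.net from 192.168.20.10
Jan  5 10:00:02 dnsmasq[1234]: gravity blocked metrics.example-iot.net is 0.0.0.0
Jan  5 10:00:03 dnsmasq[1234]: query[A] metrics.example-iot.net from 192.168.20.10
Jan  5 10:00:03 dnsmasq[1234]: gravity blocked metrics.example-iot.net is 0.0.0.0
Jan  5 10:00:04 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.10.25
Jan  5 10:00:04 dnsmasq[1234]: reply www.example.com is 2001:db8::1
Jan  5 10:00:05 dnsmasq[1234]: query[PTR] 25.10.168.192.in-addr.arpa from 192.168.10.40
Jan  5 10:00:05 dnsmasq[1234]: reply 25.10.168.192.in-addr.arpa is laptop.home.arpa
"""

QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$"
)
BLOCKED_RE = re.compile(r"dnsmasq\[\d+\]: gravity blocked (\S+) is ")


@dataclass
class Query:
    ts: datetime
    qtype: str
    domain: str
    client: str
    blocked: bool = False


def parse_log(text):
    """Turn log lines into Query records; a 'gravity blocked' line is attributed
    to the most recent query for that name, since dnsmasq does not repeat the client."""
    queries, last_by_domain = [], {}
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults it, which is fine for deltas
            ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
            q = Query(ts, m.group(2), m.group(3), m.group(4))
            queries.append(q)
            last_by_domain[q.domain] = q
            continue
        m = BLOCKED_RE.search(line)
        if m and m.group(1) in last_by_domain:
            last_by_domain[m.group(1)].blocked = True
    return queries


def summarize(queries, top_n=3):
    """Per-client totals, blocked share, most repeated names and a queries/day estimate."""
    by_client = defaultdict(list)
    for q in queries:
        by_client[q.client].append(q)
    report = {}
    for client, qs in by_client.items():
        span = (max(q.ts for q in qs) - min(q.ts for q in qs)).total_seconds()
        blocked = sum(q.blocked for q in qs)
        report[client] = {
            "total": len(qs),
            "blocked": blocked,
            "blocked_ratio": blocked / len(qs),
            "top_domains": Counter(q.domain for q in qs).most_common(top_n),
            # extrapolate from the observed window; None when only one instant was seen
            "per_day_estimate": (len(qs) / span * 86400) if span > 0 else None,
        }
    return report


def chatty_clients(report, per_day_threshold=80_000):
    """Clients whose extrapolated rate exceeds the threshold (default: the figure from the thread)."""
    return sorted(
        c for c, r in report.items()
        if r["per_day_estimate"] is not None and r["per_day_estimate"] > per_day_threshold
    )


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for client, r in sorted(report.items()):
        print(client, r)
    print("chatty:", chatty_clients(report))
```

A high blocked ratio concentrated on one or two names, as the sample's 192.168.20.10 shows, is the retry pattern rather than genuine lookups; a low ratio spread over many names is the case where the device is simply talkative. Point it at a copy of `/var/log/pihole.log` (or the output of `pihole -t`) for real numbers.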
@mervincm said in "Proper" Config For DNS pfSense and PI Hole:
pi.hole graphs should resolve client to IP correctly so that lists like Top Clients correctly have the hostnames, not the IP addresses.
Just to confirm.... did you get that functionality working?
I think I've implemented everything you've got here, but can't manage to get hostnames to resolve (on Pi-hole lists) across different subnets.
-
Yes, this works as described.
-
Thanks.... found the problem, I'd reinstalled Pi-hole and forgot to uncheck the required variables.
Works great now, thanks for capturing all of that.
If anyone tries to do this on Synology, some good practices here: https://github.com/chriscrowe/docker-pihole-unbound
-
Any chance you've got this working in IPv6 and figured out how to get pfSense hostnames to resolve in Pi-hole the way they do for IPv4?
Particularly if using a tracked interface for addressing?
-
@BigSnicker I do not use IPv6.
-
@BigSnicker I also can't get the hostnames to show up in Pi-hole. What setting did you uncheck during install to fix this?
-
@mcbuckets In IPv4 the way to do that was to first populate all of the hostnames as static leases outside of the DHCP address range and have them registered (and routable) at the DHCP server level:
DHCP Registration is enabled
DHCP Static Mapping created for each permanent device on my LAN network. These Static Mappings exist whether the device actually uses DHCP or is hardcoded.
And then uncheck the following two settings in Pi-hole:
"Never forward non-FQDN" is not checked
"Never forward reverse lookups for private IP ranges" is not checked
That should really do it for you.
Unless you also want that happening in IPv6 (i.e. DNS6).. which seems to be a WHOLE other thing. lol
-
FYI, after doing some research on how to get hostnames resolved in IPv6, it looks like the best option is to put in a host override in the DNS Resolver:
DNS Resolver -> General Settings -> Host Overrides