Netgate Discussion Forum

"Proper" Config For DNS pfSense and PI Hole

DHCP and DNS
    mervincm @gcu_greyarea
    last edited by May 4, 2019, 5:56 PM

    @gcu_greyarea said in "Proper" Config For DNS pfSense and PI Hole:

    Also, if you use unbound you won't need to specify DNS servers in Pfsense.

    Thanks for pointing that out, I removed them from my configuration and edited the top post.

      mervincm @tman222
      last edited by May 4, 2019, 6:14 PM

      @tman222 said in "Proper" Config For DNS pfSense and PI Hole:

      1. I see you have added Cloudflare's DNS servers but don't have "DNS Query Forwarding" enabled. Are you planning on resolving your own DNS resolver or forwarding all your DNS queries to Cloudflare?

      2. Regarding Pi-Hole and IoT, I would actually recommend passing IoT DNS traffic through Pi-Hole as well. While it's true that there is no benefit in terms of ad blocking for these devices, Pi-Hole is useful for more than just ad-blocking - it can become a general DNS filter on your network (e.g. similar to pfBlockerNG). Unless you trust all your IoT and Smart Home devices it might be interesting to monitor what hosts they are trying to talk to and how often.

      1. Makes sense, I removed the Cloudflare DNS from my configuration, and edited the top post. Thanks!
      2. I followed this advice and learned indeed how much DNS activity some devices create that I was not aware of. I have a Fingbox that is the #3 creator of DNS traffic in the entire network. A great amount of it seems to be a reverse lookup of my internal IP addresses. This seems reasonable.
        BigSnicker
        last edited by Jul 22, 2019, 1:43 PM

        @mervincm said in "Proper" Config For DNS pfSense and PI Hole:

        -pi.hole graphs should resolve client to IP correctly so that lists like Top Clients correctly have the hostnames, not the IP addresses.

        Just to confirm.... did you get that functionality working?

        I think I've implemented everything you've got here, but can't manage to get hostnames to resolve (on pihole lists) across different subnets.

          mervincm
          last edited by Jul 22, 2019, 3:18 PM

          Yes, this works as described.

            BigSnicker @mervincm
            last edited by Jul 22, 2019, 11:01 PM

            Thanks.... found the problem, I'd reinstalled pihole and forgot to uncheck the required variables.

            Works great now, thanks for capturing all of that.

            If anyone tries to do this on Synology.. some good practices here: https://github.com/chriscrowe/docker-pihole-unbound

              BigSnicker
              last edited by Jul 25, 2019, 5:49 AM

              Any chance you've got this working in IPv6 and figured out how to get pfsense hostnames to resolve in pihole the way they do for IPv4?

              Particularly if using a tracked interface for addressing?

                mervincm @BigSnicker
                last edited by Jul 25, 2019, 3:46 PM

                @BigSnicker I do not use ip6.

                  mcbuckets @BigSnicker
                  last edited by Jul 25, 2019, 5:08 PM

                  @BigSnicker I also can’t get the hostnames to show up in Pihole. What setting did you uncheck during install to fix this?

                    BigSnicker @mcbuckets
                    last edited by Jul 26, 2019, 8:28 PM

                    @mcbuckets In IPv4 the way to do that was to first populate all of the hostnames as static leases outside of the DHCP address range and have them registered (and routable) at the DHCP server level:

                    DHCP Registration is enabled
                    DHCP Static Mapping created for each permanent device on my LAN network. These Static Mappings exist if the device actually uses DHCP, or if it is hardcoded.

                    And then uncheck the following two settings in pi-hole:

                    never forward non-FQDN is not checked
                    never forward reverse lookups for private IP ranges is not checked

                    That should really do it for you.

                    Unless you also want that happening in IPv6 (i.e. DNS6).. which seems to be a WHOLE other thing. lol

                    1 Reply Last reply Reply Quote 1
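A quick check for the two Pi-hole settings named in the post above, added here as an example and not part of the original thread. It assumes a Pi-hole v4/v5 layout, where the two checkboxes are stored as `DNS_FQDN_REQUIRED` and `DNS_BOGUS_PRIV` in `/etc/pihole/setupVars.conf` (dnsmasq directives `domain-needed` and `bogus-priv`); the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether Pi-hole is configured to keep short hostnames
# and private-range PTR lookups away from its upstream resolver, which is what
# leaves client lists showing IP addresses instead of hostnames.
# Assumption: Pi-hole v4/v5 file layout (setupVars.conf or generated dnsmasq conf).

# is_blocking FILE KEY DIRECTIVE -> 0 if FILE enables the restriction, either
# as KEY=true (setupVars.conf) or as a bare DIRECTIVE line (dnsmasq conf).
# Commented-out lines are ignored; CRLF line endings are tolerated.
is_blocking() {
    tr -d '\r' < "$1" | grep -Eq "^($2=true|$3)[[:space:]]*\$"
}

# audit_pihole FILE -> prints findings; returns 0 if both lookups are
# forwarded, 1 if at least one is blocked, 2 if FILE cannot be read.
audit_pihole() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    if is_blocking "$file" DNS_FQDN_REQUIRED domain-needed; then
        echo "BLOCKED: non-FQDN names are never forwarded"
        rc=1
    fi
    if is_blocking "$file" DNS_BOGUS_PRIV bogus-priv; then
        echo "BLOCKED: reverse lookups for private IP ranges are never forwarded"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: short names and private PTR lookups are forwarded"
    return "$rc"
}

# Constructed sample: a fresh install with both boxes still checked.
# 192.0.2.1 is a documentation address standing in for the upstream resolver.
demo=$(mktemp)
printf 'PIHOLE_DNS_1=192.0.2.1\nDNS_FQDN_REQUIRED=true\nDNS_BOGUS_PRIV=true\n' > "$demo"
audit_pihole "$demo" || echo "-> uncheck both settings, as described in the post above"
rm -f "$demo"
```

On a real host, run `audit_pihole /etc/pihole/setupVars.conf` after any reinstall, since the installer restores both settings.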
                      BigSnicker
                      last edited by Jul 26, 2019, 9:03 PM

                      FYI, after doing some research on how to get hostnames resolved in IPv6, it looks like the best option is to put in a host override in the DNS resolver.

                      DNS Resolver -> General Settings -> Host override

                      There's a thread discussing the options here.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.