Netgate Discussion Forum

    pihole on unraid not blocking ads with pfsense
    DHCP and DNS
    • johnpoz LAYER 8 Global Moderator

      See my edit... If all you want is quad9 as your dns.. Just have pihole forward to it.. Why would you need pfsense in the mix..

      Nowhere in my discussion of how I am setup did I ever mention pfsense not resolving.. No external name services are needed, or desired if you ask me. If you want pfsense to forward to quad9, then sure you can do that - but you don't need dnssec check on unbound then... If you forward - dnssec is POINTLESS!! Only a resolver can do anything with dnssec.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • x2rl @johnpoz

        @johnpoz So you don't need any dns if this is the case (3rd party)? I would be using the dns my ISP serves me? Virgin media? I'm sorry John, I'm nowhere up to speed with you and I'm sure my questions are frustrating you, I'm sorry... I thought I knew what I was doing, clearly not!

        • johnpoz LAYER 8 Global Moderator

          So it seems you do not understand what a resolver is vs a forwarder?

          Basic
          Resolver, walks down from roots looking for the authoritative ns for a domain.
          resolver
          roots - hey what is NS for .com
          .com NS - what is the NS for domain.com
          domain.com NS - hey what is the A record for www.domain.com

          Next time someone asks for host.domain.com, if the NS for domain.com is still cached, just ask ns domain.com for host.domain.com

          This is how resolving works.. No need for anything setup in pfsense, it knows who the roots are and can glean any other info from there for any other domain you're looking for.

          Forwarder.
          Hey 1.2.3.4 (some NS) what is A record for www.domain.com

          If it does not have this cached already, then it can either resolve, or it might forward to something else.. You really have no idea what it's doing. It could be a resolver, it could be a forwarder, you don't really know. All you know is you ask it for something, and you get an answer. Or you don't.

          Does that help? Or does it just make things more confusing?

          At some point in the asking for dns there has to be a resolver.. Be it who you're forwarding to, or somewhere upstream of who they forward to, etc. A resolver is what validates dnssec, forwarding to somewhere and asking for dnssec does nothing but add extra traffic for the query. If the resolver anywhere in your path is doing dnssec, and something doesn't pass dnssec then that info is not going to be passed downstream.

          example.. I ask quad9 for a record that fails dnssec..

          here see quad9 does dnssec validation - so if I ask it for a known record that fails dnssec I do not get an answer

          $ dig @9.9.9.9 www.dnssec-failed.org
          
          ; <<>> DiG 9.14.4 <<>> @9.9.9.9 www.dnssec-failed.org
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21744
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;www.dnssec-failed.org.         IN      A
          
          ;; Query time: 176 msec
          ;; SERVER: 9.9.9.9#53(9.9.9.9)
          ;; WHEN: Mon Aug 12 08:09:43 Central Daylight Time 2019
          ;; MSG SIZE  rcvd: 50
          

          But if I ask something that doesn't do dnssec.. Say 4.2.2.2, or even quad9 different address - it gives me answer even though the dnssec fails, be it I ask for dnssec or not

          $ dig @9.9.9.10 www.dnssec-failed.org
          
          ; <<>> DiG 9.14.4 <<>> @9.9.9.10 www.dnssec-failed.org
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1233
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;www.dnssec-failed.org.         IN      A
          
          ;; ANSWER SECTION:
          www.dnssec-failed.org.  7200    IN      A       68.87.109.242
          www.dnssec-failed.org.  7200    IN      A       69.252.193.191
          
          ;; Query time: 145 msec
          ;; SERVER: 9.9.9.10#53(9.9.9.10)
          ;; WHEN: Mon Aug 12 08:13:04 Central Daylight Time 2019
          ;; MSG SIZE  rcvd: 82
          

          9.9.9.10 is a specific address by quad9 that does not do dnssec validation.

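To make the 9.9.9.9 versus 9.9.9.10 comparison above repeatable, here is an added Python example (it is not from the thread, and not pfSense or Pi-hole code): it builds the same A query for www.dnssec-failed.org with the EDNS DO bit, parses the reply header, and classifies the resolver as validating when it answers SERVFAIL and as non-validating when it hands back the bogus A records. `thread_examples()` replays the two dig runs from constructed reply bytes with no network; only `probe()` sends a live query, and the script name in the usage comment is assumed.

```python
"""Resolver DNSSEC-validation check mirroring the dig test above: SERVFAIL for
www.dnssec-failed.org means validated and withheld (9.9.9.9); NOERROR with A records means passed through (9.9.9.10)."""
import socket
import struct
import sys

PROBE_NAME = "www.dnssec-failed.org"  # deliberately broken zone used in the thread
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Dotted name -> DNS labels, e.g. 3www 13dnssec-failed 3org 0."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid, dnssec_ok=True):
    """Standard A/IN query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000 if dnssec_ok else 0, 0)  # OPT: root, type 41, UDP size, DO flag
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract id, the RA/AD header bits, the rcode and any A answers from a reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "ra": bool(flags & 0x0080), "ad": bool(flags & 0x0020),  # AD = validated data
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": []}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            info["answers"].append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return info

def classify(info):
    """Read the reply the way the thread does."""
    if info["rcode"] == "SERVFAIL":
        return "validating"  # bogus data withheld, as 9.9.9.9 did
    if info["rcode"] == "NOERROR" and info["answers"]:
        return "not validating"  # bogus A records handed back, as 9.9.9.10 did
    return "unknown"

def build_response(qid, rcode, answers):
    """Constructed reply (no network) shaped like the two dig outputs above."""
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(answers), 0, 0)  # flags qr rd ra
    question = encode_name(PROBE_NAME) + struct.pack("!HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 7200, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in answers)
    return header + question + rrs

def thread_examples():
    """Replay the thread's two dig runs offline: same query ids, same bogus A records."""
    bogus = ["68.87.109.242", "69.252.193.191"]
    return {"9.9.9.9": classify(parse_response(build_response(21744, 2, []))),
            "9.9.9.10": classify(parse_response(build_response(1233, 0, bogus)))}

def probe(server, qid=0x1234, timeout=3.0):
    """Live check over UDP/53 (needs network), e.g. probe("9.9.9.9")."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(PROBE_NAME, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_response(data))

if __name__ == "__main__":  # assumed usage: python dnssec_probe.py [resolver-ip ...]
    print(thread_examples(), *(f"{a} -> {probe(a)}" for a in sys.argv[1:]))
```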
          • x2rl @johnpoz

            @johnpoz wow thank you John. I understand it a lot better now I think!

            So if my dns from my ISP is going into pfsense to be resolved when a domain is asked of it, what happens to the dns they send? Is it just killed off so to speak and pfsense takes over?

            • johnpoz LAYER 8 Global Moderator

              You mean if your isp dns hands out dns to pfsense.. It would be added to pfsense dns listing.. And pfsense might ask them if unbound is not working for example.. Ie not running.

              Normally you should prob not let your isp dhcp hand you dns if you're going to be using resolver.. There is little point to it, if your unbound is not working for some reason - you prob want to know about it!! DNS not working would be a really big clue to check that unbound is running and working ;)

              • x2rl @johnpoz

                @johnpoz said in pihole on unraid not blocking ads with pfsense:

                You mean if your isp dns hands out dns to pfsense.. It would be added to pfsense dns listing.. And pfsense might ask them if unbound is not working for example.. Ie not running.

                Normally you should prob not let your isp dhcp hand you dns if you're going to be using resolver.. There is little point to it, if your unbound is not working for some reason - you prob want to know about it!! DNS not working would be a really big clue to check that unbound is running and working ;)

                Thanks again, just didn't want to run the dns Virgin provide, but from the sound of it that's not the case. Thank you again for the write up and help with pihole, seems to be running fine now, just wished it would show hostnames not ips but hey! its all good cheers

                • johnpoz LAYER 8 Global Moderator

                  It will show hostnames.. You just need to make sure the hostnames are listed in unbound either via dhcp reservations and registration, or host overrides, or just plain dhcp registration, and you need to allow it to forward the rfc1918 PTRs..

                  Hostnames are found via PTR queries, out of the box pihole will not forward these - so you need to make sure that check box is checked, and unbound resolves them.

                  • x2rl @johnpoz

                    @johnpoz said in pihole on unraid not blocking ads with pfsense:

                    It will show hostnames.. You just need to make sure the hostnames are listed in unbound either via dhcp reservations and registration, or host overrides, or just plain dhcp registration, and you need to allow it to forward the rfc1918 PTRs..

                    Hostnames are found via PTR queries, out of the box pihole will not forward these - so you need to make sure that check box is checked, and unbound resolves them.

                    John that makes close to zero sense to me mate, don't worry I'll google and see what I can come up with, thanks again

                    • x2rl @johnpoz

                      @johnpoz Long time no see John and hopefully I'm now not as dumb as I was back then. But time will tell.

                      I'm just setting all this up again after moving and starting over with new gear and I can't seem to get PiHole to work with the settings I have.
                      If you have time will you just read over these to see how it looks please.

                      System>General Setup I have no dns names added and nothing checked
                      Services>DHCP Server>LAN I have the DNS servers as 10.0.0.222 (which is Pihole)
                      Services>DNS Resolver>General Setting nothing is checked other than server Enable

                      On pihole dns page I have the dns server pointing to Pfsense (10.0.0.1) and Never forward non-FQDNs is the only thing Checked.

                      Many Thanks

                      • johnpoz LAYER 8 Global Moderator

                        What is not working? Your PTR lookups?

                        If you query pfsense IP directly.. (10.0.0.1) does it resolve what you're looking for - ie say google.com?

                        From any box on your network do a dig or nslookup using pfsense IP 10.0.0.1.. Does this work?

                        My pfsense IP is 192.168.9.253, so here are examples.

                        $ dig @192.168.9.253 www.google.com                                     
                                                                                                
                        ; <<>> DiG 9.16.1 <<>> @192.168.9.253 www.google.com                    
                        ; (1 server found)                                                      
                        ;; global options: +cmd                                                 
                        ;; Got answer:                                                          
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2153                
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1    
                                                                                                
                        ;; OPT PSEUDOSECTION:                                                   
                        ; EDNS: version: 0, flags:; udp: 4096                                   
                        ;; QUESTION SECTION:                                                    
                        ;www.google.com.                        IN      A                       
                                                                                                
                        ;; ANSWER SECTION:                                                      
                        www.google.com.         3238    IN      A       172.217.4.228           
                                                                                                
                        ;; Query time: 0 msec                                                   
                        ;; SERVER: 192.168.9.253#53(192.168.9.253)                              
                        ;; WHEN: Tue May 05 08:57:11 Central Daylight Time 2020                 
                        ;; MSG SIZE  rcvd: 59                                                   
                                                                                                
                        

                        Here is same command using nslookup

                        $ nslookup www.google.com 192.168.9.253       
                        Server:  sg4860.local.lan                     
                        Address:  192.168.9.253                       
                                                                      
                        Non-authoritative answer:                     
                        Name:    www.google.com                       
                        Addresses:  2607:f8b0:4009:801::2004          
                                  172.217.4.228                       
                        

                        • x2rl @johnpoz

                          @johnpoz Sorry didn't really say did I :/

                          Pihole shows nothing, zero queries, it's like nothing is sent there.

                          nslookup www.google.com 10.0.0.1
                          Server:  pfSense.localdomain
                          Address:  10.0.0.1
                          
                          Non-authoritative answer:
                          Name:    www.google.com
                          Addresses:  2a00:1450:4009:81b::2004
                                    216.58.210.228
                          

                          Dig command didn't work on windows

                          • johnpoz LAYER 8 Global Moderator

                            dig is something you would have to add ;) It's not part of windows.. But it's a great dns troubleshooting tool, you can install it with the free bind software from isc, just install the tools if you want to play with it.

                            Ok so your pfsense is resolving. So does pihole not resolve?

                            If you use pihole?

                            My box is set to use pihole normally, so simple nslookup returns that it used pihole.. 192.168.3.10 in my network

                            $ nslookup www.google.com
                            Server:  pi-hole.local.lan
                            Address:  192.168.3.10
                            
                            Non-authoritative answer:
                            Name:    www.google.com
                            Addresses:  2607:f8b0:4009:801::2004
                                      172.217.4.228
                            

                            • x2rl @johnpoz

                              @johnpoz Well I thought setting pihole IP on the dhcp server would get rid of ads shown on sites and block malware etc...

                              nslookup www.google.com 10.0.0.222
                              Server:  14619edbadac
                              Address:  10.0.0.222
                              
                              Non-authoritative answer:
                              Name:    www.google.com
                              Addresses:  2a00:1450:4009:81b::2004
                                        216.58.210.228
                              

                              Hmm after I run that pihole showed queries, guess it is working? Just thought there would have been a lot more queries shown from all the sites the family use.

                              I'll check them tools out thanks.

                              A bit off topic here and pihole related, do you know John if there is a way to show hostnames on pihole which is sent via pfsense?
                              Was reading this post about it

                              • johnpoz LAYER 8 Global Moderator

                                why is your pihole coming back with 14619edbadac as a name??? WTF?

                                Well try doing a query for something that is blocked? say doubleclick.net should be on pretty much any blocklists you're using

                                $ nslookup doubleclick.net
                                Server:  pi-hole.local.lan
                                Address:  192.168.3.10
                                
                                Name:    doubleclick.net
                                Addresses:  ::
                                          0.0.0.0
                                

                                Are you seeing queries from all your devices - just because you change your dhcp to point to pihole, doesn't mean that the clients got the new info yet. They will only get that once they renew their lease, etc.

                                Also what block lists are you using? If you validate pihole blocks stuff that should be blocked then it's working. It's possible your clients' browsers are using their own dns as well, freaking doh nonsense - and not using your local dns.

                                Also your machines and browsers will cache for the length of the ttl records... So if they looked up something.shouldbeblock.tld and cached it.. before you put in pihole, they would just use their cache vs asking pihole for the ip..

                                Also possible your clients are using ipv6 for their dns, and not pointing to pihole - and using ipv6 vs ipv4 to look up stuff

                                • x2rl @johnpoz

                                  @johnpoz could be because it's in a docker! sorry forgot to say that! I'm running OMV and pi hole is in the docker

                                  nslookup doubleclick.net
                                  Server:  14619edbadac
                                  Address:  10.0.0.222
                                  
                                  Name:    doubleclick.net
                                  Addresses:  ::
                                            0.0.0.0
                                  

                                  Looks good?

                                  • johnpoz LAYER 8 Global Moderator

                                    See my edit about your clients maybe using ipv6 for dns vs ipv4 that points to pihole.

                                    even if in a docker, your 10.0.0.222 should resolve to something valid, you would set that.

                                      • x2rl @johnpoz

                                        @johnpoz Okay IPv6 is off and my ISP doesn't use it.

                                        I meant the weird name for the server it looks like a docker name lol

                                        Client      Requests
                                        10.0.0.16   65
                                        10.0.0.68   62
                                        10.0.0.12   54
                                        10.0.0.15   24
                                        10.0.0.14   23
                                        10.0.0.13   9
                                        10.0.0.11   9

                                        Seems to be working now just wish it would show the hostname not the IPs

                                        • x2rl

                                          Yeah, she's working John, thanks again. Seems my setting was correct for once.

                                          Do you use the Conditional Forwarding option in Pihole John? If so how do you use it? I put the IP and pfsense host name in there but it's still not showing the hostnames.

                                          • johnpoz LAYER 8 Global Moderator

                                            @Mike34 said in pihole on unraid not blocking ads with pfsense:

                                            Conditional Forwarding option in Pihole John? if so how do you use it I put the IP and pfsense host name in there but its still not showing the hostnames.

                                            I don't use it.. pihole sends everything to pfsense. I maintain all hosts in pfsense.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.