Netgate Discussion Forum

    How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver

Category: DHCP and DNS
    19 Posts 4 Posters 3.2k Views
Mr. Waste (last edited by Mr. Waste):

@johnpoz Here you go, hope this helps.

It's Internet DNS to pfSense to Pi Hole to Internet.

Thank you so MUCH!

[image: Untitled Diagram.png]
johnpoz, LAYER 8 Global Moderator (last edited by johnpoz):

Didn't we already go over this.. This server at 10.0.9.69 is different than your previous pihole?

How is that any different than your pihole 192.1.1.5?

Do you want to send your query to 10.x or 192.? Btw, is that a typo - why in the hell would your pihole be on a non-RFC1918 address? You sure don't own 192.1.1 (BBN Communications (BBNP)).

You can not send traffic hitting pfsense wan on port 53 to both of these NS on your network.

Who do you want to send to this 10.x server? And who do you want to send to this 192 (pihole) box? What are they looking for, just internet stuff - local domains? What?

You have 1 dns server, pihole? Doesn't really matter what it's running.

And you want other vlans on your network to use it? Or what? You can for sure port forward on your lan something that might be trying to query for example 8.8.8.8 and send it to pfsense, which forwards to this other dns..

Maybe I'm tired - but not understanding what exactly you want to happen... Who do you want to query this server? Why do you not just point them directly to what you want them to use for dns?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Mr. Waste:

@johnpoz

I have normal DNS queries coming from a house or small business that need a response, e.g. a website page or loading YouTube videos. - (Normal everyday DNS)
I want pfSense to use pfBlocker, then forward the next query to Pi Hole to do more filtering. Pi Hole is on a different network than the normal LAN side. Add another interface on pfSense, for example. I want to make a rule to allow and pass the DNS to the other network while getting a response back. Pi Hole can go through the normal LAN side of the other network or just go right through the internet from the WAN of the pfSense.

I don't know how to use a rule and pass the DNS to the other network while ONLY letting that device have access to port 53 on the other network. - (From the pfSense's rules)

Does this make any sense? Or am I not explaining it enough?

Thank you for your help.
johnpoz, LAYER 8 Global Moderator @Mr. Waste (last edited by johnpoz):

@Mr-Waste said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver:

    Pi Hole is on a different network than on Normal Lan Side

Doesn't matter what network your pihole is on.. be it lan or your 100th vlan.. Pfsense can still talk to it, right? No port forward needed on your lan side networks.

So you want wan side clients to use unbound on pfsense (with pfblocker).. Then for that to go to pihole..

But you want lan side clients to just use unbound of pfsense, but not get forwarded to pihole??

So you only have the 1 dns on your local lan side network.. You changed the pihole IP from the 192 address to the 10 address? Or you have 2 different nameservers? The pihole and this other one on the 10 address?

Or do you want wan to use unbound, forward to pihole? And then lan side clients to use unbound but get forwarded to some other name server? Which is not pihole? Or not use unbound at all and just get forwarded to this other NS?
Gertjan @Mr. Waste (last edited by Gertjan):

@Mr-Waste said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver:

    I want Pfsense to use Pfblocker then forward the next query to Pi Hole to do more filtering

Just keep in mind: when you use pfBlockerNG-devel, it will need unbound to work as a resolver (== not forwarder).
It's stated up front in the settings when you activate the DNSBL part.

I can't say that you can't forward unbound, the 'resolver', but it will influence 'DNS' behaviour.
What about keeping things simpler?

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??
johnpoz, LAYER 8 Global Moderator (last edited by johnpoz):

@Gertjan said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver:

    it will need unbound to work as a resolver (== not forwarder).

Ummm - no, why would you think that? You can use pfblocker while unbound forwards..

It states.. "To Utilize, Unbound DNS Resolver must be enabled." Whether unbound is set to resolve or forward has nothing to do with it..

I can see how the wording could be confusing.. But unbound is meant to be a resolver, that is its default state. But how unbound finds out something that is not a local record, be it resolving or forwarding, has nothing to do with the workings of pfblocker.

Unbound is the resolver for pfsense, pfblocker doesn't work with dnsmasq (the forwarder) in pfsense. But you can for sure use unbound in forwarder mode, and still use pfblocker.
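To make the resolve-versus-forward distinction concrete, here is what the two settings discussed above look like in unbound's own configuration syntax. This is an added illustration, not a file from the thread or from the pfSense or pfBlockerNG projects: pfSense generates /var/unbound/unbound.conf itself from the GUI (Services > DNS Resolver sets the listening interfaces, ACLs and "Enable Forwarding Mode"; extra directives go in the Custom Options box), so these lines are not pasted into the file by hand. The addresses are the ones given in the thread; the ads.example blocklist entry is constructed.

```conf
server:
    # Where unbound listens: the pfSense address on each local network,
    # plus localhost so queries NAT-redirected to 127.0.0.1 are answered too.
    interface: 127.0.0.1
    interface: 10.0.8.1          # LAN address (from the thread)
    interface: 10.0.9.2          # LAN2 address on the Pi Hole segment (from the thread)

    # Only these clients may query; everything else is refused, so enabling
    # a WAN listener does not turn the box into an open resolver by itself.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.8.0/24 allow
    access-control: 10.0.9.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # A blocklist entry of the kind pfBlockerNG DNSBL injects (constructed example).
    # It is answered from local data before any resolving or forwarding happens,
    # which is why blocking works identically in either mode.
    local-zone: "ads.example" redirect
    local-data: "ads.example A 0.0.0.0"

# Forwarding mode: anything not answered locally is sent to the Pi Hole.
# Remove this section and unbound resolves recursively from the root servers instead;
# nothing in the server: section above changes.
forward-zone:
    name: "."
    forward-addr: 10.0.9.69      # Pi Hole (from the thread)
```

Reading it this way makes johnpoz's point visible: the blocklist data and the listener/ACL settings live in the server: block, while resolver-versus-forwarder is just the presence or absence of the forward-zone block. If a remote site is meant to query the WAN address, its public IP needs an access-control allow line of its own in addition to the firewall rule; an allow for 0.0.0.0/0 would make the box an open resolver.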
Gertjan @johnpoz:

@johnpoz said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver:

    why would you think that?

I was reading:

[image: 8069a674-92f7-42e3-93b4-f5f3844fa54e-image.png]

and agree (now): the forwarding or resolver mode could be used.
I guess I mixed up resolver, Resolver and resolving.
johnpoz, LAYER 8 Global Moderator:

Yeah.. to be honest the wording should take out the resolver part of the unbound name.. Yes, unbound is a "resolver", but you can set it to forward. While the forwarder (dnsmasq) can not resolve - only forward.
Mr. Waste (last edited by Mr. Waste):

@johnpoz said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver:

    do you want wan to use unbound, forward to pihole? And then lan side clients to use unbound but get forwarded to some other name server?

@johnpoz

"So you only have the 1 dns on your local lan side network.. You changed the pihole IP from the 192 address to the 10 address?"

To be clear, the 10 addresses are ONLY local on that subnet range. I decided to use the 10 network rather than 192 or others. Easier to remember. - Local ONLY

"Or you have 2 different nameservers? The pihole and this other one on the 10 address?"

Both networks will only be using the 1 Pi Hole for DNS.
I need to know how to get a response back from the pfSense being on a different network.

Example network for Pi Hole ONLY:
pfSense extra interface Lan2: IP 10.0.9.2 (getting an IP address from the other router on this network)
Pi Hole: 10.0.9.69

Remember we have this too, but don't confuse yourself here.
pfSense LAN interface: 10.0.8.1/24

pfSense is being the Unbound resolver for the 10.0.8.1/24 (LAN) network. (Same thing - pfBlocker for block lists.) Then, passing the traffic to the Lan2 network. Pi Hole gets the request and sends it out through either network. I would think the network 10.0.9.1/24 (Lan2), because on the 10.0.8.1/24 (LAN) it doesn't know there is a gateway for the internet traffic to get out. + thinking of a normal device just requesting normal DNS queries.

"Or do you want wan to use unbound, forward to pihole? And then lan side clients to use unbound but get forwarded to some other name server?"

Talking about pfSense ONLY: 10.0.8.1/24 LAN
I will explain more: I want every device, either through the WAN of pfSense itself or through the LAN, to send the requests to the pfSense resolver, then forward them to the other network's Lan2 Pi Hole.

Lan2 10.0.9.1/24:
This other network will use Pi Hole for their DNS requests.
johnpoz, LAYER 8 Global Moderator (last edited by johnpoz):

@Mr-Waste said in How to get Pfsense to resolve a DNS Queries from a Home on the Wan interface to pfsense DNS Resolver:

    I need to know how to get a response back from the Pfsense being on a different network

Huh?? Doesn't even make sense.. Pfsense is connected to both networks, or all networks in question, right?? Do you have drawings of some other downstream routers in your network??

Let's say you have this...

[image: setup.png]

Forget the network IPs - there could be 3, there could be 3000 of them... Doesn't matter..

Your devices on each network.. Would point to the pfsense IP on that network, in my drawing .1 on each network, for DNS. Unless you want to point them direct to DNS like on the 10.10.10 I show..

The only thing that has to be allowed for is that 172.16.0 interface: that network can talk 53 udp/tcp on that pfsense interface.. Whatever that vlan is called would be listed as vlanX address, on the other network it would be vlanY address.

Now all your devices ask pfsense for DNS.. To the respective IPs of pfsense on that network - this is the default of what is handed out via dhcp..

Pfsense forwards this to your DNS..

To be honest, all you have to do for your remote is allow that remote IP to your wan IP on 53 udp/tcp as well.. Unbound listening on your wan address.. Will also forward this traffic to your dns..

The only time you ever have to do any sort of port forwarding is if, say, a client on vlan X 192.168.0 in my drawing is trying to talk to 8.8.8.8 for dns.. This is when you would do a redirect (port forward).. Anything going to anything other than the pfsense IP for dns, port forward it to loopback so unbound will see it and pretend it's googledns..

I have no idea what you got into your head... But unless you're wanting to intercept dns not set to talk to pfsense (default dhcp settings), then this works out of the box.. Nothing to do for any of it.. Other than set unbound to forward to your pihole/dns..

Do you have more routers in your network other than pfsense? Or is my drawing a representation of what you have? Forget what IP ranges I have on networks, or how many there even are... You could have 2, or 2000 - doesn't matter, all works the same!!
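The firewall side of what johnpoz describes, written out as a pf ruleset fragment so the three pieces (per-interface pass rules, the optional DNS redirect to loopback, and the single WAN allow for the remote site) can be seen together. This is an added example, not part of the post and not output from pfSense: pfSense builds its ruleset from the GUI (Firewall > Rules for the pass rules, Firewall > NAT > Port Forward for the redirect, with "invert match" on the destination and 127.0.0.1 as the redirect target), so each line below corresponds to a GUI rule rather than something typed into pf.conf. The interface names are assumed, the network numbers follow johnpoz's drawing, and 203.0.113.10 is a made-up placeholder for the remote home's public address.

```conf
# Macros: assumed interface names; on pfSense the GUI fills these in for you.
wan   = "em0"
vlanX = "em1.10"                 # 192.168.0.0/24 in johnpoz's drawing
vlanY = "em1.20"                 # 172.16.0.0/24 in johnpoz's drawing
remote_client = "203.0.113.10"   # placeholder: the one remote site allowed to use the WAN address

# NAT (optional): a vlan X client that insists on a third-party resolver such as
# 8.8.8.8 is redirected to unbound on loopback. Queries already aimed at the
# pfsense address on this interface do not match the "! ($vlanX)" test and are
# left alone, which is the normal DHCP-handed-out case.
rdr on $vlanX inet proto { tcp udp } from $vlanX:network to ! ($vlanX) port 53 -> 127.0.0.1 port 53

# Filter: each network may talk DNS only to the pfsense address on its own interface.
# (Translation happens before filtering, so the redirected packets now carry 127.0.0.1
# as their destination and need the third rule; pfSense adds that one automatically
# when the port forward is created with an associated filter rule.)
pass in quick on $vlanX inet proto { tcp udp } from $vlanX:network to ($vlanX) port 53
pass in quick on $vlanY inet proto { tcp udp } from $vlanY:network to ($vlanY) port 53
pass in quick on $vlanX inet proto { tcp udp } from $vlanX:network to 127.0.0.1 port 53

# WAN: only the one remote site may reach unbound on the WAN address. Everyone else
# is dropped by the default deny, so the listener on WAN is not an open resolver.
pass in quick on $wan inet proto { tcp udp } from $remote_client to ($wan) port 53

# Nothing here mentions the Pi Hole at all: the hop from unbound to 10.0.9.69 is
# pfsense's own outbound traffic, which is why no port forward toward LAN2 is needed.
```

The rule set shows why the original question had no firewall answer beyond the WAN line: every local client talks to the pfsense address on its own segment, unbound does the forwarding, and the only cross-network flow is pfsense itself querying the Pi Hole. Whatever address you put in the WAN rule must also be allowed in unbound's access-control list, otherwise the packet passes the firewall and unbound still refuses it.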
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.