Need assistance with advanced DNS NAT redirect…



  • Wasn't sure where to put this, either under NAT or DNS, so I chose here…
    I have been using the https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense method of redirecting DNS on my network to pfsense. I have since added a new internal DNS server (pi-hole) and would like to keep the NAT redirect in place, but just can't wrap my head around what I need to do to make all DNS traffic redirect to the pi-hole.

    The problem, I believe, is that I have the pi-hole DNS server pointing to pfsense as its upstream server. I wanted this as the pfsense DNS still hosts all DNS info for the local domain, including hosts from DHCP.

    pfsense <–> pi-hole <--> lan

    So adding the NAT redirect rule works, but it also forces the pi-hole DNS server to redirect its upstream traffic to itself, so it can't get out. Is there a way to do the NAT rule and exclude a host?


  • Banned

    Uhm, create an alias with your pfSense LAN IP and the RPi's IP, use it as the destination with the NOT checkbox checked, instead of using "LAN address".


  • Rebel Alliance Global Moderator

    I have recently started playing with pi-hole.

    I think you're going about it the wrong way. For starters, I'm not a fan of redirecting anything. You either allow it or block it; that is the better way to do it if you ask me.

    What I did is set up pihole to use a custom forwarder: set pihole to forward to pfsense. So it can look up local, and look up anything public by asking pfsense, which could be running the resolver or forwarder. Now just set up your devices to use pihole; via DHCP is the easy way.

    You will want to rem out bogus-priv in the pihole.conf

    Now it will forward anything you ask it to pfsense; pfsense will either know it because it's your local stuff or get it from public and return it to pihole. Now you get all your pihole stats and can look up all your local stuff.

    You need to undo the bogus-priv setting or it will not be able to ask for RFC 1918 PTRs.



  • @doktornotor:

    Uhm, create an alias with your pfSense LAN IP and the RPi's IP, use it as the destination with the NOT checkbox checked, instead of using "LAN address".

    Will try this… thank you.

    @johnpoz:

    What I did is set up pihole to use a custom forwarder: set pihole to forward to pfsense. So it can look up local, and look up anything public by asking pfsense, which could be running the resolver or forwarder. Now just set up your devices to use pihole; via DHCP is the easy way.

    That's exactly how I have it set up. All clients are pointing to my pi-hole, but I like the NAT redirect rule in case I miss something, or if someone decides they want to try to use different DNS (teenagers, eh  :o)

    I do also use the block DNS rule, and have that working, so it mitigates the issue a bit; but I really like how the NAT redirect works.

    @johnpoz:

    You will want to rem out bogus-priv in the pihole.conf

    Now it will forward anything you ask it to pfsense; pfsense will either know it because it's your local stuff or get it from public and return it to pihole. Now you get all your pihole stats and can look up all your local stuff.

    You need to undo the bogus-priv setting or it will not be able to ask for RFC 1918 PTRs.

    I will look into this, thanks.


  • Rebel Alliance Global Moderator

    "but I really like how the NAT redirect works."

    Why?? If you block DNS, your teenagers can try until they are blue in the face to use some other DNS. It's just not going to work. This is honest: sorry, we do not allow that. Redirection is "oh, you want to use 8.8.8.8? Here is the answer to your DNS query to 8.8.8.8"… didn't tell you I sent it to OpenDNS instead.

    If you want to use redirection you still can, but you cannot have the thing you're redirecting to use redirection. You have a loop.
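
    The ruleset below is an added illustration, not from the pfSense doc linked in the question or from any of the posts above, written in plain pf syntax rather than the rules pfSense generates from its GUI. It lays out the four setups the thread discusses side by side: the original port-53 redirect to pfSense, the looping variant that points the same rule at the Pi-hole, the inverted-alias fix doktornotor describes, and johnpoz's allow-or-block alternative. The LAN interface name em1, the pfSense LAN address 192.168.1.1 and the Pi-hole address 192.168.1.10 are assumptions chosen for the example.

```pf
# Assumed addresses for this example: LAN interface em1,
# pfSense LAN address 192.168.1.1, Pi-hole 192.168.1.10.
lan_if = "em1"
pf_lan = "192.168.1.1"
pihole = "192.168.1.10"

# 1. The original doc rule: every port-53 query arriving on LAN that is NOT
#    already aimed at pfSense's own LAN address is rewritten to land on pfSense.
rdr on $lan_if inet proto { tcp, udp } from any to ! $pf_lan port 53 -> $pf_lan port 53

# 2. The naive change after adding the Pi-hole (the loop from the question):
#    the Pi-hole's own upstream query to 192.168.1.1 matches "to ! 192.168.1.10"
#    and is rewritten back to the Pi-hole, so it never reaches pfSense.
# rdr on $lan_if inet proto { tcp, udp } from any to ! $pihole port 53 -> $pihole port 53

# 3. The fix: an alias (a pf table here) holding BOTH local resolvers, used as
#    an inverted destination. Queries to either local resolver pass untouched,
#    including the Pi-hole's forward to pfSense; queries to anything else
#    (8.8.8.8, 1.1.1.1, ...) are redirected to the Pi-hole.
table <local_dns> { $pf_lan, $pihole }
rdr on $lan_if inet proto { tcp, udp } from any to ! <local_dns> port 53 -> $pihole port 53

# 4. The allow-or-block alternative: no rewriting at all. Permit DNS to the
#    local resolvers, refuse everything else on port 53, so a client pointed at
#    8.8.8.8 gets a refusal instead of a silently substituted answer.
pass in quick on $lan_if inet proto { tcp, udp } from $lan_if:network to <local_dns> port 53
block return in quick on $lan_if inet proto { tcp, udp } from $lan_if:network to any port 53
```

    In pfSense terms, setup 3 is the Firewall > NAT > Port Forward rule with the destination set to the two-address alias and "Invert match" ticked, and setup 4 is a pass rule to that alias on port 53 followed by a block rule on port 53 to any. Both the redirect and the block only catch plain DNS on port 53; a client that talks DNS over TLS on 853 or DNS over HTTPS on 443 is not affected by either rule, which is worth knowing before trusting the redirect as a safety net.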