DNS and pi-hole



  • How is the DNS request handled by pfSense if using pi-hole (https://pi-hole.net)?

    Currently I have the following settings for DNS in pfSense:

    DNS server(s)

    • 127.0.0.1
    • 192.168.1.10 (pi-hole)
    • 8.8.8.8 (Google public DNS)
    • 8.8.4.4 (Google public DNS)

    The idea was, if pi-hole is down the name resolution will be done by a Google public DNS server.

    My question is now, will the fastest DNS response be used by pfSense or is the order of the list respected?


  • Rebel Alliance Global Moderator

    Why would pfsense point to pihole??

    If you want your network to use pihole - then have your clients ask pihole.  Pihole then should in turn forward to pfsense so you can use the resolver and resolve all your local hosts.  Or are you going to just forward off your pihole to the public internet?  And use pihole for dhcp and let it be able to resolve all your local devices?

    If so then pfsense should just point to pihole and not itself and pihole should forward to wherever you want.

    I use pihole, all my clients point to it 192.168.3.10, it then forwards to pfsense that uses the resolver so I can look up local devices via pfsense dns, and can resolve anything outside.  Pihole just doesn't hand that to clients if any of the records are in the black lists.  And you get the pretty graphs ;)  And listing of what clients are asking for and how much.


  • Moderator

    @john.wayne1:

    My question is now, will the fastest DNS response be used by pfSense or is the order of the list respected?

    Or just use the pfSense package - pfBlockerNG w/DNSBL (utilizing Unbound Resolver) and no need to offload this to another network device.

    https://forum.pfsense.org/index.php?topic=102470.0



  • I don't want to manually set the IP of pi-hole as DNS for every client, this is why I use pfSense (as gateway) for it.

    I don't need the graph per client, I just want the ads to be blocked ;)

    pi-hole has "Upstream DNS Servers" set which resolves the requests.

    I can disable the option "DNS Forwarder" and will get the following (without 127.0.0.1) if it's easier to understand.

    DNS server(s) on pfSense

    • 192.168.1.10 (pi-hole)
    • 8.8.8.8 (Google public DNS)
    • 8.8.4.4 (Google public DNS)

    (Upstream) DNS server(s) on pi-hole

    • 8.8.8.8 (Google public DNS)
    • 8.8.4.4 (Google public DNS)

    I just want every client to use the DNS set from pfSense 192.168.1.10 and if it's not down for some reason to use the Google public DNS, as simple as that ;)



  • @BBcan177:

    Or just use the pfSense package - pfBlockerNG w/DNSBL (utilizing Unbound Resolver) and no need to offload this to another network device.

    Are the blocking lists of pi-hole compatible with pfBlockerNG?



  • Maybe I need some setup using "DNS Query Forwarding" and the activated option

    "Query DNS servers sequentially"
    If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.

    It seems this describes best what I want to achieve :)
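The thread settles on two behaviours that are easy to reason about in code: "query sequentially" means the first server in the list that answers wins (the pi-hole at 192.168.1.10, with 8.8.8.8 / 8.8.4.4 only as fall-back), and a pi-hole block shows up to the client as an A answer of 0.0.0.0 (or NXDOMAIN, depending on its blocking mode). The script below is an added example written for this page, not code from the thread, pfSense, dnsmasq or pi-hole; it implements a minimal DNS wire-format query/response parser, a strict-order failover loop over the poster's resolver list, and a classifier that tells a sinkholed answer from a real one. The resolver addresses are the ones in the thread; the domain `ads.example.test`, the `build_sample_response` helper and the 93.184.216.34 address are constructed for offline testing.

```python
import random
import socket
import struct

# Resolver list in the order the original poster uses (pi-hole first, public fall-back after).
RESOLVERS = ["192.168.1.10", "8.8.8.8", "8.8.4.4"]


def build_query(name, txid=None):
    """Build a minimal DNS A query (recursion desired) in wire format."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Parse the header and the A records of a reply; return txid, rcode and IPv4 answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode, offset, answers = flags & 0x000F, 12, []
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": rcode, "answers": answers}


def classify(result):
    """Label a reply the way a pi-hole blocking check would read it."""
    if result["rcode"] == 3:
        return "nxdomain"       # blocked in NXDOMAIN mode, or genuinely non-existent
    if result["rcode"] != 0:
        return "error"
    if result["answers"] and all(a in ("0.0.0.0", "127.0.0.1") for a in result["answers"]):
        return "sinkholed"      # pi-hole style null answer
    return "resolved" if result["answers"] else "empty"


def query_sequential(name, servers=RESOLVERS, timeout=2.0):
    """Strict-order behaviour: ask each server in turn, return (server, reply) for the first that answers."""
    for server in servers:
        query = build_query(name)
        txid = struct.unpack(">H", query[:2])[0]
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:
            continue  # timeout or unreachable: fall through to the next server
        finally:
            sock.close()
        result = parse_response(data)
        if result["txid"] != txid:
            continue  # reply does not match our query; do not trust it
        return server, result
    return None, None


def build_sample_response(query, ip, rcode=0):
    """Constructed reply for offline testing: echo the question and add one A record (or none)."""
    ancount = 1 if ip else 0
    msg = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, ancount, 0, 0) + query[12:]
    if ip:
        rdata = bytes(int(part) for part in ip.split("."))
        msg += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + rdata  # name pointer to offset 12
    return msg


if __name__ == "__main__":
    # Live check of the failover chain; prints which resolver answered and how the answer is classified.
    server, reply = query_sequential("ads.example.test")
    print(server, reply, classify(reply) if reply else "no answer")
```

Run it on a LAN client to see which entry of the list actually answered: with sequential querying the pi-hole should answer every time it is up and a public resolver only when it is down, and a blocked name classifies as `sinkholed` or `nxdomain` rather than `resolved`. If the parallel (default) mode is in effect instead, the same name will intermittently come back `resolved` from 8.8.8.8, which is exactly the bypass the original poster is trying to rule out.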


  • Moderator

    @john.wayne1:

    @BBcan177:

    Or just use the pfSense package - pfBlockerNG w/DNSBL (utilizing Unbound Resolver) and no need to offload this to another network device.

    Are the blocking lists of pi-hole compatible with pfBlockerNG?

    Yes and more.



  • @john.wayne1:

    Are the blocking lists of pi-hole compatible with pfBlockerNG?

    @BBcan177:

    Yes and more.

    Well, is there some good tutorial to get pfBlockerNG running the same as pi-hole? As it seems not as easy to setup as pi-hole ;)

    Do I need to add the lists manually on the DNSBL Feed or on the DNSBL EasyList?


  • Moderator

    The package is more than just an AD blocker.  ;)

    See the following:
    https://forum.pfsense.org/index.php?topic=102470.30

    More help available in the pfBlockerNG forum.



  • @BBcan177:

    The package is more than just an AD blocker.  ;)

    See the following:
    https://forum.pfsense.org/index.php?topic=102470.30

    More help available in the pfBlockerNG forum.

    Thx, I will give it a try.

    Yes, it's too overloaded for an AD blocker only and I hope it won't fill my RAM ;)



  • I settled on a two layer approach for the time being at least.  All clients use pi-hole for DNS, pihole uses pfSense and pfSense has google and my ISP's DNS set.  I've had the pi-hole for a bit longer than pfSense so I've got some customization done already.

    As I find time I'm gonna get pfBlockerNG to start taking over the DNS duties of the pi-hole.  But for now it's working nicely letting pi-hole be a first line of filtering which is where I was before I got the pfSense system up and running.


  • Rebel Alliance Global Moderator

    While it's quite possible that pfblocker can do what pihole does - pihole provides you a simple easy interface to watch how many queries your network as a whole is doing, who the top asker is.  What is being asked for the most be it something that is allowed or something that is blocked.

    "I don't want to manually set set the IP of pi-hole as DNS for every client"

    Who said you would do that?  That would be handed out by your dhcp server, be it pfsense, your pihole box or some other dhcp server.  I would agree you would normally never set dns manually on your clients.

    If you don't want the graphs and information that pihole provides - then sure duplicate it out of pfblocker.  The nice thing of pihole is that it is specifically designed to block ads - and they do all the work on which lists to use to block said ads, etc.

    Not saying you cannot do it with pfblocker - not saying you cannot do it with just unbound.  I have a cron that loads in stuff to not resolve into unbound for clients of unbound.. There are always multiple ways to skin the cat.  But the OP asked about using pihole with pfsense.

    In that case then best bet is to have all your clients ask pihole for dns.  Then either forward to dns if you want a resolver, or you want pfsense to handle your local records.  Or just have pihole forward to something else upstream as a resolver or forwarder.  dns.watch has been added to pihole as of recently and is an open resolver that anyone can use vs just a forwarder.