pihole on unraid not blocking ads with pfsense



  • Hi All,

    I have pihole as a docker on my unraid box. Pfsense is running as a vm on unraid. I cannot get pihole to block ads. I see queries going through but no blocking. DNS resolver is enabled under all of these (with dnssec, dhcp registration, and static dhcp checked). I've tried the following.

    1. In general setup, pihole as the dns server (pihole configured for cloudflare)
    2. In general setup, pihole as the dns server, and also under dhcp server pihole as the dns (pihole configured for cloudflare)
    3. pihole pointing to ip of pfsense and pfsense dns in general setup pointing to pihole
    4. pfsense having cloudflare as dns under general and dhcp server dns pointing to pihole
    5. under dns resolver, dns forwarding mode enabled; it worked at first then blocked everything

    I'm at a loss at this point on what to do. Does anyone have any suggestions? I don't want to use pfBlockerNG as pfsense is running under a vm and I don't want to tax it.



  • @mlaustin Hard to believe that pihole is not blocking ads. You should see in /var/log/pihole.log entries from gravity.list blocking adservice.google.com.

    Are you saying that you see pihole resolving adservice.google.com in /var/log/pihole.log when you google?



    I'm saying that it is almost as if it is not working properly. When I manually set my computer's DNS to pihole, it works. Through pfsense, it does not. When I say working, I guess I am referring to it not blocking any DNS searches, as it is my only DNS server on the network using Cloudflare. Perhaps that was not the right way to say it.



  • @mlaustin Your pihole isn't working because your DNS Resolver isn't asking it. Resolver talks to the root hosts directly. It doesn't forward DNS requests by default. You either need to disable DNS Resolver and instead enable DNS Forwarder, or modify your DNS Resolver config to make it act as a forwarder via DNS Query Forwarding - Enable Forwarding Mode. Then make sure your pihole IP address is the only DNS server listed under System - General Setup - DNS Server Settings.



  • @mlaustin said in pihole on unraid not blocking ads with pfsense:

    I'm saying that it is almost as if it is not working properly. When I manually set my computer's DNS to pihole, it works. Through pfsense, it does not. When I say working, I guess I am referring to it not blocking any DNS searches, as it is my only DNS server on the network using Cloudflare. Perhaps that was not the right way to say it.

    Why not just set up Cloudflare on the pihole host? I only use the pfSense DNS resolver as a conditional forwarder for my local domain name.



  • @kom said in pihole on unraid not blocking ads with pfsense:

    @mlaustin Your pihole isn't working because your DNS Resolver isn't asking it. Resolver talks to the root hosts directly. It doesn't forward DNS requests by default. You either need to disable DNS Resolver and instead enable DNS Forwarder, or modify your DNS Resolver config to make it act as a forwarder via DNS Query Forwarding - Enable Forwarding Mode. Then make sure your pihole IP address is the only DNS server listed under System - General Setup - DNS Server Settings.

    I had Enable Forwarding Mode checked, and pihole worked for a bit. Then I was not able to resolve any domains after some time period (less than a couple of hours). In general setup under DNS, I had the pihole IP and the 127.x.x.x address (disable dns forwarding is unchecked in general setup). Could that have caused DNS queries to show web sites as not being able to be reached?



  • I don't know why you would need 127.0.0.1 in General Settings - DNS Servers. I would also block DNS at the LAN level and redirect all DNS traffic to pfSense.

    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    I don't have a quick answer as to why your lookups fail after time. Check your logs when it starts acting up.



    I actually recently set up pi-hole as well and it's working great together with pfSense. I run pfSense on a bare-metal 1U server, but pi-hole is running inside a Linux VM on Proxmox on my network. Here's how I have things set up:

    Clients (generate DNS request) --> pi-hole (blocks or forwards DNS request) --> pfSense (returns IP if cached or forwards DNS request) --> upstream DNS (resolves DNS request).

    Inside pi-hole I have the upstream DNS server set as pfSense and I have DNSSEC and DNS caching disabled (since pfSense caches DNS requests and latency between pi-hole and pfSense is negligible, i.e. < 1ms). Inside pfSense, under general setup, I have 127.0.0.1 and upstream DNS servers set. I also have some NAT redirection rules set up to make sure that no devices can bypass pi-hole (e.g. some IoT devices can have hard-coded DNS settings).

    Overall, this setup is performing well and I'm now slowly rolling it out to my entire network of devices.



  • So I seem to have this working now. In general setup, I checked the box for disable dns forwarder, which removed the dns server entry of 127.0.0.1. DNS Resolver is enabled with DNSSEC and DNS Query Forwarding. Pihole is set with Cloudflare as the DNS servers. And pfSense is set with Pihole as the DNS server and the only server. Thanks for everyone's help.



  • I thought I'd give an update. For the most part, this setup has been working. However I am getting some domains blocked. When I go into pihole via command line to whitelist, pihole says the domain is not blocked. So pfsense must be blocking it. Also wanted to mention that pfsense is not giving pihole's IP address to my clients. The clients show the router and dns server as the same IP address vs pfsense as the router and pihole as the dns. What could be the problem?



  • @mlaustin said in pihole on unraid not blocking ads with pfsense:

    I thought I'd give an update. For the most part, this setup has been working. However I am getting some domains blocked. When I go into pihole via command line to whitelist, pihole says the domain is not blocked. So pfsense must be blocking it. Also wanted to mention that pfsense is not giving pihole's IP address to my clients. The clients show the router and dns server as the same IP address vs pfsense as the router and pihole as the dns. What could be the problem?

    I suspect the answer is very simple. Whatever device is providing DHCP on your network needs to also be providing clients your pihole server's IP as the DNS server to use. DHCP tells clients what IP address to take, where to ask for DNS services and what gateway to use. Sounds like your DHCP setup is missing the DNS part or else is giving out an IP that is not your pihole server.

    But may I ask another question? Why go to all the hassle of using pihole and having to fight with DNS? Just put an ad block plugin on your browsers. I use uBlock Origin on Chrome and I see zero ads of any type on web sites I visit, and I don't have to monkey around with DNS. There are also uBlock Origin clients for other browsers. Same with YouTube videos. I have a YouTube ad blocker and never see any ads on YouTube (nor Facebook). Maybe if your browsing is primarily from mobile devices instead of PCs, then pihole might be needed (as the ad block clients for mobile devices are sparse). I personally detest using a mobile device for general web browsing (the screen is too small and you have to scroll most web sites for 10 miles to see all the content).

    If you still want to use pihole, then you need to make sure that server's IP address is handed to all clients in your network for them to use as the DNS server. Typically that is handled by properly configuring whatever is providing DHCP on your network. Of course you can also manually assign the DNS server IP address.


  • LAYER 8 Global Moderator

    I have been running pihole for quite some time... This is how I set it up... I have pihole running on an actual pi in my dmz network 192.168.3/24

    All clients point to pihole directly via setting dhcpd on pfsense to hand this out. pihole then forwards to pfsense.. Pfsense then "RESOLVES" using dnssec.

    This allows me, if I want, to just ask the pfsense IP directly for something if I don't want to be blocked by pihole's list. If I want a device to not use pihole, I just set up that device to use pfsense for dns.

    On pihole I just set it to forward PTRs for rfc1918, ie uncheck
    "Never forward reverse lookups for private IP ranges"

    This requires min config on both unbound and pihole. No need to setup any conditional forwards, still get to "resolve" and use dnssec per setting on unbound. And also host overrides set on unbound work, etc.



  • @bmeeks said in pihole on unraid not blocking ads with pfsense:

    @mlaustin said in pihole on unraid not blocking ads with pfsense:

    I thought I'd give an update. For the most part, this setup has been working. However I am getting some domains blocked. When I go into pihole via command line to whitelist, pihole says the domain is not blocked. So pfsense must be blocking it. Also wanted to mention that pfsense is not giving pihole's IP address to my clients. The clients show the router and dns server as the same IP address vs pfsense as the router and pihole as the dns. What could be the problem?

    I suspect the answer is very simple. Whatever device is providing DHCP on your network needs to also be providing clients your pihole server's IP as the DNS server to use. DHCP tells clients what IP address to take, where to ask for DNS services and what gateway to use. Sounds like your DHCP setup is missing the DNS part or else is giving out an IP that is not your pihole server.

    But may I ask another question? Why go to all the hassle of using pihole and having to fight with DNS? Just put an ad block plugin on your browsers. I use uBlock Origin on Chrome and I see zero ads of any type on web sites I visit, and I don't have to monkey around with DNS. There are also uBlock Origin clients for other browsers. Same with YouTube videos. I have a YouTube ad blocker and never see any ads on YouTube (nor Facebook). Maybe if your browsing is primarily from mobile devices instead of PCs, then pihole might be needed (as the ad block clients for mobile devices are sparse). I personally detest using a mobile device for general web browsing (the screen is too small and you have to scroll most web sites for 10 miles to see all the content).

    If you still want to use pihole, then you need to make sure that server's IP address is handed to all clients in your network for them to use as the DNS server. Typically that is handled by properly configuring whatever is providing DHCP on your network. Of course you can also manually assign the DNS server IP address.

    pfSense is providing DHCP, so it should be handing out pihole's IP address.



  • @mlaustin said in pihole on unraid not blocking ads with pfsense:

    pfSense is providing DHCP, so it should be handing out pihole's IP address.

    OK, but make sure that within the DHCP settings in pfSense you have specifically specified your pihole server's IP address for DNS. The default for pfSense will be to send the firewall's address to clients for use as the DNS server. Configure your settings as @johnpoz suggested. You don't have to have pihole on bare metal or in a DMZ, though. Just make sure within the pfSense DHCP settings for all of your local firewall interfaces that pfSense is configured to tell your network clients to use pihole for DNS.



    Thanks for the quick responses. Ok, I did uncheck the box that @johnpoz suggested within pihole. I did not have the pihole IP under DNS servers within DHCP, as it states below it will use the default servers under general setup, which is where I have pihole specified. So I assumed it would issue that out via DHCP. By adding the DNS in DHCP, the pihole address is now delivered on refresh. And instantly sites that were not working are working. So hopefully I have resolved this issue.

    Let me ask a follow up question to some other settings. Do I still need to have pihole as the only listed DNS server under general setup? Or can I remove it now that it is in DHCP setting and just use backup DNS servers there (or can leave it as well as add backup servers)? Also within that same area, can I now check this box "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" which will add the localhost 127.0.0.1 as a DNS server? One more thing, within DNS resolver do I still need to check "Enable Forwarding Mode"?


  • LAYER 8 Global Moderator

    You would not have pihole set up anywhere in pfsense other than in the dhcpd handing out to clients. Pfsense ONLY points to itself, which resolves (out of the box config).

    Pihole FORWARDS to pfsense IP, which then resolves.

    clients ONLY ask pihole, pihole ONLY forwards to pfsense. Pfsense then resolves anything it gets asked.. Pihole will not forward to pfsense stuff that it blocks.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    You would not have pihole set up anywhere in pfsense other than in the dhcpd handing out to clients. Pfsense ONLY points to itself, which resolves (out of the box config).

    Pihole FORWARDS to pfsense IP, which then resolves.

    clients ONLY ask pihole, pihole ONLY forwards to pfsense. Pfsense then resolves anything it gets asked.. Pihole will not forward to pfsense stuff that it blocks.

    I want to make sure I understand this correctly. Because in pihole, I have the DNS servers set for Cloudflare. I don't have any DNS servers set up in pfsense other than pihole. So should I then remove the DNS servers from pihole and put Cloudflare as DNS in pfsense? Then I'm guessing I would put pfSense's IP address in pihole. So it goes something like this: DHCP DNS -> pihole -> pfsense -> pfSense DNS.



  • @mlaustin

    You essentially have two options:

    A. Use pfSense as a DNS Resolver:

    1. No need to add any Additional DNS Servers under General Setup in pfSense
    2. Under DNS Resolver settings in pfSense, make sure DNSSEC is enabled and forwarding mode is disabled (unchecked)
    3. Pi-hole needs to be setup to forward its DNS traffic to pfSense.
    4. If you have DNS mappings (Host Overrides) in pfSense you'll want to uncheck "Never forward reverse lookups for private IP ranges" under Pi-hole's DNS settings.
    5. Make sure your clients DNS points to Pi-Hole

    B. Use pfSense as the DNS Forwarder to Cloudflare (i.e. Cloudflare is the DNS Resolver):

    1. Add the IPs of Cloudflare's DNS servers under General Setup in pfSense.
    2. Under DNS Resolver settings in pfSense, you can disable DNSSEC if you want (because pfSense is now just forwarding requests and not resolving them) and make sure that forwarding mode is enabled (checked).
    3. Steps 3 to 5 remain the same.

    One other thing you can also think about doing is setting up NAT Redirection rules to make sure that DNS traffic that is not bound for Pi-hole is redirected to go through Pi-hole (so nothing can circumvent it). This is useful in situations where devices may have their DNS server settings hard-coded; I've seen some IoT devices behave like this.

    Hope this helps.
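As an added illustration (not code from this thread, from Pi-hole or from pfSense), here is a small Python checker for two things raised above: kom's pointer to look for gravity block entries in /var/log/pihole.log, and tman222's option A, where every query should reach Pi-hole directly from a client and Pi-hole should forward only to pfSense. The log lines are a constructed sample in dnsmasq's log format; the gateway 10.0.0.1 and Pi-hole 10.0.0.22 come from the thread, the client addresses 10.0.0.50/51 are assumed.

```python
"""Read a Pi-hole query log and flag the symptoms discussed in the thread:
queries arriving from the gateway instead of from clients (DHCP not handing
out Pi-hole), no gravity blocks at all, and forwarding to an upstream other
than pfSense (option A expects pfSense to be Pi-hole's only upstream)."""
import re
import sys
from collections import Counter

# Regexes for the dnsmasq lines Pi-hole writes (assumption: this format).
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")
# Older Pi-hole logs "/etc/pihole/gravity.list X is 0.0.0.0", newer "gravity blocked X is 0.0.0.0".
BLOCK_RE = re.compile(r"(?:gravity blocked|/etc/pihole/gravity\.list) (\S+) is (\S+)")

# Constructed sample: two queries relayed by the gateway 10.0.0.1, two from
# clients asking Pi-hole directly, and Pi-hole still forwarding to Cloudflare.
SAMPLE_LOG = """\
Mar  3 09:00:01 dnsmasq[455]: query[A] www.example.com from 10.0.0.1
Mar  3 09:00:01 dnsmasq[455]: forwarded www.example.com to 1.1.1.1
Mar  3 09:00:01 dnsmasq[455]: reply www.example.com is 203.0.113.10
Mar  3 09:00:02 dnsmasq[455]: query[A] adservice.google.com from 10.0.0.1
Mar  3 09:00:02 dnsmasq[455]: gravity blocked adservice.google.com is 0.0.0.0
Mar  3 09:00:05 dnsmasq[455]: query[A] doubleclick.net from 10.0.0.50
Mar  3 09:00:05 dnsmasq[455]: /etc/pihole/gravity.list doubleclick.net is 0.0.0.0
Mar  3 09:00:07 dnsmasq[455]: query[AAAA] www.example.com from 10.0.0.51
Mar  3 09:00:07 dnsmasq[455]: cached www.example.com is 203.0.113.10
"""


def parse_log(text):
    """Return (kind, domain, peer) tuples for query/forwarded/blocked lines."""
    events = []
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            events.append(("query", m.group(2), m.group(3)))
        elif m := FORWARD_RE.search(line):
            # dnsmasq appends "#port" for non-standard upstream ports; drop it.
            events.append(("forwarded", m.group(1), m.group(2).split("#")[0]))
        elif m := BLOCK_RE.search(line):
            events.append(("blocked", m.group(1), m.group(2)))
    return events


def summarize(events, gateway_ip, expected_upstream):
    """Aggregate the events and return counters plus a list of findings."""
    queries = [e for e in events if e[0] == "query"]
    clients = Counter(peer for _, _, peer in queries)
    upstreams = Counter(peer for kind, _, peer in events if kind == "forwarded")
    blocked = sum(1 for e in events if e[0] == "blocked")
    from_gw = clients.get(gateway_ip, 0)
    findings = []
    if queries and from_gw == len(queries):
        findings.append(f"all {from_gw} queries come from the gateway {gateway_ip}: "
                        "DHCP is not handing clients the Pi-hole address")
    elif from_gw:
        findings.append(f"{from_gw} of {len(queries)} queries come from the gateway "
                        f"{gateway_ip}: some clients still resolve via pfSense first")
    if queries and blocked == 0:
        findings.append("no gravity blocks seen: the blocklist is not answering anything")
    wrong = sorted(u for u in upstreams if u != expected_upstream)
    if wrong:
        findings.append(f"Pi-hole forwards to {', '.join(wrong)}; in option A its only "
                        f"upstream should be pfSense at {expected_upstream}")
    return {"queries": len(queries), "from_gateway": from_gw, "clients": sorted(clients),
            "blocked": blocked, "forwarded": sum(upstreams.values()),
            "upstreams": dict(upstreams), "findings": findings}


if __name__ == "__main__":
    # Usage: python check_pihole_log.py [/var/log/pihole.log]; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = summarize(parse_log(text), gateway_ip="10.0.0.1", expected_upstream="10.0.0.1")
    for key, value in result.items():
        print(f"{key}: {value}")
```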



  • @tman222

    Thanks. Both scenarios worked out. I will use scenario A.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    I have been running pihole for quite some time... This is how I set it up... I have pihole running on an actual pi in my dmz network 192.168.3/24

    All clients point to pihole directly via setting dhcpd on pfsense to hand this out. pihole then forwards to pfsense.. Pfsense then "RESOLVES" using dnssec.

    This allows me, if I want, to just ask the pfsense IP directly for something if I don't want to be blocked by pihole's list. If I want a device to not use pihole, I just set up that device to use pfsense for dns.

    On pihole I just set it to forward PTRs for rfc1918, ie uncheck
    "Never forward reverse lookups for private IP ranges"

    This requires min config on both unbound and pihole. No need to setup any conditional forwards, still get to "resolve" and use dnssec per setting on unbound. And also host overrides set on unbound work, etc.

    John, would you one day be able to do a step by step on how you got it working like that? It sounds perfect for what I am wanting to do. I sometimes find pfsense quite complicated 90% of the time.


  • LAYER 8 Global Moderator

    I kind of just did, when I told you how I have it setup.. Didn't I.. What step is missing there ;)



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    I kind of just did, when I told you how I have it setup.. Didn't I.. What step is missing there ;)

    Never mind, thanks anyway.


  • LAYER 8 Global Moderator

    Do you need a picture on how to setup dhcp to point to the pihole IP? Do you need picture on how to setup pihole to point to pfsense IP? Just a bit confused to what other info you would need?



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    Do you need a picture on how to setup dhcp to point to the pihole IP? Do you need picture on how to setup pihole to point to pfsense IP? Just a bit confused to what other info you would need?

    Not really a picture, though it might help. I know you told us what you have set up, I just wouldn't know how to set it up this way. I was hoping you could give a rundown and the settings you changed to achieve this.


  • LAYER 8 Global Moderator

    Again - already did..

    You set dhcp server in pfsense to point to pihole IP.
    You set pihole to forward to pfsense IP..

    What else is there to know?

    Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff, and resolves public stuff and answers back to pihole, which sends it back to client.

    One thing I would do is let pihole do PTR.. So uncheck
    "Never forward reverse lookups for private IP ranges"



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    Again - already did..

    You set dhcp server in pfsense to point to pihole IP.
    You set pihole to forward to pfsense IP..

    What else is there to know?

    Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff back to pihole, which sends it back to client.

    One thing I would do is let pihole do PTR.. So uncheck
    "Never forward reverse lookups for private IP ranges"

    So

    System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)
    now on pihole
    Upstream DNS Servers
    points to pfsense 10.0.0.1

    Never forward non-FQDNs
    Never forward reverse lookups for private IP ranges
    Use DNSSEC
    All ticked?

    Can't seem to find PTR in the dns options unless Never forward reverse lookups for private IP ranges is it?


  • LAYER 8 Global Moderator

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)

    Nowhere did I say anything about that??

    You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.

    never forward non-fqdn - checked!
    never private - unchecked
    use dnssec - uncheck, it's POINTLESS on a forwarder.. Pointless!! Unbound will do your dnssec for you out of the box.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)

    Nowhere did I say anything about that??

    You don't do anything to unbound, or pfsense other than change the IP that gets handed to clients in the dhcp server settings.

    Sorry, you are correct, I misread. Are the others correct?



  • @johnpoz So

    Services > DHCP Server > LAN > Servers

    DNS servers = 10.0.0.22?


  • LAYER 8 Global Moderator

    Exactly..

    Now was that hard ;)

    See my edit on the checkboxes.. The only thing pfsense should point to for dns is itself, 127.0.0.1.. Unbound out of the box will resolve and use dnssec.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    Exactly..

    Now was that hard ;)

    Thank you.

    last few questions if you don't mind.

    in resolver

    DNSSEC is ticked
    is any of the others ticked at all?
    DNS Query Forwarding etc..

    also in General Setup do you tick or untick
    DNS Server Override
    Disable DNS Forwarder

    Now I know you never said anything about General Setup, I just don't want a wrong setup in here.

    Which dns do you use, John? I've been using quad9.


  • LAYER 8 Global Moderator

    If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

    So unchecked..

    If you check disable forward/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

    In unbound, no, forwarding is not checked.. It resolves out of the box. Yes you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise these 60-second TTLs some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

    So unchecked..

    If you check disable forward/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

    In unbound, no, forwarding is not checked.. It resolves out of the box. Yes you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise these 60-second TTLs some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.

    Thanks, and yes, I don't understand what that means so I'll leave that be.

    As for the dns I want to use, do I add that in General Setup? I think I've had it wrongly set up for years, I had it in the dhcp part ☹



    Also you said you can bypass pihole. If I wanted to do that for 10.0.0.20 and 10.0.0.22, would that be in pfsense or pihole settings?


  • LAYER 8 Global Moderator

    You would do that on the client :) via a dig or nslookup calling out pfsense IP.

    Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.


  • LAYER 8 Global Moderator

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    As for the dns I want to use, do I add that in General Setup?

    No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    As for the dns I want to use, do I add that in General Setup?

    No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.

    Where would you put dns? (9.9.9.9? I'm lost now.)

    @johnpoz said in pihole on unraid not blocking ads with pfsense:

    You would do that on the client :) via a dig or nslookup calling out pfsense IP.

    Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.

    Hmmm? Sounds very complicated, I'll leave that for another day.


  • LAYER 8 Global Moderator

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    Where would you put dns? (9.9.9.9? I'm lost now.)

    You wouldn't!!! what would be the freaking point of that?

    So you want clients to ask pihole, and then pihole to ask pfsense (Only for local stuff) and then forward to 9.9.9.9?? Sure you could do that... If you're going to do that, might as well just take pfsense out of the equation and let pihole be your dhcp so it can resolve your local clients, and take pfsense out of it for dns/dhcp.

    But now you're forwarding - not resolving.



  • @johnpoz said in pihole on unraid not blocking ads with pfsense:

    @X2LR said in pihole on unraid not blocking ads with pfsense:

    Where would you put dns? (9.9.9.9? I'm lost now.)

    You wouldn't!!! what would be the freaking point of that?

    Okay, I don't understand this at all then.

    This is what I thought would happen.

    Quad 9 would be my dns
    Pihole would just remove ads and block sites.

    I am clearly misunderstanding this big time.


  • LAYER 8 Global Moderator

    See my edit... If all you want is quad9 as your dns.. Just have pihole forward to it.. Why would you need pfsense in the mix..

    Nowhere in my discussion of how I am set up did I ever mention pfsense not resolving.. No external name services are needed, or desired if you ask me. If you want pfsense to forward to quad9, then sure you can do that - but you don't need dnssec checked on unbound then... If you forward - dnssec is POINTLESS!! Only a resolver can do anything with dnssec.

