pihole on unraid not blocking ads with pfsense
-
Hi All,
I have pihole as a docker on my unraid box. Pfsense is running as a vm on unraid. I cannot get pihole to block ads. I see queries going through but no blocking. DNS resolver is enabled under all of these (with dnssec, dhcp registration, and static dhcp checked). I've tried the following.
- In general setup, pihole as the dns server (pihole configured for cloudflare)
- In general setup, pihole as the dns server, and also under dhcp server pihole as the dns (pihole configured for cloudflare)
- pihole pointing to ip of pfsense and pfsense dns in general setup pointing to pihole
- pfsense having cloudflare as dns under general and dhcp server dns pointing to pihole
- under dns resolver, dns forwarding mode enabled; it worked at first then blocked everything
I'm at a loss at this point on what to do. Does anyone have any suggestions? I don't want to use pfblockeringng as pfsense is running under a vm and don't want to tax it.
-
@mlaustin Hard to believe that pihole is not blocking ads. You should see in /var/log/pihole.log entries from gravity.list blocking adservice.google.com.
Are you saying that you see pihole resolving adservice.google.com in /var/log/pihole.log when you google?
-
I'm saying that it is almost as if it is not working properly. When I manually set my computers DNS to pihole, it works. Through pfsense, it does not. When I say working, I guess I am referring to it is not blocking any DNS searches as it is my only DNS server on the network using Cloudflare. Perhaps that was not the right way to say it.
-
@mlaustin Your pihole isn't working because your DNS Resolver isn't asking it. Resolver talks to the root hosts directly. It doesn't forward DNS requests by default. You either need to disable DNS Resolver and instead enable DNS Forwarder, or modify your DNS Resolver config to make it act as a forwarder via DNS Query Forwarding - Enable Forwarding Mode. Then make sure your pihole IP address is the only DNS server listed under System - General Setup - DNS Server Settings.
-
@mlaustin said in pihole on unraid not blocking ads with pfsense:
I'm saying that it is almost as if it is not working properly. When I manually set my computers DNS to pihole, it works. Through pfsense, it does not. When I say working, I guess I am referring to it is not blocking any DNS searches as it is my only DNS server on the network using Cloudflare. Perhaps that was not the right way to say it.
Why not just setup Cloudflare on the pihole host? I only use pfSense dns resolver as conditional forwarding to local domain name.
-
@kom said in pihole on unraid not blocking ads with pfsense:
@mlaustin Your pihole isn't working because your DNS Resolver isn't asking it. Resolver talks to the root hosts directly. It doesn't forward DNS requests by default. You either need to disable DNS Resolver and instead enable DNS Forwarder, or modify your DNS Resolver config to make it act as a forwarder via DNS Query Forwarding - Enable Forwarding Mode. Then make sure your pihole IP address is the only DNS server listed under System - General Setup - DNS Server Settings.
I had enable forwarding mode checked, and pihole worked for a bit. Then I was not able to resolve any domains after some time period (less than couple of hours). In general setup under DNS, I had the pihole IP and the 127.x.x.x address (disable dns forwarding is unchecked in general setup). Could that have caused DNS queries to show web sites as not being able to be reached?
-
I don't know why you would need 127.0.0.1 in General Settings - DNS Servers. I would also block DNS at the LAN level and redirect all DNS traffic to pfSense.
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense
I don't have a quick answer as to why your lookups fail after time. Check your logs when it starts acting up.
-
I actually recently setup pi-hole as well and it's working great together with pfSense. I run pfSense on a baremetal 1U server, but pi-hole is running inside a Linux VM on Proxmox on my network. Here's how I have things setup:
Clients (generate DNS request) --> pi-hole (blocks or forwards DNS request) --> pfSense (returns IP if cached or forwards DNS request) --> upstream DNS (resolves DNS request).
Inside pi-hole I have the upstream DNS server set as pfSense and I have DNSSEC and DNS caching disabled (since pfSense caches DNS requests and latency between pi-hole and pfsense is negligible, i.e. < 1ms). Inside pfSense, under general setup, I have 127.0.0.1 and upstream DNS servers set. I also have some NAT redirection rules set up to make sure that no devices can bypass pi-hole (e.g. some IoT devices can have hard coded DNS settings).
Overall, this setup is performing well and I'm now slowly rolling it out to my entire network of devices.
-
So I seem to have this working now. In general setup, I checked the box for disable dns forwarder, which removed the dns server entry of 127.0.0.1. DNS Resolver is enabled with DNSSEC and DNS Query Forwarding. Pihole is set with Cloudflare as the DNS servers. And pfSense is set with Pihole as the DNS server and the only server. Thanks for everyone's help.
-
I thought I'd give an update. For the most part, this setup has been working. However I am getting some domains blocked. When I go into pihole via command line to whitelist, pihole says the domain is not blocked. So pfsense must be blocking it. Also wanted to mention that pfsense is not giving pihole's IP address to my clients. The clients show the router and dns server as the same IP address vs pfsense as the router and pihole as the dns. What could be the problem?
-
@mlaustin said in pihole on unraid not blocking ads with pfsense:
I thought I'd give an update. For the most part, this setup has been working. However I am getting some domains blocked. When I go into pihole via command line to whitelist, pihole says the domain is not blocked. So pfsense must be blocking it. Also wanted to mention that pfsense is not giving pihole's IP address to my clients. The clients show the router and dns server as the same IP address vs pfsense as the router and pihole as the dns. What could be the problem?
I suspect the answer is very simple. Whatever device is providing DHCP on your network needs to also be providing clients your pihole server's IP as the DNS server to use. DHCP tells clients what IP address to take, where to ask for DNS services and what gateway to use. Sounds like your DHCP setup is missing the DNS part or else is giving out an IP that is not your pihole server.
But may I ask another question? Why go to all the hassle of using pihole and having to fight with DNS? Just put an ad block plugin on your browsers. I use uBlock Origin on Chrome and I see zero adds of any type on web sites I visit, and I don't have to monkey around with DNS. There are also uBlock Origin clients for other browsers. Same with YouTube videos. I have a YouTube ad blocker and never see any ads on YouTube (nor Facebook). Maybe if your browsing is primarily from mobile devices instead of PCs, then pihole might be needed (as the ad block clients for mobile devices are sparse). I personally detest using a mobile device for general web browsing (the screen is too small and you have to scroll most web sites for 10 miles to see all the content).
If you still want to use pihole, then you need to make sure that server's IP address is handed to all clients in your network for them to use as the DNS server. Typically that is handled by properly configuring whatever is providing DHCP on your network. Of course you can also manually assign the DNS server IP address.
-
I have been running pihole for quite some time... This is how I set it up... I have pihole running on on an actual pi In my dmz network 192.168.3/24
All clients point to pihole directly via setting dhcpd on pfsense to hand this out. pihole then forwards to pfsense.. Pfsense then "RESOLVES" using dnssec.
This allows me if I want to just ask pfsense IP directly for something if I don't want to be be blocked by piholes list. If I want a device to not use pihole, i just setup that device to use pfsense for dns.
On pihole I just set it to foward PTRs for rfc1918, ie uncheck
"Never forward reverse lookups for private IP ranges"This requires min config on both unbound and pihole. No need to setup any conditional forwards, still get to "resolve" and use dnssec per setting on unbound. And also host overrides set on unbound work, etc.
-
@bmeeks said in pihole on unraid not blocking ads with pfsense:
@mlaustin said in pihole on unraid not blocking ads with pfsense:
I thought I'd give an update. For the most part, this setup has been working. However I am getting some domains blocked. When I go into pihole via command line to whitelist, pihole says the domain is not blocked. So pfsense must be blocking it. Also wanted to mention that pfsense is not giving pihole's IP address to my clients. The clients show the router and dns server as the same IP address vs pfsense as the router and pihole as the dns. What could be the problem?
I suspect the answer is very simple. Whatever device is providing DHCP on your network needs to also be providing clients your pihole server's IP as the DNS server to use. DHCP tells clients what IP address to take, where to ask for DNS services and what gateway to use. Sounds like your DHCP setup is missing the DNS part or else is giving out an IP that is not your pihole server.
But may I ask another question? Why go to all the hassle of using pihole and having to fight with DNS? Just put an ad block plugin on your browsers. I use uBlock Origin on Chrome and I see zero adds of any type on web sites I visit, and I don't have to monkey around with DNS. There are also uBlock Origin clients for other browsers. Same with YouTube videos. I have a YouTube ad blocker and never see any ads on YouTube (nor Facebook). Maybe if your browsing is primarily from mobile devices instead of PCs, then pihole might be needed (as the ad block clients for mobile devices are sparse). I personally detest using a mobile device for general web browsing (the screen is too small and you have to scroll most web sites for 10 miles to see all the content).
If you still want to use pihole, then you need to make sure that server's IP address is handed to all clients in your network for them to use as the DNS server. Typically that is handled by properly configuring whatever is providing DHCP on your network. Of course you can also manually assign the DNS server IP address.
pfSense is providing DHCP, so it should be handing out pihole's IP address.
-
@mlaustin said in pihole on unraid not blocking ads with pfsense:
pfSense is providing DHCP, so it should be handing out pihole's IP address.
OK, but make sure that within the DHCP settings in pfSense you have specifically specified your pihole server's IP address for DNS. The default for pfSense will be to send the firewall's address to clients for use as the DNS server. Configure your settings as @johnpoz suggested. You don't have to have pihole on bare metal or in a DMZ, though. Just make sure within the pfSense DHCP settings for all of your local firewall interfaces that pfSense is configured to tell your network clients to use pihole for DNS.
-
Thanks for the quick responses. Ok, I did uncheck the box the @johnpoz suggested within pihole. I did not have the pihole IP under DNS servers within DHCP as it states below it will use the default servers under general setup, which is where I have pihole specified. So I assumed it would issue that out as the DHCP. By adding the DNS in DHCP, the pihole address is now delivered on refresh. And instantly sites that were not working are working. So hopefully I have resolved this issue.
Let me ask a follow up question to some other settings. Do I still need to have pihole as the only listed DNS server under general setup? Or can I remove it now that it is in DHCP setting and just use backup DNS servers there (or can leave it as well as add backup servers)? Also within that same area, can I now check this box "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" which will add the localhost 127.0.0.1 as a DNS server? One more thing, within DNS resolver do I still need to check "Enable Forwarding Mode"?
-
You would not have pihole setup anywhere in pfsense other then in the dhcpd handing out to clients. Pfsense ONLY points to itself which resolves (out of the box config).
Pihole FORWARDS to pfsense IP, which then resolves.
clients ONLY ask pihole, pihole ONLY forwards to pfsense. Pfsense then resolves anything it gets asks.. Pihole will not forward to pfsense stuff that it blocks.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
You would not have pihole setup anywhere in pfsense other then in the dhcpd handing out to clients. Pfsense ONLY points to itself which resolves (out of the box config).
Pihole FORWARDS to pfsense IP, which then resolves.
clients ONLY ask pihole, pihole ONLY forwards to pfsense. Pfsense then resolves anything it gets asks.. Pihole will not forward to pfsense stuff that it blocks.
I want to make sure I understand this correctly. Because in phole, I have the DNS servers set for cloudflare. I don't have any DNS servers setup in pfsense other than pihole. So should I then remove the DNS servers from phole and put cloudflare as DNS in pfsense? Then I'm guessing I would put pfSense's IP address in pihole. So it goes something like this, DHCP DNS -> pihole -> pfsense -> pfSense DNS.
-
You essentially have two options:
A. Use pfSense as a DNS Resolver:
- No need to add any Additional DNS Servers under General Setup in pfSense
- Under DNS Resolver settings in pfSense, make sure DNSSEC is enabled and forwarding mode is disabled (unchecked)
- Pi-hole needs to be setup to forward its DNS traffic to pfSense.
- If you have DNS mappings (Host Overrides) in pfSense you'll want to uncheck "Never forward reverse lookups for private IP ranges" under Pi-hole's DNS settings.
- Make sure your clients DNS points to Pi-Hole
B. Use pfSense as the DNS Forwarder to Cloudflare (i.e. Cloudflare is the DNS Resolver):
- Add the IP's of Cloudflare's DNS servers under General Setup in pfSense.
- Under DNS Resolver settings in pfSense, you can disable DNSSEC if you want (because pfSense is now just forwarding requests and not resolving them) and make sure that forwarding mode is enabled (checked).
- to 5) remain the same.
One other thing you can also think about doing is setting up NAT Redirection rules to make sure that DNS traffic that is not bound for Pi-hole is then redirected to go through Pi-hole (so nothing can circumvent it). This is useful in situations where devices may have their DNS server settings hard coded - I've seen some IoT devices behave like this.
Hope this helps.
-
Thanks. Both scenarios worked out. I will use scenario A.
-
@johnpoz said in pihole on unraid not blocking ads with pfsense:
I have been running pihole for quite some time... This is how I set it up... I have pihole running on on an actual pi In my dmz network 192.168.3/24
All clients point to pihole directly via setting dhcpd on pfsense to hand this out. pihole then forwards to pfsense.. Pfsense then "RESOLVES" using dnssec.
This allows me if I want to just ask pfsense IP directly for something if I don't want to be be blocked by piholes list. If I want a device to not use pihole, i just setup that device to use pfsense for dns.
On pihole I just set it to foward PTRs for rfc1918, ie uncheck
"Never forward reverse lookups for private IP ranges"This requires min config on both unbound and pihole. No need to setup any conditional forwards, still get to "resolve" and use dnssec per setting on unbound. And also host overrides set on unbound work, etc.
John would you one day be able to do a step by step on how you got it working like that sounds perfect with what i am wanting to do. I sometimes find pfsense quite complicated 90% of the time.