Netgate Discussion Forum

    pihole on unraid not blocking ads with pfsense

    Category: DHCP and DNS
    • x2rlX Offline
      x2rl @johnpoz
      last edited by x2rl

      @johnpoz said in pihole on unraid not blocking ads with pfsense:

      Do you need a picture on how to setup dhcp to point to the pihole IP? Do you need picture on how to setup pihole to point to pfsense IP? Just a bit confused to what other info you would need?

      Not really a picture, though it might help. I know you told us what you have set up, I just wouldn't know how to set it up this way. I was hoping you could give a rundown and the settings you did to achieve this.

      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        Again - already did..

        You set dhcp server in pfsense to point to pihole IP.
        You set pihole to forward to pfsense IP..

        What else is there to know?

        Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff, and resolves public stuff and answers back to pihole, which sends it back to client.

        One thing I would do is let pihole do PTR.. So uncheck
        "Never forward reverse lookups for private IP ranges"

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • x2rlX Offline
          x2rl @johnpoz
          last edited by

          @johnpoz said in pihole on unraid not blocking ads with pfsense:

          Again - already did..

          You set dhcp server in pfsense to point to pihole IP.
          You set pihole to forward to pfsense IP..

          What else is there to know?

          Clients now ask pihole, stuff that is not blocked gets forwarded to pfsense. It answers for local stuff back to pihole, which sends it back to client.

          One thing I would do is let pihole do PTR.. So uncheck
          "Never forward reverse lookups for private IP ranges"

          So

          System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)
          now on pihole
          Upstream DNS Servers
          points to pfsense 10.0.0.1

          Never forward non-FQDNs
          Never forward reverse lookups for private IP ranges
          Use DNSSEC
          All ticked?

          Can't seem to find PTR in the dns options, unless "Never forward reverse lookups for private IP ranges" is it?

          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            @X2LR said in pihole on unraid not blocking ads with pfsense:

            System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)

            Nowhere did I say anything about that??

            You don't do anything to unbound, or pfsense, other than change the IP that gets handed to clients in the dhcp server settings.

            never forward non-fqdn - checked!
            never private - unchecked
            use dnssec - unchecked, it's POINTLESS on a forwarder.. Pointless!! Unbound will do your dnssec for you out of the box.

            • x2rlX Offline
              x2rl @johnpoz
              last edited by johnpoz

              @johnpoz said in pihole on unraid not blocking ads with pfsense:

              @X2LR said in pihole on unraid not blocking ads with pfsense:

              System > General Setup > DNS Servers: 10.0.0.22 (which is my pihole)

              Nowhere did I say anything about that??

              You don't do anything to unbound, or pfsense, other than change the IP that gets handed to clients in the dhcp server settings.

              Sorry, you are correct, I misread. Are the others correct?

              • x2rlX Offline
                x2rl @johnpoz
                last edited by

                @johnpoz So

                Services > DHCP Server > LAN > Servers

                DNS servers = 10.0.0.22?

                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  Exactly..

                  Now was that hard ;)

                  See my edit on the checkboxes.. The only thing pfsense should point to for dns is itself, 127.0.0.1.. Unbound out of the box will resolve and use dnssec.

                  • x2rlX Offline
                    x2rl @johnpoz
                    last edited by

                    @johnpoz said in pihole on unraid not blocking ads with pfsense:

                    Exactly..

                    Now was that hard ;)

                    Thank you.

                    Last few questions, if you don't mind.

                    In resolver:

                    DNSSEC is ticked.
                    Are any of the others ticked at all?
                    DNS Query Forwarding etc..

                    Also in General Setup, do you tick or untick
                    DNS Server Override
                    Disable DNS Forwarder

                    Now I know you never said anything about General Setup, I just don't want a wrong setup in here.

                    Which dns do you use, John? I've been using quad9.

                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

                      So unchecked..

                      If you check disable forwarder/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

                      In unbound, no, forwarding is not checked.. It resolves out of the box. Yes, you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise the 60 second ttl some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.

                      • x2rlX Offline
                        x2rl @johnpoz
                        last edited by

                        @johnpoz said in pihole on unraid not blocking ads with pfsense:

                        If unbound is resolving you have little reason to allow for dhcp of pfsense wan to set dns for pfsense..

                        So unchecked..

                        If you check disable forwarder/resolver - how would pfsense resolve anything for itself? Since that just removes pointing to 127.0.0.1 for pfsense.

                        In unbound, no, forwarding is not checked.. It resolves out of the box. Yes, you would leave dnssec checked if you want it checking for that. That is up to you.. As to other settings in unbound.. I personally use cache prefetch and serve ttl 0, but those have nothing to do with who is asking, be it pihole or normal clients, etc. I also set min TTL of 3600.. Only because I despise the 60 second ttl some sites use.. Have seen zero issues with doing that, but I wouldn't suggest you do anything like that unless you fully understand what it means.

                        Thanks, and yes, I don't understand what that means so I'll leave that be.

                        As for the dns I want to use, do I add that in General Setup? I think I've had it wrongly set up for years, I had it in the dhcp part ☹

                        • x2rlX Offline
                          x2rl
                          last edited by

                          Also, you said you can bypass pihole. If I wanted to do that for 10.0.0.20 and 10.0.0.22, would that be in pfsense or pihole settings?

                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            You would do that on the client :) via a dig or nslookup calling out pfsense IP.

                            Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.

                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @x2rl
                              last edited by

                              @X2LR said in pihole on unraid not blocking ads with pfsense:

                              As for dns i want to use i add that in General Setup?

                              No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.

                              • x2rlX Offline
                                x2rl @johnpoz
                                last edited by x2rl

                                @johnpoz said in pihole on unraid not blocking ads with pfsense:

                                @X2LR said in pihole on unraid not blocking ads with pfsense:

                                As for dns i want to use i add that in General Setup?

                                No... You don't put anything in general setup on pfsense.. Pfsense only ever needs to ask itself.. Nothing goes in general setup on pfsense. That is the whole point of unbound resolving.

                                Where would you put dns? (9.9.9.9? I'm lost now.)

                                @johnpoz said in pihole on unraid not blocking ads with pfsense:

                                You would do that on the client :) via a dig or nslookup calling out pfsense IP.

                                Or sure, if you don't want client X using pihole, then set up a dhcp reservation for them and have it just ask pfsense directly via dhcp settings. Or you could do it on the client directly via static settings.

                                Hmmm? Sounds very complicated, I'll leave that for another day.

                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  @X2LR said in pihole on unraid not blocking ads with pfsense:

                                  Where would you put dns? (9.9.9.9? I'm lost now.)

                                  You wouldn't!!! What would be the freaking point of that?

                                  So you want clients to ask pihole, and then pihole to ask pfsense (only for local stuff) and then forward to 9.9.9.9?? Sure you could do that... If you're going to do that, you might as well just take pfsense out of the equation and let pihole be your dhcp so it can resolve your local clients, and take pfsense out of it for dns/dhcp.

                                  But now you're forwarding - not resolving.

                                  • x2rlX Offline
                                    x2rl @johnpoz
                                    last edited by

                                    @johnpoz said in pihole on unraid not blocking ads with pfsense:

                                    @X2LR said in pihole on unraid not blocking ads with pfsense:

                                    Where would you put dns? (9.9.9.9? I'm lost now.)

                                    You wouldn't!!! What would be the freaking point of that?

                                    Okay, I don't understand this at all then.

                                    This is what I thought would happen:

                                    Quad9 would be my dns.
                                    Pihole would just remove ads and block sites.

                                    I am clearly misunderstanding this big time.

                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz

                                      See my edit... If all you want is quad9 as your dns.. Just have pihole forward to it.. Why would you need pfsense in the mix..

                                      Nowhere in my discussion of how I am set up did I ever mention pfsense not resolving.. No external name services are needed, or desired if you ask me. If you want pfsense to forward to quad9, then sure you can do that - but you don't need dnssec checked on unbound then... If you forward - dnssec is POINTLESS!! Only a resolver can do anything with dnssec.

                                      • x2rlX Offline
                                        x2rl @johnpoz
                                        last edited by

                                        @johnpoz So you don't need any dns if this is the case (3rd party)? I would be using the dns my ISP serves me? Virgin Media? I'm sorry John, I'm nowhere near up to speed with you and I'm sure my questions are frustrating you, I'm sorry... I thought I knew what I was doing, clearly not!

                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by johnpoz

                                          So it seems you do not understand what a resolver is vs a forwarder?

                                          Basic:
                                          A resolver walks down from the roots looking for the authoritative NS for a domain.
                                          resolver -> roots: hey, what is the NS for .com?
                                          resolver -> .com NS: what is the NS for domain.com?
                                          resolver -> domain.com NS: hey, what is the A record for www.domain.com?

                                          Next time someone asks for host.domain.com, if the NS for domain.com is still cached, just ask the ns for domain.com for host.domain.com.

                                          This is how resolving works.. No need for anything set up in pfsense, it knows who the roots are and can glean any other info from there for any other domain you're looking for.

                                          Forwarder.
                                          Hey 1.2.3.4 (some NS) what is A record for www.domain.com

                                          If it does not have this cached already, then it can either resolve, or it might forward to something else.. You really have no idea what it's doing. It could be a resolver, it could be a forwarder, you don't really know. All you know is you ask it for something, and you get an answer. Or you don't.

                                          Does that help? Or does it just make things more confusing?

                                          At some point in the asking for dns there has to be a resolver.. Be it who you're forwarding to, or somewhere upstream of who they forward to, etc. A resolver is what validates dnssec; forwarding to somewhere and asking for dnssec does nothing but add extra traffic for the query. If the resolver anywhere in your path is doing dnssec, and something doesn't pass dnssec, then that info is not going to be passed downstream.

                                          Example.. I ask quad9 for a record that fails dnssec..

                                          Here, see: quad9 does dnssec validation - so if I ask it for a known record that fails dnssec I do not get an answer

                                          $ dig @9.9.9.9 www.dnssec-failed.org
                                          
                                          ; <<>> DiG 9.14.4 <<>> @9.9.9.9 www.dnssec-failed.org
                                          ; (1 server found)
                                          ;; global options: +cmd
                                          ;; Got answer:
                                          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21744
                                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                                          
                                          ;; OPT PSEUDOSECTION:
                                          ; EDNS: version: 0, flags:; udp: 4096
                                          ;; QUESTION SECTION:
                                          ;www.dnssec-failed.org.         IN      A
                                          
                                          ;; Query time: 176 msec
                                          ;; SERVER: 9.9.9.9#53(9.9.9.9)
                                          ;; WHEN: Mon Aug 12 08:09:43 Central Daylight Time 2019
                                          ;; MSG SIZE  rcvd: 50
                                          

                                          But if I ask something that doesn't do dnssec.. Say 4.2.2.2, or even quad9's different address - it gives me an answer even though the dnssec fails, be it I ask for dnssec or not

                                          $ dig @9.9.9.10 www.dnssec-failed.org
                                          
                                          ; <<>> DiG 9.14.4 <<>> @9.9.9.10 www.dnssec-failed.org
                                          ; (1 server found)
                                          ;; global options: +cmd
                                          ;; Got answer:
                                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1233
                                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
                                          
                                          ;; OPT PSEUDOSECTION:
                                          ; EDNS: version: 0, flags:; udp: 4096
                                          ;; QUESTION SECTION:
                                          ;www.dnssec-failed.org.         IN      A
                                          
                                          ;; ANSWER SECTION:
                                          www.dnssec-failed.org.  7200    IN      A       68.87.109.242
                                          www.dnssec-failed.org.  7200    IN      A       69.252.193.191
                                          
                                          ;; Query time: 145 msec
                                          ;; SERVER: 9.9.9.10#53(9.9.9.10)
                                          ;; WHEN: Mon Aug 12 08:13:04 Central Daylight Time 2019
                                          ;; MSG SIZE  rcvd: 82
                                          

                                          9.9.9.10 is a specific address from quad9 that does not do dnssec validation.

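As an added illustration of the dig test in the post above (this is not code from the thread, pfSense or pihole), here is a stdlib-only Python script that sends the same A query with the EDNS "DNSSEC OK" bit set and classifies the reply: SERVFAIL means a validating resolver withheld the bogus answer, NOERROR with records means whatever you asked is not validating (or is forwarding to something that does not). The two embedded responses are constructed to match the quoted dig output so it runs offline; ask() performs the live check against any server you name.

```python
"""Tell a validating resolver from a non-validating forwarder, the way the
dig test above does: query a name whose DNSSEC chain is deliberately broken.
A validator answers SERVFAIL; anything that just hands back the A records is
not validating (or is forwarding to something that does not). Stdlib only."""
import socket
import struct

DO_BIT = 0x8000      # EDNS0 "DNSSEC OK" flag, lives in the OPT record's TTL field
FLAG_AD = 0x0020     # Authenticated Data bit in the DNS header flags
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TEST_NAME = "www.dnssec-failed.org"   # name used in the post; its DNSSEC fails on purpose


def encode_name(name: str) -> bytes:
    """Wire-format name: each label prefixed by its length, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def opt_record(do: bool) -> bytes:
    """EDNS0 OPT pseudo-record: root name, type 41, UDP size 4096, DO bit in TTL."""
    return b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT if do else 0, 0)


def build_query(name: str, qid: int = 0x1234, want_dnssec: bool = True) -> bytes:
    """A-record query with RD set, like dig, plus an OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if want_dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    return header + question + (opt_record(True) if want_dnssec else b"")


def parse_header(resp: bytes) -> dict:
    """The fields dig prints as 'status', 'flags' and 'ANSWER:' from the 12-byte header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD), "answers": an}


def classify(resp: bytes) -> str:
    """What a response for the known-bogus name says about the server that sent it."""
    h = parse_header(resp)
    if h["rcode"] == 2:
        return "validating: bogus data withheld (SERVFAIL)"
    if h["rcode"] == 0 and h["answers"] > 0:
        return "not validating: bogus data returned (NOERROR)"
    return "inconclusive: rcode %s" % RCODE_NAMES.get(h["rcode"], h["rcode"])


def ask(server: str, name: str = TEST_NAME, timeout: float = 3.0) -> bytes:
    """Live UDP query; e.g. classify(ask('9.9.9.9')) vs classify(ask('9.9.9.10'))."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)


# Constructed wire responses mirroring the two dig runs quoted in the post
# (same ids, flags "qr rd ra", answer counts and addresses), so this runs offline.
_QUESTION = encode_name(TEST_NAME) + struct.pack("!HH", 1, 1)
_RR_HEAD = encode_name(TEST_NAME) + struct.pack("!HHIH", 1, 1, 7200, 4)  # A, IN, ttl 7200
SERVFAIL_RESPONSE = (struct.pack("!HHHHHH", 21744, 0x8182, 1, 0, 0, 1)
                     + _QUESTION + opt_record(False))
NOERROR_RESPONSE = (struct.pack("!HHHHHH", 1233, 0x8180, 1, 2, 0, 1) + _QUESTION
                    + _RR_HEAD + bytes([68, 87, 109, 242])
                    + _RR_HEAD + bytes([69, 252, 193, 191]) + opt_record(False))

if __name__ == "__main__":
    for label, resp in (("9.9.9.9", SERVFAIL_RESPONSE), ("9.9.9.10", NOERROR_RESPONSE)):
        print(label, "->", classify(resp))
```

Pointing ask() at the pfSense LAN address shows whether unbound is really resolving and validating, which is the check the thread keeps coming back to.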
                                          • x2rlX Offline
                                            x2rl @johnpoz
                                            last edited by

                                            @johnpoz wow, thank you John. I understand it a lot better now, I think!

                                            So if my dns from my ISP is going into pfsense to be resolved when a domain is asked of it, what happens to the dns they send? Is it just killed off, so to speak, and pfsense takes over?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.