"Proper" Config For DNS pfSense and PI Hole



  • I read a few opinions and posts here and I think I have it correct, so let's call this a sanity check.

    Things I want to work
    -pfSense itself does not need ad blocking internally, so it should not rely on the pi.hole.
    -servers and IoT devices use pfSense as DNS resolver as they also do not benefit from ad blocking, nor do I anticipate that pi.hole stats or graphs would be helpful for these types of devices (not 100% sure on this yet)
    -pfSense should be able to resolve all clients' hostname <> IP address so that the pfSense tools like Traffic Graph correctly list hostnames.
    -clients need to resolve each other, servers, and IoT devices by hostname and by fully qualified name.
    -pi.hole graphs should resolve client to IP correctly so that lists like Top Clients correctly have the hostnames, not the IP addresses.

    pfSense config

    System>General Setup
    hostname and domain name set to rtr and my registered domain name.
    DNS Servers 1.1.1.1 and 1.0.0.1 (edit removed these because as pointed out, they are not required or used)
    DNS Server Override and Disable DNS Forwarder as NOT checked.

    Services>DNS Resolver>General Settings
    unbound DNS resolver is enabled
    DNS Query Forwarding is not enabled
    DHCP Registration is enabled
    Static DHCP Registrations are enabled

    Services>DHCP Server>LAN
    DHCP server is enabled
    DNS server is set to IP address of pi.hole
    DHCP Static Mapping created for each permanent device on my LAN network. These Static Mappings exist whether the device actually uses DHCP or has a hardcoded IP.
    No DNS is specified in each static mapping

    Server and IoT device config
    Static IP and DNS to pfSense directly

    Raspberry.pi
    I have hardcoded IPs and have DNS set to the pfSense IP address.

    pi.hole config
    Upstream DNS is set to the pfSense IP address.
    no other upstream DNS is set.
    never forward non-FQDN is not checked
    never forward reverse lookups for private IP ranges is not checked
    use conditional forwarding is not checked, no IP of the router is entered, nor local domain name.

    Everything seems to work so far.
    Anything back assward or less than ideal?

    feedback is welcome!



  • Hi mervincm,

    I have a similar setup, including IoT hosts that won't benefit from pihole. Here are some details of my setup.

    • created alias 'iot_hosts' and added static IPs

    • created dhcp reservations for iot hosts that won’t allow static ip

    • in unbound checked box to register hostnames of dhcp leases

    • created port forward rule (with automatic fw rule):
      Source: !(not) iot_hosts, Dest: any, Dest Ports: UDP/TCP 53, forward to: pihole

    Above port forward rule forces all hosts (other than ‘iot_hosts’) to use pihole as DNS server.

    • created port forward rule (with automatic fw rule):
      Source: iot_hosts, Dest: any, Dest Ports: UDP/TCP 53, forward to: unbound (LAN IF address)

    Above port forward rule forces all ‘iot_hosts’ to use unbound as DNS server. This prevents iot devices from using hardcoded DNS servers, trying to bypass unbound.

    • modified fw rules to tag DNS packets with ‘NO_WAN_EGRESS’
    • created floating fw rule to stop ‘NO_WAN_EGRESS’ packets from exiting WAN IF.
    • create fw rule to ensure only ‘iot_hosts’ & pihole are allowed to talk to unbound

    Also, if you use unbound you won't need to specify DNS servers in pfSense.
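The two posts above describe a setup that can be checked rather than assumed: the original post wants forward and reverse resolution of every LAN client to work at both pfSense's unbound and the Pi-hole, and the reply above adds port 53 redirects so that a device with a hardcoded public DNS server is still answered locally. The script below is an added example, not code from either poster or from the pfSense or Pi-hole projects. It uses only the Python standard library, builds raw A and PTR queries itself (so it can be pointed at any server IP), and assumes hypothetical addresses: 192.168.1.1 for pfSense, 192.168.1.5 for Pi-hole, a client nas.example.com at 192.168.1.20. The table-backed transport and its entries are constructed sample data for running it offline; on the real LAN, leave `transport` at its default `udp_transport`.

```python
# Added example, not from the thread: stdlib-only DNS checks for the pfSense
# (unbound) + Pi-hole chain. All addresses and names below are hypothetical.
import random, socket, struct

A, PTR = 1, 12  # record types used here

def encode_name(name):  # dotted name -> length-prefixed labels, zero-terminated
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def ptr_name(ip):  # IPv4 address -> in-addr.arpa name for a reverse lookup
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def build_query(name, qtype):  # one recursive (RD=1) question; returns (txid, packet)
    txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack(">HH", qtype, 1)

def read_name(msg, off):  # decode a possibly compressed name; returns (name, offset after it)
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_response(msg, txid):  # returns (rcode, [(name, rtype, value), ...])
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == PTR:
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((name, rtype, value))
        off += rdlen
    return flags & 0x0F, answers

def udp_transport(server, packet, timeout=2.0):  # real transport: one UDP exchange with server:53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def make_table_transport(table):
    """Offline transport answering from a constructed {(server, name, type): value}
    table; unknown questions get NXDOMAIN, as a public resolver does for LAN names."""
    def transport(server, packet):
        txid = struct.unpack(">H", packet[:2])[0]
        qname, off = read_name(packet, 12)
        qtype = struct.unpack(">H", packet[off:off + 2])[0]
        question = packet[12:off + 4]
        value = table.get((server, qname.lower(), qtype))
        if value is None:
            return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
        rdata = bytes(int(o) for o in value.split(".")) if qtype == A else encode_name(value)
        rr = b"\xc0\x0c" + struct.pack(">HHIH", qtype, 1, 60, len(rdata)) + rdata
        return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr
    return transport

def lookup(server, name, qtype, transport=udp_transport):
    txid, packet = build_query(name, qtype)
    return parse_response(transport(server, packet), txid)

def check_host(server, hostname, ip, transport=udp_transport):
    """Do the forward (A) and reverse (PTR) answers for one client agree at this server?"""
    rc_a, fwd = lookup(server, hostname, A, transport)
    rc_p, rev = lookup(server, ptr_name(ip), PTR, transport)
    return {"forward": rc_a == 0 and any(v == ip for _, t, v in fwd if t == A),
            "reverse": rc_p == 0 and any(v.lower() == hostname.lower() for _, t, v in rev if t == PTR)}

def check_dns_redirect(public_server, lan_hostname, lan_ip, transport=udp_transport):
    """Ask a public resolver IP for a LAN-only name: getting the LAN address back means the
    port-53 redirect intercepted the query; an unredirected query would return NXDOMAIN."""
    rc, answers = lookup(public_server, lan_hostname, A, transport)
    return rc == 0 and any(v == lan_ip for _, t, v in answers if t == A)

if __name__ == "__main__":
    # Constructed LAN stand-in; drop the transport argument to query real servers.
    sample = make_table_transport({
        ("192.168.1.1", "nas.example.com", A): "192.168.1.20",
        ("192.168.1.1", "20.1.168.192.in-addr.arpa", PTR): "nas.example.com",
        ("8.8.8.8", "nas.example.com", A): "192.168.1.20"})  # redirect in place
    print(check_host("192.168.1.1", "nas.example.com", "192.168.1.20", sample))
    print(check_dns_redirect("8.8.8.8", "nas.example.com", "192.168.1.20", sample))
```

Run `check_host` once per client against both 192.168.1.1 and 192.168.1.5: a `forward` True with `reverse` False at the Pi-hole is the symptom discussed later in this thread (Pi-hole answering private-range PTR queries itself instead of forwarding them to unbound). `check_dns_redirect` has to be run from a client on the LAN, since the redirect lives in pfSense, not on the Pi-hole.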



  • A couple thoughts from my side - I also use Pi-hole on my network with pfSense DNS sitting directly upstream and acting as DNS resolver.

    1. I see you have added Cloudflare's DNS servers but don't have "DNS Query Forwarding" enabled. Are you planning on running your own DNS resolver or forwarding all your DNS queries to Cloudflare?

    2. Regarding Pi-Hole and IoT, I would actually recommend passing IoT DNS traffic through Pi-Hole as well. While it's true that there is no benefit in terms of ad blocking for these devices, Pi-Hole is useful for more than just ad-blocking - it can become a general DNS filter on your network (e.g. similar to pfBlockerNG). Unless you trust all your IoT and Smart Home devices, it might be interesting to monitor what hosts they are trying to talk to and how often.

    Hope this helps.



  • @tman222

    You are correct that IoT devices can utilise pihole, too. However, I have an internet radio and a Samsung TV.
    The radio alone was doing 80,000+ DNS queries a day. This was messing up pihole stats for me.
    The Samsung TV was very chatty, too.
    I also run unbound in forwarder mode with Cloudflare. I use SSL/TLS for outgoing requests on port 853 to stop my ISP intercepting TLS.
    This has been working very well so far.



    80,000 DNS queries per day from just one device does seem like an awful lot - that's almost 1 per second over a 24 hour period. Are they all legitimate lookups, or is the radio trying to talk to e.g. a tracking or ad server and just getting blocked (i.e. it's just trying over and over to contact the server)?

    I think in general it makes sense to route DNS traffic from IoT devices through Pi-hole at least initially to get a sense of the type of lookups that are being done. Once one is aware of the type of DNS traffic and it looks legitimate then the routing through Pi-hole could be turned off I suppose if there are issues with skewing of statistics, etc. I do concur with the OP's observations that IoT and Smart Home devices are exceptionally chatty.



  • @gcu_greyarea said in "Proper" Config For DNS pfSense and PI Hole:

    Also, if you use unbound you won't need to specify DNS servers in Pfsense.

    Thanks for pointing that out, I removed them from my configuration and edited the top post.



  • @tman222 said in "Proper" Config For DNS pfSense and PI Hole:

    1. I see you have added Cloudflare's DNS servers but don't have "DNS Query Forwarding" enabled. Are you planning on running your own DNS resolver or forwarding all your DNS queries to Cloudflare?

    2. Regarding Pi-Hole and IoT, I would actually recommend passing IoT DNS traffic through Pi-Hole as well. While it's true that there is no benefit in terms of ad blocking for these devices, Pi-Hole is useful for more than just ad-blocking - it can become a general DNS filter on your network (e.g. similar to pfBlockerNG). Unless you trust all your IoT and Smart Home devices, it might be interesting to monitor what hosts they are trying to talk to and how often.

    1. Makes sense, I removed the Cloudflare DNS from my configuration, and edited the top post. thanks!
    2. I followed this advice and learned indeed how much DNS activity some devices create that I was not aware of. I have a Fingbox that is the #3 creator of DNS traffic in the entire network. A great amount of it seems to be reverse lookups of my internal IP addresses. This seems reasonable.


  • @mervincm said in "Proper" Config For DNS pfSense and PI Hole:

    -pi.hole graphs should resolve client to IP correctly so that lists like Top Clients correctly have the hostnames, not the IP addresses.

    Just to confirm.... did you get that functionality working?

    I think I've implemented everything you've got here, but can't manage to get hostnames to resolve (on pihole lists) across different subnets.



  • Yes, this works as described.



  • Thanks... found the problem, I'd reinstalled pihole and forgot to uncheck the required variables.

    Works great now, thanks for capturing all of that.

    If anyone tries to do this on Synology.. some good practices here: https://github.com/chriscrowe/docker-pihole-unbound



  • Any chance you've got this working in IPv6 and figured out how to get pfsense hostnames to resolve in pihole the way they do for IPv4?

    Particularly if using a tracked interface for addressing?



  • @BigSnicker I do not use ip6.



  • @BigSnicker I also can’t get the hostnames to show up in Pihole. What setting did you uncheck during install to fix this?



  • @mcbuckets In IPv4 the way to do that was to first populate all of the hostnames as static leases outside of the DHCP address range and having them registered (and routable) at the DHCP server level:

    DHCP Registration is enabled
    DHCP Static Mapping created for each permanent device on my LAN network. These Static Mappings exist if the device actually uses DHCP, or if it is hardcoded.

    And then uncheck the following two settings in pi-hole:

    never forward non-FQDN is not checked
    never forward reverse lookups for private IP ranges is not checked

    That should really do it for you.

    Unless you also want that happening in IPv6 (i.e. DNS6).. which seems to be a WHOLE other thing. lol
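The two Pi-hole checkboxes the post above says to uncheck are stored in Pi-hole's setupVars.conf, and several people in this thread lost them on a reinstall. The audit below is an added example, not code from the thread or from the Pi-hole project. It assumes the Pi-hole v5 file layout, where "Never forward non-FQDNs" is `DNS_FQDN_REQUIRED` and "Never forward reverse lookups for private IP ranges" is `DNS_BOGUS_PRIV` (the dnsmasq options `domain-needed` and `bogus-priv`); Pi-hole v6 moved its settings to pihole.toml, so the file name and keys would differ there. The sample file content is constructed, and the pfSense address 192.168.1.1 is hypothetical.

```python
# Added example, not from the thread: audit a Pi-hole v5 setupVars.conf for the
# settings this thread says must be off for LAN hostnames to show up in Pi-hole.
# Assumptions: v5 file layout; pfSense (unbound) at a hypothetical 192.168.1.1.

# Constructed sample, not copied from any real install. DNS_FQDN_REQUIRED and
# DNS_BOGUS_PRIV are the keys behind the "Never forward non-FQDNs" and "Never
# forward reverse lookups for private IP ranges" checkboxes (dnsmasq's
# domain-needed and bogus-priv). Both are set the wrong way for this setup.
SAMPLE_SETUPVARS = """\
PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=192.168.1.1
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=false
"""

def parse_setupvars(text):
    """Parse KEY=value lines into a dict; blank lines and comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def audit_pihole(settings, pfsense_ip):
    """Return findings as strings; an empty list means the file matches the setup in this thread."""
    findings = []
    if settings.get("DNS_FQDN_REQUIRED", "false").lower() == "true":
        findings.append("DNS_FQDN_REQUIRED=true: bare hostnames (e.g. 'nas') get NXDOMAIN "
                        "from Pi-hole itself instead of being forwarded to unbound")
    if settings.get("DNS_BOGUS_PRIV", "false").lower() == "true":
        findings.append("DNS_BOGUS_PRIV=true: PTR queries for private ranges are not forwarded "
                        "to unbound, so Top Clients shows IP addresses instead of hostnames")
    upstreams = [v for k, v in settings.items() if k.startswith("PIHOLE_DNS_")]
    if upstreams != [pfsense_ip]:
        findings.append(f"upstreams {upstreams}: expected only pfSense at {pfsense_ip}")
    return findings

def audit_file(path, pfsense_ip):
    """Convenience wrapper for a real install (default v5 path: /etc/pihole/setupVars.conf)."""
    with open(path) as f:
        return audit_pihole(parse_setupvars(f.read()), pfsense_ip)

if __name__ == "__main__":
    for finding in audit_pihole(parse_setupvars(SAMPLE_SETUPVARS), "192.168.1.1"):
        print("-", finding)
```

Because the checks run on the parsed dict, the same function can be pointed at a saved copy of the file from a backup (teleporter archive) to confirm the two boxes were unchecked before a reinstall is trusted.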



  • FYI, after doing some research on how to get hostnames resolved in IPv6, it looks like the best option is to put in a host override in the DNS resolver.

    DNS Resolver -> General Settings -> Host override

    There's a thread discussing the options here.

