DNS Forwarder and Resolver in Parallel with different DNS Servers



  • Hi!

Asking the community for some help here. I have been running pfsense for some time and I'm very happy doing so;
    it's really the key component of my network. I would really appreciate some input and help. I'm sort of stuck trying to figure out how to set up my pfsense to resolve DNS differently depending on which VLAN is in use.

    I came across this old topic https://forum.netgate.com/topic/104034/solved-different-dns-forwarders-for-vlan-s

    This is something I want to do.

    My scenario is this:

    I have a PiHole instance for blocking ads; it is configured to use my pfsense box for DNS. My pfsense box
    is set up to use 1.1.1.1 and 8.8.8.8 and similar (General Settings tab). I use the DNS Resolver on port 53. I have configured DHCP to hand out the IP of the PiHole.

    A DNS query from my client looks like this:
    ClientQuery -> PiHole-1 -> PfsenseResolver -> 1.1.1.1

    The benefit, as I see it, of doing it this way is that I will also be able to resolve local LAN-specific domains via pfsense (usually set by DHCP hostnames).

    Now, since my kids are growing up and using the internet and whatnot more frequently, I want to do more filtering on their devices. I have set up another PiHole instance (PiHole-2), which is blocking a lot more ads and stuff. I want this to also use pfsense for DNS queries so it can translate local domain names as well. The problem is: how can I use a different DNS server from pfsense for this PiHole?
    So I'm thinking I can run the DNS Forwarder on port 54 (the Resolver is running on port 53), but how can I set a specific DNS server for the forwarder?

    So this is what I would like the query to be like:

    KidsClientQuery -> PiHole-2 -> PfsenseForwarder -> 1.1.1.3 (where 1.1.1.3 is the family version)

    Thanks in advance,
    Best Regards D



  • I solved this for now with a workaround.
    I have set my PiHole to use DNS 1.1.1.3, and then I copy the /etc/hosts file from pfsense to the PiHole (to resolve the local names). I do this with a bash script that's invoked once a week via crond.
    Not the best-looking solution, but it will do for now.

    Regards, D
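One way to do the conversion step of that workaround, as an added example rather than D's own script: once a copy of pfsense's /etc/hosts has been fetched (for example with scp, which this example does not do), the function below turns it into entries for Pi-hole's local DNS records file (/etc/pihole/custom.list, which uses the same "IP hostname" layout). It drops comments, loopback and link-local lines and IPv6 entries, keeps only names under the local domain you pass in, and collapses duplicates, so stray entries from the firewall's hosts file do not get published to the kids' resolver. The hosts content in the demo function is constructed; the domain home.lan is an assumption.

```shell
#!/bin/sh
# Added example, not D's script or a Pi-hole/pfSense tool.
# Convert a pfSense /etc/hosts copy into Pi-hole custom.list entries.
# Usage: pfsense_hosts_to_customlist LOCAL_DOMAIN < hosts_copy
pfsense_hosts_to_customlist() {
    domain="$1"
    awk -v dom=".$domain" '
        /^[[:space:]]*#/ || NF < 2 { next }                 # comments, blank lines
        $1 ~ /^(127\.|::1$|fe80:)/ { next }                  # loopback / link-local
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }    # keep IPv4 addresses only
        {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break                         # trailing comment
                name = tolower($i)
                # keep only FQDNs under the local domain, once per (ip, name) pair
                if (substr(name, length(name) - length(dom) + 1) == dom && !seen[$1 " " name]++)
                    print $1, name
            }
        }'
}

# Demo on a constructed hosts file in pfSense's style (assumed domain: home.lan).
demo() {
    pfsense_hosts_to_customlist home.lan <<'EOF'
# pfSense generated hosts file (constructed sample)
127.0.0.1 localhost localhost.home.lan
::1 localhost localhost.home.lan
192.168.1.1 pfsense.home.lan pfsense
192.168.1.10 pihole-1.home.lan pihole-1
192.168.1.10 pihole-1.home.lan pihole-1
192.168.20.10 pihole-2.home.lan pihole-2   # kids VLAN
10.0.0.5 printer.other.lan printer
EOF
}

demo
```

In a weekly cron job the output would be written to a temporary file and then moved over /etc/pihole/custom.list, followed by `pihole restartdns` so the new records are loaded; writing the file in place while the resolver is running risks serving a half-written list.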



  • And another update in my "blog".
    In PiHole you can set "Use Conditional Forwarding" and list your domain and the pfsense IP.
    That way I can resolve my own internal domain and at the same time use 1.0.0.3 and 1.1.1.3 for DNS lookups without going through pfsense. No need to copy over the hosts file.

    I ended up not launching the resolver and forwarder in parallel.

    My setup now is that I port forward all DNS requests on all interfaces except the kids VLAN to my pihole-1, and I port forward requests coming in on my kids VLAN to port 53 to pihole-2. I allow outgoing requests from my pihole-1 and pihole-2.

    Regards. D