Messages - dimovstanimir85

#1
Just a quick update guys.

I've decided to try the article again from scratch (the one provided in my very first post), and this time, as advised previously in this discussion, I disabled Unbound DNS and then I was able to successfully enable the dnsmasq service, as port 53 was no longer in use. From there on I followed the rest and "voila". I was really happy to see that my pi-hole server started displaying results of DNS requests coming from hosts even behind OPNsense. And good job to OPNsense itself for being able to properly forward the requests to pi-hole.

Thank you all for the help and the guidance as you really helped me in understanding the basics of Unbound and Dnsmasq services.
#2
Quote from: franco on May 17, 2023, 05:28:05 PM
If you give the Pi-Hole DNS IP to the clients the clients will ask there and you will start seeing the IP addresses of the clients. In order to resolve the client as hostnames Pi-Hole needs to ask OPNsense DNS which could end up in a loop.

You really need to put your requirements down first.


Cheers,
Franco

Check the attached diagram, Franco.
For obvious reasons the subnets are just dummy ones.
However, take note that the Pi-Hole server is in the WAN network and has a WAN IP address. This is because my ISP router is a Wi-Fi model and I use this network as a guest network. So, as you can see, for the Pi-Hole every request coming from hosts behind OPNsense is seen as coming from OPNsense's WAN IP. Maybe that is why the article I quoted in my first post described using dnsmasq (not Unbound DNS), as maybe dnsmasq does allow forwarding of information about the source hostnames to pi-hole. And in the article they did create some file via SSH on the local filesystem.
#3
Quote from: franco on May 17, 2023, 01:10:57 PM
> 1. The Pi-hole still doesn't display hostnames(it still sees only my OPNsense's instance as client)

Well for this you need to put DHCPv4 DNS server back pointing to Pi-Hole directly. It really really depends on your requirements (and getting these defined first). Your post starts with "to use my pi-hole instance as DNS server" so that's what I suggested before the goal post shifted. And this is regardless of Dnsmasq/Unbound complication. ;)

> 2. Now I lost the resolving of the Pi-Hole "Local DNS Records"

Not sure what that is.


Cheers,
Franco
As per your advice I've put my Pi-Hole IP address back as DNS in the LAN's DHCP configuration and now it's all working like before. Pi-Hole still only sees OPNsense as the only source of DNS requests. And yes, you are right: from the very beginning I wanted to use dnsmasq, as quoted in the article, to be able to forward the hostnames' FQDNs and force Pi-Hole to see them as sources (not only OPNsense), and apparently I didn't know about Unbound DNS, which was the reason dnsmasq could not be activated, as Unbound was already enabled and occupying port 53. However, I think that in some of the posts above you said that no matter the service, Unbound or Dnsmasq, both were capable of achieving what I want, i.e. to make Pi-hole see the hostnames making the DNS requests even behind OPNsense. So please excuse me if at some point I've misled you, but now it is strange to me that even after I enabled the forwarding in the Unbound section, Pi-Hole is still not able to see the hostnames as sources of origin. Do you happen to know if there is something else that should be done on Pi-Hole's end?
#4
Quote from: franco on May 17, 2023, 09:58:15 AM
Use gateway: none


Cheers,
Franco

Thanks Franco, selecting "none" worked and I continued configuring everything else that you described.
I also removed the Pi-hole's IP address from the LAN's DHCP configuration, and now the LAN network interface IP is being assigned as gateway and DNS on my laptop, which of course is expected and normal. I also tested opening a couple of websites which I know are full of ads, and when I checked my Pi-hole logs I saw those ads being blocked, which is also great. So far so good, BUT there are two issues left: one old and one new.
1. The Pi-hole still doesn't display hostnames (it still sees only my OPNsense instance as client)
2. Now I lost the resolving of the Pi-Hole "Local DNS Records"

Do you have any idea why and how I could debug or fix that?

PS: If needed I can upload screenshots for every configuration and step described above.
#5
Quote from: franco on May 17, 2023, 07:58:13 AM
Yes, replace google servers, leave allow override unchecked. You only need DHCP options in Unbound when you want these to be available as host names from the firewall for all other clients. And yes set use name server setting in query forwarding.


Cheers,
Franco

As always, thank you for your assistance and rapid response; while trying to follow your directions I hit a small bump.
Could you kindly look at both screenshots and advise further? :)
#6
Quote from: lilsense on May 17, 2023, 02:32:01 AM
so why not just put the pihole IP address on your DHCPv4 for DNS and you are done. Whenever a device gets an IP the DNS will be the pihole and you are done. no need for dnsmasq or unbound.

This is how I've been doing it for the past year, but as I said I was looking for a way to make my pi-hole see all of my hostnames (both LAN & DMZ), as currently it only sees my opnsense device making all of the requests. That is why I think I need to use Unbound or Dnsmasq DNS with DNS forwarding enabled, so the DNS requests will be forwarded but also carry information about the specific host for which the request is being sent. @Franco, correct me if I am wrong.
#7
Quote from: franco on May 16, 2023, 09:12:22 AM
Yes, you can do this with either Dnsmasq or Unbound. Both feature overrides and forward support.

The easiest way to pull this off is to add PiHole server to System: Settings: General and disable override for WAN DNS servers. If you use Unbound enable forwarding mode and done... If you use Dnsmasq nothing else needs to be configured.


Cheers,
Franco

Franco, could you please take a look at my screenshots and confirm if this is what I am supposed to do if I want to stick with Unbound?

Thanks in advance!
#8
Quote from: franco on May 16, 2023, 08:49:19 AM
The guide talks about configuring Dnsmasq to do the forwarding. If you want to use Dnsmasq on port 53 you need to disable Unbound or move it to another port. This was always the case.

FWIW, the guide probably uses Dnsmasq because it's a smaller setup than running a full Unbound resolver. Nothing wrong with that.


Cheers,
Franco

To be honest, Franco, I am not sure if I need the whole setup from the article. I just need to see the requests coming from the different hostnames so I could determine what traffic is generated by each host, as in my current scenario I only see all of the requests coming from one host, which is the OPNsense one (check attached screenshot).
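The symptom described in this post (every query in Pi-hole attributed to the single OPNsense address) can be checked against Pi-hole's dnsmasq-format query log. The script below is an added example, not code from this thread or from Pi-hole/OPNsense; the log lines and the addresses 203.0.113.5 (the firewall) and the LAN/DMZ clients are constructed.

```python
import re
from collections import Counter

# Pi-hole logs dnsmasq-format lines (/var/log/pihole.log); a query line looks like
#   May 17 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.10
# "from" is the last hop that asked Pi-hole, so a forwarding resolver on the firewall masks the real client.
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_query(line):
    """Return (qtype, name, client) for a query line, or None for reply/cached/forwarded lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return m.group("qtype"), m.group("name"), m.group("client")

def clients_by_queries(lines):
    """Count queries per client address, ignoring non-query log lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed is not None:
            counts[parsed[2]] += 1
    return counts

def forwarder_masking(lines, forwarder_ip):
    """Return (share of queries attributed to forwarder_ip, number of distinct clients)."""
    # A share of 1.0 with a single client is the "only OPNsense is a client" picture from the thread.
    counts = clients_by_queries(lines)
    total = sum(counts.values())
    share = counts[forwarder_ip] / total if total else 0.0
    return share, len(counts)

# Constructed sample: LAN hosts resolve via the firewall (203.0.113.5), which forwards to Pi-hole.
FORWARDED_LOG = [
    "May 17 10:00:01 dnsmasq[1234]: query[A] example.com from 203.0.113.5",
    "May 17 10:00:01 dnsmasq[1234]: forwarded example.com to 1.1.1.1",
    "May 17 10:00:02 dnsmasq[1234]: query[AAAA] ads.example.net from 203.0.113.5",
    "May 17 10:00:02 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0",
    "May 17 10:00:03 dnsmasq[1234]: query[A] opnsense.org from 203.0.113.5",
]

# Constructed sample: DHCP hands out Pi-hole's address, so hosts query Pi-hole directly.
DIRECT_LOG = [
    "May 17 10:05:01 dnsmasq[1234]: query[A] example.com from 192.168.1.10",
    "May 17 10:05:01 dnsmasq[1234]: cached example.com is 198.51.100.7",
    "May 17 10:05:02 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.11",
    "May 17 10:05:03 dnsmasq[1234]: query[AAAA] opnsense.org from 10.0.0.5",
    "May 17 10:05:04 dnsmasq[1234]: query[A] pi-hole.net from 192.168.1.10",
]
```

Running `forwarder_masking(FORWARDED_LOG, "203.0.113.5")` gives `(1.0, 1)`, while the direct log gives `(0.0, 3)`, which is the per-host visibility the poster is after.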
#9
Quote from: pmhausen on May 16, 2023, 07:47:59 AM
Unbound is the standard recursive DNS server in OPNsense and many other systems.
I see. So in the end I suppose it is normal for it to be disabled in a scenario like this, where an external DNS service like Pi-Hole is about to be used.
#10
Quote from: lilsense on May 16, 2023, 02:20:36 AM
please post the picture of the unbound > General. It looks like you have unbound enabled.
Thanks for your reply lilsense, and yes, you were totally right. In the end it turned out that the unbound option was indeed enabled (check attached screen).
By the way, what is the idea behind this "unbound" option in general?
#11
Hi Guys,
I would really appreciate your help and assistance with my issue.
Pretty much I am using this article https://pi-hole.net/blog/2021/09/30/pi-hole-and-opnsense/#page-content in order to use my pi-hole instance as DNS server, but when I try to, in the very first step I get "Unbound DNS is currently using this port" (check attached screenshot).
I've also checked the ports used on opnsense via SSH and there is no port 53 being used at the moment.